We can, however, extend this notion of consent to consider an alternative lawful ground for lawful processing of personal data. The setting of cookies based on the ‘legitimate interests of the controller’. This would allow the use of cookies without the strict requirement of explicit consent as stated in Article 6(1)(a). (nb. This would not apply to the public sector due to legislative distinctions)

Article 6(4) sets out several conditions for the use of Legitimate Interest. A data controller would need to have considered their justification of such decision. Due to the way in which and what CANDDi tracks it is likely to fulfil such criteria. (Campaign and Digital Intelligence Limited cannot, however, advise on this as the justification is business specific.)

This is found in Article 6(1)(f) where there are lawful bases available for the processing of personal data where it is “Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject”

The recitals give examples of processing that could be necessary for the legitimate interest of a data controller including:

Recital 47: “Processing for direct marketing purposes or preventing fraud”
Recital 48: “Transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data”

Recital 47 would, therefore, cover the setting of first-party cookies for marketing purposes.

Legitimate Interest does however also come with the right to object to the processing by the individual (Article 21). The website would therefore still be required to have the ability for the user to opt-out of such usage.

When considering how the Legitimate Interest approach would relate to the setting of cookies, and use of CANDDi, as a business development/direct marketing tool this would appear to complement.

Have more questions? Submit a request
Was this article helpful?
Thank you!