Article 6(4) sets out several conditions for the use of Legitimate Interest. A data controller would need to have considered their justification for such a decision. Given how and what CANDDi tracks, its use is likely to fulfil these criteria. (Campaign and Digital Intelligence Limited cannot, however, advise on this, as the justification is business specific.)
Legitimate Interest is found in Article 6(1)(f), one of the lawful bases available for the processing of personal data, which applies where processing is “Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject”.
The recitals give examples of processing that could be necessary for the legitimate interest of a data controller, including:
- Recital 47: “Processing for direct marketing purposes or preventing fraud”
- Recital 48: “Transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data”
Recital 47 would, therefore, cover the setting of first-party cookies for marketing purposes.
Legitimate Interest does, however, also come with the individual's right to object to the processing (Article 21). The website would therefore still be required to give the user the ability to opt out of such usage.
When considering how the Legitimate Interest approach would relate to the setting of cookies and the use of CANDDi as a business development/direct marketing tool, the approach would appear to complement both.