here that the ‘legitimate interests’ basis is the most flexible of the six lawful bases, as it is not focused on a particular purpose and therefore gives more scope to potentially rely on it in many different circumstances.
It may be the most appropriate basis when:
The ICO further recommends the use of a three-part test when using the ‘legitimate interests’ basis:
Data Controllers should keep a record of these assessments as part of demonstrating compliance, and include the details of the legitimate interests they are pursuing in published privacy information.
An important note, however, is that the ‘legitimate interests’ basis is not applicable to Processing carried out by public authorities in the performance of their public tasks. Public authorities are defined as those subject to the Freedom of Information Act 2000 (FOIA) or the Freedom of Information Act (Scotland) 2002 in Scotland.