Legal basis for sending emails

 

The General Data Protection Regulation (GDPR), introduced in May 2018, gives users the right to opt out of certain email communications. However, GDPR also allows specific messages to be sent without consent when they are considered to be in the legitimate interest of the data controller.

For a communication to qualify as legitimate interest, it must be something the user would reasonably expect and must have minimal impact on their privacy.

What counts as legitimate interest?

GDPR recognises legitimate interest in situations such as:

  • Preventing fraud
  • Ensuring network and information security
  • Direct marketing in limited circumstances
  • Reporting potential criminal activity to authorities

Within Good Grants, legitimate interest may apply to operational messages that are necessary for a program to function.

Examples include:

  • Notifying shortlisted applicants or winners of outcomes
  • Informing reviewers that reviewing is open and ready to begin

How to assess legitimate interest

To determine whether a message can be sent under legitimate interest, consider the following three questions:

  • Purpose: Is there a genuine and lawful reason for sending the communication?
  • Necessity: Is sending this message necessary, or could the same outcome be achieved in a less intrusive way?
  • Balancing: Would the user reasonably expect this communication, and do their interests outweigh the organisation’s need to send it?

All three criteria should be satisfied.

Sending broadcasts and notifications using legitimate interest

When creating a broadcast or notification, you can choose the legal basis for sending the message. To bypass user subscription preferences:

  1. Create a new broadcast or notification
  2. Locate the legal basis drop-down
  3. Select Legitimate interest of the data controller

Messages sent under this option will be delivered regardless of the recipient’s broadcast or notification preferences.

Selecting Freely given consent by user will respect the user’s subscription preferences.

Good to know

  • This article is not legal advice and is not a complete guide to GDPR compliance. 
  • You should seek legal advice if your program collects or processes personal data.
  • The notification triggers 'User registered' and 'Role granted' always bypass preferences, as these messages are required for account access and cannot be disabled.