Retail & Data Protection – Article 2: Legitimate interest processing – how can retailers stay on the right side of compliance?

Monday 3rd November 2025

In today’s fast-paced retail environment, data-driven technologies offer retailers a powerful means to analyse customer engagement, streamline operations and improve performance. Tools, such as CCTV and call recording, provide the means to capture customer interactions, while outputs, like heat mapping and call scoring, translate that data into actionable insights. Because these activities typically involve extensive processing of personal data, retailers must ensure that their use complies with applicable data protection laws.

Data protection laws require a ‘lawful basis’ for retailers to process their customers’ and employees’ personal data, and these bases are set out in law. One of the most flexible of these bases is ‘legitimate interests’, which provides retailers with a practical route to compliance when other bases, such as consent or contract, are inappropriate or difficult to apply.

This article aims to provide a quick overview of what ‘legitimate interests’ are and how retailers can stay on the right side of compliance when seeking to rely on this lawful basis in practice.

What are legitimate interests?

‘Legitimate interests’ is one of the six lawful bases for processing personal data under Article 6(1)(f) of the UK GDPR. It allows retail businesses to process personal data where it is necessary for the purposes of their own legitimate interests or those of a third party, provided that those interests are not overridden by the interests or fundamental rights and freedoms of the individual (particularly where the individual is a child).

Unlike other lawful bases, ‘legitimate interests’ is neither tied to a specific initial purpose (e.g., performance of a contract or compliance with a legal obligation) nor to processing which an individual has actively agreed to (e.g., consent). This gives retailers flexibility to apply this basis to many types of processing. Although it has a potentially broad application, this does not mean that retailers should automatically default to ‘legitimate interests’ as the basis for processing personal data where other lawful bases clearly apply, or without first having conducted a proper assessment of whether such processing will be compliant in practice.

How can legitimate interest processing be applied in practice?

Due to its broad applicability, retailers must be able to demonstrate (to a greater degree than for the other lawful bases) that processing on the basis of their legitimate interests is a proportionate and necessary response to the aim they are seeking to achieve, and that it is genuinely balanced against the interests, rights and freedoms of the individual. Retailers should therefore consider the following practical measures:

1. Lawfulness

Retailers should structure their assessment of ‘legitimate interests’ using a three-part test, namely: (1) Purpose Test – is there a clear and specific legitimate interest? (2) Necessity Test – is the processing genuinely necessary to achieve that purpose? and (3) Balancing Test – do the individual’s interests, rights or freedoms override the legitimate interest?

The Information Commissioner’s Office (ICO) considers it best practice to document this assessment through a Legitimate Interests Assessment (LIA). An LIA not only provides a clear audit trail for relying on ‘legitimate interests’, but also supports a retailer’s accountability obligations under data protection laws.

Importantly, conducting an LIA may reveal that a less intrusive method of processing is available and, therefore, more appropriate. For instance, if a retailer intends to use call scoring (e.g., to monitor staff performance or enhance customer engagement), it may determine that analysing itemised call records achieves the same purpose without needing to record actual call content. Equally, the inherent privacy risks of recording and then analysing CCTV footage, for example to identify repeat customers, are likely to necessitate a Data Protection Impact Assessment (DPIA) to fully assess whether the benefits of surveillance outweigh its potentially adverse impact on customers and employees.

In general, the more intrusive the processing activity, the more detailed and robust the justification for relying on that lawful basis must be. Audio recording, especially if it is continuous, will require significantly stronger justification than purely visual recording. Similarly, where special category data is involved, such as biometric data (e.g., facial images, fingerprint data), additional conditions must be met to ensure lawful processing.

Even where personal data appears to be anonymised, retailers must also carefully consider the risk of re-identification. For example, heat mapping tools, which may be used to track customer movement in-store or online, are typically anonymised. However, if heat mapping is combined with other data sources, such as payment records, loyalty app usage or store Wi-Fi access, it may become possible to re-identify individuals. This increases the privacy risk, the need to mitigate that risk, and the level of justification required to rely on ‘legitimate interests’ (or another basis) as the lawful basis for processing.

2. Fairness

Retailers should only handle personal data in ways that people would reasonably expect within the specific context that such data is being processed. Data processing that has an unjustified effect on individuals should be avoided. For example, surveillance methods, like CCTV for analytics and heat mapping, will often be difficult to justify in areas where individuals have a heightened expectation of privacy, such as toilets, changing rooms or staff rest areas.

Similarly, if a retailer intends to implement call scoring, any monitoring should be strictly limited to business-related communications. Routine monitoring of personal calls should be avoided (unless absolutely necessary for such purposes) to respect an employee’s reasonable expectation of privacy.

Retailers must also give individuals the opportunity to opt out of such processing, or provide alternative arrangements, to improve fairness and transparency. This can present challenges where, for example, CCTV is used for analytics rather than for public safety purposes.

3. Transparency

Retailers must also take proactive steps to ensure transparency when processing personal data on a ‘legitimate interests’ basis. For example, in the context of call scoring, it is essential that retailers clearly inform employees and external callers about the nature, extent and purpose of call recording and that employees are made aware that call recordings may be released if particular callers request this. This can be achieved through appropriate means, such as privacy notices, recorded messages or verbal explanations provided by staff to external callers, depending on the context and nature of the circumstances.

For surveillance activities, like heat mapping, retailers should use clear and prominent signage to notify individuals that monitoring is taking place, and those under surveillance must be made aware that they are being recorded. Retailers must also implement additional and appropriate safeguards (where applicable) to limit access to and disclosure of any recorded images. Privacy notices should also clearly set out the legal basis and purpose of data processing, and individuals must be given accessible information on how to exercise their rights.

If you would like any further guidance on legitimate interests processing or any advice on privacy, contracts or AI, please contact one of our experts.

This article is the second in a series exploring privacy and data protection in retail. Take a look at the other articles here.

Article 1 – Retail & Data Protection – Article 1: Why retailers should be talking about privacy – Gordons LLP