GDPR: Legitimate Interest For Referral Programs And Invitations

Everything you need to know about assessing Legitimate Interest for your referral program or e-vites.

Fact: Running refer-a-friend programs has never been easy.

But without a doubt, GDPR has raised it to a whole new level.

After all, the regulation impacts almost every aspect of a referral program.

(Note: we’ve talked about some of that here and here already.)

And in this post, I want to discuss another factor affecting how you communicate with customers and their connections – the legitimate interest.

We’ll discuss what constitutes a legitimate interest, different marketing scenarios it relates to, and see how it works in referral programs.

So, let’s begin.

Legitimate Interest – Overview

The concept of legitimate interest as a legal basis for processing personal data isn’t new. It already existed in the 1995 Data Protection Directive (95/46/EC), and, interestingly, in quite a similar form.

As a concept, legitimate interest defines one of the reasons for which companies may process personal data lawfully. As Article 6(1)(f) of the GDPR puts it, an organization can process the information if:

“it is necessary for the purpose of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

And I admit – at first sight, it’s easy to think that it would help companies explain the use of personal data for various marketing purposes.

Getting around consent could be one of them. After all, even if a person signed up only for a newsletter, a legitimate interest could warrant sending them sales information too, right? One could argue that informing a person about a current offer, for example, constitutes a legitimate interest.

But naturally, that’s not the case.

As the Data Protection Network explains in its report “Guidance on the use of Legitimate Interests” (note: the document requires registration to access), a legitimate interest must be real and specific; it cannot be vague.

As the report states further:

“Many businesses want to make a profit. This does not mean that the broad objective is a Legitimate Interest in and of itself.”

However, as with many other elements of GDPR, the issue isn’t that straightforward. For example, the regulation itself cites direct marketing as one of the examples where legitimate interest may apply (Recital 47).

Yet legitimate interest only answers the question of whether you may process the data under GDPR. It does not override the separate ePrivacy rules (implemented in the UK as PECR), under which unsolicited electronic marketing to individuals generally requires their consent. In other words, legitimate interest is not a back door for contacting a person who has not agreed to hear from you.


It surely is confusing. So, let’s look at the different scenarios that relate to marketing and growth strategies, starting with the direct marketing mentioned above.

Direct Marketing

Any direct marketing strategy relies on companies sending promotional information to two groups of people:

  • Those with whom the company already has some sort of relationship (e.g., current and past customers or email subscribers)
  • People it has never interacted with before.

Emailing current or past customers poses no complications, provided that the company obtained their consent for marketing when it implemented GDPR compliance.

However, it has had no chance to obtain consent from the second group before processing their data.

Contacting them, as it turns out, could be acceptable under a legitimate interest. As the DPN report explains:

“An organization may wish to rely upon Legitimate Interests where Consent is not viable or not preferred and the Balance of Interests condition can be met.”

Many growth strategies, including refer-a-friend programs, could rely on this basis, although in practice they are more complex.

Communicating with Existing Customers

This scenario is pretty straightforward. A company could use legitimate interest as a basis for contacting customers because there is a relevant and appropriate relationship between the two; Recital 47 gives exactly this example, where the data subject is already the controller’s client.

Reasonable Expectations

Finally, a company might rely on the reasonable expectations a person would have about how their data might be processed. A good example is retaining a particular piece of data, such as the account email, after a person has removed their account, so that the company can recognise them should they become a customer again.

Legitimate Interest Assessment

The information above provides a good overview of legitimate interest. But there’s one question many organizations might ask:

How does an organization know that its reliance on legitimate interest is valid?

And that’s where the legitimate interest assessment comes into play.

As the Data Protection Network explains:

“Such an assessment will certainly assist organizations in meeting their accountability and transparency requirements and ensure that individuals’ interests are put front and center under the GDPR regime.”

The assessment consists of three stages:

#1. Identify a Legitimate Interest

The first step is to define the purpose of processing the data and why it is important to you.

What’s more, a legitimate interest may relate not only to your goals as the data controller but also to those of a third party to whom you disclose the personal data.

And so, when defining the purpose behind a legitimate interest, you must consider all parties that have an interest in processing the data.

#2. The Necessity Test

Next, you need to consider whether the purpose for processing the data is necessary to reach your commercial or business objectives.

And the key word in the above statement is “necessary.”

The necessity test, as the Data Protection Network’s guideline publication puts it, aims to answer:

“Is there another way of achieving the identified interest?”

If the answer is no, then the processing is clearly necessary.

If another way exists but would be unreasonably burdensome, the processing may still count as necessary: “necessary” means the processing must be a targeted and proportionate way of achieving the purpose, not that it is the only conceivable way.

However, if the same objective can reasonably be achieved in a less intrusive way, the necessity test fails and legitimate interest cannot be used as the basis for processing the data.

#3. The Balancing Test

Finally, as part of the assessment, a company must evaluate whether its legitimate interest is overridden by the interests, rights and freedoms of the individual whose data will be processed.

Factors to consider here include:

  • The nature of the legitimate interest. Will the person expect the processing to take place? What type of data will be processed? What is the nature of the controller’s interest (e.g., does it add value or is it merely convenient, is it in the interest of the individual, etc.)?
  • The impact of processing. Is the processing justified? Will it have any positive or negative impact on the individual? Would not carrying out the processing prejudice the controller, a third party or society?
  • Safeguards in place to protect the individual, or to reduce any risks or potentially negative impacts of the processing.

Legitimate Interest in Referral Programs

Now, taking the above into consideration, it may seem that legitimate interest isn’t something you need to concern yourself with.

But then again, consider the following scenarios:

You decide to send a new feature notification to people on your mailing list. However, none of them have given their explicit consent to receive promotional or sales-related messages. They signed up for advice, information, and help with your content.

Processing their data to deliver such a message would have to rely on legitimate interest, which in turn requires you to conduct the Legitimate Interest Assessment.

Similarly, you may receive personal data second-hand: a customer gives you their friend’s email address so that you deliver a referral message on their behalf. You’ve received that address without the data subject’s consent, so legitimate interest is the only plausible lawful basis for processing it. (If you handle the address on a client’s behalf as a processor, it is the client, as controller, who has to establish that basis.)

Again, to process the data, you need to conduct the assessment to document the lawfulness of the processing.


GDPR caused a stir among marketers, and with reason. The regulation has forced organizations to think differently about their referral and other growth strategies.

For one, it makes everyone involved more conscious of the lawful basis on which they process personal data.

That’s exactly what legitimate interest defines. And hopefully, after reading this post, you have a good idea about how it affects your referral programs, and what you must do to make them GDPR compliant.

Jay Gibb, CEO/Founder at CloudSponge