EDPB publishes guidelines on legitimate interest

The European Data Protection Board has adopted guidelines on the processing of personal data on the basis of a legitimate interest.

On October 8, 2024, the European Data Protection Board (EDPB) adopted guidelines on the processing of personal data on the basis of a legitimate interest. With the guidelines, the EDPB aims to clarify the term "legitimate interest". Companies should consider the guidelines as they are intended to provide greater legal certainty.

Three requirements for "legitimate interest"

The legitimate interest is one of six possible legal bases in Art. 6 para. 1 GDPR, on the basis of which personal data can be lawfully processed. Art. 6 para. 1 lit. f GDPR stipulates that personal data may be processed if this is necessary to safeguard the "legitimate interests" of the controller or a third party - provided that the interests or fundamental rights and freedoms of the data subject do not prevail.

The term "legitimate interest" is broad in the legal sense and is now explained in more detail in the guidelines.

In order to be able to invoke a legitimate interest, the controller must fulfill three requirements according to the EDPB:

  1. Pursuit of a legitimate interest by the controller or a third party
    As the EDPB emphasizes, only interests that are legitimate, clearly and precisely formulated, real and current can be considered legitimate. Such legitimate interests could, for example, exist in a situation in which the person is a customer or is in the service of the controller.

  2. Necessity of processing personal data to pursue the legitimate interest
    If there are adequate, equally effective but less intrusive alternatives to achieve the interests pursued, the processing may be considered unnecessary. The necessity of processing should also be examined from the perspective of the principle of data minimization.

  3. The interests or fundamental freedoms and rights of individuals do not take precedence over the legitimate interest of the controller or a third party (balancing test).
    The controller must ensure that its legitimate interest is not overridden by the interests, fundamental rights or freedoms of the individual. In making this assessment, the controller must take into account the interests of the individuals, the impact of the processing and their reasonable expectations, as well as the existence of additional safeguards that could limit the impact on the individual.

Focus on the need for processing

As an example, the guidelines also mention the processing of personal data for direct marketing purposes, where the rights of the data subjects must be carefully weighed up.

However, the assessment in the guidelines is not only about economic interests, but also about preventing fraud, ensuring network security or carrying out internal administrative processes.

An essential requirement of Art. 6 para. 1 lit. f GDPR is the "necessity" of the processing. The guidelines make it clear that the controller's interest may only be pursued if there is no other, less intrusive measure to achieve the same objective. "Data minimization", one of the core principles of the General Data Protection Regulation, must always be taken into account.

Weighing up legitimate interests and fundamental rights or freedoms

The most difficult step in the application of Art. 6 para. 1 lit. f GDPR is the balancing of the legitimate interests of the controller and the rights and freedoms of the data subject. According to the guidelines, this balancing must take place before data processing begins and is highly context-dependent. Factors such as the type of data processed, the impact of the processing on the data subject and the reasonable expectations of the data subject in relation to the data processing must be taken into account.

The guidelines also emphasize that the balancing of interests is particularly strict in certain cases, such as the processing of data of minors or particularly vulnerable persons. As children have a particular need for protection, higher requirements must be placed on the balancing of interests when processing their data.

According to the guidelines, the right to object pursuant to Article 21 GDPR is particularly relevant. If the data subject objects to the processing of their data, processing may only be continued if there are compelling legitimate grounds for doing so.

The guidelines of the European Data Protection Board on Art. 6 para. 1 lit. f GDPR provide valuable clarification on the application of "legitimate interests" as a legal basis for data processing. They emphasize that this legal basis must not be used lightly and requires strict consideration in order to safeguard the fundamental rights of the data subjects. Careful documentation and implementation of this balancing exercise is crucial to ensure the lawfulness of the processing.

Source: Guidelines of the European Data Protection Board on legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR
