On October 8, 2024, the European Data Protection Board (EDPB) adopted Guidelines on the processing of personal data on the basis of a legitimate interest. With the Guidelines, the EDPB wants to clarify the term "legitimate interest". Companies should familiarize themselves with the Guidelines, as they are intended to provide more legal certainty.
Three requirements for "legitimate interest"
Legitimate interest is one of six possible legal bases in Art. 6 para. 1 GDPR on which personal data can be lawfully processed. Art. 6 para. 1 lit. f GDPR provides that personal data may be processed if this is necessary to safeguard the "legitimate interests" of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail.
The term "legitimate interest" is broad in the legal sense and is now explained in more detail in the Guidelines.
In order to be able to invoke a legitimate interest, the controller must fulfill three conditions according to the EDPB:
- Pursuit of a legitimate interest by the controller or a third party
As the EDPB emphasizes, only interests that are lawful, clearly and precisely formulated, real and current can be considered legitimate. Such legitimate interests could, for example, exist in a situation in which the data subject is a customer of the controller or is in its service.
- Necessity of the processing of personal data for the pursuit of the legitimate interest
If there are appropriate, equally effective but less intrusive alternatives to achieve the interests pursued, the processing is not considered necessary. The necessity of the processing should also be checked against the principle of data minimization.
- The interests or fundamental freedoms and rights of individuals do not take precedence over the legitimate interest of the controller or a third party (balancing test)
The controller must ensure that its legitimate interest is not overridden by the interests, fundamental rights or freedoms of the individual. In this assessment, the controller must take into account the interests of the individuals, the effects of the processing, their reasonable expectations and the existence of additional safeguards that could limit the impact on the individual.
Focus on the need for processing
As an example, the Guidelines also cite the processing of personal data for direct marketing purposes, where the rights of the data subjects must be carefully weighed up.
According to the Guidelines, however, the assessment is not only about economic interests, but also about preventing fraud, ensuring network security or carrying out internal administrative processes.
An essential requirement of Art. 6 para. 1 lit. f GDPR is the "necessity" of the processing. The Guidelines clarify that the interest of the controller may only be pursued if there is no other, less drastic measure to achieve the same objective. "Data minimization", one of the core principles of the General Data Protection Regulation, must always be taken into account.
Weighing up legitimate interests and fundamental rights or freedoms
The most difficult step in the application of Art. 6 para. 1 lit. f GDPR is the balance between the legitimate interests of the controller and the rights and freedoms of the data subject. According to the Guidelines, this assessment must be made before data processing begins and is highly context-dependent. Factors such as the type of data processed, the impact of the processing on the data subject and the reasonable expectations of the data subject in relation to the data processing must be taken into account.
The Guidelines also emphasize that the balancing of interests is particularly strict in certain cases, such as the processing of data of minors or particularly vulnerable persons. Since children have a particular need for protection, higher requirements must be placed on the balancing of interests when their data is processed.
According to the Guidelines, the right to object pursuant to Article 21 GDPR must be observed in particular. When the data subject objects to the processing of their data, the processing may only be continued if there are compelling reasons worthy of protection.
The Guidelines of the European Data Protection Board on Art. 6 para. 1 lit. f GDPR provide valuable clarification on the use of "legitimate interests" as a legal basis for data processing. They emphasize that this legal basis must not be used lightly and requires strict balancing in order to safeguard the fundamental rights of data subjects. The careful documentation and implementation of this balancing process is crucial to ensure the legality of the processing.





