Key Insights from EDPB Guidelines on Legitimate Interest


The European Data Protection Board (EDPB) is an independent body with legal personality whose purpose is to ensure the consistent application of the General Data Protection Regulation (GDPR). The EDPB has issued this guidance so that all controllers can understand and accurately assess how they may rely on this lawful basis in compliance with the law. It will serve as the standard for GDPR compliance with regard to legitimate interest.

Understanding Legitimate Interest

Legitimate interest is one of the six lawful bases on which a data controller may rely for the processing of personal data. For processing to be lawful on this basis, three cumulative conditions must be met:

  • There must be a “pursuit of a legitimate interest” by the controller or by a third party.
  • The “need” to process personal data for the pursued legitimate interest.
  • The interests and rights of the data subject “do not outweigh” the legitimate interests of the controller or third party (a balancing exercise must be performed for each processing).
Unpacking the Difference: Interest vs. Purpose

    To understand the term “legitimate interest” properly, it is important to distinguish between an “interest” and a “purpose”.

    A “purpose” is the specific reason why the data is processed: the aim or intention of the data processing. An “interest”, on the other hand, is the broader stake or benefit that a controller or third party may have in engaging in a specific processing activity.

    An interest may be regarded as “legitimate” if the following cumulative criteria are met:

  • The interest is lawful, i.e., not contrary to EU or Member State law.
  • The interest is clearly and precisely articulated.
  • The interest is real and present, and not speculative (it must not be hypothetical at the date of processing).
When Can Personal Data Be Shared for Third-Party Interests?

    Instances where personal data may be processed in the interest of a third party include:

  • Establishment, exercise or defence of legal claims.
  • Disclosure of data for purposes of transparency and accountability.
  • Historical or scientific research.
  • A general public interest or a third party’s interest (these are distinct and should not be treated as the same thing).

    In the above context, it should be noted that if personal data are to be processed for a purpose other than the one for which they were initially collected, the controller must check and ensure that the new purpose is compatible with the original purpose under Article 6(4) GDPR (unless the processing is based on the data subject’s consent or on Union or Member State law).
What Does ‘Necessity’ Mean in the Context of Data Processing?

    For processing to be deemed “necessary”, the controller must establish in practice that the legitimate interest pursued cannot reasonably be achieved just as effectively by other means that are less restrictive of the fundamental rights and freedoms of data subjects.

    If there are reasonable alternatives that are just as effective but less intrusive, the processing may not be considered “necessary”. The Court of Justice of the European Union (CJEU) has held that necessity must be examined in conjunction with the principle of “data minimisation” in Article 5(1)(c) GDPR.

    NB: it is generally easier for a controller to demonstrate the necessity of processing that pursues its own legitimate interests than of processing that pursues the interests of a third party. The latter kind of processing is also generally less expected by data subjects.

    How Do We Balance Data Subject Rights Against Legitimate Interests?

    The last condition to be met to rely on Article 6(1)(f) GDPR as a legal basis is that the legitimate interest in question must not be overridden by the interests or fundamental rights and freedoms of the data subject.

    To properly analyse the rights of data subjects alongside the interests pursued by the controller, the controller must identify and describe the following:

  • the data subjects’ interests, fundamental rights and freedoms;
  • the impact of the processing on data subjects, including the nature of the data to be processed, the context of the processing, and any further consequences of the processing;
  • the reasonable expectations of the data subject;
  • the final balancing of the opposing rights and interests, including the possibility of further mitigating measures.

    The purpose of the balancing exercise is not to avoid any impact on the interests and rights of the data subjects altogether. Rather, its purpose is to avoid a disproportionate impact and to assess the weight of these aspects in relation to each other.

    Data Subjects’ Rights, Interests and Freedoms

    The explicit reference to “interests or fundamental rights and freedoms” in Article 6(1)(f) GDPR has a direct impact on the balancing test to be carried out under that provision. It provides more protection for the data subject, as it requires the data subjects’ “interests” to be taken into account, not only their fundamental rights and freedoms.

    Some of the fundamental rights and freedoms of data subjects include:

  • the right to data protection and privacy
  • right to liberty and security
  • freedom of expression and information
  • freedom of thought, conscience and religion
  • freedom of assembly and association
  • prohibition of discrimination
  • the right to property, among others.

    The interests of data subjects to be taken into account as part of the balancing test include any interest that may be affected by the processing at stake. This includes, but is not limited to:

  • financial interests
  • social interests
  • personal interests.

    It is also important to pay attention to the nature of the data to be processed: special category data enjoy additional protection under Article 9 GDPR, and personal data relating to criminal convictions and offences enjoy additional protection under Article 10 GDPR. Other factors to consider include any further consequences of the processing and adverse outcomes that can be foreseen, and the reasonable expectations of the data subject.

    Finalising the Balancing Test

    At the end of this assessment, if the outcome is that the legitimate interest(s) being pursued are not overridden by the data subject’s interests, rights and freedoms, the envisaged processing may take place.

    However, if the data subjects’ interests, rights and freedoms appear to override the legitimate interest(s) being pursued, the controller may consider introducing mitigating measures to limit the impact of the processing on data subjects, with a view to achieving a fair balance between the rights, freedoms and interests involved.

    What’s Next for GDPR Guidelines After Public Consultation?

    The Guidance itself is subject to public consultation until 20 November 2024. Following the consultation, the EDPB will issue a final version, which will become the formal interpretation of this key lawful basis for all data protection regulators represented in the EDPB. This document offers an insight into what is to come if and when the guidelines are adopted.