The New Guidelines
The European Data Protection Board (EDPB) has just released its much-anticipated guidelines on the processing of personal data based on legitimate interest. This legal basis, outlined in Article 6(1)(f) of the GDPR, allows data controllers to process personal data when they have a legitimate interest, provided they meet specific criteria.
These guidelines analyze the criteria laid down in Article 6(1)(f) GDPR that controllers must meet to lawfully process personal data that is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party.” It is crucial to note that Article 6(1)(f) is not a fallback option to be used when no other legal basis is available, nor should it be applied expansively simply because it appears less constraining than the others.
1st Takeaway: Three Cumulative Conditions for Data Controllers
To rely on legitimate interest, data controllers must fulfill three cumulative conditions:
1) Pursuit of a Legitimate Interest: There must be a legitimate interest pursued by the controller or a third party. Only lawful, precisely articulated, and present interests can be deemed legitimate. Controllers are also responsible for informing data subjects about the legitimate interests they pursue when processing is based on this legal basis.
2) Necessity of Processing: The processing of personal data must be necessary for achieving the legitimate interest. Controllers should assess whether the same interest could be achieved by less intrusive means, taking into account the data minimisation principle in Article 5(1)(c) of the GDPR.
3) Balancing Interests: The interests or fundamental rights and freedoms of the data subjects must not override the legitimate interests of the controller or a third party. This requires a careful balancing exercise that considers factors such as the nature of the legitimate interest, the impact of the processing on the data subject (including the data subject’s reasonable expectations), and any safeguards that might mitigate negative effects.
2nd Takeaway: Practical Insights
The EDPB’s guidelines provide practical insights on conducting these assessments, particularly in contexts such as fraud prevention, direct marketing, and information security. Controllers must carry out and document this assessment before the processing starts, so that they can demonstrate compliance if required.
Relationship with Data Subject Rights
The guidelines also outline how Article 6(1)(f) relates to various data subject rights under the GDPR, emphasizing the need for transparency and fairness in data processing practices.
3rd Takeaway: Public Consultation
The guidelines are currently open for public consultation until 20 November 2024, allowing stakeholders to provide feedback on these critical points regarding legitimate interest.
For a detailed overview and to follow the public consultation process, see the EDPB’s official announcement.