DATA PROTECTION
European Data Protection Board: Guidelines on the processing of personal data based on legitimate interest.
The EDPB adopted the Guidelines on the processing of personal data based on legitimate interest.
Data controllers need a legal basis to process personal data lawfully. Legitimate interest is one of the six possible legal bases.
These Guidelines analyse the criteria set down in Art. 6(1) (f) GDPR that controllers must meet to lawfully process personal data on the basis of legitimate interest. It also takes into consideration the recent ECJ ruling on this matter (C-621/22, 4 October 2024).
In order to rely on legitimate interest, the controller needs to fulfil three cumulative conditions:
- the pursuit of a legitimate interest by the controller or by a third party;
- the necessity to process personal data for the purposes of pursuing the legitimate interest;
- the interests or fundamental freedoms and rights of individuals do not take precedence over the legitimate interest(s) of the controller or of a third party (balancing exercise).
First of all, only the interests that are lawful, clearly and precisely articulated, real and present may be considered legitimate. For example, such legitimate interests could exist in a situation where the individual is a client or in the service of the controller.
Second, if there are reasonable, just as effective, but less intrusive alternatives for achieving the interests pursued, the processing may not be considered to be necessary. The necessity of a processing should also be examined with the principle of data minimisation.
Third, the controller must ensure that its legitimate interest is not overridden by the individual's interests, fundamental rights or freedoms. In this balancing exercise, the controller needs to take into account the interests of the individuals, the impact of the processing and their reasonable expectations, as well as the existence of additional safeguards which could limit the impact on the individual.
In addition, these Guidelines explain how this assessment should be carried out in practice, including in a number of specific contexts such as fraud prevention, direct marketing and information security. The document also explains the relationship between this legal basis and a number of data subject rights under the GDPR.
The Guidelines will be subject to public consultation until 20 November 2024.
Data controllers need a legal basis to process personal data lawfully. Legitimate interest is one of the six possible legal bases.
These Guidelines analyse the criteria set down in Art. 6(1) (f) GDPR that controllers must meet to lawfully process personal data on the basis of legitimate interest. It also takes into consideration the recent ECJ ruling on this matter (C-621/22, 4 October 2024).
In order to rely on legitimate interest, the controller needs to fulfil three cumulative conditions:
- the pursuit of a legitimate interest by the controller or by a third party;
- the necessity to process personal data for the purposes of pursuing the legitimate interest;
- the interests or fundamental freedoms and rights of individuals do not take precedence over the legitimate interest(s) of the controller or of a third party (balancing exercise).
First of all, only the interests that are lawful, clearly and precisely articulated, real and present may be considered legitimate. For example, such legitimate interests could exist in a situation where the individual is a client or in the service of the controller.
Second, if there are reasonable, just as effective, but less intrusive alternatives for achieving the interests pursued, the processing may not be considered to be necessary. The necessity of a processing should also be examined with the principle of data minimisation.
Third, the controller must ensure that its legitimate interest is not overridden by the individual's interests, fundamental rights or freedoms. In this balancing exercise, the controller needs to take into account the interests of the individuals, the impact of the processing and their reasonable expectations, as well as the existence of additional safeguards which could limit the impact on the individual.
In addition, these Guidelines explain how this assessment should be carried out in practice, including in a number of specific contexts such as fraud prevention, direct marketing and information security. The document also explains the relationship between this legal basis and a number of data subject rights under the GDPR.
The Guidelines will be subject to public consultation until 20 November 2024.
