The European Data Protection Board (EDPB) has just published its One-Stop-Shop Case Digest on the use of 'Legitimate Interests' as a legal basis for processing Personal Data
Key Points to consider
Legitimate interests is one of the six available legal bases provided in Article 6(1) of the General Data Protection Regulation (EU) 2016/679 (the 'GDPR'). It is considered one of the most flexible legal bases, allowing controllers to process personal data without receiving consent from a data subject if the processing is necessary for, inter alia, business or commercial interests (provided that the individual's rights and fundamental rights are not overridden).
To rely on this legal basis lawfully, a three-part test needs to be satisfied:
- First, identify the legitimate interest pursued by the data controller or third party;
- Second, establish that it is necessary to process personal data for the purposes of the legitimate interests pursued; and
- Third, confirm that the interests or fundamental freedoms and rights of the person concerned by the data protection do not take precedence over the legitimate interest of the controller or of a third party ('balancing test').
The EDPB has just published a Case Digest/Report compiling cross-border decisions made by national Supervisory Authorities (under the One-Stop-Shop mechanism provided by Article 60 of the GDPR) that analyse controllers' reliance on the legal basis of 'legitimate interests' in specific factual contexts, providing positive as well as negative compliance examples.
You can find the report here: https://www.edpb.europa.eu/system/files/2026-03/spe-oss-case-digest-legitimate-interest_en.pdf
These decisions offer insights into how Supervisory Authorities across Europe have interpreted and applied the concept of legitimate interest. From recording prank telephone calls, to weighing users of rental scooters, to tracking aircraft flights, the decisions cover a wide range of situations. Despite the difference in factual context and the open-ended nature of 'legitimate interests', they present common issues around the types of interests which qualify as 'legitimate' and the way that one should assess the necessity and proportionality of processing in particular contexts.
Key Takeaway:
Controllers should clearly describe the legitimate interests pursued as the legal basis, conduct thorough Legitimate Impact Assessments, and consider the data subjects' reasonable expectations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.