ARTICLE
18 December 2024

Summary Of The EDPB Guideline On Legitimate Interest

The European Data Protection Board (EDPB) is an independent body with a juridical personality whose purpose is to ensure consistent application of the General Data Protection Regulation (GDPR).

The EDPB has issued this guidance to enable all controllers to understand and accurately assess how they can rely on this lawful basis in compliance with the law. It will serve as the standard for GDPR compliance with regard to legitimate interest.

Properly assessing and making use of the lawful basis from Article 6(1)(f) of the GDPR is not an easy or straightforward exercise, but this guidance provides the much-needed clarity.

Organisations in other countries, such as Nigeria, that wish to comply with the highest standards of data protection are on the right track if they commit fully to the directives in this guidance (once it is approved).

What is a legitimate interest?

Legitimate interest is one of the six lawful bases on which a data controller may rely for the processing of personal data.

For processing to be legitimate under this basis, it must meet these three requirements:

  1. There must be a "pursuit of a legitimate interest" by the controller or by a third party.
  2. There must be a "need" to process personal data for the legitimate interest pursued.
  3. The interests and rights of the data subject must "not outweigh" the legitimate interests of the controller or third party (a balancing exercise must be performed for each processing operation).

To further understand the term legitimate interest, it is important to distinguish between "interest" and "purpose".

A "purpose" is the specific reason why the data is processed: the aim or intention of the data processing. An "interest", on the other hand, is the broader stake or benefit that a controller or third party may have in engaging in a specific processing activity.

An interest may be regarded as "legitimate" if the following cumulative criteria are met:

  • The interest is lawful, i.e., not contrary to EU or Member State law.
  • The interest is clearly and precisely articulated.
  • The interest is real and present, and not speculative (it must not be hypothetical at the date of processing).

Article 6(1)(f) GDPR refers to the legitimate interests pursued "by the controller or by a third party". This means that the interest pursued by the controller should be related to the actual activities of the controller.

In some cases, the processing of personal data may serve to pursue simultaneously the legitimate interests of the controller and of a third party. It is also possible for a third party to have a legitimate interest in the processing of data held by the controller, while the controller itself has no such interest. Whichever the case may be, for "third parties" the legitimate nature of their interest must be assessed following the same criteria that apply to the controller's own interests.

Instances where personal data may be processed in the interest of a third party include:

  • Establishment, exercise or defence of legal claims.
  • Disclosure of data for purposes of transparency and accountability.
  • Historical or other kinds of scientific research.
  • General public interest or a third party's interest (the two are not to be confused with each other).

In the above context, it should be noted that if personal data will be processed for a purpose other than that for which the data were initially collected, the controller must check and ensure that the new purpose is compatible with the original purpose under Article 6(4) GDPR (unless consent was received from the data subject).

Analysing the "necessity" of the processing

The concept of necessity has an independent meaning in EU law, and this must be interpreted in a way that fully reflects the objectives of data protection law.

For processing to be deemed "necessary", the controller must ascertain in practice that the legitimate interests pursued cannot reasonably be achieved just as effectively by other means that are less restrictive of the fundamental rights and freedoms of data subjects.

If there are reasonable, just as effective, but less intrusive alternatives, the processing may not be considered "necessary". The Court of Justice of the European Union (CJEU) has held that all such processing must be examined in conjunction with the "data minimisation" principle in Article 5(1)(c) of the GDPR. It further emphasised that the processing may take place "only in so far as it is strictly necessary" for the purposes of the legitimate interest identified. This ties in strongly with Recital 47 of the GDPR.

NB: It is generally easier for a controller to demonstrate the necessity of processing to pursue its own legitimate interests than to pursue the interests of a third party. The latter kind of processing is also generally less expected by data subjects.

Balancing exercise for legitimate interest

The last condition to be met to rely on Article 6(1)(f) GDPR as a legal basis is that the legitimate interest in question must not be overridden by the interests or fundamental rights and freedoms of the data subject.

To properly analyse the rights of data subjects alongside the interests pursued by the controller, the controller must identify and describe the following:

  1. The data subjects' interests, fundamental rights and freedoms.
  2. The impact of the processing on data subjects, including
    1. The nature of the data to be processed,
    2. The context of the processing, and
    3. Any further consequences of the processing.
  3. The reasonable expectations of the data subject.
  4. The final balancing of opposing rights and interests, including the possibility of further mitigating measures.

The purpose of the balancing exercise is not to avoid any impact on the interests and rights of the data subjects altogether. Rather, its purpose is to avoid a disproportionate impact and to assess the weight of these aspects in relation to each other.

Data Subjects' Rights, Interests and Freedoms

The explicit reference to "interests or fundamental rights and freedoms" in Article 6(1)(f) GDPR has a direct impact on the balancing test to be carried out under that provision. It provides more protection for the data subject, as it requires the data subjects' "interests" to be taken into account, not only their fundamental rights and freedoms.

The fundamental rights and freedoms of data subjects include:

  • the right to data protection and privacy
  • the right to liberty and security
  • freedom of expression and information
  • freedom of thought, conscience and religion
  • freedom of assembly and association
  • the prohibition of discrimination
  • the right to property, among others.

The interests of the data subjects to be taken into account as part of the balancing test include any interest that may be affected by the processing at stake, including, but not limited to:

  • financial interests
  • social interests
  • personal interests.

It is also important to pay attention to the nature of the data to be processed: special category data enjoys additional protection under Article 9 of the GDPR, and personal data relating to criminal convictions and offences enjoy additional protection under Article 10 GDPR. Other factors to consider include any further consequences of the processing, any adverse outcomes that can be foreseen, and the reasonable expectations of the data subject.

Finalising the Balancing Test

At the end of this assessment, if the outcome is that the legitimate interest(s) being pursued are not overridden by the data subject's interests, rights and freedoms, the envisaged processing may take place.

However, if the data subject's interests, rights and freedoms seem to override the legitimate interest(s) being pursued, the controller may consider introducing mitigating measures to limit the impact of the processing on data subjects, in view of achieving a fair balance between the rights, freedoms and interests involved.

Final Note

The Guidance itself is subject to public consultation until 20 November 2024. Following the consultation process, the EDPB will issue a final version of the Guidance, which will become the formal interpretation of this key lawful ground for all data protection regulators represented by the EDPB. This document provides an insight into what is to come if and when the guidelines are approved.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
