The European Data Protection Board (“EDPB”) has adopted new Guidelines that analyse the criteria set out in Art. 6(1)(f) of the General Data Protection Regulation (“GDPR”) that controllers must meet in order to lawfully process personal data that is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party”.
In these Guidelines the EDPB first explains that data controllers need a legal basis for the lawful processing of personal data. Legitimate interest is one of the six possible legal bases. Therefore, legitimate interest should neither be treated as a “last resort” for rare or unexpected situations, nor should it be automatically chosen or its use unduly extended on the basis of a perception that this legal basis is less constraining than others.
Furthermore, the EDPB explained that for processing to be based on Article 6(1)(f) GDPR, three cumulative conditions must be fulfilled:
1. The pursuit of a legitimate interest(s) by the controller or by a third party
Only those interests that are lawful, clearly and precisely articulated, and real and present may be considered legitimate.
2. The need to process personal data for the purposes of the legitimate interest(s) pursued
If there are reasonable, equally effective, but less intrusive alternatives for achieving the interests pursued, the processing may not be considered to be necessary.
3. The interests or fundamental freedoms and rights of the concerned data subjects do not take precedence over the legitimate interest(s) of the controller or of a third party (balancing exercise)
In this balancing test, the controller needs to take into account:
(i) the interests of the individuals;
(ii) the impact of the processing and their reasonable expectations; and
(iii) the existence of additional safeguards which could limit the impact on the individuals.
In order to determine whether a given processing of personal data may be based on legitimate interest, controllers should carefully assess and document whether these three cumulative conditions are met. This assessment should be done before carrying out the relevant processing operations. In any case, a proper legitimate interest assessment is not a straightforward exercise.
The present guidelines provide guidance on how such an assessment should be carried out in practice, including in a number of specific contexts (e.g., fraud prevention, direct marketing, information security, etc.) where this legal basis may be considered.