How to correctly process personal data on the basis of legitimate interest
In our practice, we often find that controllers who cannot identify another suitable legal basis for processing fall back on their “legitimate interest” in the processing of personal data. The information they subsequently provide to the data subjects is then limited to a single sentence: “We process your data on the basis of our legitimate interest under Art. 6 par. 1 letter f) GDPR.” But is this correct and sufficient? Is processing personal data on the basis of legitimate interest really that simple? In this article, we summarize what you need to think about and what you need to do before you start processing personal data on the basis of “legitimate interest”.
First of all, it is necessary to read Article 6 par. 1 letter f) GDPR carefully:
‘Processing shall be lawful only if and only to the extent that at least one of the following applies: (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’
It follows that, before the processing starts, an assessment of the legitimate interest (the so-called balancing test) must be carried out. The GDPR does not give precise guidance on what a legitimate interest assessment should look like. In any case, given the accountability principle and the controller's obligation to demonstrate that its own practices comply with the GDPR, it is recommended that this assessment be documented, i.e. made in writing.
Several European data protection authorities have issued guidelines for conducting legitimate interest assessments, and almost every such guideline is based on a test divided into three parts:
1. Purpose test
In this part of the test, you need to ask yourself the following questions:
- Is the processing in our interest (i.e. do we or a third party benefit from it)? It is not enough to rely on vague or general business interests. You need to think specifically about what you are trying to achieve through the processing.
- Is the interest on which we base the processing legitimate? Is the purpose of the processing lawful?
- Is the purpose of the processing ethical? Anything illegitimate, unethical or illegal is not a legitimate interest. For example, although marketing may be a legitimate purpose in general, sending spam e-mails in violation of the direct marketing rules under the Electronic Communications Act may not be legitimate.
If the interest is not legitimate, you have not passed the first part of the test and you cannot use legitimate interests as your legal basis. There is no need to continue with the rest of the test, because the other parts cannot legitimize processing that is illegitimate from the outset.
2. Necessity test
- Is our processing really necessary?
- Is there no alternative?
- Can we achieve the same purpose by processing less data or processing data in another or less intrusive way?
In general, processing will be considered necessary if there is no other way to achieve the aim of the processing, or if the alternative way of achieving it would be disproportionately complicated. However, if there are several alternatives that achieve the aim, you must choose the least intrusive one.
3. Balance test
Your legitimate interests must always be weighed against the rights and freedoms of the data subjects. Bear in mind that data subjects have the right not to have their personal data processed in a way that would bother or upset them.
In this part of the test, you need to ask yourself the following questions:
- Do the rights and interests of the data subjects override our legitimate interests?
- Does the processing of personal data pose a high risk to the rights and freedoms of the data subjects?
- What impact will the processing have on the data subjects? Can we minimize or mitigate the impacts or risks?
For example, you should consider the processing of special categories of personal data very carefully, in particular to make sure that such data is not processed unnecessarily and that an exception allowing its processing applies.
Likewise, if you process personal data of “vulnerable persons” (e.g. children, employees, patients), their rights need to be weighed particularly carefully.
Similarly, you should also consider the way in which you intend to process the personal data (for example, whether you use new technology).
After completing all parts of the test, you must decide whether or not your legitimate interests are an appropriate legal basis for the processing and, in particular, whether they are outweighed by the risks you identified in the third part of the test. As with the entire test, you must document your decision and keep this documentation available for review. The documentation should be reviewed regularly and updated where necessary.
If you identified significant risks in your legitimate interest assessment, you need to consider whether a DPIA (data protection impact assessment) is needed to assess the risk in more detail and to take potential mitigation measures.
If you have concluded that processing personal data on the basis of legitimate interest is appropriate, proportionate and possible, do not forget to include information about your legitimate interests in the information you address to data subjects or in your personal data protection policies. You will learn how to do this correctly in our article How to correctly inform the data subjects when you process personal data on the basis of legitimate interests.
This article is for general and informational purposes only, and the conclusions, opinions or recommendations presented herein may not apply to a specific situation. The article does not constitute legal advice or replace it. When solving a specific problem or situation, we always recommend consulting a lawyer.