Article 6 (1)(f) is one of the grounds for lawful processing BUT it does require a balancing of the legitimate interests of the controller, or any third parties to whom the data are disclosed, against the interests or fundamental rights of the data subject, in particular where the data subject is a child. The outcome of this balancing test will determine whether Article 6 (1)(f) may be relied upon as a legal ground for processing. This condition cannot legitimise the processing of special categories of personal data (sensitive personal data).
The GDPR recognises the following legitimate interest scenarios:
processing is strictly necessary for the purposes of preventing fraud;
processing for direct marketing purposes;
for purposes of ensuring network and information security;
for transmitting personal data within a group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data;
for disclosing personal data to a competent authority (criminal investigations);
exercising of the right to freedom of expression or information, including in the media and the arts;
processing for historical, scientific or statistical purposes;
The Article mentions 'third parties'. Examples of legitimate interests of third parties include:
publication of data for purposes of transparency and accountability – e.g. the salaries of top management in a company;
historical or other kinds of scientific research – particularly where access is required to certain databases;
general public interest or third party's interest – this may include situations where a controller goes beyond its specific legal obligations to assist law enforcement or private stakeholders in their efforts to combat illegal activities, such as money laundering, child grooming, or illegal file sharing online;
This lawful basis should not be treated as ‘a last resort’ for rare or unexpected situations where other grounds for legitimate processing are deemed not to apply. However, it should not be automatically chosen, or its use unduly extended on the basis of a perception that it is less constraining than the other grounds. If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests. Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority..
A proper Article 6(1)(f) assessment is not a straightforward balancing test consisting merely of weighing two easily quantifiable and comparable 'weights' against each other. Rather, the test requires full consideration of a number of factors, so as to ensure that the interests and fundamental rights of data subjects are duly taken into account. At the same time, it can vary from simple to complex and need not be unduly burdensome.
It is useful to imagine both the legitimate interests of the controller and the impact on the interests and rights of the data subject on a spectrum. Legitimate interests can range from insignificant through somewhat important to compelling. Similarly, the impact on the interests and rights of the data subjects may be more or may be less significant and may range from trivial to very serious.
Factors to consider when carrying out the balancing test include:
the nature and source of the legitimate interest and whether the data processing is necessary for the exercise of a fundamental right, is otherwise in the public interest, or benefits from recognition in the community concerned;
the impact on the data subject and their reasonable expectations about what will happen to their data, as well as the nature of the data and how they are processed;
additional safeguards which could limit undue impact on the data subject, such as data minimisation, privacy-enhancing technologies; increased transparency, general and unconditional right to opt-out, and data portability;
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018