Article 6(1)(f) is one of the grounds for lawful processing BUT it does require a balancing of the legitimate interests of the controller, or any third parties to whom the data are disclosed, against the interests or fundamental rights of the data subject, in particular where the data subject is a child. The outcome of this balancing test will determine whether Article 6(1)(f) may be relied upon as a legal ground for processing. This condition cannot legitimise the processing of special categories of personal data (sensitive personal data).
‘Legitimate interests’ may be the most flexible lawful basis for processing, BUT you cannot assume it will always be the most appropriate. If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests. The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
There are three elements to the ‘legitimate interests’ basis.
You must identify what the legitimate interest is;
You must show that the processing is necessary to achieve it. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply;
You must balance it against the individual’s interests, rights and freedoms. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
Keep a record of your ‘legitimate interests’ assessment to help you demonstrate compliance if required. You must include details of your legitimate interests in your privacy notices too.
The GDPR recognises the following legitimate interest scenarios (note – this ‘recognition’ does not absolve the controller from performing the balancing test):
processing is strictly necessary for the purposes of preventing fraud;
processing for direct marketing purposes;
for purposes of ensuring network and information security;
for transmitting personal data within a group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data;
for disclosing personal data to a competent authority (criminal investigations);
exercising of the right to freedom of expression or information, including in the media and the arts;
processing for historical, scientific or statistical purposes.
The Article mentions 'third parties'. Examples of legitimate interests of third parties include:
publication of data for purposes of transparency and accountability – e.g. the salaries of top management in a company;
historical or other kinds of scientific research – particularly where access is required to certain databases;
general public interest or third party's interest – this may include situations where a controller goes beyond its specific legal obligations to assist law enforcement or private stakeholders in their efforts to combat illegal activities, such as money laundering, child grooming, or illegal file sharing online.
This lawful basis should not be treated as ‘a last resort’ for rare or unexpected situations where other grounds for legitimate processing are deemed not to apply. However, it should not be automatically chosen, or its use unduly extended on the basis of a perception that it is less constraining than the other grounds. Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
A proper Article 6(1)(f) assessment is not a straightforward balancing test consisting merely of weighing two easily quantifiable and comparable 'weights' against each other. Rather, the test requires full consideration of a number of factors, so as to ensure that the interests and fundamental rights of data subjects are duly taken into account. At the same time, it can vary from simple to complex and need not be unduly burdensome.
It is useful to imagine both the legitimate interests of the controller and the impact on the interests and rights of the data subject on a spectrum. Legitimate interests can range from insignificant through somewhat important to compelling. Similarly, the impact on the interests and rights of the data subjects may be more or may be less significant and may range from trivial to very serious.
Factors to consider when carrying out the balancing test include:
the nature and source of the legitimate interest and whether the data processing is necessary for the exercise of a fundamental right, is otherwise in the public interest, or benefits from recognition in the community concerned;
the impact on the data subject and their reasonable expectations about what will happen to their data, as well as the nature of the data and how they are processed;
additional safeguards which could limit undue impact on the data subject, such as data minimisation, privacy-enhancing technologies, increased transparency, a general and unconditional right to opt-out, and data portability.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018