The concept of legitimate interest, to which the General Data Protection Regulation 2016/679 (GDPR) refers explicitly, has led to a heated debate, as it can be interpreted in various ways and can carry different meanings across the Member States of the European Union. Clarifying the concept is of great importance for every company and business processing personal data (ordinary and sensitive) of a data subject, because, under certain conditions, it allows the controller to process the data subject's personal data without his or her prior consent.
What is provided in the GDPR?
According to article 6 of the Regulation, processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
In particular, article 6 par. 1(f) states that such processing is lawful only if it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
However, could businesses exploit this provision and invoke legitimate interest every time they fail to obtain the specific and freely given consent of the data subject? The answer is negative. The Regulation requires that the processing be necessary for the purposes of the legitimate interests pursued by the controller, and that those interests not be overridden by the interests or fundamental rights and freedoms of the data subject. In practice this means that the controller must carry out a thorough necessity and balancing test beforehand and must be able to demonstrate its outcome, in line with the accountability principle of article 5 par. 2.
When can it be implemented?
When the controller wants to process personal data on the basis of his legitimate interests, he should be able to demonstrate, before any Supervisory Authority and/or any data subject who questions the processing, that the intended processing is necessary and that the interests or fundamental rights and freedoms of the data subjects do not override his own interests. The controller's decision should be documented and re-evaluated whenever the purpose or scope of the processing changes. Therefore, a Legitimate Interest Assessment should take place, in which the controller verifies that the above conditions are met, while taking every measure necessary to maintain proportionality between his legitimate interests and the rights and freedoms of the data subject.
What does the Legitimate Interest Assessment include?
The Legitimate Interest Assessment consists of three key stages:
In the first stage (the purpose test) the legitimate interest must be identified: what is the purpose of processing the subject's personal data, and why is it important to the controller. Even where the controller's interest in processing the data is obvious and lawful, it must be clearly formulated, and the data subject must be informed of it so that he or she is aware of the legal basis of the processing (articles 13 and 14 of the Regulation require the controller to state the legitimate interests pursued).
In the second stage (the necessity test) the controller must examine whether the processing of the personal data is actually necessary for achieving his commercial or business goal, or whether the same goal could reasonably be achieved in a less intrusive way. Only if the processing is deemed necessary may he move on to the final and most important stage.
The third stage is the balancing test. The controller may invoke legitimate interest only after the rights and freedoms of the data subject whose personal data are to be processed have been evaluated and found not to override the interests of the controller. This test must weigh the possible impact of the intended processing on the data subject, the reasonable expectations of the individual (that is, whether the subject would expect such processing), the kind of personal data processed, and any imbalance of power between the controller and the data subject.
Only when the outcome of the assessment is positive may the controller proceed with the processing of personal data under article 6 par. 1(f) of the General Data Protection Regulation 2016/679 (GDPR).
Our law firm’s comment
Controllers should not invoke legitimate interest unfairly; the invocation must be justified by the necessity of the processing and must be proportionate to the rights and interests of the data subjects. Moreover, the spirit of the new Regulation places the responsibility for protecting personal data on the controllers, who face substantial administrative fines (under article 83 par. 5, up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher) if they carry out any unlawful processing.