Iñigo de Miguel Beriain (UPV/EHU)
Acknowledgements: The author thankfully acknowledges advice, input and feedback on drafts from Bud Bruegger and Harald Zwingelberg.
This part of The Guidelines has been reviewed and validated by Marko Sijan, Senior Advisor Specialist (HR DPA).
Legitimate interest is one of the six legal bases for the processing of personal data listed in Article 6(1) of the GDPR (see the “Lawfulness, fairness and transparency” subsection in the “Principles” section of the General Part of these Guidelines). This legal basis requires that the legitimate interests of the controller, or of any third parties to whom the data are disclosed, prevail over the interests, fundamental rights and freedoms of the data subjects (Article 6(1)(f)). To verify that this is indeed the case, controllers can make use of a tool called the balancing test, which has been recommended, for instance, by the Article 29 Working Party. The purpose of this tool is to check whether the legitimate interests of the controller or of the third parties actually prevail over the interests, fundamental rights and freedoms of the data subjects.
When do the fundamental rights and freedoms of the data subject not take precedence?
Carrying out a balancing test involves considering several key factors that are decisive in determining which interests, freedoms or rights prevail, namely:
- The nature and source of the legitimate interest: whether the data processing is necessary for the exercise of a fundamental right, is otherwise in the public interest, or benefits from recognition in the community concerned. Evaluating the possible prejudice suffered by the controller, by third parties or the broader community if the data processing does not take place is compulsory.
- The power and status of the two parties (controller or third party, and data subject). For instance, an employer intending to process the data of an employee is in a stronger position than the employee. If the data subjects are minors, their interests, rights and freedoms should be given greater weight.
- The nature of the data. While the processing of any personal data should be adequately weighed, the processing of special categories of personal data, such as racial origin, religious beliefs, genetic data or data concerning health, should be given greater weight.
- The impact of the processing on the data subjects. To this purpose, controllers should consider whether processing might result in a high risk to individuals’ rights and freedoms. If this is the case, they must perform a DPIA.
- The data subjects’ reasonable expectations about what will happen to their data. Controllers should be able to demonstrate that a data subject would expect the processing in light of the particular circumstances. If the purpose and method of processing are not immediately obvious and there is the potential for a range of reasonable opinions about whether people would expect it, controllers may wish to carry out some form of consultation, focus group or market research with individuals to demonstrate expectations and support their position. If there are pre-existing studies on reasonable expectations in a particular context, controllers may be able to draw on these as part of their determination of what individuals may or may not expect.
- The way data are processed (large scale, data mining, profiling, disclosure to a large number of people or publication);
- The additional safeguards which could limit undue impact on the data subject, such as: data minimization (e.g. strict limitations on the collection of data, or immediate deletion of data after use); technical and organizational measures to ensure that the data cannot be used to take decisions or other actions with respect to individuals (‘functional separation’); wide use of anonymization techniques, aggregation of data, privacy-enhancing technologies, privacy by design, and privacy and data protection impact assessments; increased transparency, a general and unconditional right to object (opt-out), data portability and related measures to empower data subjects, etc.
The issue of the additional safeguards
The Article 29 Working Party considers that mitigation measures and safeguards, such as organizational or technical measures adopted by the controller for the protection of the data subject’s data, should be included in the balancing test. There is, however, an alternative approach, which holds that Article 6(1)(f) calls for a balancing test between two values: the legitimate interests of the controller (or a third party) and the interests, rights and freedoms of the data subject. Mitigation measures and safeguards do not fit well with either of these values and therefore, under this approach, should not be considered. Otherwise, they would tilt the balance towards the controller’s side, since they would understate the harm that could be caused to the data subject’s interests, rights and freedoms. Kamara and De Hert have made some convincing statements on this concrete issue, stating that
“including mitigation measures in the assessment would lead to a representation of the actual expected impact of the processing to the data subjects’ rights, and would still allow the legitimate interests to prevail. This approach does not ‘punish’ the controller that takes mitigation measures and safeguards, by not including them in the balancing test. On the contrary it encourages the controller to do so. On the other hand, one should keep in mind that the weight of future safeguards and mitigation measures is always relevant to their realisation and effectiveness. Such measures therefore should be considered, but not play a significant role in determining to which side the scale leans.”
1. A29WP, Opinion 06/2014 on the notion of legitimate interests of the controller under Article 7 of Directive 95/46/EC, April 2014, p. 24. At: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf. Accessed 05 January 2020.
2. A29WP, Opinion 06/2014 on the notion of legitimate interests of the controller under Article 7 of Directive 95/46/EC, April 2014, p. 24. At: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf. Accessed 05 January 2020.
3. ICO, How do we apply legitimate interests in practice? At: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/. Accessed 15 January 2020.
4. Kamara, Irene and De Hert, Paul, “Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach”, Brussels Privacy Hub, Working paper, vol. 4, nº 12, 2018, p. 17. At: https://brusselsprivacyhub.eu/BPH-Working-Paper-VOL4-N12.pdf. Accessed 17 January 2020.