Data controllers often rely on their legitimate interests. Pursuant to art. 6 sec. 1 lit. f of GDPR[1], personal data may be lawfully processed if the processing is necessary for the purposes of the legitimate interests pursued by the controller. Because the concept of a legitimate interest is not defined in GDPR, and because it is a convenient basis for processing personal data (there is no need to obtain and archive consents for processing), entrepreneurs sometimes interpret it very widely. Unfortunately, often too widely. In this post I will try to show you how to avoid that.
“Legitimate interest” is a so-called general clause: an undefined expression of an evaluative nature that leaves freedom of interpretation and refers to non-legal norms. That is why controllers have some room in determining what exactly constitutes a legitimate interest pursued by them. However, it is very important not to over-interpret it and not to classify as a legitimate interest situations which do not constitute one. Below are some guidelines helpful in assessing whether you are dealing with a legitimate interest of the personal data controller.
Step 1 – take a look at the preamble
GDPR, like most acts of the European Union, has a preamble which is longer than the provisions of the act itself. The preamble is a kind of commentary explaining what the legislator aimed at when adopting a given regulation or directive. When determining whether the planned activities on personal data can be considered a legitimate interest, it is worth looking first at points 47 and 48 of the preamble. Some specific examples can be found there:
- “where the data subject is a client or in the service of the controller”;
- “transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data”;
- “the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security”;
- “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
The examples given above show how the legislator understands data processing for the purposes of the legitimate interest of the controller. If you plan the same or similar activities with personal data, there is a good chance that they may be classified as your legitimate interest.
Step 2 – check the case law
If, after analyzing the preamble, you still have doubts whether what you are planning constitutes a legitimate interest, you can check the case law. There are more and more decisions of the President of the Personal Data Protection Office in this area. Perhaps a case similar to yours has already been examined, and reading the decision may help you remove your doubts.
In recent years, a well-known decision concerned a foundation whose activity was “for development of democracy, open and transparent administration and civic involvement”, which collected personal data of members of the bodies of entities entered in the National Court Register and published them on its website, showing their connections. The President of the Personal Data Protection Office decided that such actions are compliant with the law and based on art. 6 sec. 1 lit. f of GDPR (decision of the President of the Personal Data Protection Office of May 17th, 2019, file no. ZSPU.440.705.2018).
Step 3 – use your own feeling
If you are unable to find a case similar to yours in the preamble or jurisprudence, you may try to assess your situation by yourself. Sometimes you don’t need to be an expert to feel that something is compliant with the law or that it is better to avoid it. I know this advice may not be very helpful, but this is how general clauses work – it happens that it is completely unclear which actions will be correct.
Step 4 – are you sure you need to process personal data?
If you come to the conclusion that the planned activities will constitute a legitimate interest pursued by you, this is only half the success. In the next step, you must still assess whether the legal conditions for relying on a legitimate interest are met. The first condition is that the processing has to be necessary for the purposes of the legitimate interests pursued by the controller. Is it possible to achieve your legitimate interest without processing personal data in the planned way? If not, the condition of necessity is fulfilled. However, if it is possible to achieve it in a different way, processing personal data on the basis of art. 6 sec. 1 lit. f of GDPR will not be compliant with the law.
Step 5 – are interests or rights of data subject more important?
GDPR allows processing of data for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Therefore it is necessary to compare the interests of the controller with the interests and rights of the person whose data are processed, and to assess whether the processing for the purposes of the controller does not violate their fundamental rights and personal freedoms. Unfortunately, once again, there is no legal definition of these rights, which makes the assessment much more difficult. The doctrine indicates that these may be the rights set out in the Charter of Fundamental Rights of the European Union and in the constitution. Additionally, you can again analyze the case law and see how this issue is resolved by the supervisory authority – perhaps some cases similar to yours have already been examined.
Step 6 (most important) – if you have doubts, give up and look for another basis for processing
If you have any doubts about any of the above steps, give up the idea of processing data for the purposes of legitimate interest. There are other grounds for processing that may be safer in such a situation. As a last resort, you can always ask the data subject for consent to the processing.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)