Organisations may process personal data only if they identify a valid legal basis for the processing. The GDPR lists exhaustively the grounds on which personal data may be processed.
Legitimate interest is one of the six legal grounds for processing personal data and is regulated in Article 6(1)(f) of Regulation (EU) 2016/679 (GDPR). Under this article, processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Advantages of using the legitimate interest ground
Unlike the other grounds stipulated in the Regulation, legitimate interest is not tied to a specific situation and covers a wide range of legal contexts. Because of this flexibility, more and more controllers choose to invoke it when processing personal data.
For example, legitimate interest can be used when the processing is not required by law but benefits the controller or others, when the impact on the privacy of the data subject is limited, or when the controller is unable or unwilling to give the data subject full control (by consent) over the processing it carries out.
The limits within which we can invoke the legitimate interest ground
However, legitimate interest cannot be used at the controller's discretion; it can only be relied on under certain conditions, assessed against the factual situation. Taking into account the circumstances and the controller's field of activity, the interests of the company processing the personal data must be balanced against the individual interests of the data subjects. Only if the balancing test results in the controller's interests prevailing can legitimate interest be invoked as a basis for processing personal data.
Article 6(1)(f) of the GDPR requires organisations to ensure that their legitimate interest is not overridden by the interests or fundamental rights and freedoms of data subjects. Therefore, a legitimate interest assessment (LIA), in the sense of balancing the legitimate interest against the rights of data subjects, will have to be carried out in all cases.
However, a question arises: will each LIA have to be documented or formalised in some way?
Without a doubt, documenting LIAs is good practice for organisations.
Moreover, for complex or intrusive processing, we consider that documenting the LIA becomes absolutely necessary. The same cannot be said for entirely straightforward processing, where the balance between legitimate interest and data subjects’ rights is easily and intuitively apparent.
Typically, the LIA has three parts:
1. Description of the legitimate interest,
2. Justification of the need, and
3. Justification of proportionality.
The proportionality statement is the most complex and sensitive part of an LIA. In essence, the section will need to substantiate the balance between the legitimate interest of the organisation and the rights of the individuals concerned.
In assessing such a balance, various criteria will be considered, such as:
– The nature and volume of the data processed
– Expectations of data subjects with regard to the processing
– Potential impact on data subjects
– Potential impact on the organisation
As a result of applying the above criteria, organisations may conclude that their legitimate interest is less relevant than the privacy rights of data subjects. In this case, counter-balancing measures, so-called “safeguards”, will have to be implemented: limiting the types of data processed, limiting the data retention period, restricting access to data (limited access privileges, even among relevant staff), use of anonymisation techniques, data aggregation, and privacy by design.
Conclusion: Although the legitimate interest ground is the most flexible basis for processing personal data and is recommended where the controller has a clear purpose and the impact on data subjects is minimal, this flexibility calls for increased responsibility on the part of the controller to demonstrate the lawfulness of the processing and to show that the balance between its interests and those of the data subjects has been respected.