Controller's legitimate interests
The processing of personal data can sometimes be justified due to the legitimate interests of the controller or a third party. The use of legitimate interests as a basis for processing requires particularly careful consideration of the data subject's rights and interests.
The processing of personal data can be in the legitimate interests of the controller, for example, when there is a relevant relationship between the controller and data subject. In practice, this means that the data subject is the customer or subordinate of the controller.
Examples of situations in which the controller's interest may be legitimate and permit the processing of personal data:
- direct marketing
- scientific and historical research and the compilation of statistics and
- transmitting personal data within a corporate group for administrative purposes.
Legitimate interest is not a valid basis for the processing of personal data by the authorities in the performance of their duties.
The rights and interests of individuals come first
In principle, the rights and interests of individuals enjoy greater protection than those of the controller. Personal data may not be processed if the data subject's rights or interests override the interests of the controller or third party. This would be the case, for instance, if the data subject is a child.
The influence of the controller's legitimate interests on the rights and interests of the data subject forms a sliding scale. Legitimate interests can vary from insignificant to quite important and even compelling, and their effects on the data subject's rights and interests can vary from minor to severe.
If the controller's interests are minor, they can override the interests of the data subject only if the effects on the data subject are even less significant. On the other hand, significant and compelling interests can justify the processing of personal data even where it has greater effects on the data subject's rights and interests, provided that certain guarantees and measures are observed.
Whether an interest can be considered legitimate can be determined by the so-called balance test. In the test, the interests of the controller or third party are weighed against the rights and interests of the data subject.
Balance test: is a legitimate interest a valid basis for processing?
If you are a controller, you are required to perform the balance test to carefully evaluate whether or not you may use legitimate interests as a basis for the processing of personal data. Perform all six steps of the test.
Also draw up a written description of the test, which you can use to demonstrate compliance with the GDPR if necessary. It is essential to record the steps of your decision-making. If the purpose, nature or context of processing changes, perform the test again and update the description to correspond to the new processing.
Step 1
The processing of personal data always requires a legal basis. Evaluate the suitability of the different bases for processing (consent, contract, etc.) for your planned processing operations.
If legitimate interest and the related rights of the data subject are the best solution for the processing, go to step 2.
Step 2
For an interest to be considered legitimate, it must meet the following basic requirements:
- The interest must be legal (in compliance with Union or national law).
- The interest must be clearly stated so that its balance with the data subject's rights and interests can be assessed.
- The interest must represent a genuine and direct need. The interest cannot be speculative.
If all the requirements were met, go to step 3.
Step 3
Consider whether the same result could be achieved through means that are less invasive of the privacy of the data subjects.
If this is not possible, continue to step 4.
Step 4
Evaluate the actual effects of the processing by answering the following questions.
The interests of the controller or third party
- What is the nature of the controller's or third party's interest?
- What benefit would the processing of personal data provide?
- What detriment would ensue from not processing the personal data?
For an interest to be legitimate, the processing of the data must be necessary, for example, for the exercise of a fundamental right (e.g. freedom of speech, freedom of art and research, freedom of trade) and proportionate to it. The public interest or interests of wider communities can also be legitimate (e.g. charities, non-profit organisations).
Other legitimate interests can arise from the interest's proximity to a context to which another basis for processing can be applied (e.g. a contract), but the processing does not fall directly within the scope of this basis. It is also relevant whether the controller's right to process personal data in the pursuit of a legitimate interest is recognised in EU or national legislation or other regulatory instrument.
Effects on the data subject
- What is the nature of the personal data involved?
- How would the personal data be processed (e.g. large-scale processing, aggregation, data mining, profiling, publication)?
- How would the processing measures affect the data subject?
The more sensitive the data (e.g. special categories of personal data or confidential personal data), the greater the potential consequences of the processing for the data subject. Negative and uncertain consequences of processing decrease the probability of the processing being considered legitimate. For example, the large-scale processing and aggregation of individually harmless data could lead to uncovering more personal and sensitive data related to the data subjects.
When evaluating the effects of data processing on the data subject, take both concrete and potential consequences into consideration. These can include future decisions, actions or situations, in which the processing could lead to discrimination against the data subject, but also emotional effects, such as annoyance.
The probability of the risk and severity of the consequences also have an impact on the overall evaluation of effects. The purpose of the balance test is to prevent unreasonable effects from the perspective of the data subject.
- Would the data subject expect his or her data to be used in such a manner?
- Would it be likely that the data subject would object to the processing or at least find it questionable?
The processing must not be unexpected or unanticipated from the data subject's perspective. The processing of data collected in restricted contexts is generally subject to greater restrictions.
- What are the positions of the controller and data subject?
- Do you intend to process the personal data of children?
- Is the data subject in an otherwise vulnerable position?
Pay attention to the controller's relationship to the data subject. Is the controller you represent an individual, small organisation, large company or authority? For example, a multi-national company could use its position of power to justify processing operations with interests that are not legitimate in reality.
The position of the data subject merits closer inspection when the data subject is a child or belongs to another, vulnerable population group in need of special protection. Efforts should be made to determine the effects of the processing on individual persons in such cases.
Determining a preliminary balance
After weighing the interests of the various parties, you will have an understanding of the weight of the controller's or third party's interest in relation to the fundamental rights and freedoms of the data subject.
The measures specified in the GDPR (e.g. the evaluation of proportionality, openness and transparency) support the use of legitimate interest as a processing basis. However, additional evaluation is particularly necessary if it is not clear which way the balance tilts. Consider whether you could take additional measures to prevent unreasonable effects for the data subject.
If the rights or interests of the data subject do not override the interests of the controller, continue to step 5.
Step 5
You can take further measures to influence the final result of the balance test. The result of the balance test depends on an overall evaluation: the greater the effect of the processing on the data subject, the greater the requirements on the controller's appropriate data protection guarantees. These guarantees must decrease the effects on data subjects in a reliable and significant manner.
As a controller, you can perform additional measures such as:
- technical and organisational measures ensuring that the data is not used for decisions concerning the data subject or for other purposes (functional separation)
- extensive use of anonymisation techniques
- utilisation of techniques that improve the protection of privacy (e.g. impact assessment) and
- the encryption of personal data.
Step 6
Before starting to process personal data, complete and archive the written description of your balance test. Keep transparency in mind and be prepared to justify to the data subject why the processing of his or her personal data is in the controller's legitimate interest in this case.
The data subject can object to the processing of his or her personal data
When the processing of personal data is based on public or legitimate interests, the data subject has the right to object to the processing of his or her data at any time. At the latest, the data subject must be notified of this right when he or she is contacted for the first time. The information must be presented clearly and separately from other communications. Information society services must include a technical solution that data subjects can use to automatically exercise their right to object.
If the data subject objects to the processing of his or her data, the necessity of processing must be re-evaluated. As a rule, you will then no longer be permitted to process the data subject's personal data, unless
- you are able to demonstrate that there is a compelling and justified reason for the processing, which overrides the rights and interests of the data subject (e.g. a task in the public interest that requires scientific or historical research or the compilation of statistics); or
- the processing is necessary for the establishment, exercise or defence of legal claims.
Personal data may not be used for direct marketing after an objection has been filed.
More information:
Right of the data subject when the processing is based on the controller's legitimate interest