Balance test: is a legitimate interest a valid basis for processing?
If you are a controller, you are required to perform the balance test to carefully evaluate whether or not you may use legitimate interests as a basis for the processing of personal data. Perform all six steps of the test.
Also draw up a written description of the test, which you can use to demonstrate compliance with the GDPR if necessary. It is essential to record the steps of your decision-making. If the purpose, nature or context of processing changes, perform the test again and update the description to correspond to the new processing.
Step 1
The processing of personal data always requires a legal basis. Evaluate the suitability of the different bases for processing (consent, contract, etc.) for your planned processing operations.
If legitimate interest, together with the related rights of the data subject, is the most suitable basis for the processing, go to step 2.
Step 2
For an interest to be considered legitimate, it must meet the following basic requirements:
- The interest must be legal (in compliance with Union or national law).
- The interest must be clearly stated so that its balance with the data subject's rights and interests can be assessed.
- The interest must represent a genuine and direct need. The interest cannot be speculative.
If all the requirements are met, go to step 3.
Step 3
Consider whether the same result could be achieved through means that are less invasive of the privacy of the data subjects.
If this is not possible, continue to step 4.
Step 4
Evaluate the actual effects of the processing by answering the following questions.
The interests of the controller or third party
- What is the nature of the controller's or third party's interest?
- What benefit would the processing of personal data provide?
- What detriment would ensue from not processing the personal data?
For an interest to be legitimate, the processing of the data must be necessary, for example, for the exercise of a fundamental right (e.g. freedom of speech, freedom of art and research, freedom of trade) and proportionate to it. The public interest or interests of wider communities can also be legitimate (e.g. charities, non-profit organisations).
Other legitimate interests can arise from the interest's proximity to a context to which another basis for processing can be applied (e.g. a contract), but the processing does not fall directly within the scope of this basis. It is also relevant whether the controller's right to process personal data in the pursuit of a legitimate interest is recognised in EU or national legislation or other regulatory instrument.
Effects on the data subject
- What is the nature of the personal data involved?
- How would the personal data be processed (e.g. large-scale processing, aggregation, data mining, profiling, publication)?
- How would the processing measures affect the data subject?
The more sensitive the data (e.g. special categories of personal data or confidential personal data), the greater the potential consequences of the processing for the data subject. Negative and uncertain consequences of processing decrease the probability of the processing being considered legitimate. For example, the large-scale processing and aggregation of individually harmless data could lead to uncovering more personal and sensitive data related to the data subjects.
When evaluating the effects of data processing on the data subject, take both concrete and potential consequences into consideration. These can include future decisions, actions or situations, in which the processing could lead to discrimination against the data subject, but also emotional effects, such as annoyance.
The probability of the risk and severity of the consequences also have an impact on the overall evaluation of effects. The purpose of the balance test is to prevent unreasonable effects from the perspective of the data subject.
- Would the data subject expect his or her data to be used in such a manner?
- Would it be likely that the data subject would object to the processing or at least find it questionable?
The processing must not be unexpected or unanticipated from the data subject's perspective. The processing of data collected in restrictive contexts is generally subject to greater restrictions.
- What are the positions of the controller and data subject?
- Do you intend to process the personal data of children?
- Is the data subject in an otherwise vulnerable position?
Pay attention to the controller's relationship to the data subject. Is the controller you represent an individual, small organisation, large company or authority? For example, a multi-national company could use its position of power to justify processing operations with interests that are not legitimate in reality.
The position of the data subject merits closer inspection when the data subject is a child or belongs to another vulnerable population group in need of special protection. In such cases, efforts should be made to determine the effects of the processing on individual persons.
Determining a preliminary balance
After weighing the interests of the various parties, you will be able to gain an understanding of the weight of the controller's or third party's interest in relation to the fundamental rights and freedoms of the data subject.
The measures specified in the GDPR (e.g. the evaluation of proportionality, openness and transparency) support the use of legitimate interest as a processing basis. However, additional evaluation is particularly necessary if it is not clear which way the balance tilts. Consider whether you could take additional measures to prevent unreasonable effects for the data subject.
If the rights or interests of the data subject do not override the interests of the controller, continue to step 5.
Step 5
You can take further measures to influence the final result of the balance test. The result of the balance test depends on an overall evaluation: the greater the effect of the processing on the data subject, the stronger the data protection guarantees required of the controller. These guarantees must reduce the effects on data subjects in a reliable and significant manner.
As a controller, you can perform additional measures such as:
- technical and organisational measures ensuring that the data is not used for decisions concerning the data subject or for other purposes (functional separation)
- extensive use of anonymisation techniques
- utilisation of techniques that improve the protection of privacy (e.g. impact assessment) and
- the encryption of personal data.
Step 6
Before starting to process personal data, complete and archive the written description of your balance test. Keep transparency in mind and be prepared to justify to the data subject why the processing of his or her personal data is in the controller's legitimate interest in this case.