Controller's legitimate interests

The processing of personal data can sometimes be justified due to the legitimate interests of the controller or a third party. The use of legitimate interests as a basis for processing requires particularly careful consideration of the data subject's rights and interests.

The processing of personal data can be in the legitimate interests of the controller, for example, when there is a relevant relationship between the controller and data subject. In practice, this means that the data subject is the customer or subordinate of the controller.

Examples of situations in which the controller's interest may be legitimate and permit the processing of personal data:

  • direct marketing
  • scientific and historical research and the compilation of statistics and
  • transmitting personal data within the group for administrative purposes.

Legitimate interest is not a valid basis for the processing of personal data by the authorities in the performance of their duties.

The rights and interests of individuals come first

In principle, the rights and interests of individuals enjoy greater protection than those of the controller. Personal data may not be processed if the data subject's rights or interests override the interests of the controller or third party. This would be the case, for instance, if the data subject is a child.

The influence of the controller's legitimate interests on the rights and interests of the data subject forms a sliding scale. Legitimate interests can vary from insignificant to quite important and even compelling, and their effects on the data subject's rights and interests can vary from more or less significant to severe.

If the controller's interests are minor, they can only override the interests of the data subject if their effects on the data subject are even less significant. On the other hand, significant and compelling interests can justify the processing of personal data or other effects on the data subject's rights and interests, provided that certain guarantees and measures are observed.

Whether an interest can be considered legitimate can be determined by the so-called balance test. In the test, the interests of the controller or third party are weighed against the rights and interests of the data subject.

Balance test: is a legitimate interest a valid basis for processing?

If you are a controller, you are required to perform the balance test to carefully evaluate whether or not you may use legitimate interests as a basis for the processing of personal data. Perform all six steps of the test.

Also draw up a written description of the test, which you can use to demonstrate compliance with the GDPR if necessary. It is essential to record the steps of your decision-making. If the purpose, nature or context of processing changes, perform the test again and update the description to correspond to the new processing.

 

The data subject can object to the processing of his or her personal data

When the processing of personal data is based on public or legitimate interests, the data subject has the right to object to the processing of his or her data at any time. The data subject must be notified of this right at the latest when he or she is contacted for the first time. The information must be presented clearly and separately from other communications. Information society services must include a technical solution that data subjects can use to automatically exercise their right to object.

If the data subject objects to the processing of his or her data, the necessity of processing must be re-evaluated. As a rule, you will then no longer be permitted to process the data subject's personal data, unless

  • you are able to demonstrate that there is a compelling and justified reason for the processing, which overrides the rights and interests of the data subject (e.g. a task in the public interest that requires scientific or historical research or the compilation of statistics); or
  • the processing is necessary for the establishment, exercise or defence of legal claims.

Personal data may not be used for direct marketing after an objection has been filed.