Processing of personal data based on legitimate interest

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR“), personal data of data subjects – natural persons – may be processed only on one or more of the six legal bases set out in the GDPR. One of these legal bases is legitimate interest.

On 9 October 2024, the European Data Protection Board (“EDPB“) adopted Guidelines on processing personal data based on legitimate interest within the meaning of Article 6(1)(f) of the GDPR (“Guidelines“), available here. The Guidelines are a non-binding methodological and interpretative tool for data controllers who process personal data on the legal basis of legitimate interest.

Legal basis
The legal bases under the GDPR are as follows:

  • the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • the processing is necessary for compliance with a legal obligation to which the controller is subject;
  • the processing is necessary for the protection of the vital interests of the data subject or another natural person;
  • the processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller;
  • the processing is necessary for the purposes of the legitimate interests of the controller or of a third party concerned, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Controllers commonly misjudge and misidentify the legal basis on which they process personal data, which results in numerous cases of unlawful processing.

It is processing based on the legitimate interests of the controller or of a third party, i.e. under Article 6(1)(f) of the GDPR, that controllers most often mistake for an all-encompassing legal basis. They resort to it when no other legal basis is available and simply declare, without further analysis, that the processing is necessary for the claimed legitimate interest.

Such a practice is contrary to the core principles of the GDPR, namely the principle of data minimisation and the requirement that every processing operation rest on a valid legal basis.

Legitimate interest of the controller or third party
The processing of personal data based on a legitimate interest of the controller is only possible under the GDPR and the Guidelines if three conditions are met:

  1. the processing pursues a legitimate interest of the controller or a third party;
  2. the processing is necessary for the fulfilment of a legitimate interest of the controller or a third party; and
  3. the interests or fundamental rights and freedoms of the data subject do not override the interests of the controller or the third party.

In accordance with the Guidelines, controllers should assess whether the above conditions are met before they commence the processing of personal data. The Guidelines organise this assessment into three successive steps.

The first step in assessing whether personal data can be processed on the basis of Article 6(1)(f) of the GDPR is to verify that a legitimate interest of the controller or of a third party exists. Where several legitimate interests are pursued concurrently, the controller must assess each of them individually.

Although the GDPR contains no definition of legitimate interest as such, the legislator’s intention can be inferred from the recitals of the GDPR, and the case law of the Court of Justice of the European Union (“CJEU“) may also provide guidance. Building on these sources, the Guidelines summarise and specify the requirements that the legitimate interest of the controller or third party must satisfy.

The Guidelines set out three basic requirements that must be met to qualify the interest of the data controller or third party as legitimate, where the legitimate interest must be:

  1. lawful;
  2. clearly and precisely articulated;
  3. real and present.

The legitimate interest of the controller or the third party must, in the first place, comply with the laws of the Member States and of the European Union. Although the legislation contains no list of “permissible” legitimate interests, a number of recognised legitimate interests can be deduced from the CJEU case law. These include, for example, access to online information, ensuring the continued operation of publicly accessible websites, obtaining the personal data of a person who has damaged someone’s property in order to bring a claim for damages, protecting the property, health and life of the co-owners of a building, improving products, and assessing the creditworthiness of persons, among others.

Furthermore, the legitimate interest of the controller or third party must be clearly and precisely articulated. This requirement exists because each individual legitimate interest must subsequently be weighed against the fundamental rights and freedoms of data subjects, which is impossible if the interest is described only in vague terms.

Finally, for the interests of the controller or third party to qualify as legitimate, the articulated interests must have a factual basis: they must not be arbitrary, speculative or hypothetical, and must therefore exist and be real at the time the personal data are processed.

Necessity to achieve the legitimate interests of the controller or third party
To establish processing based on legitimate interest under Article 6(1)(f) GDPR, the processing of personal data must be necessary for the achievement of the legitimate interests of the controller or of a third party, which the controller has identified with sufficient precision and certainty in the previous step (step 1).

In general, the interest pursued by the controller should relate to the controller’s actual activities. Alongside the controller’s own legitimate interest, the legitimate interests of one or more third parties may be pursued, and each of them must be weighed individually against the fundamental rights and freedoms of data subjects. In every case, the processing of personal data must be strictly necessary to achieve the articulated interest of the controller or of the third party, i.e. the interest could not reasonably be achieved as effectively in practice by alternative, less intrusive means that interfere less with the fundamental rights and freedoms of data subjects. The controller should also adopt appropriate measures to ensure compliance with the basic principles of processing, e.g. data minimisation.

In this context, we would add that personal data may subsequently be processed for purposes other than those for which they were initially collected, provided that such further processing is compatible with the original purposes. In assessing compatibility, the following should be considered:

  1. any link between the purposes for which the personal data were collected and the purposes of the intended further processing;
  2. the circumstances in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller;
  3. the nature of personal data, in particular, whether special categories of personal data or personal data relating to criminal convictions and offences are processed;
  4. the possible consequences of the intended further processing for the data subjects;
  5. the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Balancing the interests of the controller against the interests and fundamental rights and freedoms of data subjects
The final step in the assessment is the so-called ‘balancing test’, a methodological procedure in which the controller weighs its own legitimate interests (or the legitimate interests of a third party) against the interests and fundamental rights and freedoms of data subjects.

As part of the ‘balancing test’, the controller should assess the following:

  1. the interests, fundamental rights, and freedoms of data subjects;
  2. the impact of the processing on data subjects, including (i) the nature of the data processed, (ii) the context of the processing, and (iii) any other consequences of the processing;
  3. the reasonable expectations of the data subject; and
  4. the ultimate balancing of conflicting rights and interests, including the possibility of further mitigating measures.

When carrying out the balancing test, the controller should bear in mind that its purpose is not to exclude any interference with the data subject’s sphere altogether, but to assess whether such interference is proportionate in the context of the processing and whether the interests or fundamental rights and freedoms of the data subject override the legitimate interests of the controller or of a third party.

If the outcome of the balancing test is negative for the controller, i.e. the interests and fundamental rights and freedoms of the data subject override the interests of the controller, the controller may not process the personal data on the basis of Article 6(1)(f) GDPR. If the outcome is borderline, the controller should consider taking additional measures to reduce the intrusion of the processing into the sphere of the data subject.

Conclusion
Among the general public, the processing of personal data on the basis of a legitimate interest of the controller or a third party is often regarded (together with the consent of the data subject, which is not discussed in this article) as an all-encompassing legal basis under which personal data can be processed more or less at the controller’s will whenever no other basis is available. The opposite is true.

Processing based on a legitimate interest of the controller or a third party is possible only in limited cases, subject to specific conditions, and must be preceded by a thorough compliance assessment consisting of several steps.

Please do not hesitate to contact us if you have any questions about this topic or any other issue related to the processing of personal data.

Mgr. Jakub Málek, Managing partner – malek@plegal.cz

Mgr. Kateřina Vyšínová, Junior lawyer – vysinova@plegal.cz

www.peytonlegal.en

20. 3. 2025