EDPB Guidelines on the Processing of Personal Data Based on Legitimate Interest
On October 8th, the European Data Protection Board (EDPB) published the Guidelines 1/2024 on the processing of personal data based on Article 6(1)(f) of the GDPR. These guidelines analyse the criteria outlined in Article 6(1)(f) of the GDPR that data controllers must meet in order to lawfully process personal data necessary for the “legitimate interests pursued by the controller or a third party.” According to the Board, the legitimate interest criterion should not be treated as a "last resort" for unusual or unexpected situations where other legal bases are deemed inapplicable, nor should it be automatically chosen or its use unduly extended on the assumption that it is less restrictive than other legal bases.
The guidelines outline three cumulative conditions for applying the legitimate interest criterion, which must be assessed by the data controller before undertaking the processing activities in question. These evaluations must be carefully documented.
1. First Step: Pursuing a Legitimate Interest
The first step is to identify whether the interest of the controller or third party is "legitimate," as not all interests automatically qualify as legitimate under Article 6(1)(f). In this regard, the Court of Justice of the European Union (CJEU) has emphasised that controllers must ensure their own interests are genuinely legitimate before moving on to the subsequent stages of the assessment.
Although the GDPR does not provide an exhaustive list of interests that can be considered legitimate, both the GDPR itself and CJEU case law suggest a broad range of interests that may, in principle, be considered legitimate. These include access to online information, ensuring the continued functionality of publicly accessible websites, obtaining the personal data of individuals who have caused property damage, and assessing individuals' creditworthiness.
An interest may be considered legitimate if it meets the following cumulative criteria:
It is lawful and does not conflict with EU or Member State legislation.
It is clearly and precisely articulated to ensure a fair balance with the data subjects' rights.
It is real and current, not speculative or hypothetical.
As a general rule, the interest pursued by the data controller must relate to the controller’s actual activities. The interest may also be pursued by a third party, provided it is balanced against the interests or fundamental rights and freedoms of the data subject.
2. Second Step: Necessity of Processing
According to the Board, the concept of "necessary for the purposes of the legitimate interests pursued by the controller or a third party" does not merely encompass what is useful to pursue such interests. The necessity must be interpreted to fully reflect the objectives of data protection law, requiring a balance between the controller's necessity and the fundamental rights of the data subjects.
The necessity assessment must evaluate whether the legitimate interests can be reasonably achieved with equal effectiveness through alternative, less restrictive means that do not interfere with the fundamental rights and freedoms of the data subjects. If reasonable, equally effective and less invasive alternatives exist, the processing cannot be deemed "necessary." In this context, the CJEU has explicitly noted that the necessity condition must be examined alongside the principle of "data minimisation."
3. Third Step: Balancing Test
The final step involves a balancing test between the legitimate interest of the controller and the rights and freedoms of the data subject: processing cannot be carried out if the data subject's rights outweigh that interest.
i. The balancing test requires the data controller to identify and describe:
The interests, rights, and fundamental freedoms of the data subjects, including the right to data protection and privacy, freedom and security, freedom of expression and information, freedom of thought, conscience, and religion, freedom of assembly and association, non-discrimination, property rights, or physical and mental integrity. Any other interests, such as financial, social, or personal, that could potentially be impacted by the processing must also be considered.
ii. The impact of the processing on the data subjects, including:
a) The nature of the data being processed.
b) The context of the processing.
c) Any additional consequences of the processing.
iii. The reasonable expectations of the data subject, distinguishing between the notion of reasonable expectation and what is considered common practice in certain sectors. The fact that certain types of personal data are commonly processed in a specific sector does not necessarily mean that data subjects can reasonably expect such processing.
iv. The final balancing of conflicting rights and interests, including the possibility of additional mitigation measures: data controllers may consider introducing measures to mitigate the impact of the processing on data subjects, such as pseudonymisation, reducing the amount of data processed, or limiting retention periods.
*****
The Guidelines emphasise the need to respect the transparency principle, which requires data controllers to provide data subjects with clear and accessible information regarding the purposes of the processing, how the data is processed, and the legal basis invoked. Explicit information enables data subjects to fully exercise their rights and understand the reasons behind the collection and use of their data.