The General Data Protection Regulation (GDPR) sets out six lawful grounds for processing, one of which is processing under the Legitimate Interests of a Controller, including those of a Controller to which the Personal Data may be disclosed, or of a Third Party. Legitimate Interest, like Data Protection Impact Assessments, is an unclear area of the GDPR. Legitimate interest is a valid legal basis under which to process data, but many organisations struggle with conducting the balancing test obliquely laid out in the GDPR. This post can serve as a guide to the considerations organisations should think about and document when determining whether legitimate interest can be relied upon to process data.
GDPR Legal Basis
Article 6(1)(f) applies where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Under Recital 47
‘The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.’
‘Purpose’ is the specific reason the data is being processed.
An ‘interest’ is the broad stake a Controller may have in the processing, or the benefit that the Controller derives, or which society might derive, from the processing. It must be real and not too vague. For example, many businesses want to make a profit. This does not mean that the broad objective is a Legitimate Interest in and of itself.
An ‘interest’ can be considered ‘legitimate’ if the Controller can pursue this interest in a way that complies with data protection and other laws.
‘Rights and freedoms’ (including but not limited to privacy rights, such as those under the European Convention on Human Rights) should be considered and weighed against the interests of the Controller.
Recitals 47 to 50 in the GDPR give some examples of when a Controller may have a Legitimate Interest which would need to be confirmed by a Legitimate Interest Assessment (LIA).
The Legitimate Interests Assessment – 3 Step Balancing Test
1. The assessment of whether a Legitimate Interest exists;
2. The establishment of the necessity of processing; and
3. The performance of a balancing test to decide if a particular processing operation can rely on the Legitimate Interests provision in the GDPR as a Lawful Basis for processing that Personal Data.
These are the same principles described by the Information Commissioner's Office (ICO), the English Data Protection Authority, and Article 29 Working Party guidance and opinions.
1. Identifying a Legitimate Interest: Ask what is the purpose for processing the Personal Data and why is it important to you as a Controller?
2. The ‘necessity test’: ask, “Is there another way of achieving the identified interest?”
- If there is not, then the processing is necessary; or
- If there is another way but it would require disproportionate effort, then you may determine that the processing is still necessary; or
- If there are multiple ways of achieving the objective, then a Data Protection Impact Assessment (DPIA) should be used to identify the least intrusive processing activity; or
- If the processing is not necessary then Legitimate Interest cannot be relied on as a Lawful Basis for that processing activity.
3. The ‘balancing test’: There are several factors to consider when deciding whether an individual’s rights would override a Controller’s Legitimate Interest. These include the nature of the interests, the impact of processing, and any safeguards which are or could be put in place.
The nature of the interests includes:
- The reasonable expectations of the individual
  - Would or should they expect the processing to take place? If they would, then the impact on the individual is likely to have already been considered and accepted by them. If they have no expectation, then the impact is greater and is given more weight in the balancing test
- The type of data (i.e. does that data require additional protection in the GDPR, such as data relating to a child or a special category)
  - Sensitive data is subject to stricter rules on its use. This must be a consideration in a balancing test
- The nature of the interests of the Controller (i.e. is it a fundamental right, public or other type of interest)
  - Does it add value or convenience?
  - Is it also in the interests of the individual?
  - If there may be harm because of the processing, is it unwarranted?
The Impact of processing includes:
- Any positive or negative impacts on the individual, any bias or prejudice to the Controller, Third Party or to society of not conducting the processing
- The Controller needs to carefully consider the likelihood of impact on the individual and the severity of that impact. Is it justified? A much more compelling justification will be required if there is the likelihood of unwarranted harm occurring
- The status of the individual – a customer, a child, an employee, or other
- The status of the Controller – such as, whether a business organisation is in a dominant market position
- The ways in which data are processed: does the processing involve profiling or data mining? Publication or disclosure to a large number of people? Is the processing on a large scale?
Finally, think about what, if any, Safeguards are or could be put in place, including:
- A range of compensating controls or measures which may be put in place to protect the individual, or to reduce any risks or potentially negative impacts of processing.
- These are likely to have been identified via a Data Protection Impact Assessment conducted in relation to the proposed activity.
- For example:
  - data minimisation
  - technical and organisational measures
  - privacy by design
  - adding extra transparency
  - additional layers of encryption
  - multi-factor authentication
  - data retention limits
  - restricted access
  - opt-out options
  - encryption, hashing, salting
  - other technical security methods used to protect data
- When a Controller is processing Personal Data relating to children, or special categories of Personal Data, special care should be taken with the balancing test, as this may give additional weight to the rights of the individual.