Stijn in Security

Notes on the legitimate interest guide

This article contains notes on the Working Party 29 opinion on the “Notion of legitimate interests of the data controller”. The full opinion can be found here.

The concept of interest

Interest vs purpose:

  • Purpose: the specific reason for processing
  • Interest: broader, the benefit the controller derives from the processing

Example: the interest is employee safety; the purpose is the implementation of access control.

The interest must actually be pursued by the controller, so it has to be a real and present interest.

When is an interest legitimate?

An interest can be considered legitimate as long as the controller can pursue it in a way that is in accordance with data protection and other laws. In other words, a legitimate interest must be ‘acceptable under the law’.

So, a legitimate interest must be:

  • Lawful
  • Clearly articulated (so that a balancing test can be conducted)
  • Real and present

The interests or rights of the data subject

These must be given a broad interpretation. The interest of the data subject does not have to be “legitimate” (unlike the controller’s interest).

Introducing the balancing test

  • The interests and rights of the data subject and the legitimate interests of the controller can each be seen on a spectrum, ranging from very important to trivial.
  • A minor legitimate interest of the controller may only override even more trivial interests of the data subject.
  • An important legitimate interest may in some cases (subject to safeguards and measures) justify a significant impact on the rights and interests of the data subject.

Key factors for balancing test

These factors can be taken into account when conducting a balancing test.

Assessing the controller’s legitimate interest

  • Exercising a fundamental right (e.g. a newspaper publicising the details of the fraudulent actions of a politician)
  • Public interest (wider community interest), for example: a charity processing data for medical research, or a company detecting fraud (both for itself and for the community)
  • Other legitimate interests…
  • Also playing a role in establishing legitimacy:
    • Non binding industry guidelines (or authority guidelines)
    • Societal expectations

Impact on data subjects

Assessing impact:

  • Take both positive and negative impact into account
  • Also consider emotional impact (irritation, fear due to loss of control over data, realising data has been misused, …)
  • ‘Impact’ => covers any possible consequence of the data processing (not only those that actually happened)
  • Identify the sources of potential impact
  • Use a normal risk assessment methodology (likelihood and severity)

Nature of data

  • The more sensitive the information involved, the more consequences there may be for the data subject

The way the data is processed

  • Processing scale: processing seemingly innocuous data on a large scale might lead to a big impact
  • The more negative or uncertain the impact of the processing is, the less likely it is to be considered legitimate

Reasonable expectations of the data subject

  • Is the data subject reasonably expecting the processing (e.g. receiving an email with product tips)?

Status of the controller vs the data subject

  • The controller might be dominant (a very big company, the only provider, …)
  • If the data subject is a child => even more so
  • Also important: the employer ⇔ employee relationship

Provisional balance

  • The balance after taking the above interests and rights into account
  • It might be clear
  • It might not be, and then countermeasures are needed

Additional safeguards

  • If the provisional balance is not a clear yes or no, we can introduce safeguards
  • Examples:
    • Restricting the data collected
    • Measures to ensure the data cannot be used to take decisions about individuals
    • Anonymisation techniques
    • Increased transparency
    • A right to opt out
    • Other measures to empower the data subject

Accountability and transparency

  • Is there a legitimate interest? Is the processing needed for that legitimate interest? Do the interests and rights of the data subject override the legitimate interest? => the controller is accountable for carrying out and documenting this exercise
  • Using the processed data for something other than what was advertised (or for something only mentioned in the fine print) is obviously not allowed

The right to object

  • Even if we have done the balancing test, the data subject can still object -> we need to assess whether the objection is legitimate and stop processing if so
  • The controller can do more: offer an unconditional opt-out (this is an additional safeguard)