Processing Personal Data Under the GDPR Part 1: Overview and Background
Organizations processing data have long relied “legitimate interest” as a lawful ground for processing. However, using the “legitimate interest” grounds is more complicated than simply having a legitimate interest to process the data. It’s instead a “balancing exercise” between the interests of the controller and the rights and freedoms of data subjects.
Because of this, the Future of Privacy Forum and Nymity collaborated to create a Report that identifies specific cases in which the “legitimate interests” ground has been applied by DPAs and courts from the European Economic Area. Today, in the first of a four-part series, we’ll be taking a look at the background to provide details on the significance of lawful grounds for processing in general. In parts 2, 3, and 4, we’ll examine legitimate interests in CJEU case law, unlawful use of legitimate interests as grounds for processing, and lawful use of legitimate grounds for processing.
“Lawfulness” under the GDPR
According to the GDPR, the condition of lawfulness is fulfilled only when at least one of the six legitimate grounds for processing detailed in Article 6 applies:
The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Performance of a Contract
Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
Processing is necessary for compliance with a legal obligation to which the controller is subject.
Processing is necessary in order to protect the vital interests of the data subjects or of any other natural person.
Task in the Public Interest
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority invested in the controller.
Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The GDPR has specific rules for the lawful grounds for processing special categories of data under Article 9. The special categories of data are:
- Data revealing racial or ethnic origin
- Political opinions
- Religious beliefs
- Philosophical beliefs
- Trade union membership
- Generic data
- Biometric data
- Data concerning health
- Data concerning sex life or orientation
Processing of the special categories of data is prohibited, unless allowed under one of the following exceptions:
Explicit consent of the data subject.
Employment and social security law
Carrying out obligations authorized by law or collective agreement.
Necessity to protect vital interest of data subjects.
Carried out with a condition that processing relates solely to people involved in the organisation and that personal data is not disclosed outside that body without consent.
Data manifestly made public
Data made public by the subject.
Data used for the purpose of establishing, exercising, or defending legal claims.
Substantial Public Interest
On the basis of union or member state law.
For the purposes of practicing medicine, assessment of working capacity, or medical diagnosis.
For instance, protecting against serious cross-border threats or ensuring high quality of safety and healthcare.
Archiving, Scientific, or Historical Research
Based on public interest for historical research or statistical purposes.
Processing Personal Data on the Basis of Legitimate Interests in the GDPR
According to Article 6 (1) (f), processing is lawful if it is “necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
Having a closer look at this text, there are three elements for this lawful ground for processing to be applicable:
The personal data being processed must be necessary for the legitimate interests to be achieved. Any data not directly linked to accomplishing the legitimate interests are therefore considered “unlawful”.
Existence of a Legitimate Interest
The interest must be real and present, something that corresponds with current activities or benefits expected in the near future. This must be clearly articulated.
The first step in carrying out the balancing test is looking at the nature and source of the legitimate interests on one hand, and the rights of the data subjects on the other. The more safeguards that the controller can bring towards the protection of the data subject, the more the balance will tip towards the controller.
Consequences of Processing Personal Data on the Basis of Legitimate Interest
Processing personal data on the basis of the legitimate interests of the controller or a third party means that the controller does not have to put in place any other measures to ensure that the processing is lawful. However, the rest of the Regulation will still apply, beginning with the principles in Article 5 – transparency, data minimization, purpose limitation etc., and continuing with the rights of the data subjectson data protection officers, registers of processing activities, data protection impact assessments, security requirements and so on.
Right to Object
Of particular interest is the general right to object. The right to object only applies to processing of data based on necessity to carry out a task of a public body and necessity for a legitimate interest. If the processing activity is based on one of these two grounds, the data subject has the right to object to the processing on grounds relating to his or her particular situation.
Right to Data Portability
Under Article 20, the right to data portability is the only right of the data subject that does not apply to processing based on Article 6(1)(f). According to the first paragraph of Article 20, the right to data portability only applies where the processing is based on consent, or on contract. However, even if the controller is not under an obligation to provide for data portability, the Article 29 Working Party advised that data portability deserves special attention among the additional safeguards which might help tip the balance to be able to use Article 6(1)(f) as legitimate ground for processing.
Legitimate Interests in Case Law
In Part 2 of this series, we will be detailing the issue of legitimate interest in CJEU case law. These cases provide insight into how the highest court in the EU sees the balancing of interests, rights and freedoms of the individual, with the legitimate interests of the controller, while also explaining how the court sees the criteria to lawfully use “legitimate interests” as a ground for processing.
All the cases discussed in Nymity’s report, “Processing Personal Data on the Basis of Legitimate Interests Under the GDPR: Practical Cases” can be found in Nymty ResearchTM.
Nymity ResearchTMmakes foreign documents accessible through the English language summary feature. To learn more about Nymty ResearchTM, book your demo today! https://www.nymity.com/free-trial
For more in-depth information,