Processing Personal Data Under the GDPR Part 2: DPA Issued Guidance and Legitimate Interests in CJEU Case Law
The “legitimate interest” grounds for lawful processing is less a cut-and-dried approach. It entails “balancing exercise” between the interests of the controller and the rights and freedoms of data subjects. Deciphering when the courts will honour this ground for processing can be complicated, and as such, it is helpful to take a closer look at specific cases in which the ground has been successfully applied.
To this end, Nymity and the Future of Privacy Forum collaborated to produce a report entitled, “Processing Personal Data on the Basis of Legitimate Interests Under the GDPR”. The report examines the background of the “legitimate interest” application, as well as cases in which it has been applied by DPAs and courts from the European Economic Area.
Today, in Part 2 of this 4-Part Series on the report, we will take a look at the guidance for specific use-cases issued by DPAs and then we will examine legitimate interests in a significant CJEU case law.
Guidance for Specific Use-Cases Issued by DPAs for using Legitimate Interests
The Article 29 Working Party and the national DPAs have adopted guidance on specific processing activities and the potential use of the legitimate interest ground for their legitimization.
Profiling (WP 29)
Profiling not based on processing solely completed by automated means resulting in legal or significant effects is capable of being legitimized by Article 6(1)(f) GDPR, but this ground does not automatically apply just because the controller or third party has a legitimate interest. The controller must carry out a balancing exercise to assess whether its interests are overridden by the data subject’s interests or fundamental rights or freedoms.
Employee Data (WP29)
WP29 highlighted that in the employment context, consent is rarely deemed “freely given”. The provision highlights several conditions to be met in order for personal data to be processed on this ground, related to the balancing exercise.
Employee Data (Hungary DPA)
The Hungarian DPA’s guidance covers job applications, fitness checks, whistleblowing, employee monitoring, use of biometric entry systems and investigations. The guidance discusses these factors with relationship to consent, and states that employers must develop internal bylaws respecting data processing activities based on legitimate interests and demonstrating compliance with the law.
The Spanish DPA issued guidance to the banking industry on legitimate interest and data portability under the GDPR, and determined that financial entities can process personal data based on “legitimate interests” for several specific purposes as long as they comply with transparency obligations and provide for an effective right to object.
Legitimate Interests in Practice
The Court of Justice of the EU (CJEU) did not have the opportunity to interpret and apply Article 7(f) of Directive 95/46 very frequently (the corresponding provision to Article 6(1)(f) of the GDPR). That being said, there are some cases that provide insight into how the CJEU views the balance of interests, rights, and freedoms of the individual with the legitimate interest of the controller, or third party. These cases also demonstrate how the CJEU interprets the criteria to lawfully use legitimate interests as a grounds for processing.
In the full report, a total of 5 cases are discussed. For the purpose of this blog, we are going to take a look at one case in particular: Google Spain. This case exemplifies the CJEU’s assertion that the fundamental rights of the data subject generally overrule the economic interest of the controller and the interest of third parties to have access to information.
Facts of the case:
A Spanish citizen asked an online newspaper to remove an article regarding his bankruptcy. He also asked Google to remove the link to the article. But when neither organisation agreed, the citizen went to the Spanish DPA. The DPA decided that the newspaper did not need to remove the article (citing journalistic expression), but that Google should remove the link.
Google disagreed, stating in part that Spanish laws should not apply to them, given that they operate out of the U.S. The National Court held proceedings and asked the CJEU for clarification on the interpretation of Directive 95/46.
The assessment of the balance between the legitimate interest of Google versus the interest of the data subject had a significant impact on the outcome of the case. In order to ascertain the existence of the right to erasure (the right to be forgotten), the court analyzed whether the processing of personal data at issue was lawful. It considered that the lawful ground for processing in this case was likely the “legitimate interest” ground.
The CJEU determined that the rights of the data subject outweighed the legitimate interest of the controller and third party in this case, which meant that processing was not compliant with Article 7(f). The right to erasure was therefore affirmed in the case.
Nymity Research: Detailed Summaries of Cases from Around the World
All the cases discussed in Nymity’s report, “Processing Personal Data on the Basis of Legitimate Interests Under the GDPR: Practical Cases” were taken from Nymity Research. This tool leverages over 15 years of deep privacy compliance analysis created by Nymity’s privacy and data protection experts and provides in-depth information from cases around the world. All foreign documents have an English language summary. To request a demo of Nymity Research, visit https://www.nymity.com/solutions/research/.
In Part 3 of this series, we will examine in greater detail some cases that demonstrate unlawful use of “legitimate interest” as a grounds for processing. For more information