Processing Personal Data Under the GDPR Part 3: Unlawful Use of “Legitimate Interests”
As is the case with any number of principles within the data privacy sector, the concept of “legitimate interests” is not a black-and-white matter. Instead, there are many nuances involved in balancing the rights and freedoms of data subjects against the interests of the controller. Where the “legitimate interest” ground for processing may be applied in one case, it may be dismissed in the next, and as such it is helpful to familiarize oneself with historical cases in which this ground has been used both lawfully and unlawfully.
Today, in Part 3 of our four-part series on our recent joint paper with the Future of Privacy Forum entitled, “Processing Personal Data on the Basis of Legitimate Interests Under the GDPR”, we will take an in-depth look at cases of unlawful use of “legitimate interests” as grounds for processing.
Publication of WHOIS Data of Domain Name Registrants (Netherlands)
A Dutch registry asked the Dutch DPA if it is legal to publish all WHOIS data on the internet, in essence giving the public unlimited access. The Dutch DPA, relying also on recommendations of the Article 29 Working Party, responded that such a publication is in breach of data protection law, as none of the lawful grounds for processing is applicable, including necessity for a legitimate interest.
The DPA stated that consent cannot be used because it wouldn’t be freely given; necessity to enter a contract cannot be used, as the individual domain name holders are not a party to the contract between ICANN and Registries; and legitimate interest cannot be used because the publication concerns unlimited access to all personal data. In FPF and Nymity’s examination of the case, it appears that the Dutch DPA implies that layered access to the data would enable the “legitimate interests” ground to be used.
Using Key-Logger Software in Employment Context for Monitoring Purposes (Germany)
A company installed software on an employee’s computer that recorded all keyboard inputs and produced screenshots at regular intervals. The employee filed a suit against the company after the termination of his employment. The lower courts upheld the wrongful termination lawsuit against the company, and the company appealed the decision. In the appeal judgment, the Federal Labor Court found that this monitoring technique is too intrusive to be justified by the “legitimate interest” of the company.
GPS Tracking of a Vehicle for Private Investigation (Germany)
The German Federal Court of Justice upheld the decision of a lower court which sentenced the owner of a detective agency and one of its employees. The agency had installed concealed vehicle-mounted GPS receivers for various clients in order to monitor the movements of targeted individuals.
The motives of the clients were primarily economic and private interests, some of which concerned matrimonial disputes. In its judgment, the Court referred to the balancing exercise between the conflicting interests in the case, and held that the defendants could have processed the GPS information if they had had a strong legitimate interest in the data collection, for instance self-defense. However, tracking individuals by GPS for private interests falls short of the threshold required by the law.
Retaining Banking Data by an Online Retailer (France)
The French Data Protection Authority investigated an online retailer’s practice of retaining customers’ banking data longer than necessary for the transaction to take place. The investigation showed that the company retained banking data by default at the end of every transaction (including the name of the cardholder, card number, expiry date and, in some cases, CVV codes). The retailer argued that it retained the data on two lawful grounds: 1) necessity for entering into or performing a contract, and 2) necessity for its legitimate interest, specifically the facilitation of later payments and the optimization of business transactions.
The DPA found that retaining the banking details goes beyond the execution of a service contract for an online sale, since the purpose would be to facilitate hypothetical future sales. The DPA also found that processing was not lawfully based on the “legitimate interests” ground. The DPA acknowledged that there was a legitimate commercial interest of the retailer in facilitating later payments and optimizing business transactions. However, given the sensitivity of banking data, the right of the data subject to have the data deleted after being retained carries more weight than the interest of the controller.
The DPA also pointed out that the retailer did not take steps to mitigate the danger to data subjects by implementing appropriate security measures: the credit card details of millions of customers were stored in clear text in a single database, making them easy to compromise.
How can the “legitimate interests” ground be used lawfully?
In the conclusion of this four-part series, we will examine cases in which the “legitimate interests” ground has been used lawfully. To learn more about these and many more cases in greater detail,
All of the cases in the “Processing Personal Data on the Basis of Legitimate Interests Under the GDPR” paper have been sourced from Nymity Research™, a groundbreaking tool that provides in-depth information from cases around the world. Further, all foreign documents have an English language summary, making it easy to remain up-to-date regarding privacy-related news around the world. To request a demo of Nymity Research™, visit https://www.nymity.com/solutions/research/.