Processing Personal Data Under the GDPR Part 4: Lawful Use of “Legitimate Interests”

Written by Teresa Troester-Falk
on May 10, 2018

While the “legitimate interests” ground for processing can be lawfully applied in many cases, the processing must be subjected to a balancing test. That test weighs the nature and source of the legitimate interests on the one hand against the impact on the rights of the data subjects on the other. After analyzing the two sides against each other, a provisional balance should be established; the more safeguards the controller can bring towards the protection of the data subject, the more the balance will tip towards the controller.

To provide greater clarity on this balancing act, The Future of Privacy Forum and Nymity teamed up to author a paper entitled, “Processing Personal Data on the Basis of Legitimate Interests Under the GDPR”. So far, in our 3-Part series on the paper, we’ve examined the background of the “legitimate interests” ground, its use in CJEU case law, and unlawful applications of the ground in real-life cases.

Today, in the conclusion of our series, we will look at cases in which the “legitimate interests” ground for processing has been lawfully applied at the member state level (the European Economic Area or EEA).

Criminal Records Accessed for Employment Background Checks (Netherlands)

The Dutch DPA authorized the use of criminal records to conduct background checks for employers. While the DPA acknowledged that criminal records information is considered sensitive data, and that its processing is prohibited as a rule by the national data protection law, it identified one exception: “assessing an application by a data subject in order to make a decision about them”.

The DPA held that the company in question (which acted as a third party to employers) could rely on legitimate interests as a lawful ground for processing, but only to the extent that its clients had a legitimate interest in receiving a background profile of job candidates. Following an assessment of the company’s internal rules and procedures, the DPA was satisfied that the company had established processes under which a check is conducted only once it is deemed that the client has a “legitimate interest” or that the background check is subject to a legal obligation.

Disclosure of Health Data from Hospital to Attorney (Greece)

A hospital asked the Greek DPA if it is allowed to disclose medical information about a patient to a law firm requesting access. The law firm requested information regarding a patient’s stay at the hospital (date and length of time) and medical condition, with the justification that the information was necessary in an open litigation initiated by the patient against the law firm’s client. The patient was claiming damage due to building negligence that led to injury.

The DPA decided that disclosure of sensitive records is permitted in this case. It argued that under the national data protection law, such disclosure is allowed in exceptional circumstances, including litigation. The DPA supported the legitimate interests ground, as the disclosure of data was proportionally necessary for rebuttal of allegations by the data subject against the accused. The DPA also noted that the disclosure would only be lawful if the data subject was notified of the sharing of data.

Disclosure of Personal Data to a Debt Collector (Bulgaria)

An individual complained to the Bulgarian Data Protection Authority that a telephone service provider disclosed her personal information to a debt collection agency without her consent, which is in violation of the national data protection law. Upon investigation, the DPA found that there was a contract between the Complainant and the telephone service containing a clause stipulating that personal data could be disclosed to a third party for collection of overdue accounts.

According to the assessment of the DPA, the service provider had a legitimate interest in collecting money owed by the Complainant under that contract. Thus, the DPA concluded that the telephone service provider had two lawful grounds for processing: necessity for the performance of a contract, and the legitimate interest of the controller.

Providing Personal Data as Part of a Merger (Greece)

Two Greek insurance companies requested a DPA exemption from obtaining consent to transfer policyholder, employee, and client data to complete a merger. The companies argued that consent is not required since all data of the assignee will automatically become an asset of the assignor upon completion of the merger. They stated that notice of the merger can be made through a press announcement in 2 national newspapers, and on the companies’ official websites.

The DPA granted the exemption, noting that article 5 of the Law on Processing of Personal Data permits personal data processing without data subject consent if absolutely necessary to fulfill a legitimate interest of the controller or a third party.

Recording for Historical Research Purposes (Greece)

An individual asked the Greek DPA for permission to repurpose personal data previously collected on the inhabitants of a village for use in a genealogy book. The data included the name, age, marriage information, profession, and aliases of the subjects. The DPA determined that historical research is a legitimate interest that can take precedence over individual rights and freedoms (particularly since the individuals had previously provided the data for another purpose).

They also noted that the author is required to notify the subjects of the processing of their personal data prior to the publication date, and to notify the DPA of the personal data file.

Nymity Research: Case Law from Across the Globe

The cases mentioned in the Nymity-FPF report, “Processing Personal Data on the Basis of Legitimate Interests Under the GDPR: Practical Cases”, can all be found in greater detail on Nymity Research™. To assist our clients in keeping up-to-date with data privacy legislation and court decisions across the world, Nymity Research™ contains an unparalleled breadth of information, including English language summaries for foreign language documents.
