A recent opinion by the Article 29 Working Party provides practical guidance on the applicability of the “legitimate interests” of a data controller as one of the grounds for the lawful processing of personal data under the EU Data Protection Directive 95/46/EC. The processing of personal data based on controller’s “legitimate interests” is a valuable option for data controllers, in particular where consent is unobtainable or impractical, such as in certain types of processing by companies that handle big data. Referring to legitimate interests as a ground for data processing requires a thorough assessment of, on the one hand, the legitimate interests pursued by data controller or by any third parties to whom the data are disclosed, and on the other hand, the interests and fundamental rights of the data subject. The balancing test between these two interests is necessary for deciding whether the rights of the data subject can be overridden.
This Opinion is highly relevant in the context of the recent Memo on Big Data issued by the European Commission on 2 July 2014, as it ensures the unified interpretation and implementation of the “legitimate interests” ground for data processing under the current Directive throughout the EU. It also provides policy recommendations for the future EU General Data Protection Regulation. Businesses involved in processing big data or in combining existing data with new data sources should carefully study this Opinion.
The Opinion was published on 9 April 2014 by the Working Party and provides a detailed analysis of the criteria that make data processing legitimate per Article 7 of Directive 95/46/EC. From six legal grounds for the processing of personal data stipulated in Article 7, the most known and widely used are:
A less constraining ground for processing, as stipulated under Article 7(f), permits the processing of personal data necessary for the purposes of the legitimate interests pursued by the controller or third parties, subject to an additional test balancing the data controller’s interests against the data subject’s fundamental rights and interests.
Application of the balancing test
For a proper assessment of the balancing test, companies have to consider a number of factors, including:
If the balancing test falls in favour of the data subject, companies are not allowed to use Article 7 (f) as a legal ground for the processing of personal data.
New obligations for data controller
If the Working Party’s legislative advice on the legitimate interests ground is followed, the data controllers under the proposed regulation will be required to conduct their assessment as described above. They will also have to thoroughly document their assessment and communicate their processing of personal data, as well as any other additional safeguards used, to the data subjects affected.
If your company is involved in big data, the legitimate interests ground may be an important alternative to the processing of personal data based on prior consent. Companies that opt for the legitimate interest ground must do a thorough balancing test to weigh the company’s interests against the interests of the data subject.
We also recommend that companies closely monitor legislative developments on this issue. The results of the public consultation on this Opinion are expected shortly and will offer additional insight into the applicability of the controller’s legitimate interest as a ground for processing of personal data.
Read the full text of the Opinion here.
Read the memo of the European Commission “Making the most of the Data-Driven Economy” here.
17 December 2019
16 December 2019
14 November 2019
15 October 2019
16 September 2019
17 April 2019
14 March 2019
31 January 2019
15 January 2019
14 November 2018
De Brauw Blackstone Westbroek
Claude Debussylaan 80
1082 MD Amsterdam
P.O. Box 75084
1070 AB Amsterdam