The Opinion was published on 9 April 2014 by the Working Party and provides a detailed analysis of the criteria that make data processing legitimate per Article 7 of Directive 95/46/EC. From six legal grounds for the processing of personal data stipulated in Article 7, the most known and widely used are:
- the unambiguous consent of the data subject
- processing that is necessary for the performance of a contract with the data subject
- processing necessary for compliance with a legal obligation of controller.
A less constraining ground for processing, as stipulated under Article 7(f), permits the processing of personal data necessary for the purposes of the legitimate interests pursued by the controller or third parties, subject to an additional test balancing the data controller’s interests against the data subject’s fundamental rights and interests.
Application of the balancing test
For a proper assessment of the balancing test, companies have to consider a number of factors, including:
- the nature and source of the controller’s legitimate interest and whether the data processing is necessary and proportionate for the exercise of a fundamental right (e.g., freedom of expression by a newspaper publishing about a corrupt official or interests of the wider community in whistleblowing schemes to combat financial fraud)
- the impact of processing on the data subject and their reasonable expectations about what will happen with their data, as well as the nature of the data (i.e., sensitive data) and how it is processed (e.g., large amounts of personal data are processed or combined with other data, such as profiling or for commercial purposes)
- additional safeguards which could limit the impact of processing on the data subject (e.g., data minimisation, anonymisation, pseudonymisation, unconditional right to opt-out).
If the balancing test falls in favour of the data subject, companies are not allowed to use Article 7 (f) as a legal ground for the processing of personal data.
New obligations for data controller
If the Working Party’s legislative advice on the legitimate interests ground is followed, the data controllers under the proposed regulation will be required to conduct their assessment as described above. They will also have to thoroughly document their assessment and communicate their processing of personal data, as well as any other additional safeguards used, to the data subjects affected.
Recommendations
If your company is involved in big data, the legitimate interests ground may be an important alternative to the processing of personal data based on prior consent. Companies that opt for the legitimate interest ground must do a thorough balancing test to weigh the company’s interests against the interests of the data subject.
We also recommend that companies closely monitor legislative developments on this issue. The results of the public consultation on this Opinion are expected shortly and will offer additional insight into the applicability of the controller’s legitimate interest as a ground for processing of personal data.
Read the full text of the Opinion here.
Read the memo of the European Commission “Making the most of the Data-Driven Economy” here.