Practical Guide in Defining Legitimate Interest Assessment

The European Data Protection Board (EDPB) recently published the "Guidelines 1/2024 on Processing of Personal Data based on Article 6(1)(f) GDPR" to clarify how organizations can legally process data under the legitimate interest basis of the GDPR.

I’m sharing the main objectives of the EDPB Guidelines below. Just a note: the examples provided are my own and not from the EDPB (in case you wanted to cite them as official examples from the Guidelines).


Key Considerations

For companies seeking to process data under legitimate interest, three essential conditions must be met:

  • the existence of a legitimate interest of the controller;
  • the processing must be strictly necessary to achieve this legitimate interest; and
  • the data subjects’ fundamental rights must not override the legitimate interest of the controller.

Defining Legitimate Interest

A legitimate interest exists when the following cumulative criteria are met:

  • The interest is lawful, i.e., not contrary to EU or Member State law.
  • The interest is clearly and precisely articulated. The specific objective must be well-defined and documented to ensure transparency.
  • The interest is real and present, and not speculative. The interest should address a current, practical need rather than a hypothetical one.

Practical Application

Examples That Meet Legitimate Interest Criteria

Each example below is assessed against the three criteria: lawful, clearly articulated purpose, and real and present interest.

Office Building Security
  • Scenario: using surveillance cameras at entry points to ensure only authorized personnel enter the premises.
  • Lawful: yes, this enhances safety and is compliant with local regulations on security.
  • Clearly articulated purpose: yes, the purpose is to protect assets and staff by restricting unauthorized access.
  • Real and present interest: yes, there’s a continuous requirement for security in facility management.

Asset Security in Storage Facilities
  • Scenario: using surveillance cameras to monitor secure storage locations, helping to deter unauthorized access or damage to property.
  • Lawful: yes, this enhances security in compliance with local regulations on surveillance.
  • Clearly articulated purpose: yes, the purpose is to protect stored assets from potential risks.
  • Real and present interest: yes, there is an ongoing requirement for asset security.

Route Optimization for Service Vehicles
  • Scenario: gathering GPS data from field technicians’ vehicles to improve route efficiency, reduce fuel use, and minimize travel time.
  • Lawful: yes, this enhances operational efficiency within legal limits.
  • Clearly articulated purpose: yes, the goal is to optimize routing, save fuel, and decrease travel times.
  • Real and present interest: yes, there’s a consistent need for route efficiency.

Examples That Do NOT Meet Legitimate Interest Criteria

Selling Customer Data
  • Scenario: selling customer contact information to third-party advertisers without consent.
  • Why it is not legitimate: violates data protection laws by processing data without consent for purposes not originally specified. Fails all three criteria.

Undefined Future Use
  • Scenario: collecting additional personal details from customers “for potential future services” without specifying the purpose, or for general “marketing activities” without specifying the exact need for the data.
  • Why it is not legitimate: the purpose is vague and speculative, lacking a clear, direct need.
  • NB: a generic reference to the purpose of “combating fraud” or “for the purpose of information security” to define the legitimate interest, for example in the privacy policy, is not sufficient to meet the transparency and documentation obligations under the GDPR.

Intrusive Employee Monitoring
  • Scenario: placing cameras in employee break rooms to monitor activities without a justified reason.
  • Why it is not legitimate: this is intrusive and may violate privacy rights, lacking a clear and lawful purpose and overriding employees’ rights.

Necessity of Processing

When deciding if data processing is necessary, it's vital to consider if the same goals could be achieved by less intrusive means. For example, if tracking customer delivery updates can be achieved through periodic notifications rather than real-time tracking, then the latter may not be deemed necessary under GDPR standards.

The GDPR principle of data minimization reinforces this idea: personal data collected should be adequate, relevant, and limited to what is essential for the stated purpose. Here’s how this applies to specific examples.


Practical Application

Examples of Necessary and Acceptable Processing

Each example below is assessed for necessity, the minimization principle, and the outcome.

SMS Notifications for Appointment Reminders
  • Scenario: a healthcare clinic sends text reminders for upcoming appointments, accessing only phone numbers.
  • Necessity assessment: necessary to keep patients informed and prevent missed appointments.
  • Minimization principle: minimal access to contact info; patients can opt out.
  • Outcome: necessary; enhances patient experience while respecting privacy.

Visitor Log for Office Access Control
  • Scenario: an office logs visitors’ names and arrival times to maintain security and track who enters the building.
  • Necessity assessment: necessary for security purposes and to ensure controlled access.
  • Minimization principle: limited to essential visitor data only for entry control.
  • Outcome: necessary; protects security without overreach.

In-App Chat Support
  • Scenario: an app offers in-app chat for customer support, using only necessary data to assist with inquiries.
  • Necessity assessment: necessary to help customers resolve issues directly.
  • Minimization principle: data access is limited to the interaction; secure handling is ensured.
  • Outcome: necessary; provides efficient support with privacy consideration.

Examples of Unnecessary or Excessive Processing

Sharing User Data with Marketing Partners
  • Scenario: sharing user data with external partners for marketing campaigns.
  • Necessity assessment: consent or data anonymization could offer less intrusive alternatives.
  • Minimization principle: users may not expect their information to be used for marketing.
  • Outcome: not necessary; violates data protection regulations.

Requesting Full Personal Details for Newsletter Signup
  • Scenario: requesting date of birth, occupation, and address for a basic newsletter subscription.
  • Necessity assessment: only an email address is typically necessary for newsletters.
  • Minimization principle: limit data collection to information directly relevant and necessary for providing the service.
  • Outcome: unnecessary; infringes on data minimization.

Biometric Data for Gym Access
  • Scenario: requiring gym members to use facial recognition or fingerprints for check-in when swipe cards are available.
  • Necessity assessment: alternatives like personal member cards or PIN codes are less intrusive.
  • Minimization principle: non-biometric methods would meet the same goal.
  • Outcome: unnecessary and excessive.

Balancing Test: Data Subjects’ Fundamental Rights vs. Controller’s Legitimate Interest

The final step in determining if legitimate interest applies is to assess whether the company’s interest outweighs the potential impact on individuals’ rights and freedoms. This balancing test involves carefully weighing the organization’s goals against any possible negative effects on the people whose data is being processed.

To conduct this balancing test, organizations should:

  1. Identify individual rights and interests: consider the rights and freedoms individuals have regarding their data, including privacy, freedom of expression, and non-discrimination.
  2. Assess potential impacts on individuals:
    • nature of the data: determine if the data is sensitive or personal.
    • context of processing: understand the specific circumstances under which data is collected and used, such as direct collection or collection through a service interaction. Evaluate whether the data subject is an employee, a customer, a business partner, etc.
    • consequences of processing: identify any potential risks, like reputational harm or financial impact, that might affect the individuals involved.
  3. Consider reasonable expectations: reflect on what individuals would reasonably expect regarding their data usage. For instance, customers who share feedback on a recent purchase may expect the information to be used for improving product features but not for unrelated promotional campaigns.
  4. Weigh interests and implement safeguards: balance the organization’s legitimate interests against the rights of individuals. If processing could negatively impact individuals, consider measures to minimize the impact, such as anonymizing data, enhancing security measures, or not processing the data at all.

Understanding the Data Subject's Interests, Fundamental Rights, and Freedoms

Impact of the Processing on the Data Subjects

Article 6(1)(f) of the GDPR emphasizes that when weighing an organization’s interests against those of individuals, both interests and fundamental rights and freedoms of the data subjects must be considered. This provision adds an extra layer of protection by requiring organizations to take into account not only fundamental rights but also the personal interests of individuals.

The key rights and freedoms of data subjects include:

  • Right to Privacy and Data Protection
  • Right to Freedom of Expression and Information
  • Right to Non-Discrimination
  • Right to Personal Security
  • Right to Freedom of Thought, Conscience, and Religion

Beyond these, other personal interests may come into play, such as:

  • Financial interests: risk of economic impact due to data misuse or unauthorized access.
  • Social interests: how data handling might influence personal relationships or social status.
  • Reputational interests: potential effects on one’s personal or professional reputation.

When evaluating data processing’s impact on these interests, it’s essential to consider all possible ways, positive or negative, that individuals might be affected.

Assessing the Impact of Processing on Data Subjects

After identifying the fundamental rights and interests that might be affected by processing personal data, organizations (controllers) need to carefully evaluate how this processing could impact individuals (data subjects). This evaluation should focus on all the ways people might be affected, positively or negatively, now or in the future, by the handling of their personal information. The impact on individuals can be influenced by:

  1. The nature of the data being processed
  2. The context in which the data is processed
  3. The potential consequences of the processing

1. The Nature of the Data Being Processed

When assessing the type of data to be processed, organizations should pay special attention to:

  • Sensitive personal data: certain types of personal data receive additional protection under Article 9 GDPR. Processing these special categories, also known as sensitive data, is only allowed under the specific conditions set out in Article 9(2) GDPR. If a dataset contains even one piece of sensitive information, the entire dataset is deemed sensitive, especially if the data items cannot be separated at the time of collection. Importantly, it doesn't matter whether the information revealed is accurate or whether the organization intends to obtain such sensitive information. According to the CJEU, the key question is whether it's objectively possible to infer sensitive information from the processed data, regardless of any intention to do so.
  • Data relating to criminal convictions and offences: personal data about criminal convictions and offences also enjoy extra protection under Article 10 of the GDPR.
  • Perceived privacy of data types: consider whether the data is generally viewed by individuals as highly private (e.g., financial information, location data) or more public in nature (e.g., professional role or job title).

Impact on individuals: generally, the more sensitive or private the data, the more likely its processing will negatively affect the individual. This should be given more weight in the balancing test between the organization's interests and the individual's rights. Even less sensitive data can significantly impact individuals, depending on how and in what context it is processed.


2. The Context of the Processing

The circumstances surrounding how data is processed can influence its impact on individuals. When assessing this, organizations should consider:

  • Scale of processing:
    • volume of data: the total amount of personal data being processed.
    • data per individual: how much data is collected about each person.
    • number of affected individuals: the total number of people whose data is being processed.
  • Relationship between organization and individual:
    • power dynamics: for example, an employer-employee relationship may require a different assessment compared to a customer and service provider relationship.
  • Combining data sets:
    • data integration: whether the personal data will be combined with other data sets, potentially increasing the impact on privacy.
  • Accessibility and publicity of data:
    • public vs. private access: the extent to which the data is publicly available or kept confidential.
  • Status of the individual:
    • vulnerable individuals: extra care should be taken if the data subjects are considered vulnerable (e.g., children, elderly, or marginalized groups).

Special consideration for children:

  • heightened protection: under Article 6(1)(f) of the GDPR and as emphasized by the CJEU, children merit specific protection because they may be less aware of the risks and their rights regarding personal data processing.
  • marketing and profiling: this protection is especially important when data is processed for marketing purposes, creating personality or user profiles, or offering services directly to children.

3. Consequences of the Processing

The potential outcomes of data processing can further affect the rights and freedoms of individuals. Organizations should consider factors such as:

  • Decisions or actions by third parties: how the processed data might lead to decisions by others that affect the data subjects (e.g., credit scoring affecting loan approvals).
  • Legal effects: whether the processing could result in legal consequences for the individual.
  • Discrimination or exclusion: risks of individuals being unfairly excluded or discriminated against based on the data.
  • Damage to reputation: possibility of harming an individual's reputation, negotiating power, or autonomy.
  • Financial losses: potential for individuals to suffer monetary losses due to the processing.
  • Service exclusion: being denied access to a service with no real alternative options.
  • Risks to personal safety: threats to an individual's freedom, safety, physical or mental integrity, or even life.

Emotional and Psychological Impacts:

  • Loss of control: the distress caused by realizing personal data has been misused or compromised.
  • Chilling effects: individuals may alter their behavior (e.g., limit free expression or research activities) due to continuous monitoring or fear of being identified.

Objective Assessment and Individual Circumstances

  • Objective evaluation: the impact assessment should be conducted objectively, considering the actual effects on individuals.
  • Group vs. individual assessment: when many individuals share the same interests, a combined assessment may suffice (e.g., evaluating the impact of video surveillance in a public area). For more intrusive processing, individual circumstances should be carefully considered.
  • Avoiding assumptions: do not assume all individuals share the same interests, especially if there are indications to the contrary. Be particularly cautious in contexts like employment or any other area where power imbalances exist.

Understanding Reasonable Expectations of Individuals Regarding Their Personal Data

GDPR emphasizes the importance of considering what individuals reasonably expect when their personal data is processed by organizations. This concept is crucial when determining whether the processing of personal data is lawful under the "legitimate interests" legal basis.

Implications for Data Controllers:

  • Distinguishing from common practice: just because certain data processing activities are common in an industry does not mean individuals reasonably expect them. Organizations should not assume that widespread practices align with individuals' expectations.
  • Information provided is not sole determinant: while informing individuals about data processing (as required by Articles 12, 13, and 14 of the GDPR) is important, merely fulfilling these obligations doesn't automatically mean that individuals reasonably expect all types of processing. Reasonable expectations can exist independently of the information provided.

Factors Influencing Reasonable Expectations:

  1. Characteristics of the relationship or service:

    • existence of a relationship: whether there's an existing relationship with the individual (e.g., customer vs. non-customer) and if that relationship has ended.
    • closeness of the relationship: for example, if an organization is part of a group of companies under one brand, individuals might expect data sharing within the group. Conversely, if companies are linked only economically and this is not apparent to customers, individuals are less likely to expect data sharing.
    • place and context of data collection: individuals might expect surveillance cameras in a bank for security reasons but not in sensitive areas like bathrooms or saunas.
    • nature of the service: a regular customer may have different expectations compared to someone who only subscribed to a newsletter. The depth of interaction influences expectations.
    • legal requirements: certain relationships come with legal confidentiality obligations (e.g., doctor-patient confidentiality), affecting what individuals expect regarding data use.
  2. Characteristics of the “average individual”:

    • age: minors may have different expectations compared to adults. Organizations should consider how age affects understanding and expectations.
    • public status: individuals who are public figures might expect more of their data to be processed or made public than private individuals.
    • professional position: the role and knowledge level of an individual can influence their expectations. For example, staff involved in recruitment might expect their personal data (like professional profiles) to be shared with job applicants.

CHECK-LIST:


1. Confirm the Existence of a Legitimate Interest

Lawfulness:

  • Ensure that the interest is lawful, meaning it is not contrary to EU or Member State law.
  • Action: verify that the processing purpose complies with all relevant legal requirements. This may include consumer protection law, advertising law, competition law, non-discrimination law, etc.

Clear and precise articulation:

  • The interest must be clearly and precisely defined.
  • Action: document the specific purpose of the processing in detail.
  • Example: instead of stating "marketing purposes," specify "sending personalized product recommendations based on past purchases."

Real and present interest:

  • The interest must be real, present, and not speculative.
  • Action: ensure that the processing addresses a current need or objective.
  • Example: processing data for current fraud detection, not for hypothetical future services.

2. Assess the Necessity of the Processing

Evaluate alternatives:

  • Determine if the legitimate interest can be achieved through less intrusive means.
  • Action: explore and document alternative methods that are less invasive to individuals' privacy.
  • Example: using ID badges instead of biometric data for employee access control.

Apply the data minimization principle:

  • Collect and process only the data that is adequate, relevant, and limited to what is necessary.
  • Action: review data collection forms and processes to eliminate unnecessary data fields.
  • Example: if age verification is needed, ask users to confirm they are over 18 rather than collecting full dates of birth.

Document the necessity:

  • Action: provide a rationale for why the processing is necessary and why less intrusive alternatives are insufficient, i.e., conduct a Legitimate Interest Assessment (LIA).

3. Conduct a Balancing Test

Identify data subjects' fundamental rights and interests:

  • Action: list the rights and freedoms that may be impacted, such as privacy, freedom of expression, and protection from discrimination.

Assess the impact on data subjects:

  • Nature of the data: determine if the data is sensitive (special categories) or generally considered private.
  • Context of processing: consider the type of relationship with the data subject and the expectations they may have.
  • Potential consequences: identify any risks or negative effects, such as financial loss, reputational damage, or emotional distress.

Consider reasonable expectations:

  • Action: evaluate whether data subjects would reasonably expect their data to be processed in this manner.
  • Example: customers expect order details to be used for delivery but may not expect their data to be shared with third-party advertisers.

Weigh the interests:

  • Action: balance your legitimate interest against the potential impact on data subjects.
  • Implement safeguards: introduce measures to mitigate negative impacts, such as pseudonymization or encryption.

Document the balancing test:

  • Action: keep a detailed record of the assessment (LIA), including all factors considered and conclusions reached.

Privacy Policy Updates:

Include specific purpose:

  • Clearly state the legitimate interests pursued.
  • Example: "We process your delivery information to optimize our delivery routes and improve service efficiency."

Define categories of personal data collected:

  • List the types of data processed under legitimate interest.
  • Example: GPS location of delivery vehicles, customer service interaction records.

Provide the right to object:

  • Inform data subjects of their right to object to the processing.
  • Example: "You have the right to object to this processing at any time for reasons arising from your particular situation."

Avoid vague statements:

  • Action: do not use generic phrases like "data may be used for marketing/fraud prevention purposes." Such a generic reference is insufficient. Specify the exact need and purpose.

Accessibility and clarity:

  • Ensure the privacy policy is easily accessible and written in clear, plain language.
  • Action: regularly review and update the policy to reflect any changes in processing activities.

Here is the link to the Guidelines themselves

I hope this overview is helpful for your work or studies 🤓

Written By

Anastasiia Klymenko