Invoking the legitimate interest when processing personal data

The basis of the legitimate interest.

The legitimate interest represents one of the six legal grounds on which the processing of personal data can be based and it is regulated in art. 6 (1) f) of (EU) Regulation 2016/679 (GDPR). Thus, according to these provisions, processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

When can we invoke the basis of legitimate interest?

This legal basis may be used subject to the general principles of processing and provided the legitimate interest of the controller is not outweighed by the interests of the data subjects.

In order to successfully invoke the basis of legitimate interest, it must be proved that the controller or a third party pursues a certain clearly articulated benefit, that processing based on this purpose is legal and, most importantly, that the interest in processing personal data prevails over the legitimate interests of the concerned persons.

The advantages of using the basis of legitimate interest.

Unlike the other grounds stipulated in the Regulation, the legitimate interest does not have a specific character, encompassing a wide range of legal contexts. Due to this flexible nature, more and more operators choose to invoke it when processing personal data.

For example, the legitimate interest can be used when the processing is not required by law, but it brings a benefit to the controller or other parties, when there is a limited impact on the privacy of the data subject or when the controller cannot / does not want to grant the data subject a high control on the processing procedures he performs (by consent).

The limits within which we can invoke the basis of the legitimate interest.

However, the legitimate interest cannot be used discretionary, but only under certain conditions, given the factual context. Thus, taking into account the circumstances and the field in which the controller carries on his activity, the interests of the company processing the personal data must be balanced with the individual interests of the data subjects. Then, if the results of the balancing test demonstrate that the operator’s interests are prevailing, the legitimate interest basis can be invoked for the processing of personal data.

The Grounds for Legitimate Interest vs. the Grounds for Consent.

Invoking the legitimate interest has, compared to the other legal grounds, both advantages and disadvantages. For example, in comparison to the consent of the data subject, which, once withdrawn, makes the subsequent processing of personal data unlawful, the legitimate interest basis may continue to operate even if the data subject’s consent is withdrawn.

The basis of legitimate interest has the advantage of flexibility, offering a fairly wide margin of use, as opposed to the basis of consent which establishes specific conditions which must be met by the operator with respect to the procedure of informing the data subjects, of collection and deletion of the provided data.

Evaluation of the legitimate interest.

On the other hand, the flexibility of the legitimate interest comes with a detailed set of rules. Therefore, the operator has the obligation to go through an elaborated and documented evaluation procedure (Legitimate Interest Assessment – LIA) before opting to use this legal basis. While for the other legal grounds there is a presumption that the interests of the operator and those of the individuals are balanced, in the case of the legitimate interest this balance of interests must be proved by the operator.

Balancing test.

In order to demonstrate the legitimate interest, a comparative test is required in order to check if the interests of the operator and the ones of the data subject are balanced.

Although not expressly regulated in the GDPR, it is recommended that operators fulfill this comparative test (balancing test) before opting for the legitimate interest. The test is structured, generally, in 3 parts: purpose test, necessity test and, finally, balancing test.

The comparative test analyzes whether there is a legitimate interest of the controller, whether the data processing is necessary for this legitimate interest and whether the interest of the controller is in balance with that of the individual, assessing the potential impact of processing the personal data. Depending on the results of the test, it will be decided whether or not the data processing can indeed be based on a legitimate interest.

In conclusion, although the legitimate interest basis is the most flexible one for processing personal data and is recommended to be used when there is a clear purpose of the operator and a minimal impact on data subjects, it is nevertheless noted that this flexibility requires an increased responsibility on behalf of the operator, which needs to demonstrate the legality of the processing and to respect the balance between his interests and those of the data subjects.

Processing and reusing data from public sources

The principle of transparency.

In order to ensure the transparency and responsibility of public sector bodies, both EU and national legislation has stipulated the possibility of processing and reusing data from public sources. As provided in Working Party Opinion 06/2013 on open data and public sector information (’PSI’) reusea all public information is reusable for both commercial and non-commercial purposes.

Legitimacy of reusing data from public sources.

The legitimacy of processing and re-using data from public sources is primarily based on the public interest in the transparency and responsibility of public sector bodies, as the processing of public sector information, considered “open data”, is done in order to provide more transparency and innovation in the re-use of public sector information.

Also, the data reused by operators are already published and are concerning personal data strictly related to the activities carried out by the individuals and which are relevant for the exercise of public functions.

Limitations of data processing from public sources.

Nevertheless, a balanced approach is needed in all cases when it comes to the protection of privacy and personal data. On one hand, the personal data and the individuals’ right to privacy must be protected and, on the other hand, such protection must not be an unjustified barrier to the development of the re-use market.

Thus, in order for information processing and re-use not to infringe individual rights, it is important to analyze the purpose for which this re-use takes place. As stated in Opinion 06/2013, the purpose for which the data will be re-used must be in line with the original purpose.

Although this principle of purpose limitation in case of re-use of PSIs may appear as a challenge, it is a necessary barrier in order to protect the personal data. Therefore, the subsequent purpose of the use of personal data must be compatible with the original purpose for which the information was made public and the mere fact that personal data is publicly available does not mean that such personal data may be freely used in any situation.

For example, the processing of data from public registers may be necessary for purposes such as commercial activities or crime prevention procedures.

In conclusion, the processing of data from public sources can bring multiple benefits to the community, facilitating transparency and responsibility of public institutions. However, the purpose of the processing and re-use must be compatible with the original purpose for which the data was published.