Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

GDPR: When Can Data Controllers Rely on ‘Legitimate Interests’ for Data Processing? New Guidelines from the EDPB

The European Data Protection Board (EDPB), the umbrella group of the EU’s data protection authorities, has issued new Guidelines 01/2024 of October 9, 2024 on the processing of personal data based on the legitimate interest legal basis in the EU’s General Data Protection Regulation (GDPR).

The EDPB guidelines are not legally binding but are widely followed in the EU. The Guidelines 01/2024 will be subject to public consultation until November 20, 2024.

Data controllers must always have a legal basis to process personal data lawfully in Europe. Article 6(1)(f) of the GDPR (the “legitimate interests” basis) is one of the six legal bases for the lawful processing of personal data under the GDPR and by far the most popular. Many data protection agencies (DPAs) have developed their own forms for the balancing of interests, used to assess which such interests are legitimate.

While there may be differences between these forms, the process for the assessment (balancing exercise) is always the same (three steps) and must be documented properly:

  • The pursuit of a legitimate interest by the controller or by a third party;
  • The need to process personal data for the purposes of the legitimate interest(s); and
  • The interests or fundamental freedoms and rights of the concerned data subjects must not “override” the legitimate interest(s) of the controller or of a third party.

The EDPB comments on these three steps in its lengthy Guidelines (37 pages). The document provides copious detail on how the assessment “should be carried out in practice, including in a number of specific contexts such as fraud prevention, direct marketing and information security.”

What is interesting from a practical standpoint is that the “reasonable expectations of the data subjects” play a significant role in the assessment (cf. Recital 47 GDPR). The balancing test must focus on the “average” data subject.

According to Section 54 of the Guidelines, the following factors can be considered:

  • The “very existence of a relationship with the data subject” (e.g., customers vs. noncustomers)
  • The “proximity of the relationship” (e.g., if the data subject is less likely to reasonably expect data sharing between group entities)
  • The “place and context of the data collection” (e.g., data subjects might expect CCTV in a bank)
  • The “nature and characteristics of the service” (e.g., a regular customer and a mere prospective customer who only subscribed to a newsletter)
  • “Applicable legal requirements in the relevant context” (e.g., confidentiality requirements applicable to the relevant relationship); note in this context that the EDPB repeats in its Guidelines (at 136) its earlier position that the interests or fundamental rights and freedoms of the data subject would usually “override the controller’s interest in complying with a request from a third country law enforcement authority in order to avoid sanctions for non-compliance”

As to the use of personal data for marketing purposes, the EDPB says (at 110): “The fact that Recital 47 GDPR states that the processing of personal data for direct marketing purposes may be carried out to fulfil a legitimate interest does not mean that direct marketing always constitutes a legitimate interest, and that it is automatically possible to rely on Article 6(1)(f) GDPR to engage in all kinds of direct marketing activities.” As such, in some cases another legal basis such as “consent” of the data subject may be the better legal basis under the GDPR.

While the Guidelines are helpful, there is still no EU-wide form for the balancing exercise. Moreover, the most recent decisions of the European Court of Justice (ECJ) may play a role, including the ECJ’s recent ruling in the case of the Netherlands’ DPA against the Royal Dutch Tennis Association (C-612/22). The ECJ has confirmed in this case (at 54) that the “reasonable expectations of the data subject as well as the scale of the processing at issue and its impact on that person” must be considered.