Legitimate interest as a legal basis: Guidance from the EDPB

Controllers must ensure that processing is necessary and proportionate and respects the rights of data subjects, thereby ensuring GDPR compliance.

When processing personal data under the General Data Protection Regulation (GDPR), controllers must ensure that their actions are lawful. Specifically, if relying on Article 6(1)(f) of the GDPR, the processing must be based on a legitimate interest. This is subject to three cumulative conditions: the pursuit of a legitimate interest, the necessity of the processing to achieve that interest, and the absence of overriding rights of the data subject. Controllers are advised to follow a three-step process to determine whether their data processing is compliant with the GDPR. The EDPB recently released guidance on the processing of personal data which breaks down the factors to be considered when assessing the applicability of Article 6(1)(f) GDPR as a legal basis.

Step 1: Pursuit of a Legitimate Interest

The first condition for processing data under Article 6(1)(f) is that the controller or a third party must pursue a legitimate interest. The “interest” differs from the “purpose” of data processing. The interest refers to the broader benefit or stake in the data processing, while the purpose is the specific aim behind the activity.

A legitimate interest must meet three key criteria:

  1. Lawfulness: The interest must not conflict with any laws in the EU or its Member States.
  2. Clarity: The interest must be clearly articulated to facilitate proper balancing against the data subject’s rights.
  3. Reality: The interest must be present and not hypothetical, effective as of the date of processing.

Examples of legitimate interests include product promotion, accessing information online, or even pursuing legal claims. However, the mere identification of a legitimate interest is not enough. The controller must still assess whether the processing is necessary and if the data subject’s rights outweigh the interest pursued.

Step 2: Necessity of Processing

Once a legitimate interest is established, the controller must assess whether processing personal data is necessary for achieving that interest. Necessity, in the context of Article 6(1)(f), does not refer to convenience but rather means that the interest cannot reasonably be achieved through less intrusive means.

The European Court of Justice (CJEU) emphasizes that data processing must adhere to the principle of “data minimization” under Article 5(1)(c) GDPR. Personal data must be “adequate, relevant, and limited” to the purpose of the processing. Therefore, if less invasive methods can achieve the same outcome, the data processing would not be deemed necessary.

This step is often easier to justify when processing data for a controller’s own interests. However, processing in the interest of a third party is generally harder to demonstrate as necessary and may be unexpected by the data subjects.

Step 3: Balancing Test

The final step is to balance the controller’s or third party’s legitimate interests against the data subject’s fundamental rights and freedoms. This involves evaluating:

– The data subject’s interests, rights, and freedoms.

– The potential impact of processing on the data subject, considering the nature of the data, the context of processing, and possible consequences.

– The reasonable expectations of the data subject regarding how their data will be used.

– The possibility of mitigating measures to minimize the negative impact on the data subject.

The purpose of this balancing test is to ensure that the impact of the data processing does not disproportionately affect the data subject’s rights. With the GDPR in place, certain actions that could mitigate the impact of processing are now legal obligations for the controller. These include implementing data protection measures and adhering to data minimization principles.

Article 6(1)(f) GDPR provides a framework for lawful data processing based on legitimate interests, and controllers must exercise caution when relying on it as a legal basis. The GDPR requires controllers to ensure that the processing is necessary and proportionate to the legitimate interest pursued, without overriding the rights and freedoms of the data subject. By following the three-step process set out above, controllers can ensure that their data processing activities based on legitimate interests align with the requirements of the GDPR and respect the rights of data subjects.

Elevate your data protection standards with Aphaia. Schedule a consultation, and embark on a journey toward strengthening security, GDPR compliance, and the peace of mind that comes with knowing your data protection is in expert hands. Contact Aphaia today.
