Legitimate interest seems to be the wild card among the legal bases, but must be used with great care.
If none of the previous legal bases apply, the option remains to justify the processing on the basis of legitimate interest. You are probably now keen to know exactly what this "legitimate interest" means. However, this is precisely what the GDPR does not specify. The controller must formulate and justify this interest.
So is processing legal as soon as you justify your legitimate interest in writing? No, it's not that simple. The GDPR prescribes a so-called "balancing of interests". In the balancing of interests, the company first describes its own interests as to why it wishes to process the relevant data. Arguments are then collected as to what interests the data subject might have in not having this data processed. Finally, the lawfulness is assessed and decided. As long as the interests of the data subjects in the protection of their data do not prevail, nothing stands in the way of the planned processing.
An educational institute in the field of adult education would like to analyse the data of participants on its own e-learning platform.
The following legal bases are not applicable for processing:
So what to do? Of course, the institute could now write to all participants and ask for their consent. Alternatively, the organisation can carry out a balancing of interests. It describes its own interests, i.e. why this evaluation matters to the institute (e.g. the business interest in finding out which educational programmes are particularly popular with which target groups). The institute then summarises the interests of those affected (e.g. that participants do not want their activities to be monitored or classified). At the end of the balancing of interests, an evaluation and a decision are made.
The institute decides to carry out the evaluation. The risk for the persons concerned is considered to be manageable, as no training content or individual learning outcomes are analysed. In addition, no names or email addresses are included in the analysis, only the internal ID from the database.
This cannot be conclusively assessed. By carrying out a balancing of interests, the institution has at least fulfilled its obligation under the GDPR. However, this does not clarify whether the balancing of interests has led to a correct, legally secure result. In data protection, much is done to the best of our knowledge and belief. Even seeking legal advice at this stage can only provide a presumed level of certainty. As in many other areas of law, one hundred per cent legal certainty can only be achieved after a court has issued a judgement.
If the processing ultimately rests on legitimate interest alone, the controller is obliged to think carefully about whether it is justifiable from a data protection perspective. This includes the aforementioned balancing of interests. If, after carrying out this assessment, there is still a feeling of unease, the controller is obliged to consider how it can further reduce the risk of the processing for the data subjects (e.g. by anonymising or pseudonymising the data).
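As an added illustration (not code from the article or from any real institute), the following shows what the risk-reduction step from the example above can look like in practice: direct identifiers are dropped and the internal database ID is replaced by a keyed pseudonym before the popularity analysis runs. The export fields and the participant records are constructed for this example; the pseudonymised data still counts as personal data under the GDPR (Recital 26) because the controller holding the key can reverse it, and the small-cell check at the end flags aggregates that would single out an individual.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample export from a hypothetical e-learning platform.
RAW_PARTICIPANTS = [
    {"internal_id": 101, "name": "Anna Example", "email": "anna@example.org",
     "target_group": "career changers", "programme": "Python basics"},
    {"internal_id": 102, "name": "Ben Example", "email": "ben@example.org",
     "target_group": "career changers", "programme": "Python basics"},
    {"internal_id": 103, "name": "Cara Example", "email": "cara@example.org",
     "target_group": "retirees", "programme": "Digital photography"},
    {"internal_id": 104, "name": "Dev Example", "email": "dev@example.org",
     "target_group": "retirees", "programme": "Python basics"},
]

# Fields that directly identify a participant and must not reach the analysis.
DIRECT_IDENTIFIERS = ("name", "email", "internal_id")


def pseudonymise(records, key: bytes):
    """Drop direct identifiers and replace the internal ID with a keyed HMAC.
    Without `key` the pseudonym cannot be mapped back to the database row,
    so the key must be kept away from the analysts. The result is still
    personal data under the GDPR because the controller can reverse it."""
    out = []
    for rec in records:
        token = hmac.new(key, str(rec["internal_id"]).encode(),
                         hashlib.sha256).hexdigest()[:16]
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": token, **kept})
    return out


def contains_direct_identifiers(records):
    """Sanity check run on the analysis dataset before it is handed over."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


def programme_popularity(records):
    """The institute's stated purpose: enrolments per (target group, programme)."""
    return dict(Counter((r["target_group"], r["programme"]) for r in records))


def minimum_group_size_ok(popularity, k=2):
    """Cells with fewer than k participants can single out one person."""
    return all(n >= k for n in popularity.values())
```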