Processing personal data on the basis of your legitimate interest
Legitimate interest, in terms of data protection, could be defined as the situation in which a company or professional (data controller) could process personal data of other individuals without the need for their consent.
In order to know whether your legitimate interest is a legal argument to defend the processing of other people’s data without their consent, it is necessary to take into account the provisions of the Data Protection Regulation in force.
What does the Data Protection Act say about your legitimate interest?
Your legitimate interest may be argued as long as it does not override the interests or the rights and freedoms of the data subjects, taking into account the reasonable expectations of the data subjects based on their relationship with you or your company (data controller), as provided for in recital 47 of the GDPR.
But how can I claim my legitimate interest for the processing to be lawful?
According to Article 6.1 f) of the GDPR, an interest will be considered legitimate when the following requirements are met:
- Be lawful (i.e., in accordance with applicable national and EU law);
- Be sufficiently specific, so that the weighing test (weighting judgment) can be carried out, where the interests of the controller and the fundamental rights of the data subjects are analyzed;
- Be non-speculative, i.e., represent a real and current interest.
Weighing test or weighting judgment
The weighing test, or weighting judgment, consists of analyzing the three (3) indispensable requirements set forth in Article 6.1 f) of the GDPR, related to:
- The purpose of the processing: satisfaction of legitimate interests pursued by the controller or by a third party.
- The need for processing: the processing is necessary.
- The balance between the parties: provided that the interests or fundamental rights and freedoms of the data subject do not prevail over these interests.
Failing any phase excludes further weighing, and therefore the use of legitimate interest as the basis for processing.
In other words, if the purpose analysis does not meet the requirements, the necessity analysis cannot be carried out and so on.
Phases of the weighing test
Phase 1: Purpose
The purpose of the processing must pursue a legitimate interest of the controller, which must be clear and specific, indicating the relationship between the controller and the data subject.
Phase 2: Need
The need for processing will have to answer the following questions:
- Does it correspond to the purpose of the processing?
- Is it possible to carry out the processing using only the strictly necessary personal data?
- Is it possible to process the data in a less intrusive way?
Necessity should be understood restrictively and from a data protection point of view: the interest of the controller shall not be placed above the interests and rights of the data subjects when this necessity is confused with mere convenience of processing for the controller.
Phase 3: Balancing
It is at this stage that it will finally be possible to establish whether or not legitimate interest can be the basis for legitimizing our processing.
To do so, it will be necessary to determine the balance between the interests of the controller and the rights of the data subjects, through a weighing judgment or balancing test, taking into account the following factors:
- Origin of the data: differentiate between whether it was obtained directly from the data subject or through a third party, with or without his or her consent.
- Type of data: it will be important to know which data are subject to processing (contact, economic, fiscal, etc.).
- Whether or not there is a previous relationship with the data subject: determine whether he/she is a customer or employee, or if on the contrary, there is no relationship, thus increasing the possibility of affecting the data subject.
- Expectation: analyze the data subject's expectation that the processing could be carried out, taking into account the circumstances and purpose of the processing, reasonable expectations of stricter confidentiality and of stricter limitations on further use.
- Impact on the interests, rights and freedoms of the data subjects: it will be necessary to analyze whether or not there is damage or harm to the rights and freedoms of the data subjects.
Possible scenarios of the result of the weighing test
Once the weighing test has been performed, we can obtain three types of results:
Negative Result:
The balancing test has not been passed because the rights of the data subjects prevail over the legitimate interest of the data controller.
Definitive Positive Result:
The processing may be protected or based on legitimate interest on the part of the controller.
Provisional Positive Result:
There are risks in the processing for the data subjects, whereby harm could occur; however, with the adoption of additional measures, these could be minimized.
The measures to be adopted to minimize damages could be, among others: adoption of data security measures, anonymization, pseudonymization, data minimization, transparency and information to the data subject, limitation of the purpose, as well as the storage period.
It is important to emphasize that there are situations in which the data controller may not base the processing on legitimate interest:
- When the processing relates to special category data
- When the authorities carry out the processing in the exercise of their functions
Business Adapter® at your service
If you are a customer and you have doubts about when you can use the legitimate interest in the processing of personal data that you carry out or wish to carry out, contact your consultant to receive documentation and instructions.
If you are not yet a client and you need advice to comply with the European and Spanish data protection regulations (GDPR + LOPD) to which any company or professional is subject, contact us by email at info@businessadapter.es. You can also call 96 131 88 04, or leave your message in this form:
Contact us, we will be pleased to help you: https://businessadapter.es/contacto