NJORD Estonia: Does anyone's interest constitute a "legitimate interest" in data processing?
According to the General Data Protection Regulation (GDPR), the processing of personal data must have an appropriate legal basis. Legitimate interest is one of the legal bases, which often raises questions for companies.
Several companies have asked in which cases of personal data processing legitimate interest may be used, and what exactly the so-called "balancing test" is.
The GDPR does not provide a comprehensive list of the cases in which legitimate interest applies. Relying on legitimate interest should be considered when the other legal bases (in particular, the data subject's consent, or the necessity of the processing for the performance of a contract with the data subject) are not suitable in the given situation.
Although various cases of personal data processing may be based on legitimate interest, certain conditions must be fulfilled. Namely, the GDPR stipulates that the controller may rely on legitimate interest only where the interests of the controller (or of a third party) are not overridden by the interests or fundamental rights and freedoms of the data subject. To ensure this, a so-called balancing test must be carried out.
What is a balancing test? It is a legal analysis that sets out the controller's (or third party's) legitimate interest. For example, a company processes the personal data of its employees by publishing their photos on its website. The company's legitimate interest in that case is to increase its sales performance (by advertising itself and its team to potential clients). The analysis must then examine whether this processing of personal data is necessary for achieving the company's goals, whether the data subject can reasonably expect such processing, and what the potential consequences of the processing are for the data subject. As a result of the balancing test, the controller concludes whether legitimate interest can be relied on in this case or not.
The more intrusive the processing of personal data is (e.g. profiling), the more carefully the balancing test must consider how the protection of the data subject's rights is guaranteed. Special attention must also be paid to the reasoning of the balancing test where the data subject is a child.
Clients have often asked me who should sign the balancing test. The GDPR does not specify that. The balancing test may be signed by the data protection officer (DPO) or a member of the management board.
A properly prepared balancing test is important because Article 5(2) of the GDPR establishes the "accountability principle". Under the accountability principle, the controller must comply with the principles of personal data processing set out in the GDPR and be able to demonstrate that compliance. The controller should therefore be prepared to explain its reliance on legitimate interest both to the data subject and to the Data Protection Inspectorate.