On April 9, 2014, the Article 29 Working Party (the “Working Party”) issued an Opinion on using the “legitimate interests” ground listed in Article 7 of the EU Data Protection Directive 95/46/EC as the basis for lawful processing of personal data. Citing “legitimate interests” as a ground for data processing requires a balancing test, and it may be relied on only if (1) the data processing is necessary for the legitimate interests of the controller (or third parties), and (2) such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. With the Opinion, the Working Party aims to ensure a common understanding of this concept.
First, the Working Party clarifies that the “legitimate interests” balancing test must take into consideration a number of different factors (e.g., the nature of the data, the way the data are being processed). By breaking down the process into several steps and providing practical examples, the Working Party provides detailed guidance on how to carry out this complex assessment. The Working Party also examines the relationship of the “legitimate interests” ground to the other grounds for lawful data processing (e.g., consent), and stresses that the order in which the legal grounds for data processing are listed in Article 7 (with “legitimate interests” being the last on the list) does not mean that the “legitimate interests” criterion should be applied only in exceptional cases, or as a “last resort.”
Second, the Working Party recommends providing guidance on the application of this criterion in the text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). In particular, the Working Party recommends that the Proposed Regulation include a recital that provides a non-exhaustive list of key factors to be considered when applying the balancing test, and a recital stating that data controllers who invoke the “legitimate interests” ground should conduct (and document) the assessment described in the Opinion. Finally, the Working Party recommends adding to the Proposed Regulation a specific requirement for data controllers to explain to data subjects why they believe their interests would not be overridden by the data subjects’ interests, fundamental rights and freedoms. In addition, upon request, data controllers should make available to data protection authorities the documentation upon which they based the assessment they have conducted before using “legitimate interests” as the ground for processing personal data.