The new EDPB guidelines on the processing of personal data based on legitimate interest

On October 8, 2024, the European Data Protection Board (“EDPB”) published a draft version of its guidelines on the processing of personal data based on Article 6(1)(f) GDPR (the “Guidelines”), initiating a public consultation period that will close on November 20, 2024. The document provides crucial interpretative clarifications on one of the most debated and complex legal bases under the GDPR: legitimate interest. This article examines the main points of interest and novelties in the Guidelines.

Context and content

The Guidelines are divided into four main sections: (i) the first, introductory section frames legitimate interest from a regulatory perspective; (ii) the second is dedicated to the notion of legitimate interest; (iii) the third addresses the most complex aspect of legitimate interest, the balancing of the controller’s interests against the rights of the data subjects; and (iv) the fourth section outlines some of the most common application areas. This new EDPB initiative (marking the second edition of these Guidelines) is particularly valuable because it addresses the numerous interpretative uncertainties that have long characterized the application of this legal basis in data processing activities.

The Notion of legitimate interest

The EDPB precisely outlines the contours of legitimate interest, reiterating the literal formulation of Article 6(1)(f) GDPR and breaking down its essential elements: “the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” From this formulation, the EDPB, following the case law of the Court of Justice, identifies three essential cumulative conditions, each of which must be met to lawfully rely on this legal basis:

  • the controller or third party must pursue a “legitimate” interest. The EDPB acknowledges that defining a precise set of legitimate interests is a challenging task and that a comprehensive list is not possible. However, it identifies three requirements that a legitimate interest must meet: 1) it must be lawful; 2) it must be clearly and precisely articulated; and 3) it must be real and present, not speculative;
  • the processing must be necessary for pursuing the legitimate interest, meaning there must be no less intrusive alternatives with the same effectiveness;
  • there must be a balancing of the controller’s interests and the data subject’s rights: this balancing is conducted using a structured, case-by-case methodology, which includes considerations regarding the nature of the data, the reasonable expectations of the data subject (e.g., an employee might reasonably expect their data to be processed for internal administrative purposes, but not for marketing purposes), and the impact of the processing on the fundamental rights of the data subjects.

Balancing conflicting interests

The third section of the Guidelines examines the relationship between Article 6(1)(f) GDPR and the rights of data subjects, aiming to outline the limits of applying legitimate interest as a legal basis and emphasizing the need to safeguard the fundamental rights and freedoms of the data subjects. The legitimate interest, as stated in the GDPR itself, must be balanced against the rights of the data subjects, and it must give way where those rights prevail. In this context, transparency obligations and the need to facilitate the exercise of data subject rights, including the rights of access, erasure, and objection to processing, become particularly relevant.

The EDPB also highlights the importance for controllers to integrate technical and organizational measures to protect data subjects’ rights during data processing.

Application Areas

In the fourth section of the Guidelines, the EDPB analyzes some of the most frequent practical applications of legitimate interest, providing controllers with concrete indications for guiding their assessments.

Direct marketing represents one of the most significant and complex areas: in the absence of a definition within the GDPR, the Court of Justice has defined it as a form of personalized advertising, characterized by the sending of direct and individualized promotional communications. The greatest challenge in this area lies in evaluating the reasonable expectations of the data subjects, who might not expect such processing if not adequately informed: although Recital 47 of the GDPR explicitly mentions it as a possible legitimate interest, the EDPB clarifies that this indication does not constitute a general authorization. The ability to base direct marketing activities on legitimate interest indeed requires a detailed assessment that considers the nature of the marketing activity (distinguishing between more or less intrusive forms), the context of the relationship with the data subject (e.g., the existence of a prior commercial relationship), and the reasonable expectations of the data subjects. Special attention must be given to profiling and tracking activities for marketing purposes, where the balancing test is unlikely to yield a positive result, especially when involving tracking individuals across multiple websites, devices, or services.

Network protection and security is another area of practical interest: the EDPB, also recalling Recital 49 of the GDPR and Recital 121 of the NIS 2 Directive, recognizes that measures aimed at ensuring an adequate level of network security may involve the processing of personal data and find a legal basis in legitimate interest. However, as clarified by the Court of Justice in the Meta v. Bundeskartellamt case, it is necessary to verify that the processing is indeed necessary to ensure network security and that no less invasive means exist to achieve the same objective. In this context, particular attention should be paid to security solutions involving deep packet inspection or other invasive forms of communication content analysis.

Fraud prevention is also a significant area: the EDPB acknowledges that a service provider may have a legitimate commercial interest in ensuring that its customers do not misuse the service, an interest that may coincide with that of other customers and third parties to prevent fraudulent activities. However, the Guidelines emphasize that the processing must be “strictly necessary” for this purpose, as expressly stated in Recital 47 of the GDPR. This implies a rigorous evaluation of the proportionality of the processing and its duration, as well as the adoption of appropriate safeguards. Controllers must also be specific about the type of fraud they intend to prevent and the data actually necessary for this purpose.

Another practical application area concerns processing for internal administrative purposes within corporate groups: Recital 48 of the GDPR recognizes that controllers within a corporate group may have a legitimate interest in transmitting personal data within the group for internal administrative purposes. However, the EDPB reiterates that this provision does not provide a “blank check” for intra-group data sharing, but still requires a case-by-case assessment of the necessity of the processing and the balancing of interests with the rights of the data subjects. Particular attention should be given when processing employee data, considering the specific protections provided by national labor laws under Article 88 of the GDPR.

Finally, the specific case of data transmission to competent authorities is addressed: the EDPB, interpreting Recital 50 of the GDPR in light of recent Court of Justice case law, clarifies that the reporting of possible crimes or threats to public security may constitute a legitimate interest of the controller, but only in relation to individual or specific cases. The general and preventive collection of personal data by private operators for systematic reporting to law enforcement authorities is not permissible.

Conclusions

The new EDPB Guidelines highlight that using legitimate interest as a legal basis requires a thorough and well-documented preliminary assessment. It is not a “last resort” legal basis but must be considered with rigor and responsibility, always taking into account the fundamental principles of the GDPR, such as data minimization and transparency.

The public consultation open until November 20, 2024, offers an important opportunity for stakeholders to contribute to the refinement of this document: feedback from the business community, trade associations, and industry professionals could lead to further clarifications or practical adjustments in the guidance provided, especially regarding more complex application areas such as direct marketing or fraud prevention. It is reasonable to expect that the final version of the Guidelines, scheduled for the first quarter of 2025, may include additional practical examples and operational specifications requested by industry operators.

The real challenge for controllers in the coming months will be twofold: on the one hand, they will need to review existing processing activities based on legitimate interest in light of the new guidance, adequately documenting the assessments made; on the other, they will need to implement structured decision-making processes for new processing activities, possibly already aligned with the guidance that will emerge from the public consultation. In this sense, it may be prudent to adopt a conservative approach from the outset, favoring restrictive interpretations of legitimate interest in doubtful cases.

In a context where digitalization pushes towards increasingly complex and pervasive processing activities, the ability to conduct this assessment correctly will become a key skill for any organization. An interdisciplinary approach involving not only privacy experts but also technical and business figures will be essential, accompanied by constant monitoring of interpretative developments following the publication of the final version of the Guidelines.

In the meantime, controllers would do well to begin mapping processing activities based on legitimate interest and preparing the necessary documentation to demonstrate compliance with the new guidance; this proactive approach will allow them to identify any critical issues and plan the necessary corrective actions well in advance of the adoption of the final version of the Guidelines, optimizing the time and resources needed for compliance.
