20 Nov MAY I ARGUE THAT I HAVE A LEGITIMATE INTEREST AS THE SOLE JUSTIFICATION FOR THE TREATMENT OF THIRD PARTY PERSONAL DATA IN SPAIN?
Yes, you can. And this is because the General Data Protection Regulation (GDPR) in its article 7, letter F, includes the legitimate interest of the data controller as the 7th possible option for a basis that allows the lawful treatment of the personal data.
As a data controller how can I be sure that I am covered by my legitimate interest?
The legal standard urges to apply a balancing test: what is necessary for the legitimate interest of the data controller as the person responsible for the treatment (or third parties) must be weighed in relation to the interests or fundamental rights and freedoms of the person concerned. The result of this weighing test will determine whether such legitimate interest can be considered a legal basis for treatment.
Does this mean that this option of justification for dealing with personal data can only be used sparingly only to cover gaps in rare or unforeseen situations such as a last choice, or as a last resort if other basis cannot be used?
No, that doesn’t mean that. There is no legal indication that the justification of legitimate interest should only be applied in exceptional cases and the legal text does not suggest in any other way that the specific order of the other six legal bases has any legal relevant effect. In fact the Working Group of article 29 (currently the European Data Protection Board (EDPB)) has ruled that it is one of the various ways of justification, on the basis of equality with others such as the express consent of the affected, or the legal obligation, for example. And this legitimate interest has its own scope, although it must not be perceived as a preferential option nor should it be used in an undue manner because it is considered less restrictive than the other foundations.
What’s with the balancing test?
Yes, I know: This is an elusive and apparently open concept. And like this one there are many others in the new regulations in this field and others. It could be said that the state of things and social evolutions are leading our legislators to begin to put in the hands of the citizens themselves a certain autonomy of decision or free will against that distrustful profusion of detailed and exhaustive lists of situations, descriptions and casuistic to which we are accustomed. It is a trend that can either be regarded as dangerous for so-called legal certainty or have the advantage of leaving room for interpretation and balance of interests.
The balancing test is a test to be made by the person responsible for the data processing (data controller), by himself or aided by a specialized advisor or a Data protection delegate (DPO) and can lead to the conclusion, in certain cases, that the balance is inclined to favor of the interests and fundamental rights of those concerned and that, consequently, the treatment cannot be carried out.
It should also be emphasized that the reason for the legitimate interest, together with other fundamentals besides consent, requires an examination of the ‘ need ‘ of the personal data request.
The legitimate interest and the other fundamentals of article 7 are alternative bases, and therefore it is sufficient to apply one of them.
Thus, two interests must be put into play in the weighing: the ones of the data controller, and on the other hand the interests of those who will be affected in terms of their fundamental rights
The concept of ‘ interest ‘ is closely related to the concept of ‘ purpose ‘, which is the specific reason for dealing with data: The purpose or intent of data processing. An interest, on the other hand, refers to greater implication that the data controller may have in the treatment, or to the benefit that the person in charge of the treatment obtains-or that the society can obtain-of the treatment.
For example, a company may have an interest in ensuring the health and safety of personnel working in its nuclear power plant. Therefore, the company may aim at the application of specific access control procedures to justify the treatment of certain specific personal data in order to ensure the health and safety of the personnel.
What makes an interest in “legitimate” or “illegitimate”?
In the opinion of the Working Group 29, the concept of legitimate interest could include a wide range of interests, both trivial and very pressing, both clear and controversial. So it will be in a second phase, in trying to weigh those interests in relation to the interests and fundamental rights of those affected, when a more restricted approach should be taken and a deeper analysis carried out.
The following is a non-exhaustive list of some of the most common contexts in which the question of legitimate interest may arise within the meaning of article 7 (f). It is presented below without prejudice to whether the interests of the person in charge of the treatment will ultimately prevail over the interests and rights of those concerned when the test is carried out.
- Exercising the right to freedom of expression or information, including situations in which such law is exercised in the media and in the arts;
- Conventional prospecting and other forms of marketing or advertising;
- Non-commercial messages that have not been requested, including those pertaining to political campaigns or fundraising for charitable organizations;
- The enforcement of rights recognised in judicial proceedings, including the collection of debts through extrajudicial procedures;
- Prevention of fraud, misuse of services or money laundering;
- Supervision of employees for security or management purposes;
- Internal reporting regimes of irregularities;
- Physical security, information technology and network security;
- Treatment for historical, scientific or statistical purposes;
- Treatment for research purposes (including market research).
Therefore, an interest may be considered legitimate provided that the person responsible for the treatment can pursue this interest in accordance with the laws relating to data protection and the rest of the legislation. In other words, a legitimate interest should be ‘ acceptable under the law ‘.
Therefore, a ‘ legitimate interest ‘ which is relevant under article 7 (f)) must:
-Be lawful (i.e. in accordance with applicable national and EU legislation);
-Be articulated with sufficient clarity to allow the test of weighing to take place in contrast to the interests and fundamental rights of the person concerned (i.e. sufficiently specific);
-Represent a real and current interest (i.e., non-speculative).
The fact that the person responsible for the treatment has such legitimate interest in the treatment of certain data does not mean that he can, necessarily, use Article 7 (f)) as its legal basis. The legitimacy of the person responsible for treatment is only a starting point, one of the elements to be analysed under article 7 (f)). Whether article 7 (f)), may be used as a legal basis or not will depend on the result of the following weighing test.