Draft EDPB Guidelines on Data Processing Under Article 6(1)(f) GDPR: Understanding ‘Legitimate Interests’

The European Data Protection Board (EDPB) on 8^th October 2024, issued draft Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) of GDPR(Guidelines) and released it for public consultation on 9^th October 2024. These guidelines shall remain open for comment until 20^th November 2024. 

These draft guidelines lay out the conditions for processing personal data based on “legitimate interest,” balanced against the rights of data subjects and in compliance with other provisions of the GDPR. The guidelines provide a detailed framework for assessing when legitimate interest can lawfully justify data processing.

Understanding GDPR’s Article 6(1)(f) 

Under the GDPR, the legal basis for processing personal data is provided under Article 6. The six-basis outlined under the GDPR provide lawful grounds for the processing of personal data in compliance with the law. Among them, Article 6(1)(f) refers to the “legitimate interests” of a data controller or third party as a lawful basis for processing, provided that these interests are not overridden by the fundamental rights and freedoms of the data subject, with special emphasis on the data of children. Processing by public authorities is in general excluded from the scope of Article 6(1)(f).

Assessing the Applicability of Article 6(1)(f) 

The Guidelines specify three cumulative conditions that must be fulfilled in order to determine whether data can be lawfully processed based on Article 6(1)(f). The listed conditions are as follows:

• The pursuit of a legitimate interest by the controller or by a third party
• The processing of personal data must be necessary for the purposes of the legitimate interest pursued
• The interests or fundamental freedoms and rights of the concerned data subjects do not take precedence over the legitimate interest of the controller or of a third party. For this condition, it is necessary for the controller to evaluate its legitimate interests against the fundamental rights of data subjects in a “balancing exercise” for each processing activity based on legitimate interest.

The Guidelines further provide a three-step assessment to determine the fulfilment of these conditions.

Step 1: Pursuit of a legitimate interest by the controller or a third party

The “interest” pursued by the controller or third party is related to but distinct from the “purpose” of processing data. According to the guidelines, the latter refers to the specific reason for processing data while the former refers to the broader interest or benefit that a controller or third party may have in the processing activity. It is pertinent to note that not all interests qualify under Article 6(1)(f) GDPR. Therefore, the first step is to determine whether the interest is “legitimate.”

There is no exhaustive list of legitimate interests, but examples recognized by the GDPR and the Court of Justice of the European Union (CJEU) include online information access, maintaining publicly accessible websites, and protecting health and property. To be deemed “legitimate,” the interest must meet three cumulative criteria: it must be lawful, clearly articulated, and real and present rather than speculative.

Further, Article 6(1)(f) GDPR specifically refers to legitimate interests pursued by the controller or a third party. Generally, the controller’s interest should relate to its general activities. The provision also acknowledges that specific third-party interests can be balanced against the rights of data subjects. The legitimacy of these third-party interests must be assessed using the same criteria as for the controller’s interests. It’s important to differentiate between specific third-party interests and broader public interests, which are governed by Articles 6(1)(e) or (c). 

Additionally, if personal data is processed for purposes other than its original intent, the controller must ensure compatibility with the initial purpose under Article 6(4) GDPR, particularly when shifting from processing for its own legitimate interest to that of a third party.

Step 2: Analysing the necessity of processing for pursuing a legitimate interest

The second step in assessing legitimate interest under Article 6(1)(f) GDPR is determining the necessity of the data processing activity in the fulfilment of the legitimate interest. “Necessity” means more than what is useful. To assess whether processing is “necessary” under Article 6(1)(f) GDPR, controllers must determine if the legitimate interest can be achieved just as effectively by less intrusive means. If so, the processing is not necessary.

Step 3: Balancing Exercise

Lastly, to rely on Article 6(1)(f) of the GDPR for lawful data processing, the controller must satisfy a balancing test. This involves weighing the legitimate interest pursued by the controller against the fundamental rights and interests of the data subject. Key factors include:

1. Data Subjects’ Interests and Rights: Controllers must consider how the processing impacts rights like privacy, liberty, and freedom of expression, as well as financial or personal interests.
2. Impact on Data Subjects: The nature of the data, its sensitivity, and the context of processing are critical. Sensitive data (e.g., health or criminal data) demand higher protection and pose greater risks to the data subject.
3. Reasonable Expectations: Controllers must account for what data subjects can reasonably expect in terms of their data’s processing, based on their relationship and context.
4. Mitigating Measures: Additional safeguards beyond GDPR compliance may be introduced to reduce the impact on the data subject, ensuring a fair balance.

If the interests and rights of the data subject outweigh the legitimate interest of the controller, processing should not proceed, or mitigating measures must be implemented.

Relationship between Article 6(1)(f) and Data Subject Rights

The GDPR emphasises transparency and the need to uphold the rights of data subjects and this aspect is analysed in the context of processing based on legitimate interest in these guidelines. Controllers must inform data subjects about the legal basis, allow access to the balancing test, and ensure fairness. Key rights include access to data, the right to object, request erasure, rectification, restriction of processing, and protection against automated decision-making. 

Scenarios for Reliance on Article 6(1)(f)

While the application of Article 6(1)(f)may be relevant in variouscontexts, the guidelines provide an illustrious and non-exhaustive list of scenarios or types of data processing where the legal basis of legitimate interest can be relied upon. This list includes:

• Processing of Children’s Data: Article 6(1)(f) GDPR interpreted in line with the Charter and International standards, emphasises a careful balancing test for children, prioritizing their best interests. While the legitimate interests of controllers can coincide with those of children, children’s rights generally prevail in conflicts. Controllers must demonstrate that they have considered children’s best interests and implemented appropriate safeguards, recognizing that assessments will vary based on age and understanding.
• Processing by Public Authorities: Article 6(1)(f) of the GDPR generally does not apply to public authorities processing personal data as part of their official tasks, as established by law. However, in exceptional cases where the processing is unrelated to their official functions, public authorities may rely on Article 6(1)(f), provided it is documented internally and permitted by national law.
• Processing for Prevention of Fraud: Pursuant to Recital 47 of GDPR, processing of data for prevention of fraud is considered a legitimate interest of the controller, provided the processing is strictly necessary for this purpose and fulfils the necessity and balancing tests and complies with principles such as data minimization and purpose limitation. Controllers cannot rely on vague references to “combating fraud” but must clearly specify the type of fraud being targeted.
• Processing for Direct Marketing: Similar to processing for the prevention of fraud, the GDPR permits the processing of data for direct marketing based on legitimate interest. However, not all direct marketing activities automatically qualify. Controllers must ensure compliance with specific legal requirements, such as obtaining consent in accordance with the ePrivacy Directive. Additionally, the right of users to object to such processing is an unconditional right. Controllers should also conduct a case-by-case assessment to ensure that their marketing practices do not infringe on data subjects’ rights.
• Processing by a Group of Undertakings for Internal Management: Transmission of data within a group of undertakings solely for internal management is permitted by the GDPR on the basis of Article 6(1)(f), provided that the necessity and balancing tests are fulfilled. Controllers must also ensure that they comply with national rules on employee data processing and inform employees about the transmission and its legal basis.
• Transmission of Data to Competent Authorities: The guidelines specifically analyse legitimate interest and state that sharing personal data with law enforcement regarding specific criminal acts or threats can be a legitimate interest, but data collection for preventive purposes is not permitted. Additionally, in case of requests made by third-country authorities to disclose data, Controllers must carefully analyse whether such disclosure is mandated by international agreements or permitted under EU law. Disclosing data to non-EU authorities constitutes a cross-border transfer, requiring compliance with the GDPR provisions to maintain equivalent protection standards.

Conclusion

The Guidelines on processing of personal data based on Article 6(1)(f), through detailed explanations and illustrations, provide clarity on the use of “legitimate interest” as a lawful basis for processing data under the GDPR. By outlining the three-step assessment process, the guidelines help controllers clearly establish a legal basis for their processing activities, helping them efficiently balance their interests with the rights of data subjects. The inclusion of specific scenarios and various examples throughout the guidelines provides a more comprehensive understanding of the applicability of Article 6(1)(f). Overall, the guidelines serve as a crucial tool for ensuring that data processing based on legitimate interest is justified, transparent and compliant with GDPR.

Read about the impact of GDPR on digital marketing by clicking here.