EU: Assessing legitimate interests for processing personal data

In this Insight Article, Dr. Tim Walree, of Freshfields Bruckhaus Deringer LLP, provides a compact roadmap for conducting a Legitimate Interests Assessment (LIA) based on the General Data Protection Regulation (GDPR), Court of Justice case law, and EDPB guidelines.

On October 4, 2024, the Court of Justice issued an important ruling on the processing basis of the legitimate interest (KNLTB/AP, C-621/22).

The ruling reaffirms that three cumulative conditions must be met before the data controller can successfully invoke the legitimate interest:

  1. the pursuit of a legitimate interest by the data controller or by a third party;
  2. the need to process personal data for the purposes of the legitimate interests pursued; and
  3. the interests or fundamental freedoms of the data subjects do not outweigh the legitimate interest of the controller or of a third party.

Following that ruling, the European Data Protection Board (EDPB) published Guidelines on processing based on 'legitimate interest.' These Guidelines concretize how organizations can apply the concept of legitimate interest as a legal basis for data processing.

Meeting the three cumulative conditions for a legitimate interest claim requires a thorough and systematic analysis, which is elaborated and documented in a so-called LIA.

By conducting an LIA, organizations are able to:

  • assess whether the cumulative conditions for a legitimate interest claim are met, thus allowing the legitimacy of the data processing to be substantiated in line with the accountability requirement;
  • identify and assess risks to the privacy of data subjects;
  • implement appropriate measures to mitigate the risks; and
  • document and justify why certain choices regarding legitimate interests were made by the organization.

This roadmap consists of the three abovementioned cumulative conditions. Condition 1 (the presence of legitimate interest) and Condition 2 (the need to process personal data) correspond with Step 1 and Step 2 detailed below. For the sake of clarity, we divide Condition 3 (the balancing of interests and rights) into Step 3 and Step 4. For the purpose of a well-documented LIA, we have added a fifth step.

Based on this step-by-step plan, organizations can arrive at a well-documented LIA to substantiate the lawfulness of their processing.

Step 1: Assess whether there is a legitimate interest for the organization to process the personal data

A wide range of interests is, in principle, capable of being regarded as legitimate. It is not required that the interest pursued by a controller is provided for by law in order for the processing of personal data to be legitimate. What is required is that the legitimate interest is not contrary to the law. For example, a controller's commercial interest could constitute a legitimate interest.

Other examples of legitimate interests include:

  • fraud and abuse prevention;
  • ensuring network and information security;
  • internal administrative purposes within a group of undertakings;
  • assessing the creditworthiness of individuals;
  • product improvement; and
  • obtaining personal information of a person in order to sue that person for damages.

Step 2: Is there a need to process personal data for the purposes of the legitimate interests pursued?

The second condition requires organizations to examine whether the interest can also be achieved by other means with a lower impact on the fundamental rights and freedoms of the data subjects, in particular the right to respect for private life and the right to protection of personal data. In other words, organizations must consider whether the intended processing is strictly necessary to pursue the legitimate interest.

The principle of data minimization plays an important role here. Organizations should ask themselves whether the data processing in question is 'adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.'

In some cases, it will be difficult to assess whether the data processing is necessary to pursue the legitimate interest. Sometimes a specific formulation of a legitimate interest may require processing more personal data than a general formulation.

When in doubt about the extent to which the additional data processing is necessary, and thus whether the legitimate interest basis can be invoked, step 3 examines the impact on the data subject. At step 4, organizations may be able to take additional mitigating measures to minimize the consequences of processing more personal data.

Step 3: Do the interests of the organization (or third parties) outweigh the interests of the individuals whose data are being processed?

The third condition requires organizations to examine the extent to which the interests or fundamental rights and freedoms of the data subject outweigh the legitimate interest of the organization (or a third party) in processing the personal data in question. If this is the case, organizations may not successfully rely on the legitimate interest processing ground, even if they have formulated a legitimate interest (step 1) and the processing is necessary to achieve that interest (step 2). If an organization's legitimate interests do outweigh the interests of data subjects, the processing of personal data is permitted. The aim of this balancing exercise is not to avoid any impact on the data subjects. Rather, its purpose is to avoid a disproportionate impact on the data subjects. This can be accomplished by considering various aspects.

Within this balancing exercise, organizations must identify and describe the following elements:

  • the interests and fundamental rights of the data subjects impacted by the envisaged processing. There is a wide array of interests or rights of data subjects that may be affected by data processing, such as financial interests, the right to privacy, or the right to free speech. The legal position of the data subject may also be altered; that too qualifies as a consequence with impact; and
  • the impact of the envisaged processing on the data subjects.

In this regard, organizations must first pay attention to the nature of the personal data to be processed. For example, if sensitive data is processed, such as information about race, health, or finances, the potential impact on data subjects is great. In that case, the balancing of interests is more likely to favor the data subject.

The context of processing must also be considered by organizations, such as:

  • the duration and scale of the processing and the amount of personal data that is going to be processed by the organization;
  • the status of the organization and the relationship between the organization and the data subjects (e.g., whether there is a hierarchical relationship);
  • the extent to which the personal data is processed with other datasets;
  • the degree of accessibility and/or publicity of the personal data to be processed; and
  • the degree of vulnerability of the data subject.

Lastly, with regard to the impact, any further foreseeable consequences of the processing should be taken into account, such as discrimination, financial losses, legal effects, or risks to freedom, safety, physical and mental integrity, or life.

The reasonable expectations of the data subject

In accordance with Recital 47 of the GDPR, the interests and fundamental rights of the data subject may, in particular, override the interest of the data controller where personal data is processed in circumstances where data subjects do not reasonably expect such processing. It should be noted that reasonable expectations do not necessarily depend on the information provided to data subjects by the organization.

When considering what the data subject can expect, the context and relationship between the data subject and the organization play an important role. For example, if there is an existing relationship, then the data subject may be more familiar with the processing. This could make balancing interests more likely to favor the organization.

Step 4: With respect to the envisaged data processing, to what extent can the organization take further measures to limit the impact on data subjects?

In an initial balancing act, organizations will have to weigh their interests against the interests of data subjects. If the outcome of that balancing of interests is in the organization's favor, it may invoke the processing basis of legitimate interest.

However, if the outcome is that the interests of the data subjects outweigh the interests of the organization, the organization may investigate whether there are further mitigating measures that can be taken to reduce the impact on the data subjects, thus still achieving a fair balance. These further measures should be understood to be additional to those measures that organizations should have already taken in any case under the other provisions of the GDPR. In other words, they must go beyond what is already necessary to comply with these legal obligations under the GDPR.

Regarding additional mitigating measures, organizations can do the following with respect to the data processing at issue:

  • take technical and organizational security measures in addition to the necessary measures already in place (such as encryption, logging, and need-to-know access);
  • limit the amount of personal data and duration of processing even further; and
  • provide extra information about the data processing.

If the organization decides to implement any further mitigating measures, it should again perform a balancing test. If it also turns out that after taking additional mitigating measures, the balance of interests is in favor of the data subjects, then invoking the legitimate interest is not possible.

Step 5: Document all steps and be accountable for the choices made

Under the principle of accountability under the GDPR, every organization must be able to demonstrate its compliance with the obligations of the GDPR. This means that organizations must keep detailed documentation of all steps taken to comply with the GDPR. Therefore, it is essential to properly record all of the above steps.

In concrete terms, it is wise to record:

  • what legitimate interest there is for the organization;
  • why legitimate interest was chosen as the basis for processing;
  • why the processing is necessary to pursue the legitimate interest;
  • what interests of the data subject and the organization were weighed against each other and why the balancing of interests turned out in favor of the organization; and
  • what appropriate measures the organization has taken to mitigate risks to data subjects and to what extent the organization has safeguarded the rights of data subjects.

This documentation must be able to be presented to the regulator upon request to show that the processing complies with the requirements of the GDPR.

Dr. Tim Walree Of Counsel
[email protected]
Freshfields Bruckhaus Deringer LLP, Amsterdam