Is my processing legitimate…?
In the third post of our “The Articles” Series we are looking at Article 6 – Lawfulness of Processing. Article 6 is quite far reaching, so in this post we are specifically looking at paragraph 1(f), Legitimate Interest, as it is a hot topic, particularly within the Direct Marketing community.
The relevant part of the article states:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The above does not apply where the controller is a public authority: “Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks”.
A Balancing Act
The guidance from the ICO and the Article 29 Working Party is that Legitimate Interest is designed to be a balancing test between the rights of the Controller (or third parties processing on behalf of the Controller) and the rights of data subjects. This makes it difficult to provide definitive answers for a particular scenario.
Secondly, Article 6(1)(f) specifically points out “where the data subject is a child”. In relation to legitimate interest, this indicates that in this instance the balance would have to weigh heavily in favour of the data controller for the processing to be allowable.
If you have specific consent for the processing of PII you intend to carry out, then you will probably not need to rely on legitimate interest as the basis of your processing. However, consent must be as defined in Article 7 of the GDPR (we will be looking at Article 7 – Conditions for consent in a later post in this series). If it is not, you may need to specifically request consent prior to processing, or rely on legitimate interest or some other criteria if possible.
Legitimate Interest Example
There is no definitive set of rules (at the time of writing) from the ICO on legitimate interest; previous guidance gave the following example:
“A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of his new address. The finance company engages a debt collection agency to find the customer and seek repayment of the debt. It discloses the customer’s personal data to the agency for this purpose. Although the customer has not consented to this disclosure, it is made for the purposes of the finance company’s legitimate interests – ie to recover the debt.”
The above seems reasonable as it balances the legitimate interests of the company and those of the Data Subject, i.e. it is reasonable for a company to collect debt owed to it under a contract.
The GDPR does state “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest – Regulation (47)”, but it is not prescriptive about the circumstances under which this would apply, and at the very least it is likely the data controller and/or processor will need to demonstrate this with a balancing test.
The Article 29 Working Party has previously considered the use of legitimate interests, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC – Page 47, and concluded that “informed and unambiguous ‘opt-in’ consent would almost always be required, otherwise further use cannot be considered compatible. Importantly, such consent should be required, for example, for tracking and profiling for purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research”.
And in the same document the Working Party states that the “object of the balancing exercise has shifted: the issue is no longer about the right to free commercial speech, but primarily the economic interests of business organisations to get to know their customers by tracking and monitoring their activities online and offline, which should be balanced against the (fundamental) rights to privacy and the protection of personal data of these individuals and their interest not to be unduly monitored.”
In other words, consent should be the basis for processing PII for behavioural advertising.
Note: Legitimate interest is a complicated area of GDPR. This post is intended to highlight some of the important areas to be considered and to illustrate the considerations that need to be applied. If your organisation is considering legitimate interest as a premise for processing PII then make sure you seek the appropriate guidance.
If you would like to know more about how GDPR Auditing can help your organisation with the GDPR or have any suggestions of future posts for this series please email us at firstname.lastname@example.org or email the author email@example.com.
© GDPR Auditing 2017
The information provided in this post is for general information only and is not intended to provide legal advice.