The European Data Protection Board (EDPB) recently released new guidelines on processing personal data on the legal basis of legitimate interests. Legitimate interests are considered to be the most flexible legal basis when processing personal data.
This basis differs from the other legal bases under Article 6, which each centre on a particular purpose (e.g. performing a contract with the individual, complying with a legal obligation, protecting vital interests or carrying out a public task).
These EDPB guidelines, adopted on 8 October 2024, provide a detailed framework for businesses and organisations to ensure their data processing activities are lawful when relying on legitimate interests.
Key points from the guidelines:
- Three cumulative conditions: To lawfully process personal data under Article 6(1)(f), three conditions must be met:
  - The controller or a third party must pursue a legitimate interest.
  - The processing must be necessary for the legitimate interest.
  - The interests or fundamental rights and freedoms of the data subject must not override the legitimate interest.
- Legitimate interest: Not all interests qualify as legitimate. They must be lawful, clearly articulated, and present. Controllers must inform data subjects about the legitimate interests pursued.
- Necessity of processing: The processing must be strictly necessary for the legitimate interest. If the same result can be achieved by less intrusive means, those should be used instead.
- Balancing test: Controllers must balance their legitimate interests against the rights and freedoms of data subjects. This involves considering the nature of the data, the context of processing, and the potential impact on data subjects.
- Transparency and data subject rights: Controllers must be transparent about their processing activities and ensure data subjects can exercise their rights, such as access, rectification, and objection.
- Specific contexts: The guidelines provide specific examples of contexts where legitimate interests might apply, such as fraud prevention, direct marketing, and network security. However, each case requires careful assessment to ensure compliance.
These guidelines emphasise the importance of a thorough and documented assessment before relying on legitimate interests as a legal basis for data processing. UK businesses should review their processing of personal data relating to data subjects in the EU to ensure it aligns with these standards.