
Overview of the EDPB's Guidelines on Legitimate Interests

20/12/2024

In October the European Data Protection Board ("EDPB") released for public consultation the first version of the guidelines on processing of personal data based on Article 6(1)(f) GDPR.

This article will set out an overview of the guidelines, focusing on the highlights from relevant sections.

Summary of Article 6(1)(f)

Article 6(1)(f) is one of the six legal bases for the lawful processing of personal data set out in the GDPR. For data processing to be based on this article, three cumulative conditions must be met:

  • There must be the pursuit of a legitimate interest(s) by a controller or a third party;
  • The need to process the personal data is for the purpose of a legitimate interest(s) being pursued; and
  • The interests or fundamental freedoms and rights of the concerned data subjects do not take precedence over the legitimate interest(s) of the controller or third party.

Overview of the guidelines

The guidelines set out the three steps that controllers should take when assessing the applicability of Article 6(1)(f) GDPR as a legal basis.

Step 1: Pursuit of a legitimate interest by the controller or by a third party

Part 1: "Legitimate" nature of the interest pursued by the controller or by a third party

The guidelines define an "interest" as a "broader stake or benefit that a controller or third party may have in engaging in a specific processing activity". They also acknowledge that, although there is no exhaustive list of "legitimate interests", an interest may be considered legitimate if it meets the following criteria:

  • The interest is lawful;
  • The interest is clearly and precisely articulated; and
  • The interest is real and present and not speculative.

The guidelines give a non-exhaustive list of legitimate interests; examples include:

  • Having access to information online;
  • Ensuring the continued functioning of publicly accessible websites;
  • Obtaining the personal information of a person who damaged someone's property in order to sue that person for damages;
  • Protecting the property, health and life of the co-owners of a building;
  • Product improvement; or
  • Assessing the creditworthiness of individuals.

The EDPB also included a few examples in the guidelines of scenarios where there would be a non-legitimate interest.

Part 2: Interest pursued by the controller or a third party

As a general rule, the interests pursued by a controller should relate to the activities of the controller. The interests of a third party can also be legitimately pursued under Article 6(1)(f). Some examples of where personal data may be processed in the interest of a third party include:

  • Establishment, exercise or defence of legal claims;
  • Disclosure of data for purposes of transparency and accountability;
  • Historical or other kinds of scientific research; or
  • General public interest or third party's interest.

Step 2: Analysis of the necessity of the processing to pursue the legitimate interests

This step outlines that it must be ascertained whether the legitimate interests being pursued can reasonably be achieved by other means that are "less restrictive of the fundamental rights and freedoms of data subjects". If there is a reasonable and just as effective alternative, the processing may not be considered necessary.

It is noted that in practice it is usually easier for a controller to demonstrate the necessity of processing data to pursue its legitimate interest, as compared to a third party looking to demonstrate the same thing.

Step 3: Methodology for the balancing exercise

The balancing exercise entails balancing the opposing rights and interests, which will be dependent on the specific circumstances of the case, with the aim to avoid any disproportionate impact the data processing may have on the data subject, as opposed to any impact at all.

The controller is required to identify and describe:

  • The data subject's interests, fundamental rights and freedoms;
  • The impact of the processing on the data subject (including the nature of the information processed, the context of the processing and any further consequences of the processing);
  • The reasonable expectations of the data subject; and
  • The final balancing of opposing rights and interests (including the possibility of further mitigating measures).

Relationship between Article 6(1)(f) and data subject rights

The guidelines explain how Article 6(1)(f) interacts with a data subject's rights.

When it comes to transparency and information to be provided to data subjects, adoption of measures and safeguards under the fairness principle should support the data subject's transparency rights under the GDPR. If processing is based on Article 6 (1)(f) the legitimate interests pursued must be communicated to the data subject in accordance with Articles 13(1)(d) and 14(2)(b) GDPR.

In regard to the right of access, the EDPB has recommended that controllers provide data subjects with information about the legal basis for the processing of their personal data, or at least indicate where this information can be found, when responding to an access request. This recommendation is made because the right of access must enable the data subject to confirm that their personal data is processed in a lawful manner, something the data subject may not be in a position to ascertain without knowing the legal basis for the processing.

If a data subject uses their right to object against a processing activity based on Article 6(1)(f), the controller must carry out the balancing test under Article 21(1) GDPR, which requires the legitimate interests that the controller is pursuing through the processing to be "compelling". To be considered compelling, the interest should be essential to the controller or third party – simply being beneficial or advantageous to them would not be sufficient. Once a compelling ground has been found, the controller should assess whether this overrides the interests, rights, and freedoms of the data subject, considering the situation of the data subject. This balancing exercise must be documented in accordance with the accountability principle.

With the right to erasure, the guidelines find that, in the context of Article 6(1)(f), this right is often closely linked to the right to object. This may result in a data subject's request being unclear as to whether they wish to obtain the erasure of their personal data. If this is the case, the controller cannot refuse to act on the request because it lacks an indication of the legal ground for the request. The indications given by the data subject in their request, alongside the context of the request, should be taken into account when deciding what to do. If there are any doubts as to the scope of the request, controllers are recommended to ask the data subject to specify their request. As the criteria for determining whether to grant an objection or an erasure request are essentially the same, it is implied that if an objection under Article 21(1) GDPR is granted, a related erasure request under Article 17(1)(c) GDPR should be granted also.

In relation to the right not to be subject to a decision based solely on automated decision-making, Article 6(1)(f) should not be considered Union law authorising automated decision-making within the meaning of Article 22(2)(b) GDPR. Where the controller intends to engage in profiling that would lead to automated decision-making, the guidelines outline the following elements as of particular relevance when performing the balancing exercise before Article 6(1)(f) is invoked as a legal basis:

  • The level of detail of the profile (whether the data subject is profiled within a broad cohort or targeted on a granular level);
  • The comprehensiveness of the profile;
  • The impact of the profiling;
  • The possible future combinations of profiles; and
  • The safeguards ensuring fairness, non-discrimination and accuracy in the profiling process.

With the right to rectification, this can be successfully invoked by the data subject if they can substantiate that the data being processed is objectively incorrect or incomplete. However, the right may not be used to ensure that a certain evaluation reflects the personal opinion of the data subject, or to correct answers at a professional examination that are incorrect.

Lastly, with the right to restriction of processing, of relevance to data processing based on Article 6(1)(f) is the fact that the data subject has the right to obtain from the controller restriction of processing when they have objected under Article 21(1) GDPR to processing based on that article. This restriction applies only pending verification of whether the legitimate interests of the controller override the rights, interests and freedoms of the data subject. Once the verification is concluded, the data should either be deleted or the restriction lifted.

Contextual application of Article 6(1)(f)

The guidelines provide contextual application of Article 6(1)(f) GDPR for several scenarios and sectors:

  • Processing of children's personal data: this requires a careful balancing exercise; the interests of children as data subjects should have high priority and will often outweigh the interests of the controller or third parties. Not all children should be treated equally, with assessments varying depending on the child's age group, level of understanding and whether they are disabled.
  • Processing by public authorities: the legal basis under Article 6(1)(f) shall not apply to processing done by public authorities in the performance of their tasks. However, it can be relied on when the processing is not linked to the performance of their specific tasks or prerogatives as a public service, but concerns other activities lawfully carried out.
  • Processing for the purpose of preventing fraud: the processing of personal data strictly necessary for the purposes of preventing fraud may constitute a legitimate interest of the controller. However, that does not mean that Article 6(1)(f) can be automatically relied on as a legal basis for processing. There is no set definition for "fraud prevention" but it includes all measures intended to prevent fraudulent behaviour. In principle the detection of fraud can be covered but it must be assessed on a case-by-case basis whether a method of detection can be considered suitable for prevention.
  • Processing for direct marketing purposes: direct marketing is not defined in the GDPR. The CJEU has found that, to decide whether a communication counts as direct marketing, it must be ascertained whether the communication pursues a commercial purpose and is addressed directly and individually to a consumer. When assessing whether the processing can be based on Article 6(1)(f), controllers must ascertain whether the marketing interest cannot reasonably be achieved just as effectively by other, less restrictive means. The level of intrusiveness of the proposed marketing practice is a particularly relevant factor to take into account when performing the balancing test.
  • Processing for internal administrative purposes within a group of undertakings: here, Recital 48 GDPR may be taken into account for the first step of the Article 6(1)(f) assessment. When the processing concerns the personal data of employees, controllers should consider the specific rules for processing personal data in the employment context provided by Member States in accordance with Article 88 GDPR. They must also comply with the obligations set out in Articles 12-14 GDPR relating to providing employees with information regarding the processing of their personal data.
  • Processing for the purpose of ensuring network and information security: in Meta v Bundeskartellamt, the CJEU found that it must be ascertained whether and to what extent the processing of the personal data collected from sources outside a social network is necessary to ensure the internal security of that network is not compromised. Where conditions are met, reliance can be placed on Article 6(1)(c) or (e).
  • Transmission of personal data to competent authorities: in regard to indicating possible criminal acts or threats to public security to competent authorities, it is suggested that Recital 50 does not envisage the preventative collection of personal data by private business operators to systematically report possible criminal acts to authorities as a legitimate interest. When it comes to requests from and disclosure to third-country authorities, under certain circumstances Articles 6(1)(c) and (e) are the more appropriate legal bases to rely on. It should also be noted that the transmission of personal data to a third country must comply with the requirements set out in Chapter V GDPR.

Conclusion

With the guidelines having been open to public consultation until 20 November, amendments to the current version are to be expected. The final version will no doubt be a significant tool for assessing whether Article 6(1)(f) is the correct legal basis for the processing of personal data. In particular, it will be an important guide as to what constitutes a "legitimate interest" under Article 6(1)(f).
