Recently, the European Data Protection Board (EDPB) published the first version of Guidelines 1/2024, focused on the processing of personal data based on the legitimate interest of the data controller, in accordance with Article 6.1.f of the General Data Protection Regulation (GDPR). Metricson, a prominent legal boutique specialized in startups and technology companies, has provided a series of recommendations for the correct application of these guidelines.

Teresa Miquel, director of the compliance, privacy and intellectual property area at Metricson, highlights the importance of applying data processing based on legitimate interest with the utmost rigor. According to Miquel, “data processing based on legitimate interest is a valuable tool for companies and data controllers, but it must be applied rigorously. The EDPB guidelines underline the importance of carefully assessing whether the fundamental rights and freedoms of data subjects are not disproportionately affected.”

Data processing based on legitimate interest

The EDPB guidelines highlight three essential conditions that must be met cumulatively for data processing to be considered lawful:

  1. Existence of a legitimate interest: This interest must be clear, lawful, real and current, not hypothetical. Furthermore, it must be related to the activities of the controller or a third party. An example is ensuring the continued functionality of a publicly accessible website.
  2. Necessity of the processing: It is crucial to assess whether the purposes of the legitimate interest could be achieved through less invasive means. This analysis must take into account the principle of data minimization.
  3. Balance between rights and interests: The data controller must strike a careful balance between the impact on the data subjects and the legitimate interests pursued. Key factors to consider include the nature of the data, the context of the processing and the reasonable expectations of the data subject. If the impact is significant, it is recommended to implement mitigating measures to minimize the risks.

Miquel adds that “the weighting does not seek to eliminate any repercussions on the interested party, but rather to avoid disproportionate impacts. It is essential to document this process transparently to be prepared for audits or possible claims.”

In addition to these general conditions, the EDPB guidelines also address specific aspects that require special attention:

  • Protection of minors’ data: Minors’ data requires enhanced protection due to their vulnerability.
  • Public authorities: These cannot rely on legitimate interest for the performance of their functions, as they must comply with other legal requirements.
  • Fraud prevention and direct marketing: Specific guidelines are established on how to apply Article 6.1.f in these contexts, ensuring that practices are transparent and respectful of the rights of data subjects.