The General Data Protection Regulation requires compliance with various principles for the processing of legally compliant personal data (Article 5 GDPR). One of these principles is the legality of data processing, which is further specified in Article 6 GDPR with a final catalogue of conditions (permit, justification). In this context, there is talk of a ban with a reserve of authorisation. At least one of the conditions mentioned must be met to assume that the processing of the data is lawful.

The processing of personal data is therefore only legitimate if (abbreviated):

• on the basis of the person’s consent (paragraph 1 letter a);
• is required to carry out a contract or pre-contractual measures (paragraph 1 b);
• it is necessary to fulfil a legal obligation (paragraph 1 c);
• is necessary to protect vital interests (paragraph 1 letter d);
• It is necessary for the execution of a task in the public interest or in the exercise of official authority (paragraph 1 letter e);
• Or, it is necessary to safeguard the legitimate interests of the responsible person or a third party (paragraph 1 letter f).

The conditions mentioned do not constitute a hierarchical hierarchy to justify legality, but can be met individually or in groups. However, there are still qualitative differences: it is the condition to leave. very specifically and unequivocally formulated after consent, this is the condition to be left. f formulated in a much more open way after protecting legitimate interests. This has the consequence that under the conditions of lst. f subscribe to many different facts that are not covered by the other conditions. However, it also means that applying this condition to establish the legality of data processing requires a more elaborate justification. In addition, the processing of personal data on the basis of lit.

Balancing interests

It is literally mentioned into the article 6 paragraph 1 letter f of the GDPR:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

This sentence shows that in order to enforce the provision, the legitimate interests of the responsible (or a third party) must be assessed against the interests, fundamental rights and freedoms of the person concerned. This must always be done in individual cases – the general balance of interests is not allowed – and the interests of the person concerned must not in any way exceed them. On the contrary, this means that the legitimate interests of the responsible person or a third party must exceed those of the person concerned or at least be fairly weighted.

For the actual balance of interests, the existence of an actual legitimate interest of the responsible person (or a third party) must first be established. So you have to check whether the processing of personal data is really necessary for this interest and to achieve the associated purpose, that is, if the processing of data is the most delicate means. Finally, it must be checked whether the interests or fundamental rights and freedoms of the person concerned do not predominate. Any protective measures to be taken must be taken into account. Only if all three points can be answered in the affirmative, the reference to Article 6 paragraph 1 lett. f Legitimate GDPR for the legality of data processing. The burden of proof rests with the processor.

If you are a child under the age of 18, your interests must be particularly high or the requirements must be weighed against particularly strict requirements. Before the child reaches the age of 16, the child’s interests must be compensated.

Legitimate interests (examples)

There are countless examples of legitimate interests. In principle, it is possible to include any legitimate interest of a treatment manager or a third party (whether legal, factual, economic or ideal) recognized by a legal system. According to the GDPR, the processing of personal data can result from a legitimate interest:

• Exercise special fundamental rights such as freedom of expression, the press and broadcasting;
• professional freedom;
• fight fraud (ErwG 47);
• (ErwG 47);
• small business privilege (ErwG 48);
• IT security (ErwG 49);
• to show criminally relevant facts (ErwG 50);
• if the data was obviously made public by the person concerned;
• to enforce, exercise or defend legal action.

Apart from that, the authorities cannot exercise their sovereign activity on Article 6 paragraph 1 letter f GDPR, because all their public duties require a legal basis. At most, however, they can refer to their legitimate interest in processing data outside of fulfilling their public duties (for example, when evaluating visits to their website or sending Christmas cards).

Test scheme for processors

The following test scheme for balancing the interests of data processors on the basis of Article 6 paragraph 1 lett. f The GDPR is based on the observations of WP 217 of the data protection group referred to in Article 29:

1. First of all, it is important to consider the legal basis under Article 6 paragraph 1 of the GDPR may be applicable for expected data processing.
2. If the legal basis of Article 6 paragraph 1. letter f og the GDPR (legitimate interest) must be applied, it must be clarified whether the interest under consideration should be classified as “legitimate” or “unauthorized”. In order for an interest to be considered legitimate, it must meet the following requirements cumulatively:
   (a) must be legal (i.e. it must comply with applicable EU and EU/EEA member state law);b) must be articulated clearly enough so that it can be assessed against the interests and fundamental rights of the person concerned (i.e. it must be sufficiently specific);
   c) must represent a current and current interest (i.e. it must not be speculative).
3. It is also necessary to determine whether treatment is really necessary to achieve the interest pursued. It is important to assess whether there are other, less invasive means to achieve the legitimate interest of the person responsible.
4. The next step is to assess whether the fundamental rights or interests of the person should be weighted above the legitimate interest of the person responsible.
5. The result of the last step must therefore be re-verified taking into account any additional protective measures to be taken and must be ensured that the fundamental rights or interests of the person concerned do not override the legitimate interests of the person responsible.
6. Finally, evidence of compliance and transparency must be provided towards the person concerned.
7. Finally, the controller must check what the further procedure is or on what other legal basis on which his data processing could possibly be based if the person exercising his right of opposition.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DEL LIECHTENSTEIN