On 04 October 2024, the CJEU passed a ruling on whether organizations can rely on a ‘legitimate interest’ (LI) basis under the GDPR when processing personal data for commercial purposes. Following the ruling, on 08 October 2024, the European Data Protection Board (EDPB) released draft guidelines on the legitimate interest legal basis for processing personal data. The following is an overview of the EDPB draft guidelines.
Elements to be Considered When Assessing the Applicability of Legitimate Interest Basis
EDPB provides three-tier cumulative criteria that should be met to rely on Article 6(1)(f) GDPR (legitimate interest as a basis for processing).
- The pursuit of a legitimate interest (LI) by the controller or by a third party;
- The processing is strictly necessary for the purposes of the LI(s);
- The interests or fundamental rights and freedoms of data subjects do not take precedence over the LI(s) of the controller or of a third party.
EDPB provides the following three-step assessment for determining if LI(s) can be relied on:
1st step: Pursuit of a LI by the controller or by a third party
An ‘interest’ is the broader stake or benefit that an entity may have in engaging in a processing activity. An interest may be considered ‘legitimate’ if the following cumulative criteria are met:
- The interest is lawful, i.e., not contrary to EU or member state law,
- The interest is clearly and precisely articulated, and
- The interest is real and present and not speculative. The LI(s) must be present and effective at the date of the data processing and not be hypothetical.
The interest pursued by the controller should be related to its actual activities. Sharing information with law enforcement authorities for handling criminal matters would not constitute a LI pursued by a controller whose activity is essentially economic and commercial in nature.
The interest(s) of one or more specific third parties may also be legitimately pursued within the meaning of Article 6(1)(f), including a third party’s interest in exercising or defending legal claims or seeking disclosure of data for transparency or accountability purposes, or historical or scientific research.
2nd step: Analysis of the necessity of the processing to pursue the LI(s)
Assessing what is ‘necessary’ involves ascertaining whether the LI(s) pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects. In this respect, the principles of data minimization and purpose limitation should also be taken into account.
3rd step: Methodology for the balancing exercise
The purpose of the balancing exercise is to avoid a disproportionate impact on the data subjects. For conducting the exercise, the controller must describe the following:
1. The data subjects’ interests, fundamental rights and freedoms.
The fundamental rights and freedoms of the data subjects include the right to data protection and privacy, but also other fundamental rights and freedoms, such as the right to liberty and security, which may be affected by the processing, either directly or indirectly.
The interests of the data subjects to be taken into account include any interest that may be affected by the processing at stake, including financial, social or personal interests.
2. The impact of the processing on data subjects, including:
a. The nature of the data to be processed,
In qualifying the nature of the data, the controller should consider the following:
- Special categories of personal data enjoy additional protection. A set of data that contains at least one sensitive data item is deemed sensitive data in its entirety. Moreover, it should be assessed whether it is objectively possible to infer sensitive information from the data processed, irrespective of any intention of actually doing so.
- Personal data relating to criminal convictions and offenses enjoy additional protection.
- The types of data that data subjects generally consider to be more private (e.g., financial or location data), or rather of a more public nature (e.g., professional information).
Processing of sensitive or private data is generally more likely to have a negative impact on data subjects, but other data could also have a significant impact, depending on the context.
b. The context of the processing,
When considering the context of processing, the controller should consider the following:
- The scale of the processing and amount of personal data to be processed,
- The volume of data, the volume of data per data subject, and the number of data subjects,
- Status of the controller, including vis-à-vis the data subject,
- Whether personal data to be processed are combined with other data sets,
- Degree of accessibility and/or publicity of the data to be processed, and
- Status of the data subject (e.g., vulnerable individuals) - children merit special protection, particularly when their data is used for marketing or profiling.
c. Any further consequences of the processing.
Controllers should consider potential further consequences for the data subjects, including legal consequences, discrimination, financial loss, risk to life or property, defamation, emotional impacts, and the chilling effect resulting from continuous monitoring or the risk of identification. When assessing the impact of processing, an objective assessment is required. In cases where many individuals share the same interests, a collective assessment may suffice, but for more intrusive processing, specific circumstances must be considered. Controllers should not assume all data subjects share identical interests, especially when there are clear indications of individual concerns, such as in employer-employee relationships. The impact weighed in the assessment should already be the minimal impact achievable given the GDPR requirement of purpose limitation. If high risks are identified, a Data Protection Impact Assessment (DPIA) should be conducted.
3. The reasonable expectations of the data subject.
The reasonable expectations of the data subject serve as a key factor in determining whether the processing overrides their rights and interests, as they limit the risk that data subjects may be unduly surprised by the processing or its impacts. The fact that certain processing activities are common in a sector does not necessarily mean that the data subject can reasonably expect such processing. Reasonable expectations do not solely depend on the provision of information under Articles 12-14 of the GDPR. The following factors are also relevant in this consideration:
- Characteristics of the relationship with the data subject or of the service:
  - The very existence of a relationship with the data subject and its proximity,
  - The place and context of the data collection,
  - The nature and characteristics of the service,
  - Applicable legal requirements.
- Characteristics of the “average” data subject (with the exception of a scenario where processing concerns data subjects with different characteristics):
  - The age of the data subject,
  - The extent to which the data subject is a public figure, and
  - The (professional) position that the data subject holds and the expected level of understanding and knowledge of the envisaged processing.
4. The final balancing of opposing rights and interests
If, as a result of the balancing exercise, it is determined that the rights and freedoms of data subjects override the LIs being pursued, the controller may consider introducing mitigation measures to limit the impact of the processing, and then carry out a new balancing exercise to assess the impact of the changes. Measures that the controller is in any case legally required to adopt under the GDPR do not count as mitigating measures for this purpose. The controller bears the burden of demonstrating that the balancing test has been conducted appropriately.
Article 6(1)(f) and Data Subject Rights
EDPB comments on the various data subject rights that come into play when legitimate interest is the legal basis for the processing of personal data.
1. Transparency
Controllers relying on the LI(s) basis must meet GDPR transparency obligations, ensuring fairness, accessibility, and comprehensibility. Data subjects should be informed that the processing is based on legitimate interests and made aware of the specific interest pursued. The controller can also provide the data subject with information from the balancing test prior to any personal data collection. In any case, the information provided should make it clear that the data subject can obtain information on the balancing test upon request.
2. Right of access
Data subjects have the right to know if their data is being processed, to have access to their personal data, and to be provided with further information about the processing. Although there is no explicit obligation under the GDPR to provide information about the legal basis for processing, the EDPB has recommended that controllers also provide this information – or indicate where it can be found – in response to a request for access.
3. Right to object
The data subject has the right to object to the processing of their personal data. After an objection, the controller can no longer process the personal data unless there are overriding ‘compelling’ legitimate grounds which take precedence over the interests and rights of the data subject, which should be demonstrated by the controller. Not all conceivable legitimate interests that may justify processing under Article 6(1)(f) GDPR are relevant here - only those interests that are essential to the controller (or to the third party in whose LI(s) the data is being processed). Showing that processing would simply be beneficial or advantageous to the controller would not necessarily meet this threshold.
4. Right to erasure
Under the GDPR, data subjects have the right to obtain the erasure of their personal data from the controller, including when the legal basis is LI(s).
5. Automated individual decision-making, including profiling
Article 22 of the GDPR gives data subjects the right not to be subjected to decisions based solely on automated processing, including profiling, unless specific exceptions apply. However, not all profiling activities fall under automated decision-making. When invoking the LI(s) basis for profiling, several factors must be considered, including:
- The detail of the profile (e.g., broad vs. granular targeting),
- The comprehensiveness of the personal description,
- The impact on data subjects,
- Potential future combination of profiles, and
- Safeguards to ensure fairness, non-discrimination, and accuracy in the profiling process.
6. Right to rectification
As per the GDPR, the data subject has the right to ask and obtain from the controller the correction of inaccurate data and the completion of incomplete data, regardless of which legal basis is relied on.
7. Right to restriction of processing
In certain circumstances, data subjects may request a restriction of the processing of their personal data, which entails marking the stored personal data and limiting its processing. The controller may retain the personal data but must cease other processing activities (except in the cases provided for in Article 18(2) GDPR).
Contextual Application of Article 6(1)(f) GDPR
EDPB also comments on different scenarios in which legitimate interest(s) could be relied upon as a ground for processing personal data.
Processing of children’s personal data
When performing a balancing exercise to assess whether LI(s) basis may be relied on, special care must be taken if children are data subjects, using their best interest as a guide. This assessment will likely vary greatly with regard to, e.g., different age groups with varying levels of understanding or children with disabilities. Specific protection should particularly apply to the processing of the personal data of children for the purposes of marketing, profiling, or offering services aimed directly at children.
Processing by public authorities
Public authorities generally cannot rely on the LI(s) basis when performing their official tasks, as these must be authorized by law. However, in exceptional cases, they may rely on it if the processing is unrelated to the performance of their specific tasks or the exercise of their prerogatives as public authorities, provided this is allowed by national law and documented internally.
Processing for the purpose of preventing fraud
GDPR Recital 47 allows data processing in the field of fraud prevention to be based on the LI(s) ground, provided the interest pursued is legitimate and fulfills the necessity and balancing tests.
Processing for direct marketing purposes
As per GDPR Recital 47, the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. However, other legal bases, such as consent, may also be required in certain scenarios.
Before engaging in the processing of personal data for direct marketing purposes, controllers should consider any applicable law that may require consent for certain direct marketing practices or prohibit some kinds of direct marketing. In particular, under the ePrivacy Directive (ePD), unsolicited communications for direct marketing by email, SMS, MMS, and other similar applications are only allowed with the recipient's prior consent. Therefore, in this context, data processing for direct marketing purposes may not be based on LI(s). When personal data is processed for direct marketing purposes, both the GDPR and the ePrivacy Directive may be applicable, but the ePrivacy Directive would be considered lex specialis. The ePD provides an exception to the consent requirement, namely the ‘soft opt-in’ (marketing can be sent to existing customers regarding similar products and services, provided they can easily opt out at any time free of charge).
Moreover, Article 5(3) ePD also requires consent for the use of tracking techniques, a requirement that must be respected when these techniques are used for direct marketing activities. Any subsequent data processing activity following the tracking operations must have a legal basis under the GDPR, which, according to the EDPB, would likely be consent, therefore precluding reliance on LI(s). Some marketing communications are not covered by the ePD (e.g., marketing by post), so the ePD consent requirements do not apply to them. Controllers should always assess whether any national laws implementing the ePD exist, as these may impose obligations beyond those laid down in the ePD.
When reliance on LI(s) is not precluded by law, controllers should assess on a case-by-case basis whether the processing meets the three cumulative conditions discussed above. It should be factored into the balancing test that certain marketing practices can be considered intrusive from the perspective of the data subject, notably if they are based on extensive processing of potentially unlimited data. When determining the reasonable expectations of the data subject, the controller should consider:
- whether the person receiving the direct marketing is an existing customer,
- the nature of the products and services the controller wishes to market, and
- whether it is likely that the data subject would expect to receive direct marketing about such products and services.
Where personal data are processed for the purposes of direct marketing, the data subject has a specific right to object to such processing under Article 21(2) GDPR. This right is unconditional and applies irrespective of the legal basis relied on by the controller. The data subject is not required to provide any reasoning when objecting, and there is no need for any “balancing of interests” to assess whether the objection should be granted. Therefore, controllers should honor any objection they receive concerning personal data processed for direct marketing purposes.
Processing for internal administrative purposes within a group of undertakings
According to Recital 48 GDPR, controllers that are part of a group of undertakings may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data.
Processing for the purpose of ensuring network and information security
Measures to ensure an appropriate level of network and information security may, in principle, be based on the LI(s) basis, provided that its conditions (including the necessity and balancing tests) are complied with. However, certain security solutions, such as firewalls and anti-virus software, may involve large-scale intrusive data analysis, which could significantly affect the outcome of the balancing test. The CJEU has emphasized that data collection from sources outside a social network must be necessary for internal security, should prioritize less intrusive methods, and must observe the data minimization principle.
Transmission of personal data to competent authorities
According to Recital 50 GDPR, indicating possible criminal acts or threats to public security and transmitting the relevant personal data relating to such acts or threats to a competent authority should be regarded as being in the legitimate interest pursued by the controller. This is qualified by the requirement that the three-tier cumulative criteria for relying on LI(s) are met.
The EDPB guidelines reinforce the established understanding of the legitimate interest basis under the GDPR without presenting a major departure from existing interpretations. EDPB provides insightful guidance on assessing and balancing the interests, rights, and freedoms of involved parties when invoking Article 6(1)(f) for the processing of personal data. By addressing particular scenarios such as direct marketing, processing of children’s data, and automated decision-making, the guidelines clarify practical applications and highlight the need for precise, case-by-case evaluations.