What is lawful processing and where does it come from?

When the General Data Protection Regulation (EU) 2016/679 (‘GDPR’ or ‘the Regulation’) was announced, introduced and finally adopted in 2016, three of its features stood out:

  1. its global reach (applicability beyond the EU member states),
  2. the never-before-seen scale of monetary sanctions, and
  3. the accountability of the entities to which the Regulation applies in proving that their processing is lawful.

In the two-year implementation period, during which organizations were obliged to adopt or enhance their personal data processing measures so as to demonstrate compliance, much of how the Regulation would be enforced in practice was still unknown. Many of the GDPR’s requirements were novelties, so the experience, statistics and analysis needed to judge them were yet to be accumulated. Since 25 May 2018, the date from which the Regulation applies, the world of privacy and personal data protection has nevertheless shifted dramatically, affecting almost all industries and economies. The new conditions also contributed positively to the creation of new businesses and opportunities in multiple areas, such as security engineering, cybersecurity, software development, managed services, academia and education, and consultancy.

The requirement that personal data be processed lawfully has remained one of the more demanding prerequisites for demonstrating compliance. Article 6 of the GDPR identifies six lawful bases for processing, of which ‘Legitimate Interest’ (Article 6(1)(f)) is the subject of this article.

What is the use of ‘Legitimate Interest’?

At the inception of the GDPR saga, the ‘star’ lawful basis was ‘Consent’, since it demonstrated, as never before, that power lies in the hands of the data subject. Using this basis gives the data subject full control over whether to agree to the processing and for which purposes, together with the right to withdraw that consent at any time (Article 7(3)). This right to withdraw left controllers in a peculiar position: a withdrawal could reverse many aspects of their operations and affect their functioning considerably.

Here we focus mostly on the private sector and on entities whose business requires data processing for multiple purposes. It soon became evident that, where the other lawful bases could not be applied, ‘Legitimate Interest’ had to be examined closely. In particular, where no explicit contract regulated the relationship with the data subject, and no concrete legislation made the processing a legal obligation, ‘Legitimate Interest’ was the solution.

The delicate aspect of this basis, which makes applying it somewhat more complex in operations, is that the GDPR does not give distinct guidance on how to determine whether ‘Legitimate Interest’ applies, or on what constitutes a ‘Legitimate Interest’ across the various purposes for processing personal data and the various kinds of business. Nor does the GDPR provide direct parameters for measuring and assessing those aspects. Only two responsibilities are unambiguously prescribed in the Regulation for establishing ‘Legitimate Interest’ as a lawful basis of processing:

  1. the controller’s interests must not override the interests or fundamental rights and freedoms of the data subject (Article 6(1)(f));
  2. the accountability of the controller, laid down as a general principle in Article 5(2).

Starting from these two requirements, we expand them into a practical breakdown to help set up a process for applying ‘Legitimate Interest’ as a lawful basis for processing personal data within an organization.

As practice has shown so far, ‘Legitimate Interest’ is most useful for processing activities in areas such as recruitment, marketing, sales, intra-group administrative transfers, and the processing of employee data that is not tied to a legal obligation or a contract (Recitals 47 and 48 expressly mention direct marketing and intra-group transmission for internal administrative purposes).

When to apply ‘Legitimate Interest’?

Of the six lawful bases, the defining trait of ‘Legitimate Interest’ is its flexibility: it is not tied to a particular purpose and may therefore apply in a wide range of situations. To benefit from this flexibility and wield it to one’s advantage, the focus should be on documenting the process properly, in order to demonstrate that the principles prescribed in Article 5 are sufficiently applied.

Consider the following aspects on ‘When’ to apply this lawful basis:

  • When the basis of ‘contract’ or ‘legal obligation’ cannot be applied, but the organization wants to secure long-term or recurring processing
  • When the organization can show, through a proper assessment process (see below), that a legitimate interest exists
  • When neither the vital interests of the data subject or of a third party, nor the fundamental rights and freedoms of the data subject, are endangered
  • When there is a genuine and reasonable expectation that data subjects would not object to such processing, and the organization cannot, or does not want to, give them upfront control that can be withdrawn at any time (e.g. consent); note that the data subject’s right to object under Article 21 still applies to processing based on ‘Legitimate Interest’
  • When special categories of data, and especially children’s data, are not planned to be part of the processing, since these are not explicitly prohibited but require additional and more rigorous conditions (Article 9 demands a separate condition on top of the lawful basis) that may overburden the process
  • When the organization is not a public authority processing in the performance of its tasks, since Article 6(1) excludes ‘Legitimate Interest’ as a basis for such processing

How to implement ‘Legitimate Interest’?

One disadvantage of this lawful basis is that it requires somewhat more administration and operational effort to set up the process properly. It also requires consistency and continuity in applying the process steps for each new type or purpose of processing, depending on the organization’s activities and needs. However, mastering this process will unmistakably strengthen compliance with the Regulation overall and build greater confidence with data subjects, partners and authorities.

Guiding aspects on ‘How’ to do it:

  • Train and educate your staff on the subject and emphasize that their continuous contribution to this process is essential for its success (it really is!)
  • Check ‘When’ to use it, since this lawful basis cannot be applied to all processing activities
  • Use it for specific purposes with a distinct, material effect, and avoid vague generic business purposes and oversimplification
  • Undertake a ‘Legitimate Interest Assessment’, aka LIA (see below)
  • Apply all of the steps for each new purpose within the organization’s operations

What is a Legitimate Interest Assessment and what are its steps?

An LIA is a specific risk assessment used to determine and document whether ‘Legitimate Interest’ is a lawful basis that can be applied to a particular purpose of personal data processing.

It serves to demonstrate compliance with the Regulation and application of its principles, including accountability.  

The LIA is carried out by the staff and team who will actively process data for the particular purpose within the organization’s unit, department or area of operations. Monitoring and audit of the process is usually done by the organization’s Data Protection Officer (DPO), or by another person responsible for ensuring compliance with data protection legislation within the organization.

The LIA consists of three parts: the Purpose Test, the Necessity Test and the Balance Test. The most common and efficient way to conduct the tests is through a set of questions and answers that aim to determine the validity of the undertaking. It is essential that the questions are answered in a clear, unambiguous and, above all, truthful manner; this is the only way to make the process effective and to genuinely demonstrate compliance.

Such questions may include:

  1. Purpose Test (determines whether there is indeed a legitimate interest behind the processing)

  • What is the objective of the processing?
  • What are the benefits of the processing, and who benefits?
  • Is the processing ethical? Is it lawful?
  • What is the impact if the processing is not carried out?

  2. Necessity Test (determines whether there is a genuine need for the processing)

  • Can you achieve the same result without processing personal data?
  • Are there other, less intrusive methods to achieve the same result?
  • Is the processing proportionate to the objective?

  3. Balance Test (determines that the processing based on ‘Legitimate Interest’ does not override the fundamental rights and freedoms of the data subject)

  • What is the relationship between the organization and the data subject?
  • How will the data subject be impacted by the processing?
  • Is the processing high risk to the data subjects’ rights and freedoms?
  • Is it likely that the data subject will not object to the processing?
  • What personal data is part of the processing?
  • What safeguards are applied to secure the data and lessen the impact of the processing?

If the LIA results are not sufficient to determine the lawfulness of a particular processing activity, or the processing is likely to result in a high risk to data subjects, the organization may need to undertake a detailed Data Protection Impact Assessment (DPIA) under Article 35.

In conclusion, an organization has to inform data subjects that ‘Legitimate Interest’ is the basis of certain processing activities, and explain which interests are pursued and when and how the basis applies; Articles 13 and 14 require the legitimate interests pursued to be stated in the privacy information given to data subjects. The most practical way to do so is through the organization’s corporate policies and its public privacy notices.

28 January, 2022