GDPR - LEGITIMATE INTEREST <-> PROCESSING FOR OTHER PURPOSES: DAISY CHAIN FOR CONTROLLERS?

Among the several GDPR provisions addressed to Controllers, specific attention should be paid to those relating to:

  • Legitimate Interest [also referred to as 'A' in the following] and
  • Processing for a purpose other than that for which the personal data have been collected [also referred to as 'B' in the following],

each considered on its own as well as in combination.

Attention should be twofold:

1.  from the Controllers' point of view, since they may enlarge the possibility of processing personal data without the Data Subjects' consent, and

2.  from the Data Subjects' point of view, as they could 'lose' control over the processing of their data for several purposes by a variety of Controllers/Third Parties: the operative efficacy of the data subjects' capability to object will only be clarified and tested in the future.

A - Legitimate Interest

In short, a Legitimate Interest is a lawful interest of the Controller that is not overridden by the interests of the Data Subject and that makes a personal data processing lawful without the need to collect the Data Subject's consent, to rely on a binding agreement with the Data Subject, or to refer to a legal obligation or legal permission.

Therefore it is a very attractive legal ground for lawfully processing personal data, since the Controller does not need, for example, to gather and manage the Data Subjects' consents, with the related timing and costs.

This legal ground for lawfully performing personal data processing, in addition to those relating to the Data Subject's consent, a contract, a legal obligation, etc., is certainly not a new concept, since it is already present in Article 7(f) of the European Privacy Directive 95/46/EC. However, its transposition into the legislation of the 28 EU Member States does not seem to be uniform, nor consolidated by extensive use. For example, in Italy the application by a Controller of the legitimate interest legal ground for personal data processing is subject to a prior assessment by the Data Protection Authority pursuant to Article 24(1)(g) of the Italian Privacy Code (Legislative Decree 196/03); the procedure with the Authority takes at least 180 days from the Controller's request, and the Controller has to implement the specific measures that the Authority is allowed to identify.

The existence of issues at Member State level about the adoption of Legitimate Interest as a legal ground for personal data processing has been clearly acknowledged by the European Court of Justice in its judgment dated 24.11.2011 in cases C-468/10 and C-469/10: in particular, that judgment recalls that EU Member States must not overstep the fine line between clarification, on the one hand, and setting additional requirements which would amend the scope of [95/46/EC] Article 7(f), on the other hand.

In any case, for a robust application of this legal ground for personal data processing, a clear identification of what can successfully be considered a real legitimate interest is essential: in this sense an important step has been taken by the Working Party 29 with its "Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC": many of the WP29 considerations contained in that Opinion have provided the basis for the GDPR Legitimate Interest provisions.

This is in particular our reading of GDPR Recitals 47, 48 and 49, which report the need to perform a careful assessment of the existence of a Legitimate Interest and indicate some cases where a Legitimate Interest could apply: this latter part is particularly meaningful considering the impact on real situations in real company scenarios, see Table 1 below.

Table 1 Legitimate Interests and related cases in GDPR Recitals

Purpose/Context, and whether it is to be considered a Legitimate Interest according to the wording of GDPR Recitals 47, 48 and 49:

  • Preventing fraud: constitutes a legitimate interest of the Controller concerned
  • Direct marketing: may be regarded as carried out for a legitimate interest
  • Transmitting personal data within a group of undertakings for internal administrative purposes: Controllers that are part of the group may have a legitimate interest
  • Ensuring network and information security, by public authorities, computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), providers of electronic communications networks and services, and providers of security technologies and services: constitutes a legitimate interest of the Controller concerned

Therefore it is a fortiori essential to perform a robust assessment in order to determine whether, in the specific context of the processing to be carried out by a Controller, a real and documentable Legitimate Interest of the Controller itself or of a Third Party exists, as required by GDPR Article 6(1)(f). Failure to comply with the provisions of GDPR Article 6 involves sanctions of up to 20.000.000 EUR or 4% of worldwide turnover (whichever is higher) for an undertaking.

Interesting reasoning and practical support for the identification of cases of Legitimate Interest are expected from the adoption of privacy Codes of Conduct under GDPR Article 40: in fact, according to GDPR Article 40(2)(b), associations and bodies representing categories of controllers and processors may prepare codes of conduct for the purpose of specifying the application of the GDPR with regard to the legitimate interests pursued by controllers in specific contexts.

In any case, a significant roadmap for performing assessments of the applicability of Legitimate Interest as a legal ground is outlined in summary by the WP29 in the already mentioned Opinion 6/2014:

Step 1: Assessing which legal ground may potentially apply under GDPR Article 6(a)-(f)

Step 2: Qualifying an interest as 'legitimate' or 'illegitimate'

Step 3: Determining whether the processing is necessary to achieve the interest pursued

Step 4: Establishing a provisional balance by assessing whether the data controller's interest is overridden by the fundamental rights or interests of the data subjects

Step 5: Establishing a final balance by taking into account additional safeguards

Step 6: Demonstrating compliance and ensuring transparency

Step 7: What if the data subject exercises his/her right to object?

The Data Subjects are always entitled to object to the processing of their personal data for the purposes of the Legitimate Interest of a Controller or of a Third Party; however, the imbalances existing among the parties (for example a worldwide Social Network vs the single Data Subject, in particular a child) could make it very difficult to really exercise such Data Subject rights, and in this sense the support of not-for-profit associations within the meaning of GDPR Article 80 could help in appropriately rebalancing the matter.

B - Processing for other purposes

Also in this case it is not a fully new provision compared with the Privacy Directive, although the GDPR lays down a more specific definition of the related requirements.

Further processing, irrespective of its compatibility with the purpose for which the personal data were collected, is allowed when the legal ground for the new processing is the Data Subject's consent or a legal obligation; conversely, processing for a purpose other than the one pursued for the data collection is subject to a specific prior assessment, for which the Controller is responsible, according to GDPR Article 6(4).

Fig. 1 Summary view of the Controller's decision flow about processing personal data for other purposes

All the elements (a)-(e) listed in GDPR Article 6(4) are important for the Controller's decision; however, element (e), "the existence of appropriate safeguards, which may include encryption or pseudonymisation", represents an important control in the hands of the Controller for moving the result of the assessment in its favour, considering in any case the related costs. Please note that 'appropriate safeguards' should include specific measures to enhance and simplify the procedures for the exercise of the Data Subjects' right to object, as already outlined by the WP29 in its Opinion 6/2014.

What about the combination of A and B

The combined use of cases A and B could represent an important resource for Controllers in order to lawfully process personal data for their business at 'minimum cost': no consent, ...

On the other hand, this may represent a serious obstacle to the Data Subjects' control over the use of their personal data.

A key factor for achieving an acceptable balance between the rights of Controllers and Data Subjects should be the effective application (and enforcement by the competent Authorities) of the Accountability principle (GDPR Article 5(2)), in particular for the two decision points under the Controller's responsibility:

  • ascertaining whether the conditions for Legitimate Interest are met for a given purpose-processing scenario,
  • assessing whether there is compatibility between a new purpose of processing and the purpose for which the personal data were initially collected.

At the same time, an essential factor should be the implementation of programmes by the competent authorities for promoting public awareness of the rights of Data Subjects regarding the processing of their personal data, with particular attention to children and parents, and for boosting the efficacy of the Data Subjects' remedy procedures, also promoting collaboration with not-for-profit associations aimed at supporting Data Subjects in lodging complaints and exercising the rights enshrined in the GDPR.