Compliance

What are the practical keys to data processing based on legitimate interest?

Practical Keys to Data Processing Based on Legitimate Interest

(Original article published on Elderecho.com)

Teresa Miquel, director of the compliance, privacy and intellectual property departments at Metricson, explains:

“Data processing based on legitimate interest is a valuable tool for companies and data controllers, but it must be applied rigorously. EDPB guidelines emphasize the importance of carefully assessing whether the fundamental rights and freedoms of data subjects are not disproportionately affected.”

Three keys to lawful data processing

The guide highlights three essential cumulative conditions for the processing to be lawful:

1. Existence of a legitimate interest:

  • It must be clear, lawful, real, and current — not hypothetical.
  • The interest must be related to the activities of the data controller or a third party.
  • Example: ensuring the continued functionality of a publicly accessible website.

2. Necessity of the processing:

  • It is essential to assess whether the purposes of the legitimate interest could not be achieved by less intrusive means.
  • This analysis must take into account the principle of data minimization.

3. Balancing rights and interests:

  • The controller must carry out a careful assessment of the impact on the data subjects versus the legitimate interests pursued.
  • Key factors: nature of the data, context of the processing, the data subject’s reasonable expectations, among others.
  • If the impact is significant, it is recommended to implement mitigating measures to reduce the risks.

Miquel adds: “The balancing test does not aim to eliminate any impact on the data subject, but rather to avoid disproportionate impacts. It is essential to document this process transparently in order to be prepared for audits or potential claims.”

Specific aspects highlighted by the guide

  • Protection of children’s data: Children’s data requires enhanced protection.
  • Public authorities: They cannot rely on legitimate interest to perform their duties.
  • Fraud prevention and direct marketing: Specific guidelines are provided on how to apply Article 6.1(f) in these contexts.

Let us remember that processing based on legitimate interest can be an effective tool, as long as it is used responsibly and in strict compliance with the principles of the GDPR.

About Metricson

With offices in Barcelona, Madrid, and Valencia, and a strong international presence, Metricson is a pioneering firm in legal services for innovative and technology-based companies. Since its founding in 2009, it has advised over 1,400 clients from 15 different countries, including startups, investors, large corporations, universities, institutions, and governments.

If you’d like to get in touch with us, don’t hesitate to write to us at contacto@metricson.com. We look forward to hearing from you!

Related articles

Is the new whistleblowing channel mandatory for my company?

Evolving Due Diligence processes

Talk with us

Offices

Paseo de Ruzafa 11, 6º, 12ª
46002 Valencia
960 500 761

    Responsable: Metricson S.L.P.U.
    · Finalidad: Resolver tu petición o duda.
    · Legitimación:  Interés legítimo en responder cualquier cuestión planteada por ti.
    · Destinatarios: Prestadores de servicios tecnológicos, como encargados del tratamiento, que seguirán siempre nuestras instrucciones.
    · Derechos: Puedes acceder, rectificar, suprimir o solicitar la portabilidad de tus datos personales, así como oponerte o limitar el tratamiento de los mismos dirigiéndote a privacy@metricson.com.