2 minute read
Executive Summary
Executive Summary
This Opinion analyses the criteria set down in Article 7 of Directive 95/46/EC for making data processing legitimate. Focusing on the legitimate interests of the controller, it provides guidance on how to apply Article 7(f) under the current legal framework and makes recommendations for future improvements.
Advertisement
Article 7(f) is the last of six grounds for the lawful processing of personal data. In effect it requires a balancing of the legitimate interests of the controller, or any third parties to whom the data are disclosed, against the interests or fundamental rights of the data subject. The outcome of this balancing test will determine whether Article 7(f) may be relied upon as a legal ground for processing.
The WP29 recognises the significance and usefulness of the Article 7(f) criterion, which in the right circumstances and subject to adequate safeguards may help prevent over-reliance on other legal grounds. Article 7(f) should not be treated as ‘a last resort’ for rare or unexpected situations where other grounds for legitimate processing are deemed not to apply. However, it should not be automatically chosen, or its use unduly extended on the basis of a perception that it is less constraining than the other grounds.
A proper Article 7(f) assessment is not a straightforward balancing test consisting merely of weighing two easily quantifiable and comparable 'weights' against each other. Rather, the test requires full consideration of a number of factors, so as to ensure that the interests and fundamental rights of data subjects are duly taken into account. At the same time it is scalable which can vary from simple to complex and need not be unduly burdensome. Factors to consider when carrying out the balancing test include:
- the nature and source of the legitimate interest and whether the data processing is necessary for the exercise of a fundamental right, is otherwise in the public interest, or benefits from recognition in the community concerned;
- the impact on the data subject and their reasonable expectations about what will happen to their data, as well as the nature of the data and how they are processed;
- additional safeguards which could limit undue impact on the data subject, such as data minimisation, privacy-enhancing technologies; increased transparency, general and unconditional right to opt-out, and data portability.
For the future, the WP29 recommends implementing a recital to the proposed Regulation on the key factors to consider when applying the balancing test. The WP29 also recommends that a recital be added requiring the controller, when appropriate, to document its assessment in the interests of greater accountability. Finally, the WP29 would also support a substantive provision for controllers to explain to data subjects why they believe their interests would not be overridden by the data subject’s interests, fundamental rights and freedoms.
