2 minute read
III.3.5. Accountability and transparency
less risky forms of personal data processing (e.g. personal data that is encrypted while in storage or transit, or personal data that are less directly and less readily identifiable) should generally mean that the likelihood of data subjects’ interests or fundamental rights and freedoms being interfered with is reduced.
In connection with these safeguards - and the overall assessment of the balance - the Working Party wishes to highlight three specific issues that often play a crucial role in the context of Article 7(f):
Advertisement
the relationship between the balancing test, transparency, and the accountability principle; the right of the data subject to object to the processing, and beyond objection, the availability of an opt out without the need for any justification, and empowering data subjects: data portability and the availability of workable mechanisms for the data subject to access, modify, delete, transfer, or otherwise further process (or let third parties further process) their own data.
Due to their importance, these subjects will be discussed under separate headings.
III.3.5. Accountability and transparency
In the first place, before a processing operation on the basis of Article 7(f) is to take place, the controller has the responsibility to evaluate whether it has a legitimate interest; whether the processing is necessary for that legitimate interest and whether the interest is overridden by the interests and rights of the data subjects in the specific case.
In that sense, Article 7(f) is based on the accountability principle. The controller must perform a careful and effective test in advance, based on the specific facts of the case rather than in an abstract manner, taking also into account the reasonable expectations of data subjects. As a matter of good practice, where appropriate, carrying out this test should be documented in a sufficiently detailed and transparent way so that the complete and correct application of the test could be verified - when necessary - by relevant stakeholders including the data subjects and data protection authorities, and ultimately, by the courts.
The controller will first define the legitimate interest and make the balancing test, but this is not necessarily the final and definitive assessment: if, in reality, the interest pursued is not the one that was specified by the controller or if the controller only defined the interest in insufficient detail, the balance has to be re-assessed, based on the actual interest, to be determined either by a data protection authority or by a Court.99 As is the case for other key aspects of data protection, such as the identification of the data controller or the specification of purpose100, what matters is the reality behind any assertion made by the controller.
The notion of accountability is closely linked to the notion of transparency. In order to enable data subjects to exercise their rights, and to allow public scrutiny by stakeholders more broadly, the Working Party recommends that controllers explain to data subjects in a clear and user-friendly manner, the reasons for believing that their interests are not overridden by
99 For example, following a complaint or an Article 14 objection. 100 See Opinions cited in footnote 9.
