The European Data Protection Board has published an analysis by TJ McIntyre, one of their panel of experts, about legitimate interests, looking back at many cases where controllers have fallen foul of the GDPR by not applying it properly.
It’s long and detailed, and you should read it if your organisation uses Legitimate Interest as a legal basis for processing data regularly.
The Legitimate Interest lawful basis occupies an awkward position. It is inaccurately described as a loophole by consent fetishists. It is casually applied retrospectively by controllers who didn’t think about GDPR when they started something.
Neither side is appealing.
The appropriate use of LI sits in the middle. You need to carry out a detailed, thoughtful consideration of the legitimacy of the data use (which, as the digest shows, can be a purely commercial interest) and balance that against the impact on the individuals who will be affected. It’s easy to let the former take priority, and some organisations find it hard to put themselves in the shoes of the data subject.
Legitimate interests will always be part of European data protection law. Using it isn’t a dodge or an avoidance of the ‘spirit of the law’. I don’t believe in ghosts, and done properly, it’s as valid a justification to use personal data as any other.
You can read the full report here.

