10 August 2018
by Christian Bogaru, Managing Partner
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the “GDPR”) was adopted on 27 April 2016, and became enforceable on the 25th of May 2018. Because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.
It is very important to determine the lawful basis before you begin processing personal data; otherwise you can be penalized with a fine of up to 20 million euros or 4% of your global turnover, whichever is higher.
The GDPR provides six lawful bases for processing, listed in Article 6(1), namely:
- consent of the data subject (consent);
- an actual or envisaged contract with the data subject, where the processing of personal data is necessary for its performance or, as the case may be, in order to enter into the contract (contract);
- legal obligation (legal obligation);
- protection of the data subject's vital interests (vital interests);
- the performance of a task carried out in the public interest or in the exercise of official functions (public task), where the task or function has a clear basis in law;
- legitimate interests, unless there is a good reason to protect the data subject's personal data which overrides those legitimate interests (legitimate interests).
The legitimate interests basis is not available for processing carried out by public authorities in the performance of their tasks.
The notion of “legitimate interest” is not new: it existed before the GDPR, set out in Article 7 of Directive 95/46/EC and implemented in Law no. 677/2001 regarding the protection of individuals with regard to the processing of personal data and the free movement of such data.
Legitimate interest may be the legal basis for processing user data if the interests of the user do not override the interest of the controller, taking into account the reasonable expectations of the user and their relationship with the controller.
The existence of a legitimate interest needs careful assessment, including whether the data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place.
The GDPR specifically mentions the use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.
Importantly, companies will need to demonstrate compliance with their obligations under the GDPR (through documentation, policies and keeping a so-called “paper trail”) in order to satisfy the GDPR's (new) accountability principle, rather than carrying out a tick-box exercise, and to prepare themselves for a possible audit by the authorities.
Articles 5(2) and 24 of the GDPR stipulate that the controller shall be responsible for upholding, and be able to demonstrate compliance with, the principles laid down by the GDPR. So, in the case of an inquiry by the authorities, the controller must be able to provide proof (including physical documentation) demonstrating compliance, which is done by undertaking a Legitimate Interests Assessment (hereinafter “LIA”).
An LIA is a type of risk assessment based on the specific context and circumstances. It will help you ensure that your processing is lawful. Recording your LIA will also help you demonstrate compliance in line with your accountability obligations under Articles 5(2) and 24 of the GDPR.
An LIA is split into three steps: (1) assessment of whether a legitimate interest exists; (2) establishment of the necessity of the processing; and (3) performance of a balancing test.
The processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
You must balance your interests against the individual’s interests. Your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.
In conclusion, legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate one. So, in order to avoid sanctions, it is better to seek the guidance of an attorney to ensure that your personal data processing is conducted in a lawful, GDPR-compliant manner.