How to Conduct the Triple Test to Assess the Legitimate Interests of the Data Controller (GDPR)

A Comprehensive Guide to Using 'Legitimate Interests' as a Legal Basis under the GDPR, Including Challenges, Conditions, and Practical Examples

The concept of ‘legitimate interests’ as a legal basis under the General Data Protection Regulation (GDPR) is often misunderstood and misapplied, leading to unnecessary legal risks. This is evident in cases such as the notable sanction against Facebook (now META), which faced a fine of 390 million euros for the improper application of legitimate interests ([European Court of Justice decision](https://curia.europa.eu/juris/document/document.jsf?text=&docid=275125&pageindex=0&doclang=fr&mode=req&dir=&occ=first&part=1&cid=1652408)).

To appropriately invoke legitimate interests under Article 6(1)(f) of the GDPR, it is imperative to conduct a thorough triple test. This test ensures the legality of processing activities under the specified legal basis and aims to prevent potential abuses, especially since obtaining explicit consent from data subjects is not required in this context.

1. Understanding “Legitimate Interests”

According to Article 6(1)(f) of the GDPR:

“The processing is lawful only if and to the extent that at least one of the following applies: f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child.”

This provision allows data controllers to collect and process personal data without obtaining consent, provided they have a legitimate reason to do so. However, to prevent potential misuse, the GDPR adds further requirements for invoking legitimate interests. These are encapsulated in the following triple test:

  • Objective Test: Does the controller have a legitimate interest in processing the data?
  • Necessity Test: Is the processing of data genuinely necessary for the stated purpose?
  • Balance Test: Do the interests of the data subject outweigh the legitimate interest of the controller?

The French Data Protection Authority (CNIL) emphasizes that this legal basis is applicable to processing activities by private entities that do not significantly harm the rights and interests of the data subjects ([CNIL Guidelines](https://www.cnil.fr/fr/les-bées-legales/tert-legitime)).

2. Practical Examples of Legitimate Interests under the GDPR

The GDPR provides specific instances where legitimate interests can be considered a valid legal basis for data processing. These examples, highlighted in Recitals 47, 48, and 49 of the GDPR, include:

  • Fraud Prevention: A key area where legitimate interests are often invoked, highlighting the necessity of processing personal data to protect against fraudulent activities.
  • Network and Information System Security: As elaborated in Recital 49, ensuring the security of network and information systems is a paramount concern. This involves processing personal data as strictly necessary to safeguard against accidental or unlawful events that compromise the integrity, availability, and confidentiality of stored or transmitted data.
  • Commercial Prospecting: The use of personal data for business development and marketing purposes, within certain limits, can be justified under legitimate interests.

The European Commission further clarifies that legitimate interests may be applicable when processing occurs in the context of a customer relationship, for purposes such as marketing, fraud prevention, or ensuring the security of network and IT systems.

If we analyze Recital 49 of the GDPR, we observe that processing carried out to ensure the security of information systems on the basis of legitimate interest is expressly addressed: ‘The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring the security of the network and information, that is, the ability of a network or an information system to withstand, at a given level of confidence, accidental events or illegal or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, as well as the security of the related services offered or made accessible via these networks and systems, by public authorities, Computer Emergency Response Teams (CERT), Computer Security Incident Response Teams (CSIRT), providers of networks and electronic communications services, and providers of technology and security services, constitutes a legitimate interest of the data controller concerned. This could involve, for example, preventing unauthorized access to electronic communication networks and the distribution of malicious code, stopping ‘denial of service’ attacks, and addressing damage to computer and electronic communication systems.’

3. No Legitimate Interest for Public Authorities

It is important to remember that the legal basis of legitimate interests cannot be used by public authorities; Recital 47 explains why: “Considering that it is the responsibility of the legislator to provide by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities in the performance of their tasks.”

4.1 Identifying the Interests of the Data Controller or a Third Party and Their Legitimacy

Firstly, it is necessary to clearly identify the interests and objectives of the data controller or third party for which the processing is carried out. The following questions can be asked:

  • Why is the processing being carried out?
  • What benefits are expected from the processing?
  • Who benefits from the processing?
  • What would be the impact if the organization could not implement the processing?

Recital 47 is useful in this analysis: “The existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.” In the context of a business relationship, it is useful to consider the reasonable expectations of individuals regarding the processing of their data. For example, in a B2B context, it is reasonable for a customer of a company to expect to be contacted by email for a commercial proposal related to an ancillary service.

The French CNIL indicates that "the interest pursued by an entity can be presumed if the following 3 conditions are met:

  • The interest is manifestly lawful in view of the law;
  • It is determined clearly and precisely;
  • It is real and present for the concerned entity, and not fictitious."

4.2 The Condition of Necessity

The organization must then ensure that the processing is necessary (see Art. 6: “the processing is necessary for the purposes of legitimate interests”).

This condition can be broken down into two points:

On one hand, it is necessary to verify that the processing actually achieves the intended purpose, rather than serving other objectives. This condition often poses problems in cases where an organization claims to collect data for one purpose, while in reality, it uses the data for entirely different purposes. Attention must be paid to this as it represents a real and significant risk of deviation. On the other hand, it is necessary to ensure that there is no less intrusive means of achieving the same objective than implementing the processing. Therefore, the following questions can be asked:

  • Will this processing actually help the organization achieve the initially stated objective?
  • Is the processing proportionate to this objective?
  • Is it possible to achieve the same objective without the processing?
  • Is it possible to achieve the same objective by processing less data, or by processing the data in a less intrusive manner (also consider the principle of data minimization)?

The fundamental interests and rights of the data subject could, in particular, prevail over the interest of the data controller when personal data are processed in circumstances where data subjects do not reasonably expect further processing.

Generally, “necessary” means that the processing must be a targeted and proportionate means of achieving the stated objective. Again, the legal basis of legitimate interests cannot be relied upon if there is another reasonable and less intrusive means to achieve the same result.

4.3 The Balancing Condition

To understand the balancing test, we need to revisit Article 6. Indeed, the legitimate interests of the data controller (DC) may justify this legal basis “unless the interests or fundamental freedoms and rights of the data subject that require protection of personal data prevail.”

Thus, a balance is established: the interests of the DC cannot override the interests, freedoms, or fundamental rights of the data subject.

Recital 47 adds further elements to the analysis of this balancing condition:

  • “unless the interests or fundamental freedoms and rights of the data subject prevail, taking into account the reasonable expectations of the data subjects based on their relationship with the controller”
  • “the existence of a legitimate interest should be subject to careful assessment, particularly to determine whether a data subject can reasonably expect, at the time and in the context of the collection of personal data, that it may be processed for a particular purpose”
  • “The interests and fundamental rights of the data subject may, in particular, prevail over the interest of the data controller when personal data are processed in circumstances where data subjects do not reasonably expect further processing”

The reasonable expectations of the data subjects (“reasonable expectations of data subjects based on their relationship with the controller”) are thus essential elements to consider.

The CNIL states that “the entity must therefore strike a balance, a weighing of the rights and interests at stake, and verify in this context that the interests (commercial, security of goods, fraud prevention, etc.) it pursues do not create an imbalance to the detriment of the rights and interests of the individuals whose data is processed.” Then “the entity must first identify all kinds of consequences that its processing may have on the data subjects: on their privacy but also, more broadly, on all the rights and interests covered by the protection of personal data.” Finally, “The entity must then take into account, in the weighting between its legitimate interest and the rights and interests of the persons, their ‘reasonable expectations’.”

A series of questions can be posed to clarify these aspects:

  • General Context of Processing
    • Are any data covered by Article 9 (special categories of data) or Article 10 (data relating to criminal convictions and offences) involved?
    • Are these data likely to be considered particularly “private” or sensitive by the individuals?
    • Are data of children, minors, or vulnerable individuals being processed?
    • Are data related to the personal or professional capacity of individuals being processed?
  • Relationship with the Data Subjects
    • Is there a relationship with the individual?
    • What is the nature of this relationship, and how have the data been used in the past?
    • Were the data collected directly from the individuals?
    • What information were they provided with?
    • How long ago were the data collected? Have there been any technological or contextual changes since then that would affect expectations?

5. Key Texts

  • Article 6(1)(f), quoted above.

  • Recital 47 “The legitimate interests of a data controller, including those of a data controller to whom personal data may be disclosed, or of a third party, may constitute a legal basis for processing, unless the interests or fundamental rights and freedoms of the data subject prevail, taking into account the reasonable expectations of the data subjects based on their relationship with the data controller. Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the data controller in situations such as where the data subject is a client of the data controller or is in the service of the data controller. In any case, the existence of a legitimate interest should be subject to careful assessment, particularly to determine whether a data subject can reasonably expect, at the time and in the context of the collection of personal data, that it may be processed for a particular purpose. The interests and fundamental rights of the data subject may, in particular, prevail over the interest of the data controller when personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is the responsibility of the legislator to provide by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities in the performance of their tasks. The processing of personal data strictly necessary for fraud prevention purposes also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as being carried out for a legitimate interest.”

  • Recital 48 “Controllers that are part of a group of undertakings, or institutions affiliated with a central body, may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of personal data of clients or employees. The general principles for the transfer of personal data, within a group of undertakings, to an enterprise in a third country remain unaffected.”

  • Recital 49 “The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e., the ability of a network or an information system to withstand, at a given level of security, accidental or unlawful events that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, as well as the security of the related services offered or made accessible via these networks and systems, by public authorities, Computer Emergency Response Teams (CERT), Computer Security Incident Response Teams (CSIRT), providers of networks and electronic communication services, and providers of technology and security services, constitutes a legitimate interest of the data controller concerned. This could involve, for example, preventing unauthorized access to electronic communication networks and the distribution of malicious code, and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”