Deciphering “Legitimate Interests”: Report based on more than 40 cases from practice
FPF and Nymity collaborated to compile a Report on actual cases from practice and relevant guidance from the Article 29 Working Party and individual Data Protection Authorities (DPAs) concerning the use of “legitimate interests” as a lawful ground for processing under EU data protection law. Our aim is to help organizations better understand how to use and apply legitimate interests as a lawful basis for processing, while at the same time contributing to enhanced personal data protection for individuals.
We have identified specific cases that have been decided at national level by DPAs and Courts from the European Economic Area (EEA), as well as the most relevant cases where the Court of Justice of the European Union interpreted and applied the “legitimate interests” ground. We looked at cases across industries and we compiled them in two lists: one for uses of this ground that were found lawful and one for uses that were found unlawful.
There are over 40 cases discussed representing a wide variety of data processing activities from over 15 countries, such as:
- Using key-logger software for employee monitoring
- Use of GPS tracking data for private investigations
- Disclosing health data for litigation purposes
- Disclosing personal data for debt collection purposes
- Sending emails without consent for electoral purposes
- Publishing the sale price of homes that are no longer on the market
- Video surveillance of a swimming pool area
- Recording data for historical research purposes
- Recording employee misconduct
The summary of cases contain useful examples of how the “balancing exercise” is conducted in practice, and in many instances, the safeguards that were needed to tilt the balance and make the processing lawful. Two examples are provided below.
