EDPB issues guidelines on legitimate interests

On 9 October, the EDPB adopted the long-awaited guidelines on legitimate interests. The EDPB first endorses the three-step test developed by the European Court of Justice in its established case law. Under this test, the controller or a third party must first pursue a legitimate interest. This interest must at least be lawful. Furthermore, the processing must be necessary to achieve that legitimate interest. Here the EDPB tends to take a narrow interpretation. It also measures necessity by whether there are milder means of achieving the processing purpose. This criterion could become complicated in the future, especially since the European Court of Justice (ECJ) recently raised the question of whether the data subjects could have been asked for their consent. Finally, the actual balancing of interests takes place, where reasonable expectations and the possible existence of additional guarantees can be taken into account. As a result, the balancing of interests is becoming more similar to the data protection impact assessment.

The ECJ turns to a number of practical fields of application, such as fraud prevention, direct marketing and information security. However, little new information has emerged in these areas so far. Since the guidelines are still subject to a consultation procedure, it remains to be seen whether the final version will take into account the concerns of industry or even include any further restrictions.