At the end of March 2019, the German Data Protection Conference published a supplement to the position statement on the applicability of the Telemedia Act for non-public bodies as from 25 May 2018 (available only in German). At the same time, the supplement serves as an orientation guidance for the implementation of the data protection requirements for data processing by telemedia services.
Of particular interest are the criteria set out in the position paper for the application of Art. 6 para. 1 lit. f) GDPR, the legitimate interest assessment.
The provision in Art. 6 para. 1 lit. f) GDPR has a broad and unspecific scope of application; on the one hand, it is flexible and applicable to a large number of cases; on the other hand, its application frequently leads to legal uncertainties in specific individual cases.
A three-stage examination is carried out to determine whether the requirements of Art. 6 para. 1 lit. f) GDPR are fulfilled:
- Stage 1: Existence of a legitimate interest of the controller or a third party
- Stage 2: Necessity of data processing to safeguard these interests
- Stage 3: Consideration of the interests, fundamental rights and fundamental freedoms of the data subject in the specific individual case
This examination structure follows the case law of the European Court of Justice and the opinion of the European supervisory authorities.
Stage 1: Existence of a legitimate interest of the controller or a third party
The legitimate interest can be of an economic, non-material or legal nature and is understood as the essential motive for data processing. For example, the provision of a service in a user-friendly form, the prevention of fraud and direct advertising can each be regarded as a possible legitimate interest.
Other interests that could be mentioned for data processing based on legitimate interest:
- Provision of special functionalities, e.g. the shopping cart function
- Free design of the website, possibly taking efficiency and cost-saving considerations into account
- Integrity and security of the website: IT security measures such as the storage of IP addresses in order to detect and prevent misuse
- Reach measurement and statistical analyses
- Personalisation/individualisation of the offer for the respective user
- Recognition of users and assignment of attributes to them, e.g. in the case of advertising-financed offers
- Fraud prevention, protection against requests that overload the service (denial-of-service attacks)
Stage 2: Necessity of data processing to safeguard legitimate interests
However, the existence of a legitimate interest alone does not legitimise data processing. The data processing must be absolutely necessary to safeguard this interest: no milder, equally effective means may be available, and the processing must be limited to the extent necessary.
Stage 3: Consideration of the interests, fundamental rights and fundamental freedoms of the data subject in the specific individual case (core of the legitimate interest assessment)
The legitimate interest of the controller is weighed against the interests and fundamental rights and freedoms of the data subject.
These include the right to the protection of personal data, the right to confidentiality of communications, freedom of expression, the interest in the freedom to obtain information and the interest in not experiencing any economic disadvantages (e.g. in the case of personalised pricing).
The conflicting interests are to be weighed against each other; since there is no general rule, the controller should be guided by the following principles:
- A constitutionally recognised interest, e.g. the right to the protection of personal data pursuant to Art. 8 of the Charter of Fundamental Rights of the European Union, has a higher weight than an interest that is only recognised by ordinary law in the legal system.
- An interest is more important if it serves not only the controller, but also the general public at the same time, e.g. in research activities.
The recitals of the GDPR can be used to support the application of Art. 6 para. 1 lit. f) GDPR. The following criteria result from the recitals; the details of the respective criteria can be found in the Data Protection Conference Position Paper (available only in German):
- Reasonable expectations of the persons concerned and foreseeability / transparency
- Possibilities for intervention by the data subjects
- Data chaining
- Actors involved
- Duration of observation
- Circle of affected data subjects (e.g. particularly vulnerable persons)
- Data categories
- Scope of data processing
Bottom line
In summary, the legitimate interest assessment within the framework of Art. 6 para. 1 lit. f) GDPR requires controllers to carry out a substantive examination of the interests, fundamental rights and fundamental freedoms of the data subjects. The reference to the specific individual case is decisive; generalised findings do not fulfil the legal requirements. For online marketing, the use of the "legitimate interests of the company" as a legal basis under Art. 6 para. 1 lit. f) GDPR for online advertising purposes is not generally rejected, but some examples are given in which the legitimate interests of the company cannot be regarded as a legal basis.
In each case where legitimate interest is used as a legal basis, an LIA ("Legitimate Interest Assessment") should be prepared, i.e. a documented weighing of the legitimate interests of the company against the interests of the data subjects. Template forms are available for this purpose; please contact us, ePrivacy will be happy to help you.