FPF and Nymity collaborated to compile a Report on actual cases from practice and relevant guidance from the Article 29 Working Party and individual Data Protection Authorities (DPAs) concerning the use of “legitimate interests” as a lawful ground for processing under EU data protection law. Our aim is to help organizations better understand how to use and apply legitimate interests as a lawful basis for processing, while at the same time contributing to enhanced personal data protection for individuals.
We have identified specific cases that have been decided at national level by DPAs and Courts from the European Economic Area (EEA), as well as the most relevant cases where the Court of Justice of the European Union interpreted and applied the “legitimate interests” ground. We looked at cases across industries and we compiled them in two lists: one for uses of this ground that were found lawful and one for uses that were found unlawful.
There are over 40 cases discussed representing a wide variety of data processing activities from over 15 countries, such as:
Using key-logger software for employee monitoring
Use of GPS tracking data for private investigations
Disclosing health data for litigation purposes
Disclosing personal data for debt collection purposes
Sending emails without consent for electoral purposes
Publishing the sale price of homes that are no longer on the market
Video surveillance of a swimming pool area
Recording data for historical research purposes
Recording employee misconduct
The summary of cases contain useful examples of how the “balancing exercise” is conducted in practice, and in many instances, the safeguards that were needed to tilt the balance and make the processing lawful. Two examples are provided below.
The Report is made available in its entirety to FPF members and licensed subscribers of Nymity Privacy Compliance Solutions.