Interesseafvejningsreglen som behandlingsgrundlag i GDPR

Studenteropgave: Kandidatspeciale og HD afgangsprojekt

  • Christian Elbrønd Baroni
4. semester, Jura, Kandidat (Kandidatuddannelse)
The GDPR art. 6, paragraph one, contains legal grounds, in which the data controller must be able to apply at least one, for processing to be lawful. Evidently, it is not possible to consider all the needs for processing beforehand when enacting the GDPR. For this reason, the GDPR contains quite a few general and discretionary provisions. One of these is processing on basis of legitimate interests, GPDR, art. 6, paragraph one, litra f, which allows processing when it is necessary for the purposes of legitimate interests pursued by the data controller or a third party. Application of this provision can be tricky, given that the GDPR offers very little guidance on how the balance test is to be carried out, and which factors are to be included. For this reason, it can be difficult to determine whether a processing can be based on this legal ground or not. The risk of this determination is mainly assumed by the data controller since his judgement can be revoked by national courts and supervisory authorities thereafter. It is this uncertainty, that gives rise to this thesis.

This thesis examines how the provision is to be interpreted and how the balancing of interests is to be done in practice. Furthermore, this thesis aims to acquire knowledge about the elements of the provision, and its use in practice for the purpose of being able to decide, with a high degree of certainty, whether a given process can be made on basis of legitimate interests as a legal ground or not. First, thesis examines the GDPR itself and its preambles. It then examines a guideline published by the Article 29 Working Party, as well as topics and guidelines published by the Danish supervisory authority, Datatilsynet. It then analyses cases from the European Court of Justice and national cases from Datatilsynet. The cases from the European Court of Justice mainly illustrate general properties regarding the provision, whereas the cases from Datatilsynet, which are divided into reoccurring themes, mainly regard the balancing test. This practical approach helps better understand the provision and how the balance test can be expected to turn out in different scenarios.

This thesis finds that that generally, there is a broad access to process on basis of legitimate interests, since the processing was legal in most of the cases. The GDPR does not prescribe an official way to perform the balancing test, however the Article 29 Working Party has described an approach, that while not binding for the member states, appears to be a useful tool. The analyzed cases show that there are several different interests that can be considered legitimate, across many areas, and there does not appear to be areas where processing is precluded or permitted consistently. There are however some patterns, that can be observed. In cases where the purpose is to secure the safety of citizens and solve crime, the processing will most often be legal, since this interest is difficult to override. An employer will also generally have a broad access to process data but must be careful when passing the data to others or when the data regards dismissal of employees. When disclosing data to the public, the regards to freedom of speech, freedom of information and expression will be significant factors, which are also difficult to counterweight in the balance test. The same is true when processing data which is already publicly available, or when the data controller is imposed a certain task by law, or when a data controller processes data to bring civil proceedings. It is also clear, that breach of the principles in GDPR art. 5, or breach of national legislation, will always mean that the processing is illegal, and thus the provision cannot be used.

In any case, the processing on basis of legitimate interests is a very flexible provision, that on one hand permits processing when the other legal grounds prove insufficient, but on the other hand involves some uncertainty and requires careful planning from the data controller, especially in areas where case law is scarce.
Udgivelsesdato18 maj 2021
Antal sider70
ID: 412012725