Legitimate Interest as a Legal Basis for Data Processing
The collection and processing of personal data inevitably involve an intrusion into the privacy of the individuals whose data is being processed.
For this reason, the Law on Personal Data Protection (LPDP), enacted in 2018 to align with the General Data Protection Regulation (GDPR), introduced six legal bases for the lawful processing of personal data.
Legal Bases for Lawful Data Processing
Data processing is lawful only if it fulfils one of the following conditions:
- Consent of the Data Subject: The individual has consented to the processing of their personal data. Consent is granted either by physically signing a document specifying the purposes and methods of data processing or by checking a box online (e.g., subscribing to a seller’s newsletter, making an online purchase, etc.).
- Contractual Necessity: Processing is necessary for the execution of a contract with the data subject or for actions prior to entering into a contract. For example, delivering purchased goods requires the seller to collect the buyer’s delivery address and phone number, which are often shared with delivery services.
- Legal Obligation: Processing is necessary for compliance with a legal obligation of the controller. For instance, an employer collects employee data not only to conclude an employment contract but also to fulfil mandatory insurance and tax obligations.
- Vital Interests: Processing is necessary to protect the vital interests of the data subject or another person. For example, employers may process data of an employee’s dependents for health insurance registration.
- Public Interest or Legal Authority: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. For instance, the Statistical Office processes population data for census purposes.
- Legitimate Interest: Processing is necessary for the legitimate interests of the controller or a third party unless overridden by the interests, rights, or freedoms of the data subject, especially in the case of children.
Controllers are required to identify the appropriate legal basis for each specific processing activity.
Legal Basis
The legitimate interest of the controller or a third party is often considered when other legal bases cannot apply. However, this broad basis comes with certain prerequisites:
- Necessity: The processing must be necessary for the controller or third party.
- Defined Interest: The controller must clearly define their interest.
- Non-Infringement: The processing must not harm the interests, rights, or freedoms of the data subject, especially if the subject is a minor.
The Balancing Test
Even if these conditions are met, the controller must conduct a balancing test:
- Could the same outcome be achieved without data processing or with less processing?
- Would the data subject reasonably expect such processing, or would it be considered unacceptable?
- If the processing conflicts with the subject’s rights or causes harm, it is unlawful.
If the balancing test favours processing, the Commissioner for Information of Public Importance and Personal Data Protection may require a documented justification.
Examples
- Video Surveillance: Store owners may install cameras for security purposes, balancing this need with customers’ privacy.
- Personalized Marketing: Online stores analyze purchase data to tailor marketing campaigns. However, they must allow users to opt out and ensure compliance with data protection laws.
- Public Transparency: A public enterprise may publish salaries of executives to foster credibility, despite the potential privacy concerns.
Misapplication
A common misuse is relying on legitimate interest to process personal data for direct marketing. The Advertising Law and Consumer Protection Law prohibit direct marketing through unsolicited calls or emails. Such activities require explicit consent.
Legal Act
The Commissioner recommends that controllers prepare a document outlining:
- The legitimate interest and its necessity.
- The impact of data processing on the data subject.
- Justification that the controller’s interest outweighs the subject’s privacy rights.
Notification and Objection
Data subjects must be informed, typically through privacy policies or contractual documents. They have the right to object to such processing at any time. If the objection is valid, the controller must cease processing unless there are overriding legal grounds.
Conclusion
Legitimate interest as a legal basis requires a cautious approach. Controllers must ensure that the processing is necessary, the interest is justified, and the rights of data subjects are not infringed. The balancing test and proper documentation are essential. Given the complexity of compliance, consulting a legal expert is highly recommended.

