Legitimate Interest as a Legal Basis for Data Processing
The collection and processing of personal data inevitably involve an intrusion into the privacy of the individuals whose data is being processed.
For this reason, the Law on Personal Data Protection (LPDP), enacted in 2018 to align with the General Data Protection Regulation (GDPR), introduced six legal bases for the lawful processing of personal data.
Legal Bases for Lawful Data Processing
Data processing is lawful only if it fulfils one of the following conditions:
- Consent of the Data Subject: The individual has consented to the processing of their personal data. Consent is granted either by physically signing a document specifying the purposes and methods of data processing or by checking a box online (e.g., subscribing to a seller’s newsletter, making an online purchase, etc.).
- Contractual Necessity: Processing is necessary for the execution of a contract with the data subject or for actions prior to entering into a contract. For example, delivering purchased goods requires the seller to collect the buyer’s delivery address and phone number, which are often shared with delivery services.
- Legal Obligation: Processing is necessary for compliance with a legal obligation of the controller. For instance, an employer collects employee data not only to conclude an employment contract but also to fulfil mandatory insurance and tax obligations.
- Vital Interests: Processing is necessary to protect the vital interests of the data subject or another person. For example, employers may process data of an employee’s dependents for health insurance registration.
- Public Interest or Legal Authority: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. For instance, the Statistical Office processes population data for census purposes.
- Legitimate Interest: Processing is necessary for the legitimate interests of the controller or a third party unless overridden by the interests, rights, or freedoms of the data subject, especially in the case of children.
Controllers are required to identify the appropriate legal basis for each specific processing activity.
Legal Basis
The legitimate interest of the controller or a third party is often considered when other legal bases cannot apply. However, this broad basis comes with certain prerequisites:
- Necessity: The processing must be necessary for the controller or third party.
- Defined Interest: The controller must clearly define their interest.
- Non-Infringement: The processing must not harm the interests, rights, or freedoms of the data subject, especially if the subject is a minor.
The Balancing Test
Even if these conditions are met, the controller must conduct a balancing test:
- Could the same outcome be achieved without data processing or with less processing?
- Would the data subject reasonably expect such processing, or would it be considered unacceptable?
- If the processing conflicts with the subject’s rights or causes harm, it is unlawful.
If the balancing test favours processing, the Commissioner for Information of Public Importance and Personal Data Protection may require a documented justification.
Examples
- Video Surveillance: Store owners may install cameras for security purposes, balancing this need with customers’ privacy.
- Personalized Marketing: Online stores analyze purchase data to tailor marketing campaigns. However, they must allow users to opt out and ensure compliance with data protection laws.
- Public Transparency: A public enterprise may publish salaries of executives to foster credibility, despite the potential privacy concerns.
Misapplication
A common misuse is processing personal data for direct marketing. However, the Advertising Law and Consumer Protection Law prohibit direct marketing through unsolicited calls or emails. Such activities require explicit consent.
Legal Act
The Commissioner recommends that controllers prepare a document outlining:
- The legitimate interest and its necessity.
- The impact of data processing on the data subject.
- Justification that the controller’s interest outweighs the subject’s privacy rights.
Notification and Objection
Data subjects must be informed, typically through privacy policies or contractual documents. They have the right to object to such processing at any time. If the objection is valid, the controller must cease processing unless there are overriding legal grounds.
Conclusion
Legitimate interest as a legal basis requires a cautious approach. Controllers must ensure that the processing is necessary, the interest is justified, and the rights of data subjects are not infringed. The balancing test and proper documentation are essential. Given the complexity of compliance, consulting a legal expert is highly recommended.
