Can a data processing activity rely on the legitimate interests of the data subjects?
Article 6 of the General Data Protection Regulation (GDPR) includes the “legitimate interests” of the data controller or a third party as one of the legal basis for processing personal data. This article 6.1.f is in certain way complex, as there are very few occasions when we can rely on this legal basis with complete legal certainty. At the same time, however, it is necessary, since there are numerous processing activities that could not be covered by any of the other basis offered to us by aforementioned article 6.
As a consequence of this lack of clarity, I observe how this legal basis is being used in practice to cover different data processing activities depending on the privacy expert who interpret it. In this context, a few weeks ago, I had the opportunity to review the record of processing activities of a European company and observed that the legitimate basis for various activities within the Human Resources department was “the legitimate interests of the employees”.
To be honest, I found this rather shocking. However, although at first glance seems wrong, I would like to review what arguments may exist to defend that position and, in this way, try to understand whether the interpretation made by other lawyers is correct.
May a data processing activity be based on the legitimate interests of the employees?
In order to answer the question, we must go to article 6.1.f GDPR:
Processing shall be lawful only if and to the extent that at least one of the following applies: […] f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party…
As can be seen, this article clearly sets out two possible subjects who could pursue these legitimate interests that would enable the processing. The first of them is the data controller. The second is any “third party”, without this article specifying in more detail who can be understood as a third party for these purposes. It is clear that an employee could never fit into the first scenario because, basically, the data controller is the employer (the company, entity, etc.) and never the employee, who would be the data subject by definition. However, could the employee, in addition to being a data subject, be considered a “third party”?
Well, first of all, if we apply common sense, it does not feel right that the data subject can fit into the concept of “third party”. In fact, if we look at Article 6, we can see that, for example, paragraph (d) refers to the “vital interests of the data subject”. This clearly leads us to deduce that, if the legislators had wanted to refer to the data subject in paragraph (f), they would have used the word “data subject” directly – as in paragraph (d) – and not “third party”. So, who would be considered as a “third party”? In this case, it seems quite simple, since we have a wonderful article 4.10 GDPR that include de definition below:
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Thus, we clearly cannot consider the data subject within the concept of “third party”.
Finally, there could be a final argument in favour of this interpretation, which is the fact that article 35.7 GDPR, relating to data protection impact assessments, expressly mentions the “legitimate interests of data subjects”. However, the context in this case is completely different, as in no case does this article refer to it as a legal basis for a processing activity, but as something to be taken into account when identifying measures to mitigate privacy risks. In this way, I do not consider that this reference included in Article 35.7 GDPR is opposed to the explanation above.
In conclusion, having analysed it in more detail, I still believe that the legitimate interest of the data subjects is not a valid legitimate basis, simply because it does not exist. I think that if the legislator had wanted to foresee this possibility, they would have included a direct mention of data subjects in art. 6.1.f). I do not believe that this figure would be necessary either, since there would hardly be any processing activities that could be covered by it (in the case of the company I mentioned, they were processing activities that could rely on the “performance of a contract” by virtue of art. 6.1.b). Therefore, to carry out any data processing activity it would not be valid to rely on the legitimate interests of the employees or any other data subject.