Legal Bases for Lawful Data Processing
Data processing is lawful only if it fulfils one of the following conditions:
- Consent of the Data Subject: The individual has consented to the processing of their personal data. Consent is granted either by physically signing a document specifying the purposes and methods of data processing or by checking a box online (e.g., subscribing to a seller’s newsletter, making an online purchase, etc.).
- Contractual Necessity: Processing is necessary for the execution of a contract with the data subject or for actions prior to entering into a contract. For example, delivering purchased goods requires the seller to collect the buyer’s delivery address and phone number, which are often shared with delivery services.
- Legal Obligation: Processing is necessary for compliance with a legal obligation of the controller. For instance, an employer collects employee data not only to conclude an employment contract but also to fulfil mandatory insurance and tax obligations.
- Vital Interests: Processing is necessary to protect the vital interests of the data subject or another person. For example, employers may process data of an employee’s dependents for health insurance registration.
- Public Interest or Legal Authority: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. For instance, the Statistical Office processes population data for census purposes.
- Legitimate Interest: Processing is necessary for the legitimate interests of the controller or a third party unless overridden by the interests, rights, or freedoms of the data subject, especially in the case of children.
Legal Basis
The legitimate interest of the controller or a third party is often considered when other legal bases cannot apply. However, this broad basis comes with certain prerequisites:
- Necessity: The processing must be necessary for the controller or third party.
- Defined Interest: The controller must clearly define their interest.
- Non-Infringement: The processing must not harm the interests, rights, or freedoms of the data subject, especially if the subject is a minor.
The Balancing Test
Even if these conditions are met, the controller must conduct a balancing test:
- Could the same outcome be achieved without data processing or with less processing?
- Would the data subject reasonably expect such processing, or would it be considered unacceptable?
- If the processing conflicts with the subject’s rights or causes harm, it is unlawful.
Examples
- Video Surveillance: Store owners may install cameras for security purposes, balancing this need with customers’ privacy.
- Personalized Marketing: Online stores analyze purchase data to tailor marketing campaigns. However, they must allow users to opt out and ensure compliance with data protection laws.
- Public Transparency: A public enterprise may publish salaries of executives to foster credibility, despite the potential privacy concerns.
Misapplication
A common misuse is processing personal data for direct marketing. However, the Advertising Law and Consumer Protection Law prohibit direct marketing through unsolicited calls or emails. Such activities require explicit consent.
Legal Act
The Commissioner recommends that controllers prepare a document outlining:
- The legitimate interest and its necessity.
- The impact of data processing on the data subject.
- Justification that the controller’s interest outweighs the subject’s privacy rights.
Notification and Objection
Data subjects must be informed, typically through privacy policies or contractual documents. They have the right to object to such processing at any time. If the objection is valid, the controller must cease processing unless there are overriding legal grounds.
Conclusion
Legitimate interest as a legal basis requires a cautious approach. Controllers must ensure that the processing is necessary, the interest is justified, and the rights of data subjects are not infringed. The balancing test and proper documentation are essential. Given the complexity of compliance, consulting a legal expert is highly recommended.
Law Firm Petrovic Mojsic & Partners
The post Legitimate Interest as a Legal Basis for Data Processing appeared first on Law Firm Belgrade, Serbia | Law Office Belgrade, Serbia.