8 Annex I. The balancing test
8.1 Introduction
The balancing test in the context of legitimate interest as a legal basis for processing
Legitimate interest is one of the six legal bases for the processing of personal data listed in Article 6(1) of the GDPR. This legal basis requires that the legitimate interests of the controller, or of any third parties to whom the data are disclosed, prevail over the interests, fundamental rights and freedoms of the data subjects (Article 6(1)(f)). To verify that this is indeed the case, controllers can make use of a tool called the balancing test, which has been recommended, for instance, by the Article 29 Working Party.[14] This tool is aimed at establishing whether the legitimate interests of the controller or of any third parties to whom the data are disclosed do in fact prevail over the interests, fundamental rights and freedoms of the data subjects.
When do the fundamental rights and freedoms of the data subject not take precedence?
Carrying out a balancing test involves considering several key factors that are decisive in determining which interests, freedoms or rights prevail, namely:[15]
- The nature and source of the legitimate interest: whether the data processing is necessary for the exercise of a fundamental right, is otherwise in the public interest, or benefits from recognition in the community concerned. Evaluating the possible prejudice suffered by the controller, by third parties or by the broader community if the data processing does not take place is compulsory.
- The power and status of the two parties (controller or third party and data subject). For instance, an employer intending to process the data of an employee is in a stronger position than the employee. If the data subject is a minor, his/her interests, rights or freedoms should be given greater weight.
- The nature of the data. Special categories of data, for instance, should be given greater weight. Similarly, data that people are likely to consider particularly ‘private’ (for example financial data), children’s data or data relating to other vulnerable individuals should be adequately weighed.
- The impact of the processing on the data subjects. To this end, controllers should consider whether the processing might result in a high risk to individuals’ rights and freedoms. If this is the case, they must perform a DPIA.
- The data subjects’ reasonable expectations about what will happen to their data. Controllers should be able to demonstrate that a reasonable person would expect the processing in light of the particular circumstances. If the purpose and method of processing are not immediately obvious and there is the potential for a range of reasonable opinions about whether people would expect it, controllers may wish to carry out some form of consultation, focus group or market research with individuals to demonstrate expectations and support their position. If there are pre-existing studies regarding reasonable expectations in a particular context, controllers may be able to draw on these as part of their determination of what individuals may or may not expect.[16]
- The way the data are processed (large scale, data mining, profiling, disclosure to a large number of people or publication).
- The additional safeguards which could limit undue impact on the data subject, such as:
  - data minimisation (e.g. strict limitations on the collection of data, or immediate deletion of data after use);
  - technical and organisational measures to ensure that the data cannot be used to take decisions or other actions with respect to individuals (‘functional separation’);
  - wide use of anonymisation techniques, aggregation of data, privacy-enhancing technologies, privacy by design, privacy and data protection impact assessments;
  - increased transparency, a general and unconditional right to object (opt-out), data portability and related measures to empower data subjects, etc.
8.2 The issue of the additional safeguards
The Article 29 Working Party considers that mitigation measures and safeguards, such as organisational or technical measures adopted by the controller for the protection of the data subjects’ rights, should be included in the balancing test. There is, however, an alternative approach, which holds that Article 6(1)(f) calls for a balancing test between two values: the legitimate interests of the controller (or a third party) and the interests, rights and freedoms of the data subject. Mitigation measures and safeguards do not fit well with either of these values and therefore, on this view, should not be considered. Otherwise, they would tip the scale towards the controller’s side, since they would understate the importance of the possible harm to the data subject’s interests, rights and freedoms. Kamara and De Hert have made some convincing statements on this specific issue:[17]
“including mitigation measures in the assessment would lead to a representation of the actual expected impact of the processing to the data subjects’ rights, and would still allow the legitimate interests to prevail. This approach does not ‘punish’ the controller that takes mitigation measures and safeguards, by not including them in the balancing test. On the contrary it encourages the controller to do so. On the other hand, one should keep in mind that the weight of future safeguards and mitigation measures is always relevant to their realisation and effectiveness. Such measures therefore should be considered, but not play a significant role in determining to which side the scale leans.”
8.3 Some examples of balancing test
8.3.1 Example 1[18]
Case: The newspaper Z is considering the publication of some photographs that show X, an actor, after being arrested for cocaine possession at a public parade. X is a famous public figure in his country, as he plays a policeman in a TV series. Furthermore, he has given several interviews in which he publicly disclosed details of his private life.
Balancing test: the data concern the individual’s private life rather than his professional life. The sharing of the data might contribute to significant harm to the individual. However, there is a public interest in accessing this information. The actor’s expectation that his privacy will be effectively protected has been reduced by the fact that he has disclosed data from his private life in several interviews. The outcome for the newspaper, having considered all the relevant factors, must be that the famous actor’s interests do not outweigh its legitimate interest in publishing the photographs, and the processing is lawful on the basis of that legitimate interest. See: Axel Springer AG v. Germany.
8.3.2 Example 2[19]
Case: An employer monitors internet use during working hours by employees to check they are not making excessive personal use of the company’s IT. The data collected include temporary files and cookies generated on the employees’ computers, showing websites visited and downloads performed during working hours. The data is processed without prior consultation of data subjects and the trade union representatives/work council in the company. There is also insufficient information provided to the individuals concerned about these practices.
Balancing test: The amount and nature of the data collected represent a significant intrusion into the private life of the employees. In addition to proportionality issues, transparency about the practices, which is closely linked to the reasonable expectations of the data subjects, is also an important factor to be considered. Even if the employer has a legitimate interest in limiting the time spent by employees visiting websites not directly relevant to their work, the methods used do not meet the balancing test of Article 7(f). The employer should use less intrusive methods (e.g. limiting access to certain sites), which are, as best practice, discussed and agreed with the employees’ representatives and communicated to the employees in a transparent way.
8.4 DOs and DON’Ts
8.4.1 DOs
- Check the nature of the data processed and take extra care about protecting children’s interests, rights and freedoms if they are at stake
- Consider the reasonable expectations of the data subjects
- Perform a DPIA if circumstances recommend it
8.4.2 DON’Ts
- Don’t process children’s data if it is not absolutely necessary to reach the pursued interest
- Don’t process the data if the balancing test is inconclusive
- Don’t hesitate to introduce adequate safeguards to minimise prejudice to the data subjects’ interests, rights and freedoms
8.4.3 Checklist
- The controllers have made sure that the individual’s interests do not override legitimate interests of the controller or third parties.
- The controllers use individuals’ data in ways they would reasonably expect.
- The controllers are not using people’s data in a very intrusive way or in a way which could cause them harm, unless they have a particularly good reason.
- The controllers do not process children’s data, or, if they do, they have taken extra care to make sure they protect their interests.
- The controllers have considered safeguards to reduce the impact where possible.
- The controllers have considered whether they need to conduct a DPIA.
8.4.4 Further readings
- Additional examples of the balancing test were provided by the Article 29 WP and can be found in its Opinion 06/2014 on the notion of legitimate interests of the controller under Article 7 of Directive 95/46/EC
- A29WP, Opinion 06/2014 on the notion of legitimate interests of the controller under Article 7 of Directive 95/46/EC. April 2014, p. 24. At: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf
- EDPS, Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit, 11 April 2017. At: https://edps.europa.eu/sites/edp/files/publication/17-06-01_necessity_toolkit_final_en.pdf. Accessed 5 May 2020
- ICO, How do we apply legitimate interests in practice? At: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/
- ICO, What is the ‘legitimate interests’ basis? https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/. Accessed 05 May 2020.
- Kamara, Irene and De Hert, Paul, “Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach”, Brussels Privacy Hub, Working paper, vol. 4, nº 12, 2018, p. 17. At: https://brusselsprivacyhub.eu/BPH-Working-Paper-VOL4-N12.pdf
[14] A29WP, Opinion 06/2014 on the notion of legitimate interests of the controller under Article 7 of Directive 95/46/EC. April 2014, p. 24. At: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf. Accessed 05 January 2020.
[15] A29WP, Opinion 06/2014 on the notion of legitimate interests of the controller under Article 7 of Directive 95/46/EC. April 2014, p. 24. At: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf. Accessed 05 January 2020.
[16] ICO, How do we apply legitimate interests in practice? At: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/. Accessed 15 January 2020.
[17] Kamara, Irene and De Hert, Paul, “Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach”, Brussels Privacy Hub, Working paper, vol. 4, nº 12, 2018, p. 17. At: https://brusselsprivacyhub.eu/BPH-Working-Paper-VOL4-N12.pdf. Accessed 17 January 2020.
[18] Source: A29WP, Opinion 06/2014 on the notion of legitimate interests of the controller under Article 7 of Directive 95/46/EC. April 2014, p. 63. At: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf. Accessed 05 January 2020.
[19] Source: ICO, How do we apply legitimate interests in practice? At: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/. Accessed 15 January 2020.