The Dutch DPA gives its interpretation of the “legitimate interests” ground of Article 6(1)(f) of the GDPR Remarkably, the Dutch DPA advocates a much stricter interpretation than other national authorities do, including the guidelines provided by the now defunct EU Article 29 Working Party. This blog aims to set out when reliance on this ground is justified and, perhaps more importantly, when it is not.
Article 6 GDPR
The processing of personal data is lawful only if any of the grounds of Article 6 GDPR applies. Of the six grounds of Article 6 GDPR, the “legitimate interests” ground offers the most flexibility. For this reason, it is the one ground that (commercial) organisations rely on most. In a recent document, the Dutch DPA sets out when reliance on this ground is justified and, perhaps more importantly, when it is not.
The Dutch DPA's view of legitimate interests
First and foremost, the Dutch DPA holds that prior to any reliance on the legitimate interests ground the following three - cumulative - requirements must be met: (i) there must be a legitimate interest, (ii) the processing must be necessary to achieve this legitimate interest, and (iii) the interests of the controller must be balanced against the interests of the data subject. The Dutch DPA then addresses what it believes to be potential legitimate interests. The most remarkable statement in this respect is the following:
“What are not considered legitimate interests either, would be the following examples: processing personal data for purely commercial interests, profit maximisation, monitoring employee conduct without legitimate interest or tracking the (purchasing) behaviour of (potential) customers, etc.”
It follows that the Dutch DPA does not consider the processing of personal data for purely commercial interests and profit maximisation to constitute legitimate interests within the meaning of Article 6(1)(f) GDPR. In my opinion, the Dutch DPA's view that the commercial interest of an organisation does not constitute a legitimate interest is peculiar. It would make more sense if an organisation's commercial interest does constitute a legitimate interest per se, but that the lawfulness of the processing is contingent on the organisation's meeting the necessity criterion and the outcome of the balancing of interests.
The view of the Article 29 Working Party and of the ICO
The Dutch DPA's view differs from the opinion of the Article 29 Working Party (a now defunct European advisory body on data protection and privacy) on legitimate interests. In Opinion 06/2014, the Working Party held that the economic interest of a company to learn as much as possible about its potential customer may be an example of a legitimate interest. The Working Party also made the following consideration on legitimate interest:
“In the view of the Working Party, the notion of legitimate interest could include a broad range of interests, whether trival or very compelling, straightforward or more controversial. It will then be in a second step, when it comes to balancing these interests against the interests and fundamental rights of the data subjects, that a more restricted approach and more substantive analysis should be taken.”
Rather than a narrow interpretation of the notion of legitimate interest, the Working Party opts for a broad construction of the notion and a more restricted approach to the balancing of interests.
The Information Commissioner's Office (“ICO”), the leading English data protection authority, stands by the Working Party's opinion, explicitly stating on its website that the legitimate interests ground is a flexible one and that the commercial interest of a company can constitute a legitimate interest.
“The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.”
The stance now taken by the Dutch DPA raises eyebrows. If they actually pursue this line of policy, many types of processing based on legitimate interest would stop being lawful, forcing the controllers relying on them to resort to seeking consent.
The European Data Protection Board (successor to the Article 29 Working Party) has announced that early 2020 it will update the Working Party's opinion as part of new guidelines on legitimate interests. Against that backdrop, the Dutch DPA's insistence to present its interpretation of legitimate interests early comes across as strange. Waiting would benefit the uniformity among EU Member States. Then again, the Dutch DPA's view might be a forerunner of the new European guidelines.
Legal advise or more information
If you wish to know how your organisation can successfully use the legitimate interests ground, then simply contact Martin Hemmer or Carmen Hermes.
Author of this blog: Carmen Hermes.
The Dutch DPA gives its interpretation of the “legitimate interests” ground of Article 6(1)(f) of the GDPR Remarkably, the Dutch DPA advocates a much stricter interpretation than other national authorities do, including the guidelines provided by the now defunct EU Article 29 Working Party. This blog aims to set out when reliance on this ground is justified and, perhaps more importantly, when it is not.
Article 6 GDPR
The processing of personal data is lawful only if any of the grounds of Article 6 GDPR applies. Of the six grounds of Article 6 GDPR, the “legitimate interests” ground offers the most flexibility. For this reason, it is the one ground that (commercial) organisations rely on most. In a recent document, the Dutch DPA sets out when reliance on this ground is justified and, perhaps more importantly, when it is not.
The Dutch DPA's view of legitimate interests
First and foremost, the Dutch DPA holds that prior to any reliance on the legitimate interests ground the following three - cumulative - requirements must be met: (i) there must be a legitimate interest, (ii) the processing must be necessary to achieve this legitimate interest, and (iii) the interests of the controller must be balanced against the interests of the data subject. The Dutch DPA then addresses what it believes to be potential legitimate interests. The most remarkable statement in this respect is the following:
“What are not considered legitimate interests either, would be the following examples: processing personal data for purely commercial interests, profit maximisation, monitoring employee conduct without legitimate interest or tracking the (purchasing) behaviour of (potential) customers, etc.”
It follows that the Dutch DPA does not consider the processing of personal data for purely commercial interests and profit maximisation to constitute legitimate interests within the meaning of Article 6(1)(f) GDPR. In my opinion, the Dutch DPA's view that the commercial interest of an organisation does not constitute a legitimate interest is peculiar. It would make more sense if an organisation's commercial interest does constitute a legitimate interest per se, but that the lawfulness of the processing is contingent on the organisation's meeting the necessity criterion and the outcome of the balancing of interests.
The view of the Article 29 Working Party and of the ICO
The Dutch DPA's view differs from the opinion of the Article 29 Working Party (a now defunct European advisory body on data protection and privacy) on legitimate interests. In Opinion 06/2014, the Working Party held that the economic interest of a company to learn as much as possible about its potential customer may be an example of a legitimate interest. The Working Party also made the following consideration on legitimate interest:
“In the view of the Working Party, the notion of legitimate interest could include a broad range of interests, whether trival or very compelling, straightforward or more controversial. It will then be in a second step, when it comes to balancing these interests against the interests and fundamental rights of the data subjects, that a more restricted approach and more substantive analysis should be taken.”
Rather than a narrow interpretation of the notion of legitimate interest, the Working Party opts for a broad construction of the notion and a more restricted approach to the balancing of interests.
The Information Commissioner's Office (“ICO”), the leading English data protection authority, stands by the Working Party's opinion, explicitly stating on its website that the legitimate interests ground is a flexible one and that the commercial interest of a company can constitute a legitimate interest.
“The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.”
The stance now taken by the Dutch DPA raises eyebrows. If they actually pursue this line of policy, many types of processing based on legitimate interest would stop being lawful, forcing the controllers relying on them to resort to seeking consent.
The European Data Protection Board (successor to the Article 29 Working Party) has announced that early 2020 it will update the Working Party's opinion as part of new guidelines on legitimate interests. Against that backdrop, the Dutch DPA's insistence to present its interpretation of legitimate interests early comes across as strange. Waiting would benefit the uniformity among EU Member States. Then again, the Dutch DPA's view might be a forerunner of the new European guidelines.
Legal advise or more information
If you wish to know how your organisation can successfully use the legitimate interests ground, then simply contact Martin Hemmer or Carmen Hermes.
Author of this blog: Carmen Hermes.