GDPR - "Legitimate interest" What's that about?
1. the controller of the personal data or a third party has a legitimate interest in the data processing.
2. processing is necessary to safeguard the legitimate interest.
3. the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail.
The term "legitimate interest" is an indefinite legal term whose actual content is to be determined by interpretation and was already in use in the previously valid EU Directive 95/46/EC. According to Opinion 06/2014 of the Article 29-Privacy-Group on the concept of the legitimate interest of the controller under Article 7 of Directive 95/46/EC, the interest is "the broader aim which a controller may have of such processing or the benefits which the controller may derive - or society may derive - from such processing".
Only the addition of "legitimate" limits this notion of interest to the effect that only those interests which do not conflict with it should be protected by the law.
According to the wording of the GDPR, the legitimate interest under Art. 6 I f may be the interest of the person responsible or of a third party. In addition to the legitimate interests of the controller, legitimate third party interests can also be considered as a basis for processing.
Recital 47 of the GDPR mentions, for example, the case where "there is a significant and appropriate relationship between the data subject and the data controller, e.g. if the data subject is a customer of the data controller or is in the data controller's service". There may also be a legitimate interest in the processing of personal data to prevent fraud and for the purpose of direct marketing.
Recital 48 of the GDPR mentions the "transfer between parts of groups of companies or groups of institutions for internal administrative purposes, including the processing of personal data of customers and employees". Here, too, it is possible that the data controller has a legitimate interest in the transfer.
Whether the data controller can base the data processing on Art. 6 I f GDPR depends ultimately on whether the processing is necessary to safeguard the legitimate interests and how the subsequent weighing of interests results in. This case-by-case assessment has a decisive function in the end.