GDPR - "Legitimate interest" What's that about?

The "legitimate interest" in Art. 6 I f GDPR is one of several possible legal bases for the processing of personal data. In order to base this processing on such a legitimate interest, the following three conditions must be met cumulatively:

1. the controller of the personal data or a third party has a legitimate interest in the data processing.
2. processing is necessary to safeguard the legitimate interest.
3. the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail.

The term "legitimate interest" is an indefinite legal term whose actual content is to be determined by interpretation and was already in use in the previously valid EU Directive 95/46/EC. According to Opinion 06/2014 of the Article 29-Privacy-Group on the concept of the legitimate interest of the controller under Article 7 of Directive 95/46/EC, the interest is "the broader aim which a controller may have of such processing or the benefits which the controller may derive - or society may derive - from such processing".

Only the addition of "legitimate" limits this notion of interest to the effect that only those interests which do not conflict with it should be protected by the law.

According to the wording of the GDPR, the legitimate interest under Art. 6 I f may be the interest of the person responsible or of a third party. In addition to the legitimate interests of the controller, legitimate third party interests can also be considered as a basis for processing.

Recital 47 of the GDPR mentions, for example, the case where "there is a significant and appropriate relationship between the data subject and the data controller, e.g. if the data subject is a customer of the data controller or is in the data controller's service". There may also be a legitimate interest in the processing of personal data to prevent fraud and for the purpose of direct marketing.

Recital 48 of the GDPR mentions the "transfer between parts of groups of companies or groups of institutions for internal administrative purposes, including the processing of personal data of customers and employees". Here, too, it is possible that the data controller has a legitimate interest in the transfer.

Whether the data controller can base the data processing on Art. 6 I f GDPR depends ultimately on whether the processing is necessary to safeguard the legitimate interests and how the subsequent weighing of interests results in. This case-by-case assessment has a decisive function in the end.

Sie können diese Website besuchen, ohne personenbezogene Daten zu hinterlassen. Diese Website nutzt z.B. keine Cookies. In technisch notwendigem Umfang werden in den Server Log Files Informationen gespeichert, die nicht bestimmten Personen zuzuordnen sind. Der Webhoster Ionos erhebt Daten über den Besuch der Webseite ohne die Verwendung von Cookies. Es werden dort IP-Adresse und Browser-Erkennung anonymisiert gespeichert, damit keine Rückschlüsse auf die einzelnen Besucher gezogen werden können. Alles Weitere zum Datenschutz auf dieser Webseite finden Sie unter „IMPRESSUM/DATENSCHUTZ/PGP KEY“

You can visit this website without leaving any personal data. For example, this website does not use any cookies. To the extent technically necessary, information is stored in the server log files that cannot be assigned to specific persons. The web hoster Ionos collects data about visits to the website without the use of cookies. The IP address and browser type are stored there anonymously so that no conclusions can be drawn about the individual visitors. All further information on data protection on this website can be found under "LEGAL NOTICE/DATA PRIVACY/PGP KEY".