The European Data Protection Board publishes draft Guidelines on legitimate interest under GDPR for consultation

To rely on Art. 6(1)(f) GDPR, three cumulative conditions must be fulfilled: 

1. Pursuit of a legitimate interest: The interest must be lawful, precisely articulated, and present. Following last week’s CJEU decision in the KNLTB case (see our blog post on this for further details), the EDPB confirmed that the concept of legitimate interest is not limited to interests that are enshrined in and determined by law, but that the proposed legitimate interest must be lawful. 
2. Necessity of processing: The processing must be necessary for the purposes of the legitimate interest pursued. This involves assessing whether the legitimate interests cannot reasonably be achieved by other less privacy intrusive means. 
3. Balancing of interests: The balancing exercise involves weighing the legitimate interests of the controller against the fundamental rights and freedoms as well as interests of the data subjects. The guidance recommends performing a clear mapping of those freedoms, rights or interests of data subjects that may be affected by the processing and the impact of the processing on the data subject. It also lists the factors to consider in this regard (such as the nature of data, the context of processing, the impact of the processing on the data subject and his or her reasonable expectations, as well as any additional mitigating measures that may be taken to limit undue impact).

The EDPB also provides detailed guidance and practical examples on the application of Art.6(1)(f) GDPR in specific contexts, including:

• Processing of children’s data: Children’s interests will often outweigh the interests of the controller.  Extensive profiling and targeted advertising activities are generally not aligned with the obligations to ensure protection of children;
• Processing for fraud prevention: It must be strictly necessary and comply with the "data minimisation" principle. Controllers should be specific about the type of fraud they are trying to prevent, and the data needed for that purpose;
• Processing for direct marketing: While direct marketing can be a legitimate interest, its lawfulness and the reasonable expectations of data subjects about the use of their data must be considered. The lawfulness is impacted by other EU and national legislation on direct marketing, such as the ePrivacy Directive (which is lex specialis in relation to the GDPR). When consent is required under the ePrivacy Directive, the use of legitimate interest as a legal basis in this context is not possible;
• Intra-group processing for internal administrative purposes: Controllers that are part of a group of undertakings may have a legitimate interest in transmitting personal data within the group for internal administrative purposes, however, the EDPB also recommends considering other processing grounds; 
• Processing for ensuring network and information security: Such processing must also meet the requirements of necessity and balancing test. The EDPB warns that certain security solutions may lead to a large-scale (and intrusive) analysis of communications content and metadata, with a significant impact on the outcomes of the balancing test;
• Disclosure of data on request of third country authorities: A controller could have a legitimate interest in complying with such a request if the controller is subject to third country legislation and non-compliance would entail sanctions under foreign law. However, a balancing test would be necessary before disclosing the data. 

The draft Guidelines highlight documenting a legitimate interest assessment as part of complying with the accountability requirements of the GDPR.

The draft Guidelines are available here, and the press release here.