The European Data Protection Board adopted several significant documents Wednesday, including highly anticipated draft guidelines on the processing of personal data based on legitimate interest. The board also issued an opinion "on certain obligations following from the reliance on processor(s) and sub-processor(s)," after a request from Denmark's data protection authority, Datatilsynet, based on Article 64(2).

Legitimate interests under the GDPR

Among the six legal bases under the EU General Data Protection Regulation, legitimate interest requires a "balancing test," as IAPP Principal Researcher, Privacy Law and Policy, Müge Fazlioglu, CIPP/E, CIPP/US, pointed out in a refresher chart on legal bases.

According to the EDPB's press release, for a controller to rely on legitimate interest, it must fulfill three "cumulative conditions." First, "only the interests that are lawful, clearly and precisely articulated, real and present may be considered legitimate." Second, organizations must consider the necessity to process personal data and whether there are "less intrusive alternatives" while also examining the principles of data minimization. Finally, controllers must consider that the legitimate interest does not override the individual's interests and fundamental rights.

In the guidance, the EDPB also explains how the assessment "should be carried out in practice, including in a number of specific contexts such as fraud prevention, direct marketing and information security."

Notably, the draft guidelines are now open for public consultation until 20 Nov.

The EDPB's guidelines on legitimate interests are timely and follow a recent but long-awaited ruling by the Court of Justice of the EU on the enforcement fine that the Netherlands' DPA, the Autoriteit Persoonsgegevens, imposed on the Royal Dutch Tennis Association.

In its release Wednesday, the EDPB said it took into consideration the CJEU's decision on the AP's interpretation of legitimate interest in C-621/22 from 4 Oct. 2024.

The AP fined the Royal Dutch Tennis Association 525,000 euros for sharing its members' personal information on the basis of commercial interests. In 2019, the AP had issued guidance stating that commercial interests could not qualify as legitimate interests.

In a recent blog post analyzing the recent CJEU decision, Hogan Lovells wrote, "Although the CJEU reminds that, as a general rule, the legal bases of Article 6 GDPR must be interpreted restrictively, it regards the viewpoint of the Dutch DPA as too restrictive. Commercial interests may not be categorically excluded from the legitimate interest ground, insofar as they are not contrary to the law."

EDPB's opinion on processor obligations

The EDPB also adopted an opinion on controller obligations on the reliance of processors and sub-processors. This follows a request from Denmark's Datatilsynet under Article 64(2).

Specifically, the opinion focuses on when controllers rely on one or multiple processors or sub-processors and addresses eight questions related to the duties of controllers, as well as wording in contracts between controllers and processors.

Notably, the EDPB states that "controllers should have the information on the identity (i.e. name, address, contact person) of all processors, sub-processors, etc. readily available at all times so they can best fulfill their obligation under Article 28 GDPR." It also states that the "ultimate decision and responsibility on engaging a specific sub-processor remains with the controller."

If transfers of personal data take place between two sub-processors outside the European Economic Area, "the processor as data exporter should prepare the relevant documentation, such as the ground of transfer used, the transfer impact assessment and the possible supplementary measures," the EDPB press release stated, adding that controllers "should assess this documentation and be able to show it to the competent" DPA.

Industry responds to processor opinion

In response, BSA | The Software Alliance raised concerns, arguing the opinion "challenges existing well-established practices and has major implications for businesses, especially those leveraging cloud services, to the detriment of both the controller (business customer) and processor (cloud service provider)."

In an extensive response, BSA also said the opinion "introduces a significant new requirement on data controllers to be aware of all processors in their entire sub-processing chain and on data processors to proactively provide such information to the controllers." It said this will "overburden businesses" without improving the level of data protection for individuals.

EDPB statement on draft regulation for GDPR enforcement

Additionally, following European Parliament and Council amendments to the European Commission's proposal for a new regulation for additional procedural rules relating to GDPR enforcement, the EDPB adopted a statement, which "generally welcomes" the amendments.

EDPB Chair Anu Talus said, "The draft regulation has the potential to greatly streamline GDPR enforcement by increasing the efficiency of case handling. More harmonisation is needed at EU level, in order to maximise the full effectiveness of the GDPR’s cooperation and consistency mechanisms."

Finally, in what was clearly a busy plenary this month, the EDPB adopted its work programme for 2024-2025 and agreed to grant the Kosovan Information and Privacy Agency observer status.

Jedidiah Bracy is the editorial director for the IAPP.