EDPB introduces new draft guidelines on legitimate interest
Although "legitimate interest" as a lawful basis for processing personal data was already applied in the practice of most national Data Protection Authorities, no unified guidelines on it had been issued since the entry into force of the GDPR. On 8 October 2024, the European Data Protection Board (EDPB) released a draft clarifying how organizations can rely on "legitimate interest" as a lawful basis for processing personal data under the GDPR. This update is particularly relevant for businesses engaged in data processing activities such as direct marketing or AI model training.
To use legitimate interest as a lawful basis, three cumulative conditions must be met:
- Pursuit of a Legitimate Interest: The interest must be lawful and can include commercial objectives. However, it must be explicitly communicated to data subjects at the time of data collection.
- Necessity of Processing: Organizations must demonstrate that data processing is essential for achieving their stated legitimate interest and that the interest cannot be achieved by less intrusive means.
- Balancing Test: The fundamental rights and freedoms of data subjects must not outweigh the organization's interest. This involves considering the reasonable expectations of data subjects and ensuring transparent practices.
The draft guidelines provide more detailed guidance on applying the balancing test, including assessing the nature of the data and potential impacts on privacy. Organizations are required to document their assessments thoroughly to ensure compliance and transparency.
The consultation period for these guidelines was open until 20 November 2024. The EDPB screens all replies provided; it is therefore expected that the final version, scheduled for the first quarter of 2025, may include additional practical examples and operational specifications requested by industry operators.