European data protection authorities adopt guidelines on legitimate interest
The European Data Protection Board (EDPB) has adopted guidelines on the legal basis ‘legitimate interest’.
The EDPB has also:
- published the work programme for 2025;
- adopted a statement about new European legislation for enforcement of the GDPR;
- adopted a recommendation on the obligations of controllers, processors, and sub-processors.
Guidelines on legitimate interest
The EDPB has adopted new guidelines on ‘legitimate interest’. This is one of the six legal bases the GDPR offers for processing personal data.
The EDPB guidelines help organisations determine whether they are allowed to process personal data on the basis of a ‘legitimate interest’. This is only permitted if these three conditions are met:
- There actually is a legitimate interest.
- Processing of personal data is necessary for pursuing this interest.
- The legitimate interest outweighs the interests of data subjects.
The guidelines provide an explanation of the steps to be taken and give examples of situations in which this legal basis can or cannot be relied on. The guidelines also explain what organisations have to take into account when relying on this legal basis for their processing. For example, data subjects have special rights if organisations use this legal basis.
A public consultation for the guidelines is ongoing. This means that everyone can give feedback on the guidelines on the EDPB website. This is possible up to and including 20 November 2024. Based on all feedback received, the EDPB will assess whether the guidelines require any adjustments.
EDPB work programme
Every year, the EDPB publishes a work programme based on the EDPB strategy. The EDPB has adopted the work programme for 2024 and 2025. Among other things, the work programme includes the adoption of guidelines on:
- data processing for scientific research;
- the relationship between the GDPR and other European legislation;
- new technologies, such as generative AI.
The EDPB is also committed to improving the cooperation between data protection authorities within and outside the EEA.
Statement on new European legislation for enforcing the GDPR
In 2023, the European Commission, at the request of the EDPB, submitted a legislative proposal to improve cooperation between the data protection authorities in the EEA. As many organisations are active at an international level, these data protection authorities sometimes have to work together when enforcing the GDPR. The legislative proposal aims to reinforce this enforcement.
The legislative procedure is now at a very advanced stage, but not yet finished. This is why the EDPB has adopted a statement intended to help the European legislator make choices in the legislative process. The Dutch Data Protection Authority (Dutch DPA) was closely involved throughout the process.
EDPB recommendation on obligations of controllers, processors, and sub-processors
Finally, the EDPB has adopted a recommendation on the obligations of controllers, processors, and sub-processors. In this recommendation, the European data protection authorities explain how they interpret the law. This recommendation is about the situation in which a controller engages one or more processors and/or sub-processors. The recommendation explains the mutual obligations and processing agreements.
