Two new instructive documents published by the European Data Protection Board (EDPB) clarify the responsibilities of controllers in verifying processors' ability to provide adequate data protection, and when "legitimate interests" can be relied on as the legal basis for processing.
According to the EDPB's opinion on the controller's oversight responsibilities, controllers must actively verify sufficient compliance by processors and sub-processors, and not rely solely on self-reporting. In doing so, controllers must identify and maintain information on all actors in the "processing chain" and verify their compliance with data protection regulations, regardless of the processors' own obligation to do so. The scope and nature of the processors' assurances to the controller that data is processed lawfully are case specific and should be determined by the level of risk to data subjects' rights or by the technological and organizational mitigating measures taken by the processor. Additionally, the opinion requires data processing contracts to expressly state the instructions for data processing that the controller issues to the processor.
According to the EDPB's guidelines on legitimate interests as a legal basis, there are three cumulative conditions for a legitimate interest analysis:
- The pursuit of a legitimate interest; and
- That data processing is required for the purposes of the legitimate interest, subject to the data minimization principle; and
- The interests or fundamental freedoms and rights of the data subjects concerned do not override the legitimate interest.
The EDPB clarifies which interests have already been recognized as legitimate by law or jurisprudence, including access to online information, ensuring the continued functioning of publicly accessible websites, obtaining the information of an individual who harms property in order to file a lawsuit, protection of property or health, product improvement, and assessing the creditworthiness of individuals. This is not an exhaustive list, and other interests may be deemed legitimate, subject to the interest being lawful, clearly and precisely articulated, and not speculative at the time of data processing.
Finally, the controller is required to weigh the interests or fundamental freedoms and rights of data subjects against the controller's interest, and in doing so consider the nature of the data to be processed, the context of the processing, the consequences of the processing, the reasonable expectations of the data subjects and the possibility of further mitigating measures.