Personal data processing based on legitimate interest
The GDPR provides several legal grounds for processing personal data, one of which (Article 6(1)(f) of the Regulation) is legitimate interest. It is important to understand that this legal basis does not give the controller a licence to process personal data at any time and for any reason simply because no other legal basis is available. What does this mean in practice?
Responsibility of the data controller
At first glance, this seems to be the most flexible legal basis, but by using it the controller assumes a significant responsibility, as it must also comply with the other safeguards related to the processing of personal data. One of these is the principle of accountability (Article 5(2) of the Regulation), which requires the controller to carry out the processing transparently, accurately and fairly and to be able to demonstrate this; in other words, it imposes an obligation on the controller to prove compliance. It is not enough to reproduce the provisions of the Regulation on paper or in a PDF: accountability is a substantive activity, and this is particularly true for processing where the controller and the data subject are not in a direct client or other legal relationship. In the absence of appropriate safeguards, the risk of a breach of the data subjects' rights is such that the balancing of interests can only conclude that the legitimate interest of the third party does not override the rights of the data subjects, precisely because of the risks involved in the processing.
Purpose and justification of the processing
The purposes for which, and the legitimate interests on the basis of which, the controller intends to process personal data must be clearly justified, weighed and safeguarded by the controller, broken down to the level of individual data items and purposes. These safeguards should ensure, inter alia, that the data subject is aware of the processing and can object to it before it takes place: once the processing has happened, the right to object is exhausted and is no longer effectively guaranteed, particularly for short-term or one-off processing. For example, in the case of a one-off satisfaction e-mail, once the e-mail has been sent an objection has no substantive effect.
These aspects are to be examined and documented in the so-called interest-balancing test. All such tests must be reviewed at least every 3 years in accordance with Article 5(5) of Act CXII of 2011 (the "Information Act")!
What might this mean in practice?
To test the above in practice, let's look at a straightforward real-life case (based on an NAIH decision):
The NAIH imposed a fine of HUF 5 million in an ex officio proceeding (i.e. not at the request of the complainant). The decision concerned a satisfaction survey carried out by a car importer. The ex officio proceedings also covered an investigation into the importer's general practices in relation to customer satisfaction surveys and an overall assessment of its balancing of interests in this regard.
After the service visit, the customer who had had his vehicle serviced received one (or two) e-mails asking him to fill in a satisfaction questionnaire. The customer was unhappy about this, but instead of taking his complaint to the garage he reported the matter to the Authority, as he felt that he should not have received e-mails from a source unknown to him in the first place.
The NAIH established that the e-mail had not been sent by the service garage but by the brand's importer, on the basis of data received from the garage (which is why the importer was brought into the proceedings). Since the purpose of processing the transferred data was not determined by the garage (for the garage, the purpose was set by its contract with the importer), the Importer is responsible for the processing and the garage was "only" a data processor. The NAIH accepted the contract in question as a data processing agreement, since it defined what the processor had to do (inform the customer on the worksheet, collect the data and forward it to the Importer). For the brand service garage this meant that the NAIH found no fault in its data processing… This detail also shows that it is worth defining processing activities precisely in the contracts between the different legal entities, whether we act as controllers, processors or joint controllers. This is particularly important for processing that requires close cooperation, e.g. outsourced payroll or even cooperation with a parent company.
Appropriate information
The controller and its data processors under contract with the controller are not third parties (Article 4(10) of the General Data Protection Regulation).
This is interesting because, if we collect data as a processor, the controller must still provide the appropriate information (even if it does so by entrusting the processor with the task of providing it).
In the present case, the NAIH took the view that the Importer had not properly designed this, and therefore the customer was not able to exercise his rights in a meaningful way (e.g. by objecting). In its reasoning the NAIH refers to the enhanced information requirement for processing based on legitimate interest: the Articles of the Regulation require the controller to achieve a result when defining its obligations, not merely to demonstrate a certain minimum effort.
The purpose of the information is to put the data subject in a position to make an informed choice about exercising his or her rights. Based on the facts found by the NAIH, there is no direct legal relationship between the Customer and the Importer. The fact that the Customer is a customer of the Brand Service and the Brand Service is a contractual partner of the Importer does not make the Customer a customer of the Importer, nor does it automatically create the relationship required under recital 47 of the GDPR.
The importance of identifiability
There would be a meaningful, demonstrable relationship between the Customer and the Importer if the Customer were aware of the Importer's activities, but this was not the case due to inadequate communication. A reference in very small print, on a worksheet the Customer had neither filled in nor signed, to processing with a completely different legal basis and a different purpose (not satisfaction measurement) does not in any way meet the requirement of adequate, clear and transparent information under the General Data Protection Regulation, and the Customer could not in any way have linked it to the customer satisfaction measurement.
In an e-mail sent by a separate IT service provider, there was no indication of the actual identity of the sender (the Importer) or of the source of the personal data, and it is not the responsibility of the Customer as the data subject to find this out. On this basis, the complainant was entitled to believe that the sender of the e-mail had unlawfully obtained his personal data and that this situation was caused by the improper conduct of the Importer as data controller. As unsolicited e-mails are very common nowadays, and may carry links to harmful programs, it is of paramount importance to clearly identify the sender and to provide appropriate information in any e-mail not sent at the request of the data subject, regardless of any prior information.
What can be done to avoid a penalty?
The legal basis for processing data for the purpose of customer satisfaction surveys is the legitimate interest of the Importer, as the exclusive importer of the motor vehicles in Hungary, in being able to verify that the Hungarian dealership and service partners meet the expected quality requirements. In this respect, the Importer also attached a balancing-of-interests test to its reply. According to the privacy notice, the data processed include the customer's first and last name, e-mail address, home address, telephone number, chassis number, registration number, technical data of the vehicle, the name of the dealer or service provider used, the date of the service and the content of any feedback. According to the Importer's statement, measuring customer satisfaction is standard industry practice.
A printed copy of the privacy notice is available at the reception desk or at the customer service desk. In addition, the Importer expects the standard procedure to be to inform the customer orally of the processing when the data is requested and to provide a printed version of the privacy notice as an annex to the worksheet. The oral information includes, inter alia, that the provision of an email address is not mandatory.
In this specific case, the Service's employee failed to complete the worksheet, to have it signed by the Data Subject and to provide a hard copy of the privacy notice as an attachment to the worksheet (this in itself constitutes a data protection breach). The Respondent enclosed a sample of the blank worksheet, which contains a link to the Importer's website; however, the link is not given in relation to the customer satisfaction survey, but specifically in relation to the data processed for the performance of the contract and under the legal obligation to perform the service, as a source of more detailed information on those processing operations.
According to the importer, the nature, scope and purposes of the processing are not such as to intrude seriously into the privacy of data subjects, data subjects are not harmed and the processing is in the interest of data subjects.
According to the NAIH, the balancing-of-interests test did not support the need for the types of data processed. For example, why would a phone number and a home address be needed for an e-mail enquiry? If the purpose is a general customer satisfaction survey, there is also no need for vehicle identifiers, because where a result requires action, the garage's work could be identified by the worksheet number. The questionnaire also asked for the customer's age and sex, which the interest-balancing test did not support either. In any event, in order to establish the existence of a legitimate interest, it is necessary to consider carefully, inter alia, whether the data subject could reasonably expect, at the time and in the context of the collection of the personal data, that processing for the purposes in question would take place.
The Authority underlines that the existence of a legitimate interest and, more generally, of legal grounds must be assessed in the context of the specific purpose of the processing. The fact that the Importer processes the same type of personal data of data subjects for other purposes under other legal bases and is therefore aware of them does not automatically make the use of these data for other purposes lawful, but at most may be a factor mitigating the actual data protection risk in determining the legal consequence.
In summary, the importer was fined, avoidably, because of an insufficiently elaborated data processing procedure and the balancing-of-interests test built on it, as well as an inadequate information procedure.
Need help?
In recent years, we have been commissioned by the business sector to design and implement information security and data protection systems for dozens of multinational and domestic medium-sized and large companies, and we continue to support them by providing a Data Protection Officer or regular advisory support.
Have a question? Contact us!