Does a company have a “legitimate interest” in detecting fraud?

BCLP

Yes.

The GDPR prohibits a company from processing personal data unless one of six “lawful purposes” is present.  One of those lawful purposes occurs when processing is necessary for a “legitimate interest pursued by the controller or by a third party.”1

While there are theoretically an infinite number of “legitimate interests” that a controller could point to when processing personal information, the recitals to the GDPR specifically call out the processing of information necessary to “prevent[] fraud” as “constitut[ing] a legitimate interest of the controller.”2 The European Data Protection Board has reiterated that fraud detection could be justified based upon legitimate interest, but has also indicated that in some situations it might also be based upon the need to comply with a “legal obligation to which the controller is subject,” which is a recognized basis of processing under GDPR Article 6(1)(c).3 While the EDPB did not provide specific examples of situations in which the law would require fraud detection, this would likely form the basis of processing in industries such as banking where a Member State may require a financial institution to take steps to identify fraud, deception, or money laundering.


 This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. GDPR, Article 6(1)(f).

2. GDPR, Recital 47.

3. EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Version 2.0, 8 October 2019, at para. 50.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
