When precisely is a data controller lawfully permitted to process personal data?
If a data controller does not have the consent of a data subject to process his or her data, when does the “legitimate interest” condition bite?
These are the million-dollar questions that the many EU entities (as well as those farther afield) that process data grapple with on a daily basis.
The EU Data Protection Directive (95/46/EC) sets out six grounds on which EU data controllers can lawfully process personal data. In addition to consent, the processing being “necessary” for the performance of a contract and so on, Article 7(f ) of the Directive also lists “legitimate interests” as a basis for lawful processing of personal data.
Originally published in World Data Protection Report on June 7, 2014.
Please see full publication below for more information.