Legitimate Interest & Balance Test

Balance Test | GDPR Lawyer | Izmir Lawyer | Izmir Law Office

We briefly talked about the legitimate interest that caused some confusion in practice and the balance test application mentioned by the Law No.6698 in the relevant decisions.

Legitimate Interest as a Justification for Lawfulness

Conditions for processing personal data

ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the data subject. (2) In the presence of one of the following conditions, it is possible to process personal data without the explicit consent of the data subject: ….f) Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

For this provision to be applicable, the data processing must be necessary for the legitimate interests of the data controller and must not prejudice the fundamental rights and freedoms of the data subject.

Examples of Legitimate Interests

• In the event of a business being sold or acquired, it may be considered a legitimate interest for the prospective buyer to review certain information, including the personal data of the employees.
• An employer processing employees' personal data for the purpose of establishing workplace safety mechanisms to ensure the safety of employees at a nuclear power plant.

Balance Test

According to the Decision No. 2019/78 of the Personal Data Protection Authority, pursuant to subparagraph (f) of the second paragraph of Article 5 of Law No. 6698,“Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.”When determining this situation, data controllers are required to carry out the following investigations.

1. The benefit to be obtained as a result of the processing of personal data must be in competition with the fundamental rights and freedoms of the data subject.,
2. Processing personal data is necessary for achieving the aforementioned benefit.
3. The legitimate interest must be already existing, specific, and clear.
4. There must be a legitimate interest that is comparable to the fundamental rights and freedoms of the data subject, and obtaining this benefit would not be possible through any other means or method without processing the personal data.
5. When determining legitimate interest, criteria such as the benefit affecting a large number of people, not being solely aimed at profit or economic gain, and facilitating business processes or operations should be considered, along with other transparent and accountable qualities.
6. In this respect, the aim is to protect the fundamental rights and freedoms of the person concerned, primarily the protection of their personal data, by keeping them away from any foreseeable, clear and imminent danger.
7. Taking all necessary technical and administrative measures to ensure the lawful processing of personal data within a data recording system, limited to its intended purpose, and to prevent harm and breaches.,
8. Ensuring compliance with general principles in the processing of personal data.
9. In this context, a comparison is made between the fundamental rights and freedoms of the individual and the legitimate interests of the data controller.

The criteria should be examined separately in each specific case, and the applicability of legitimate interest should be assessed based on the answers given.

To access the decision issued by the Personal Data Protection Authority regarding this matter: You can click.

Address: Nergis Neighborhood, Girne Boulevard No: 83, Floor 2, Apartment 2, Karşıyaka, İzmir

E-mail: [email protected]

Phone: +90 534 415 52 56