Legitimate Interest of Controller as a Legal Basis for Personal Data Processing – Do You Know How to Apply it Properly?
August 15, 2021

Processing of personal data is lawful only if it rests on one of the six legal bases set out in Article 12 of the Law on Personal Data Protection (Official Gazette of RS no. 87/2018) (“LPDP”). In other words, processing that is not founded on any of these bases is unlawful.
Unlike the previous law, the LPDP introduced into our legal system the legitimate interest of the controller or of a third party as one of the bases for personal data processing. More specifically, the LPDP stipulates that processing is lawful if it is necessary for the purpose of realising the legitimate interests of the controller or of a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject that require personal data protection, in particular where the data subject is a minor.
Data controllers often opt for this basis because they consider it more convenient than, for example, the consent of the data subject: it requires no action on the part of the data subject, and controllers (wrongly) assume (1) that it is general enough to cover the various processing activities they perform and (2) that it is enough simply to invoke it, without any further analysis. This is precisely why it is so often applied incorrectly.
The essential problem with the application of legitimate interest is a fundamental misunderstanding of what legitimate interest actually means. According to the Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”), legitimate interest is reflected in a “real, concrete and legally admissible benefit of the controller or a third party, whose realisation requires the processing of certain personal data and which is not overridden by the interests or fundamental rights and freedoms of the data subject”[1].
Although legitimate interest is undeniably the most flexible basis of processing, the fulfilment of its requirements cannot simply be assumed. The controller must carry out three checks: first, establish that a relevant benefit genuinely exists and is being pursued through the processing (the purpose test); second, establish that the processing is necessary to achieve that benefit (the necessity test); and third, assess whether the interests or fundamental rights and freedoms of the data subjects override that legitimate interest (the so-called balancing test). Only if all three checks are passed may the controller rely on this basis.
Reliance on legitimate interest will most readily be justified where the data are used in a manner that data subjects expect and where the processing has minimal impact on their privacy. If the same result can be achieved with less intrusion into the data subject’s privacy, processing based on legitimate interest will not be lawful, because the necessity test is not met. Likewise, if data subjects do not reasonably expect the particular processing, or if it would cause them unjustified harm, legitimate interest will not be available either, because in that case the interests and fundamental rights and freedoms of the data subjects prevail over the legitimate interest.
None of the above should dissuade controllers from relying on legitimate interest as a basis of processing; rather, it should help them apply it properly and lawfully. Nor should legitimate interest be reduced to situations involving a wider social benefit: it may also serve, for example, commercial interests, provided that the fulfilment of the prescribed conditions is carefully verified.
In this respect, and according to the Commissioner, a controller must carry out a prior assessment of legitimate interest and record it in a written act[2]. The LPDP itself does not expressly prescribe such an obligation; the Commissioner derived it from the principle of lawfulness, fairness and transparency and from the principle of accountability under Article 5 of the LPDP, since the controller must be able to demonstrate that processing based on legitimate interest complies with the law, which in turn requires that the fulfilment of the conditions be documented[3].
There is no binding form for such an act; however, to assist controllers, the Commissioner has drafted a Model act on assessment of legitimate interest as a legal basis for personal data processing and published it on its website. The model contains three groups of questions, corresponding to the three checks above, which the controller must answer. On the basis of those answers the controller then decides whether the legal conditions for relying on legitimate interest as the basis of processing are met in the particular case.
In addition, the Commissioner has clarified that controllers who have adopted an act on data protection impact assessment within the meaning of Article 54 of the LPDP are not obliged to draft a separate act on the assessment of legitimate interest, given that the description of the legitimate interest must already be set out in the impact assessment[4].
It should also be noted that controllers who base their processing on legitimate interest must inform the data subjects of this, since the legitimate interest pursued is a mandatory element of the privacy notice under Articles 23 and 24 of the LPDP, and must also inform them of their right to object under Article 37 of the LPDP.
[1] Legitimate interest as a legal basis for personal data processing – Most frequent questions regarding the application of Article 12, para. 1, item 6) of the Law on Personal Data Protection (“Official Gazette of RS”, no. 87/2018), Commissioner for Information of Public Importance and Personal Data Protection, Version 1.0 of 12 May 2020, page 2, available here.
[2] Ibid, page 3.
[3] Ibid.
[4] Ibid.
This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.