-min.jpg)
There are numerous situations in a business that result in a company having to deal with personal data, and obtaining the data subject's consent is not always possible or even viable. Bearing this in mind the legislator made 9 other legal bases available in the Brazilian General Data Protection Act (LGPD) so that companies, controllers or operators of such personal data can use them to classify the processing of the respective data.
If one is not familiar with the Brazilian LGPD, even at a superficial level, the idea that someone could process personal data without prior consent might seem strange. However, in addition to the data subject's prior consent, there are 9 other legal bases provided for processing personal data, and an additional 7 bases are available for processing sensitive personal data.
One of these legal bases is legitimate interest, which is the focus of this article. This legal basis is provided for processing only personal data and does not apply to personal data relating to racial or ethnic background, religious belief, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, and genetic or biometric data, when linked to a natural person. In other words, it is important to clarify for the reader that the legislator has not allowed the processing of sensitive personal data to be classified as a legitimate interest.
1.1. Legitimate Interest
Legitimate interest, in short, characterizes a company's willingness to process an individual's personal data to achieve a purpose related to its business operations. From this definition and the preceding text, one might conclude that a company could use the legitimate interest framework for any type of personal data processing, excluding sensitive personal data, right? This would be an incorrect conclusion. For legitimate interest to serve as a legal basis for a company's processing of personal data, it must meet certain legal requirements.
According to the Instructional Guide, both the public and the private sectors can use legitimate interest as a basis for processing personal data. However, in the public sector, the application of legitimate interest is very limited and should not be encouraged as it is not appropriate when the processing of personal data is carried out on a compulsory basis or when it is necessary to fulfill the legal obligations and responsibilities of the Government. Furthermore, it is not possible to carry out a detailed analysis of the data subjects' expectations, taking into account their fundamental rights and freedoms, and the supposed interests or obligations of the Government, due to the lack of a balance of power.
In practice, classifying the processing of personal data as a legitimate interest must always be preceded by a balancing test. Furthermore, an impact report must accompany the test, depending on the volume of personal data and the degree of risk posed to the respective data subjects.
If the balancing test concludes that fundamental rights and freedoms, as well as legitimate expectations of data subjects, should prevail, the company refrain from processing based on the legal hypothesis of legitimate interest. This holds true even after implementing risk mitigation safeguards.
1.2. Balancing Test
The balancing test is used to assess the proportionality between the legitimacy of a company's interest and the interests of the personal data subjects. It also takes into account the impacts and risks to their rights and freedoms. It also helps ensure compliance with the principles of responsibility and accountability, ensuring transparency in the processing of personal data, and enables the Brazilian Data Protection Authority (ANPD) to assess the adequacy of the respective data processing within the framework of applicable standards.
The balancing test must be considered for each specific purpose for which the data will be processed. In practice, this means that a balancing test must be applied to each purpose indicated for the processing of personal data, even if it is the same personal data.
It is important to highlight that the balancing test can also be used in the following scenarios: when classifying sensitive personal data on the legal basis of guaranteeing fraud prevention and the security of the data subject; during the processes of identification and authentication of registration in electronic systems, which safeguard the data subject's access rights to their data. However, this does not apply if the data subject's fundamental rights and freedoms, which require the protection of personal data, should prevail. This purpose must be interpreted in a restrictive manner and should be described as objectively and in as much detail as possible.
Three phases must be taken into account when preparing the balancing test:
1.3. Balancing Test Model
A Balancing test model made available by the ANPD is provided below:
PART 1: PURPOSE
Legal basis | Principle of purpose (Article 6, I, LGPD) and Article 10, head provision, LGPD - “The legitimate interest of the controller may only justify the processing of personal data for legitimate purposes, considered from concrete situations, which include, but are not limited to: (...)
Objective | Identify the nature of personal data and assess the applicability of the legal hypothesis of legitimate interest to the processing of personal data. This involves evaluating the legitimacy of the interest, i.e., its compatibility with the legal system, based on a specific situation and linked to a legitimate, specific, and explicit purpose.
General Guidance | Information should be presented in a clear, objective and precise manner, including all necessary details to facilitate understanding and provide an adequate outline of the processing objectives.
Nature of Personal Data
► What is the nature of the personal data? Is any sensitive personal data being processed? If so, the processing cannot be justified based on the legal hypothesis of legitimate interest.
Data from Children and Adolescents
► Will the data of children and adolescents be processed?
► If so, what factors were considered to be in the best interest of the data subjects? What criteria are used to balance the interests of the controller or third party and the rights of the data subjects? Does the processing generate disproportionate and excessive risks or impacts, especially considering the status of children and adolescents as subjects of rights?
► Does the controller have a pre-existing and direct relationship with the child and adolescent data subjects? Does the data processing aim to ensure the protection of the data subjects’ rights and interests, or to enable the provision of services that benefit them? If these conditions are not met, the controller must exercise additional caution, evaluating the existence of alternative and less invasive methods for the data subjects, and also implementing security and risk mitigation measures appropriate to the hypothesis.
Legitimate Interest and Purposes
► What benefits or privileges does the controller or third party gain from the processing of personal data?
► Is the interest in line with the legal system? In other words, is the processing in accordance with principles, legal standards, and fundamental rights? Are these principles applicable to the case, and do they exclude any legal hypotheses that would prohibit or prevent the data processing from being carried out? Does the data processing contravene, either directly or indirectly, any legal provisions or principles applicable to the case?
► What is the intended purpose of the data processing? Is the purpose legitimate, specific and explicit?
Concrete Situation
► Is the interest based on a clear, concrete and non-speculative situation?
► What is this concrete situation, in detail?
► What is the context in which the data processing is carried out?
PART 2: NECESSITY
Legal basis | Principle of necessity (Article 6, m, LGPD) and Article 10, paragraph 1, LGPD - “Paragraph 1. When processing is based on the legitimate interest of the controller, only personal data strictly necessary for the intended purpose can be processed.”
Objective | Identify whether processing based on legitimate interest is necessary to achieve the purposes outlined in the previous step, while also considering measures to minimize the use of personal data.
General guidelines | In this phase, it is important to evaluate the existence of less intrusive methods to carry out the processing, in addition to analyzing whether it is possible to achieve the purpose in a less costly manner and with lower risks for the data subject. Another important note is that if more than one purpose is described in Part 1, it is recommended to conduct another test to substantiate the additional purpose.
Processing and Intended Purpose
► Is the processing necessary to achieve the interests analyzed in the previous step?
► Are there other reasonable means available to achieve the same purpose in a less intrusive way for the data subject?
► Is the processing proportional and appropriate for the described purpose?
Minimization
► Is only the data that is strictly necessary to achieve the intended purpose being used?
► Are there methods that are less intrusive, less costly or less risky for the data subject that could be used to achieve the same purpose?
PART 3: BALANCING AND SAFEGUARDS
Legal basis | Article 7, IX, LGPD - “when necessary to meet the legitimate interests of the controller or a third party, except when the fundamental rights and freedoms of the data subject requiring the protection of personal data prevail”; Article 10, II, LGPD - “protection of the data subject's rights or the provision of services that benefit them, respecting their legitimate expectations and fundamental rights and freedoms, under the terms of this Law”; and Article 10, paragraph 2, LGPD - Paragraph 2 - “The controller must adopt measures to ensure the transparency of data processing based on its legitimate interests”.
Objective | Assess the risks and impacts on the rights of data subjects based on the interests and purposes identified in the previous phases, in addition to balancing these risks with the safeguards to be adopted and ensuring clear and accurate access for data subjects regarding the information related to the processing of their data.
General Guidance | In this phase, it is essential to adopt the data subject's perspective to ensure that their legitimate expectations, as well as their fundamental rights and freedoms, are respected. It is important to balance the interests of the controller or third party with those of the data subjects, taking into account the specifics of the situation, such as when the processing involves data from children and adolescents. Therefore, to obtain a more accurate analysis, it is important to consider a wide range of possible perspectives. It is worth noting that the existence of a potential risk or negative impact on data subjects does not solely prevent the processing of personal data based on legitimate interest. The LGPD does not require zero impact, but rather mandates that potential impacts be minimized and considered when adopting safeguards. This ensures that, in specific cases, the interests justifying the processing are compatible with respect for the human rights and fundamental freedoms of the data subject.
Legitimate Expectation
> Is the processing of personal data for the intended purpose reasonably expected by data subjects, given the context in which it is carried out?
> The assessment regarding legitimate expectations should take into account the following relevant factors, among others:
> Does a prior relationship exist between the controller and the data subject?
> What is the source and the method of data collection? In other words, was the data collected directly from the data subject, gathered from public sources, or obtained through third-party sharing?
> What are the context and timeframe of the personal data collection?
> Is the original purpose of the data collection compatible with the processing based on a legitimate interest?
Risks and Impacts on Fundamental Rights and Freedoms
► What will be the impact of data processing on the personal data subjects?
► Could the processing affect fundamental rights and guarantees, such as freedom of expression, movement, non-discrimination, privacy, physical, and moral integrity?
► What potential risks could data subjects face?
► Do the fundamental rights and freedoms of the data subjects take precedence over the interests of the controller or third party?
Safeguards, and Opt-out and Opposition Mechanisms
► What measures have been implemented to mitigate the identified risks?
► What transparency measures have been implemented? Will clear, accurate and easily accessible information about the processing and related processing agents be made available?
► Will an easily accessible channel be provided for data subjects to exercise the rights under the LGPD, particularly to unsubscribe, oppose processing, and request the termination of operations and deletion of their personal data?
CONCLUSION
Analyze the answers from Parts 1, 2, and 3 to determine whether the legal hypothesis of legitimate interest can be applied.
