Innovation Law Insights

Data Protection and Cybersecurity

EDPB's Guidelines on processing personal data based on legitimate interest

The European Data Protection Board (EDPB) published its Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR. The guidelines are designed to help data controllers in determining whether they can invoke Article 6(1)(f) as a valid legal basis while aligning with the accountability principle under GDPR.

The guidelines stress that identifying a legitimate interest alone is not sufficient to rely on Article 6(1)(f) GDPR. Data controllers must also ensure that the processing is strictly necessary for pursuing that interest and that it doesn't override the interests or fundamental rights and freedoms of the data subject. The guidelines lay out a three-step assessment process for determining whether Article 6(1)(f) is applicable as outlined below.

Step 1: Identifying a legitimate interest

The first step in determining whether Article 6(1)(f) can serve as a valid legal basis is identifying whether the controller’s or third party’s interest is “legitimate.” This is critical because not all interests automatically qualify under Article 6(1)(f). The Court of Justice of the European Union (CJEU) has emphasized that controllers must ensure their interests are legitimate before moving to the next stages of the assessment process.

While GDPR doesn't provide an exhaustive list of legitimate interests, both the GDPR and CJEU have recognized some interests as valid, such as protecting the property, health and life of the co-owners of a building, product improvement and assessing the creditworthiness of individuals. A controller’s interest may be deemed legitimate if it meets the following cumulative criteria:

• lawfulness: the interest must be lawful and not contradict any EU or member state law;
• clear and precise articulation: the interest must be clearly articulated to ensure a proper balance against the rights of the data subjects;
• real and present: the interest should be present and effective and not speculative at the time of processing.

Step 2: Assessing the necessity of processing

Once a legitimate interest is established, the next step is determining whether processing personal data is necessary to pursue that interest. In EU law, the concept of "necessity" has its own meaning and must align with the objectives of data protection law. This involves balancing the controller’s need for data against the fundamental rights of data subjects, including the right to privacy and protection of personal data.

According to the EDPB, the necessity test should consider whether the legitimate interest could be pursued through less intrusive means that would not affect the data subject’s rights. For example, if a controller can achieve its goals by processing less personal data or using non-personal data, then those alternatives should be considered.

A crucial element of this step is the principle of data minimization under Article 5(1)(c) GDPR. This principle mandates that personal data must be "adequate, relevant, and limited to what is necessary" for the purposes for which it is processed. The controller must ensure that any personal data used is essential for pursuing the legitimate interest and that no excessive data is processed.

Step 3: Conducting the balancing test

The final step is the balancing test, which requires controllers to weigh their legitimate interest against the rights and freedoms of the data subject. This is often the most complex part of the assessment process. Even if the controller has established a legitimate interest and proven that the processing is necessary, the processing cannot proceed if the data subject’s rights override that interest.

In this balancing exercise, the EDPB recommends that controllers consider the following factors:

• the data subjects’ interests, fundamental rights and freedoms, which do not include only the right to data protection and privacy but also other rights, such as freedom of expression and access to information. Controllers must evaluate the impact their processing will have on these rights as well.
• the impact of the processing on data subjects, including the nature of the data to be processed, the context of the processing, and any further consequences of the processing;
• the reasonable expectations of the data subjects, meaning that controllers must consider whether the data subject could reasonably expect their data to be processed in a particular way. For instance, just because certain data is typically processed within an industry doesn’t mean data subjects reasonably expects such processing;
• the final balancing of opposing rights and interests, including the possibility of further mitigating measures. Indeed, if the data subject’s interests, rights and freedoms seem to override the legitimate interest(s) being pursued, the controller may consider introducing mitigating measures to limit the impact of the processing on data subjects. But these measures must not replace the fundamental requirement for compliance with the GDPR.

Conclusion

The EDPB’s Guidelines provide a step-by-step framework for determining when a controller can rely on the legitimate interest provision under Article 6(1)(f) GDPR. While relying on legitimate interest may offer some flexibility, it must be balanced carefully against the rights of data subjects. All data controllers have to be able to demonstrate that all three steps – identifying a legitimate interest, ensuring necessity, and conducting the balancing test – are thoroughly evaluated before processing personal data on the basis of legitimate interest.

Author: Roxana Smeria

EDPB publishes guidelines on the relationship among data controller and its processor

The European Data Protection Board (EDPB) has issued an opinion on the obligations of data controllers in relation to the processing activity carried out by their processors and sub-processors.

In particular, the EDPB’s opinion have clarified certain aspects of Article 28 of the General Data Protection Regulation (GDPR), which deals with the relationship between controllers, processors and sub-processor and provides for an obligation to only engage processors that guarantee "sufficient safeguards."

The EDPB Opinion will have a strong impact on companies acting as controllers since the strict approach adopted by the EDPB imposes several obligations on the controller as well as liability for the activities of its processors and sub-processors.

Due diligence:

• The controller should have information on the identity of all processors and sub-processors.
• The obligation to verify should apply regardless of the degree of risk to the rights and freedoms of data subjects. But the risk-based approach must be taken into account. Therefore, the depth of the verification will vary according to the level of risk posed by the processor, for instance, taking into account the country of establishment.
• The verification also extends to the sub-processors appointed by the processor. In this regard, the EDPB clarified that, despite being responsible for verifying their activities, the obligation doesn't extend to a duty to systematically ask for sub-processing contracts entered into between the processors and the sub-processors. However, the controller should assess each case to decide whether requesting a copy of the contracts is necessary.
• The controller is still subject to verification where transfers of personal data outside of the EEA take place between two sub-processors.

Controller-processor contracts

The EDPB also takes a position on the validity of the clause by which, in the case of international transfers, the processor is allowed to process personal data outside of the controller's instruction due to mandatory laws of the country of destination.

The EDPB clarifies that the wording “unless required to do so by law or binding order of a governmental body" is in principle valid. However, a distinction must be made between the level of protection guaranteed by the country of destination. If the third country doesn't provide sufficient measures and there might be abusive access from authorities, the clause may not be valid, and the controller would be liable for the processing. In such cases, the wording "unless required to do so by Union or Member State law to which the processor is subject" is highly recommended, to limit the exception to such cases in which the law of the country of destination provides for adequate protection.

Conclusions

Overall, the approach adopted by the EDPB is extremely strict and clearly clarifies that the controller has complete control and is ultimately responsible for ensuring that personal data is processed in compliance with the GDPR throughout the entire processing chain.
This will have a significant impact on businesses, which will have to implement a strong due diligence to avoid processing for which they would be liable.

The opinion is in contrast with the general practice of major tech companies that just provide a list of sub-processors that might be located in any part of the world and over which the company receiving the service has no control. We implemented solutions for our clients to reduce the risk of challenges in these cases, but they need to be negotiated with the other party.

Author: Federico Toscani

 

Intellectual Property

UPC: Milan Central Division clarifies prerequisites for third-party intervention in interlocutory proceedings

On 1 October, the Milan Central Division rejected the request of an Italian pharmaceutical company to intervene, pursuant to Rule 313 RoP, in a precautionary proceeding pending between a US company and a Korean company, both manufacturers of medical devices.

The claimant, which is the exclusive distributor of the Korean company's allegedly infringing products, was also a resistant in a parallel interlocutory proceeding brought by the same applicant before the Milan Local Division.

As grounds for its request to intervene, the Italian company alleged that the decision in the precautionary proceedings pending between the US company and the Korean company would have affected its contractual relations with the latter, the producer of the products distributed in Italy, and those with its customers.

But the court rejected the request, noting first of all that the intervention of third parties in interlocutory proceedings, due to the summary and expeditious nature of the latter, can be allowed only in exceptional cases, and that initiatives that could slow down their course must be avoided.

Having said that, the court pointed out more broadly that, under Rule 313 RoP, third party intervention in proceedings, whether interlocutory or on the merits, is normally granted to those who have a legal – and not merely factual – interest in the dispute. In this respect, according to the court, the third party must show that it is the holder of a legal situation connected with or dependent on the one at issue, and that such a connection may entail a total or partial impairment of its rights if the party in whose support it intervenes is unsuccessful.

In the present case, the court held that the request for intervention was intended solely to support a party's claims, and that the applicant's interest could be protected in the parallel proceedings without its intervention in the proceedings before the Milan Central Division being necessary. For these reasons, the court rejected the application.

One day after the decision of the Milan Central Division, the Munich Local Division also ruled on the same topic. On that occasion, the court clarified that a legal interest within the meaning of Article 313 RoP is to be understood as a direct and present interest in the issuance of the decision sought by the party that the claimant intends to support, and not merely an indirect interest in the outcome of the proceedings, motivated by similarities between its position and that of one of the parties.

Authors: Massimiliano Tiberio, Camila Francesca Crisci

 

Technology Media and Telecommunication

European Commission adopts new Work Programme for the Connecting Europe Facility

On 9 October the European Commission adopted the second Work Programme for the digital part of the Connecting Europe Facility (CEF Digital – CEF) – established by Regulation (EU) 2021/1153 – which outlines the scope and objectives of EU-funded actions to improve and develop Europe’s digital connectivity infrastructures.

The CEF aims to help develop connectivity projects and the deployment of high-performance infrastructures, such as Gigabit and 5G networks, across the EU by fostering both public and private investments.

Aligned with the EU’s Digital Decade connectivity goals, the main actions outlined by the CEF include:

• deploying high-capacity electronic communications networks, including 5G networks;
• guaranteeing uninterrupted coverage with 5G systems of all major transport paths, including European transport networks;
• deploying new backbone networks and the upgrade of existing ones, including submarine cables, within and between member states, as well as between member states and third countries;
• implementing and supporting digital connectivity infrastructures related to cross-border projects in the area of transport and energy.

The first CEF Work Programme was adopted at the end of 2021, with a particular focus on digital inclusion.

The new Work Programme will particularly support the following actions:

• deploying 5G and Gigabit infrastructure in Europe, through co-financing projects promoting the rollout of high-capacity networks and the integration of edge cloud and computing capabilities in vertical sectoral applications such as health, manufacturing, transport, and logistics;
• deploying and significantly upgrading backbone networks, including submarine cables;
• deploying digital platforms for transport and energy infrastructures that will build on and integrate with existing European data, cloud, edge computing, and connectivity infrastructures.

The second CEF Digital Work Programme will also help to stimulate the competitiveness of the European digital ecosystem, to address the geopolitical and geoeconomic challenges highlighted by the Commission in the White Paper How to master Europe’s digital infrastructure needs?

Authors: Massimo D'Andrea, Matilde Losa

 

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Noemi Canova, Gabriele Cattaneo, Noemi Canova, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo,  Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani,  Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna and Matilde Losa.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse qui, and a comparative guide to regulations on lootboxes here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.