On February 2nd, 2024, the Brazilian National Data Protection Authority (“ANPD”) published the Guidelines for Legal Basis of Data Processing – Legitimate Interest. The Guide provides definitions and parameters for interpreting the legitimate interest of controllers or third parties and, thus, clarifies important points for the application of this legal hypothesis.
Article 7, IX of the General Data Protection Law (Law 13,709 of 2018) establishes that the processing of personal data may be carried out when “Necessary to meet the legitimate interests of the controller or of a third party, except in the event that the fundamental rights and freedoms of the data subject which require the protection of personal data prevail”, and it is on this provision that the document seeks to provide further guidance. Some topics from the Guidelines for Legal Basis of Data Processing – Legitimate Interest deserve to be highlighted and are listed below.
- On sensitive personal data
The Guide reinforces what has already been established by the Law, that the hypothesis of data processing for Legitimate Interest is not applicable to sensitive personal data, which are data that deal with “racial or ethnic origin, religious conviction, political opinion, membership in a trade union or organization of a religious, philosophical or political nature, data referring to health or sex life, genetic or biometric data, when linked to a natural person.”
- On data of children and adolescents
The Guide clarified, however, that in light of Statement 1/2023 of the ANPD, it is possible to use legitimate interest as a justification for the processing of personal data of children and adolescents, provided that their best interest is observed and prevails. In addition, it is necessary to comply with the parameters of article 14 of the LGPD, also on the processing of personal data of children and adolescents. Moreover, the processing of such data must not present disproportionate and excessive risks or impacts on children or adolescents.
- On legitimate interest
Interest is understood to be any benefit resulting from the processing of personal data. According to the ANPD, in order to be legitimate, the interest must be compatible with:
- Legal system – the processing of personal data shall not be prohibited by applicable legislation and may not, directly or indirectly, contravene legal provisions or principles applicable to the case;
- Based on concrete situations – it must be based on real, clear and precise situations, which aim at specific and well-defined interests, even if in the near future, which rules out interests considered from abstract or merely speculative situations;
- Connection to legitimate, specific and explicit purposes – the purpose is the specific goal that is intended to be achieved by carrying out the processing of the data, which must be considered based on concrete situations, with the use of personal data strictly necessary for the intended purpose.
- On fundamental rights and freedoms
According to the ANPD Guide, the fundamental rights and freedoms of the personal data subject act as a limit to the controller’s freedom. This means that the Legitimate Interest cannot override the freedom and fundamental rights of the data subject. This analysis is done through the Balancing Test (or Legitimate Interest Assessment – LIA), so that controllers can assess whether the impacts caused by the processing are proportionate and compatible with these rights and what safeguards should be adopted.
From this perspective, the data subject is the protagonist in relation to the use of their data, and it must be ensured that they have knowledge of and actively participate in decisions about the processing of their personal data. Therefore, it is essential to ensure the availability of accessible channels related to privacy and data protection.
- On Legitimate Expectation
With regard to the concept of legitimate expectation of data subjects, according to the ANPD, it means that the processing of personal data for the intended purpose must reasonably be what is expected by the data subjects in that context. The assessment does not need to be carried out in relation to specific data subjects, and it takes into account factors such as: (i) existence of a prior relationship between the controller and the subject; (ii) the source and method of data collection; (iii) the context and period of data collection; and (iv) the intended purpose of the data collection and its compatibility with processing based on legitimate interest.
In the analysis of legitimate expectations, it is important to consider good faith and the principles of data protection, and the controller must make available to the data subject the elements needed to assess whether the data processing meets their legitimate expectations.
- On the Necessity, Transparency, and Registration of Operations
The ANPD establishes that only data that is essential for the performance of the operation must be processed, and the data subject must have easy access to information about the processing of their data. All data processing operations based on legitimate interest must be properly recorded.
- On Legitimate Interest Assessment – LIA
Prior to the processing of data based on legitimate interest, the ANPD determines that a proportionality assessment (balancing test) must be carried out, which must be applied for each specific purpose and involves weighing the legitimacy of the interest, the need for the processing, the impacts on the rights of the data subjects and their legitimate expectations compared to the interests involved. The ANPD Guide attaches a simplified balancing test model, which can serve as an example for companies to develop the most appropriate methods for their activities.
The Guide also mentions that in the case of processing personal data for the prevention of fraud and the security of the data subject, the same logic of Legitimate Interest must be used with regard to carrying out an LIA to assess the prevalence of the fundamental rights and freedoms of the data subject.
- On Legitimate Interest and the Public Authority
The Guide reinforces that the adoption of the legal basis of legitimate interest has limited applicability in the public sector, as it should not be used in cases where the processing of personal data is carried out compulsorily or when necessary for the fulfillment of legal obligations or attributions of the Public Authorities. An exceptional analysis of the specific situation is necessary and, in the event that it is the best legal basis in the specific case, its use by the Public Authorities must follow the same rules of transparency and respect for the fundamental rights of data subjects that are attributed to other data controllers.
For more information, please contact the Saud Advogados team.