|(38) The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.|
EDRi’s Proposed amendment
|(38) In exceptional circumstances, the legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overridden
This exception, as proposed by the European Commission, grants a very wide exception to data controllers to process data if they feel justified in undertaking such processing. This risks creating legal uncertainty and barriers to the single market. The European Data Protection Board should establish guidelines for acceptable “legitimate interests” in this context.