EDPB: Data subjects can obtain information on the balancing test under Art. 6 (1) f GDPR – really?

On 9 October 2024, the EDPB published its draft “Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR”. The Guidelines are currently open for public consultation until 20 November 2024.

Under para. 68 of the Guidelines, the EDPB takes a view that is of considerable practical relevance for controllers.

“In any case, information to the data subjects should make it clear that they can obtain information on the balancing test upon request.”

According to the EDPB, the controller is not only legally obliged to inform data subjects about the specific legitimate interest(s) pursued in accordance with Art. 13 (1) d and 14 (2) b GDPR; if the data subject asks for information on the balancing test, the controller also has to provide that information.

To be honest, I don’t think that there is a legal obligation to provide this information. The EDPB argues that the provision of this additional information “is essential to ensure effective transparency and to allow data subjects to dispel possible doubts as to whether the balancing test has been carried out fairly by the controller or assess whether they might have grounds to file a complaint with a supervisory authority”.

Furthermore, such “transparency obligation also follows from the accountability principle in Article 5(2) GDPR, which requires the controller to be able to demonstrate compliance with each of the principles set out in Article 5(1) GDPR, including the lawfulness principle”. The EDPB also refers to the Guidelines on transparency under Regulation 2016/679 (WP260 rev.01), page 36.

First, I would argue that the GDPR only obliges the controller to inform data subjects of the legitimate interests as such. If the legislator had intended to also provide data subjects with the balancing test, why did it not include such a provision in the GDPR (e.g. in Art. 13/14 GDPR or Art. 15 GDPR)? Even Art. 15 GDPR does not provide for an obligation to hand over this documentation. And the purpose of Art. 15 GDPR is precisely the one mentioned by the EDPB in its reasoning: to “assess whether they might have grounds to file a complaint with a supervisory authority”.

Second, the EDPB refers to Art. 5 (2) GDPR. But this Article, too, does not provide for an information obligation towards data subjects. According to the ECJ in case C-757/22, it follows from Art. 5 GDPR that the processing of personal data must, inter alia, satisfy specific requirements of transparency with regard to the data subject concerned by such processing.

And the ECJ clarifies where these transparency obligations and “requirements” (like the ones the EDPB creates in its Guidelines) originate: “To that end, in Chapter III, the GDPR, first, lays down precise obligations for the controller and, second, recognizes a whole range of rights for a subject of a personal data processing operation, including, inter alia, the right to obtain from the controller information about the purposes of that processing and about the specific recipients to whom the personal data concerning him or her have been or will be disclosed” (para 53).

The ECJ clearly refers to Chapter III regarding transparency rights (and the corresponding obligations for the controller). In para 56 of the judgment, the ECJ mentions Art. 13 GDPR and the obligations laid down in that Article. But the ECJ does not seem to treat Art. 5 (2) GDPR as such as an obligation on controllers to provide information to data subjects.

In my opinion, the accountability principle under Art. 5 (2) GDPR requires the controller to demonstrate compliance with the principles under Art. 5 (1) GDPR towards the DPA; the DPA, and also national courts, can of course require the controller to produce relevant documents and information. But I am not convinced that data subjects should have an enforceable right (and the controller a corresponding obligation) under Art. 5 (2) GDPR to obtain the balancing test. This of course does not exclude the possibility for the controller to provide the documents to the data subject on a voluntary basis.

I am very curious to see whether this view of the EDPB will also be included in the final document.

EDPB Guidelines 1/2024: https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf

Stephen M.

Check out my latest book: "Managing Subject Access Requests" now available in all good book stores

1 month ago

How could a Controller justify an overriding legitimate interest to a DS who objects to Processing without laying out the result of the balancing test? All a Controller does by stonewalling such a request is 1) invite a complaint and 2) invite avoidable regulatory scrutiny. Even if it weren't patently obvious that being transparent is a legal obligation, why wouldn't a Controller provide the information on their balancing test anyway? They did the LIA after all... it's just a case of cutting and pasting... right? That LIA wasn't a tick-box exercise... right?

Dr. Tobias Born

TechDigital Lawyer | Rechtsanwalt | Senior Associate @Clifford Chance | Lecturer for Data Protection Law (LIPIT LL.M. Uni Göttingen) | Former Head of Data Protection eBay Marketplaces EMEA

1 month ago

The Article 29 Working Party/European Data Protection Board has […]. Guidelines on transparency under Regulation 2016/679, WP260 rev.01. https://ec.europa.eu/newsroom/article29/items/622227

Zsolt László Bártfai LL.M CIPP/A

Data protection expert (strictly in my personal capacity)

1 month ago

Well, the Hungarian DPA had a similar decision (NAIH/2019/2402), i.e. the controller is obliged to inform the data subject of the balancing test as well, AND the DPA said the balancing test cannot be considered a business secret! But in my view this decision is wrong: the GDPR obliges the controller to inform the data subject of the legitimate interest only, and, secondly, a good balancing test, in a given case, can be full of business secrets!

Iulian M.

Project Manager | Scrum Master | SAFe 6.0, PSM, Prince 2 | CIPP/E, CIPM, CEH | solely my views

1 month ago

If the Data Subject opposes the data processing or requests deletion of personal data, I don’t see how the Data Controller can circumvent the duty to explain in writing how their legitimate interest supersedes the Data Subject’s privacy right. This explanation (not just a baseless claim “we have reached the conclusion that…”) will cover a great extent of the LIA.

Stefan S.

Attorney (Rechtsanwalt), certified specialist in IT law (Fachanwalt für IT-Recht), software systems engineer

1 month ago

“To be honest, I don’t think that there exists a legal obligation to provide this information.” – Me too.
