Legitimate Interest, a permissive hypothesis for the processing of personal data provided for in the General Data Protection Law (Law No. 13,709/18 - "LGPD"), raises a number of questions for processing agents and professionals in the sector: what is a legitimate purpose? How can a Legitimate Interests Assessment (LIA) be carried out? What is the legitimate expectation of the data subject?
On February 2, 2024, the National Data Protection Authority (ANPD) launched a guide called “Legal hypotheses for processing personal data - legitimate interest”, which aims to clarify topics related to the subject. Azevedo Sette Advogados, attentive to the changes and developments in the Technology, Media, Telecommunications and Privacy and Data Protection areas, has compiled the most relevant topics in the Guide. Check them out below:
- Nature of the personal data: Legitimate Interest does not apply to sensitive personal data; for such data, the Controller must seek a hypothesis provided for in art. 11 of the LGPD.
- Data on underage individuals: for the second time, the ANPD is in favor of the use of legitimate interest for children and adolescents (the first time was in Statement No. 1, of May 22, 2023), provided that the processing agent is aware of the best interests of the individual. The ANPD also advised that if the balance is not conclusive, or if adequate safety and risk mitigation measures are not identified, the legitimate interest should not be used. The Controller must also be able to demonstrate: (i) what was considered to be in the best interests of the child or adolescent; (ii) on the basis of which criteria their rights were weighed against the legitimate interests of the controller or a third party; and (iii) that the processing does not generate disproportionate and excessive risks or impacts, considering the condition of children and adolescents as subjects of rights. Finally, it is important to note that the ANPD defines high-risk processing as any use of personal data of children and adolescents, and the controller must prepare an impact report regardless of whether the balancing test is carried out.
- Definition of Legitimate Interest: according to the ANPD, an interest will be considered legitimate when it fulfills three conditions: (i) it is compatible with the legal system; (ii) it is based on concrete situations; and (iii) it is linked to legitimate, specific and explicit purposes.
- Fundamental rights and liberties: the guide states that the key to understanding respect for the fundamental freedom of the data subject is to identify the role of the data subject in the use of their data, in other words: ensuring that the data subject is able to know and actively participate in decisions regarding the processing of their data. Herein lies the importance of the availability of access channels related to privacy and data protection.
- Legitimate expectation: the analysis and identification of legitimate expectation does not have to be considered for a specific data subject, but can be based on various factors, in particular: (a) the existence of a previous relationship; (b) the source and form of the data collection; (c) the context and period of data collection; and (d) the intended purpose of the data collection and its compatibility with processing based on legitimate interest.
- Prevention of fraud and security and the LIA: Article 11, II, g, of the LGPD authorizes the processing of sensitive personal data when essential to guarantee the prevention of fraud and the security of the data subject in the identification and authentication processes in electronic systems. The ANPD Guide made it clear that, despite the different legal basis used, the system for preventing fraud and security must be similar to that provided for legitimate interest, and the controller must consider the fundamental rights and freedoms of the data subject when basing its processing on Article 11 of the LGPD. Accordingly, the best way to assess the prevalence of the data subject's fundamental rights and freedoms is by carrying out the assessment.
The Technology, Media, Telecommunications, Privacy and Data Protection team at Azevedo Sette Advogados remains at your disposal for any clarifications on the matter.