Lithuania 

The legitimate interest, as TRINITI Lithuania legal practice shows, is one of the legitimate grounds for data processing and is used quite often in the activities of Lithuanian enterprises, but only in very specific and limited areas. Therefore, this, albeit flexible and useful legal ground for data processing, cannot be used unnecessarily.
The “legitimate interest” as the basis for personal data processing is often used by Lithuanian companies in a number of commonly occurring legal situations. What are they?

Use cases of legitimate interest:

• Firstly, this legal ground is used when an enterprise needs to perform tasks related to its activities, for example, to protect the company’s assets by installing video surveillance cameras.
• Secondly, the company uses this ground in the context of labor relations, i.e. in a relationship with its employees when the company wants to give them the privileges or benefits, for example, by congratulating employees of the company on their birthday, and etc.
• Thirdly, this legal basis is used by the company when transferring/sharing personal data of employees or clients inside the group of companies;
• Fourthly, according to the legal regulation of the General Data Protection Regulation (GDPR), companies may, in certain cases, use legitimate interest for the direct marketing purpose.

Nevertheless, the “legitimate interest” as a basis for the processing of personal data is usually used only when there is no other legal basis on which the company’s data protection operations could be relied on, and the use of this legal ground must conform to strictly assessed conditions, which complies with the requirements of the GDPR.

Herein TRINITI Lithuania team provides the main conditions for the use of the “legitimate interest” legal ground. These conditions must be strictly assessed before the data processing operations:

• a company must very clearly define the purpose of data processing and the legitimate interest itself, also a company must estimate the purposefulness of the purpose of data processing and legitimate interest;
• as with any data processing operations, it must be ensured that the data processing complies with the data processing principles laid down in the GDPR, including the principle of data minimization and accuracy;
• a company must carry out an assessment of the balance of both the company’s interests and rights and freedoms of natural persons which personal data are handled, i.e. the company must assess whether the interests of the natural person and his/her fundamental rights are not superior to the interests of the company, and, thus, the legitimate interests of the company will not have a significant effect on the rights of natural persons.

Hence, only when it is established that the above mentioned conditions exist in the context of the company’s data processing operations and after the objective assessment of these conditions, it is recommended for the companies to use the legitimate interest as the basis for personal data processing.

Latvia  

The legitimate interest as ground for processing of personal data was already widely used in Latvia before GDPR has entered into force. The legitimate interest as the ground for processing is adopted for identification, assurance of means of communication, performance of commercial activity. The most commonly it is used, however, to ensure safety:
to control access to premises, to assure the safety of staff and visitors, including prevention, detection and investigation of thefts, as well as prevention or detection of physical threats.

Use cases of legitimate interest:

Inspection of publicly available privacy policies indicate that personal data like name, surname, identity code, image and others might be processed on the basis of legitimate interest of the merchant (as well as third parties) while:

• Grocery shopping. Major retail operators process personal data on the basis of legitimate interest to ensure personal identification and safety. As indicated in privacy policy of one retailer, processing of personal data on the basis of legitimate interest takes place in order to identify the client or associate the client with the respective loyalty card user which gives certain privileges to its owner [1]. Another retailer ensures data processing on this ground as well to investigate complaints about the quality of service provision, conduct inspections to improve the provision of services and to provide evidence in case of claims [2].
• Clothes shopping. For example, while visiting events organized by one of the largest shopping malls in Riga, visitors of the event can be photographed, captured in video footage and may be asked to give interviews or views on the progress of the event. Later such video recordings and photographs may be published on the social networks of the shopping mall, as well as in any media [3]. The mall has legitimate interest in reflecting activities or events it organizes in the media and social media, thereby ensuring visibility of its brand.
• Doing sports. Gym may record your image on service deck, at wardrobe entrance, gym, studio, spa or swimming pool. The legitimate interest of the gym is legal ground for using security cameras for the sake of protection of property, customers and employees [4].
• Participating in public events. Data subject’s personal data will be processed on the basis of legitimate interest in case of participation in Riga Marathon. Riga Marathon, collecting more than 37 000 participants this year, under the terms of the privacy policy [5] and to ensure the participation in the event, will process your images (photographs and videos) when completing chosen distance.

While refraining to analyze specific examples, it is worth mentioning that swapping lawful basis for the same processing is not compatible with GDPR and it is also not allowed to retrospectively utilise the legitimate interest basis in order to justify processing.

Estonia

Similarly, to Latvia Estonian companies are using legitimate interest as the grounds for processing for a range of different processing activities. Legitimate interest is not used as the last resort but rather as an all covering blanket for processing activities that can’t easily be fitted under other grounds for processing. However, use of legitimate interest has to be thoroughly pre-evaluated and documented before the use of such ground.

Most common use cases of legitimate interest are as follows:

• for the processing with the purpose of raising the quality of the service/product. Examples of processing activities under this purpose are: i) recording of sales calls; ii) carrying out client satisfaction surveys; iii) measuring the effectiveness of the performed marketing activities or iv) analysing the behaviour of the clients.
• for the processing activities with purpose of benefiting the company’s “culture”.  For example, publishing employee’s picture and main work assignments on the intranet (company’s inner web- not available to the outside public), so that employees would know each other better. Or filming the company’s events etc. It is important to acknowledge that usually in these kinds of work space traditions employees should have the right to deny mentioned processing on the basis of legitimate interest; so, the right to object would be considered as safeguard or compensation method in the evaluation of legitimate interest;
• for the processing activities with the purpose of ensuring safety. For example, use of cameras; use of IT surveillance systems; logging the key card information etc.

Legitimate interest is also used in marketing to send to already exciting clients offers and to give and get information from so called “black lists” (e.g. list of bad debtors). However, the usage of legitimate interest in these two cases is a bit more complicated.
Generally, the usage of legitimate interest as the grounds for processing in the case of direct marketing is not advised. Estonian Data Protection Inspectorate has published an FAQ answer on the usage of legitimate interest as the grounds of processing in the case of direct marketing [6]. Hence, sending targeted advertising to the exciting customer, is allowed under the legitimate interest ground, if some additional conditions are met (see e-Privacy directive art 13 (2) [7]) – the client has ordered a similar service/product from you before.

In case of processing personal data for the “black lists” Estonian Data Protection Inspectorate has given unofficial pointers to follow –

• The person to whom the debt information relates must be notified, the data verified and the data transfer recorded;
• The person to whom the information is provided has a legitimate interest (this has to be controlled);
• Transmitted data may not reach those who have no legitimate interest in receiving information. This means, among other things, that personal data must not be disclosed on the Internet.

In conclusion, legitimate interest can be used as grounds for processing for a wide variety of processing activities. Presented examples are not exhaustive. Legitimate interest is a useful and valid basis for processing if the pre-assessment is done right.

Authors of this blog post are Julianna Antonova, Arina Stivrina ,

Goda Sukackaite and Maarja Lehemets.

[1] https://www.rimi.lv/privatuma-politika/mans-rimi-lojalitates-programmas-privatuma-politika
Viewed 07.12.2018.
[2] https://www.maxima.lv/politika-personas-datu-apstradei-publisko-pasakumu
Viewed 07.12.2018.
[3] https://www.domina-shopping.lv/lv/privatuma-politika/fotografesana-un-filmesana-pasakumos/
Viewed 07.12.2018.
[4] https://www.myfitness.lv/par-myfitness/svariga-informacija/pazinojums-par-privatumu/
Viewed 07.12.2018.
[5] http://www.lattelecomrigasmaratons.lv/en/about/privacy-policy/
Viewed 05.12.2018.
[6] Available in Estonian: https://www.aki.ee/et/millist-otseturustust-saab-teha-oigustatud-huvi-alusel
(18.12.2018).
[7] e-Privacy directive nr 2002/58/EC available at: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058
(18.12.2018).