On 20 November 2024, the European Data Protection Board (EDPB) closes a public consultation on the guidelines for processing personal data under Article 6(1)(f) of the General Data Protection Regulation (GDPR) on the use of legitimate interests as a lawful basis for processing. The guidelines apply to data controllers and processors operating within the European Union. The guidelines require meeting conditions, including pursuing a lawful and clearly defined legitimate interest, proving the necessity of the data processing, and ensuring that the interests of data subjects are not overridden by those of the controller or third party. The guidelines also highlight the need for controllers to conduct assessments, document their decision-making process, and ensure transparency by informing data subjects of the legitimate interests involved. The guidelines explore specific contexts such as fraud prevention, direct marketing, and information security where this legal basis might be invoked.
Original source