On August 16, 2023 (Wednesday), the Brazilian Data Protection Authority (ANPD) made available, through this link, a public consultation regarding the Preliminary Study on legitimate interest as a legal basis for personal data processing. The consultation will be open for 30 days on the Participa Mais Brasil platform (between August 16 and September 15).
In more detail
The Preliminary Text aims to define and provide guidance on the application of the legitimate interest of controllers and third parties, based on the Brazilian General Personal Data Protection Law (LGPD). It also includes a simplified step-by-step guide for the analysis of legitimate interest, as well as guidelines and a template for the Legitimate Interest Assessment (LIA).
Among the main points of the Preliminary Text, the following are worth highlighting:
- The interest will be considered legitimate when: (i) it is compatible with the legal system; (ii) it is based on concrete situations; and (iii) it is linked to legitimate, specific and explicit purposes.
- The personal data processing can be carried out in order to protect the controller’s and third parties’ legitimate interests, which includes the interests of the collectivity. When legitimate interest is used as a legal basis for personal data processing, the legitimate expectation of the data subject must be observed.
- The personal data processing based on legitimate interest must be preceded by a LIA, which must take into account the legitimacy of the interest, the necessity of the processing, the impacts on the data subjects’ rights and their legitimate expectations in comparison with the involved interests. To this end, the Preliminary Text presents a balancing test template segmented into the phases of (i) purpose; (ii) necessity; and (iii) balancing and safeguards.
- Regarding the personal data processing of children and adolescents based on legitimate interest, the Preliminary Text indicates that its enforcement tends to be residual. The controller must take into account, as a priority, the best interest of the child or adolescent. Moreover, they must prepare and keep a record of the reason for the processing, which must be appropriate to the case and capable of demonstrating:
(i) what was considered to be the best interest of the child or adolescent;
(ii) on the basis of which criteria their rights were balanced against the legitimate interest of the controller or a third party; and
(iii) that the processing does not generate disproportionate or excessive risks or impacts, considering the condition of children and adolescents as individuals with rights.
- According to the Preliminary Text, processing based on legitimate interest should not be considered if the LIA is not conclusive or if security and risk mitigation measures appropriate to the legal basis are not identified.
- When the personal data processing activity is based on legitimate interest, the Preliminary Text highlights the requirement that the activity be included in detail in a Record of Processing Activities, with a reference to a LIA. If there is high-risk processing, the activity must also be included in a Data Protection Impact Assessment (DPIA).
- The Preliminary Text also emphasizes the need for compliance with the principles of necessity and transparency.
- The Preliminary Text emphasizes that the use of legitimate interest as a legal basis in the processing of personal data by the Public Authorities is not appropriate, due to the asymmetry of powers, and should be limited. Legitimate interest may be admitted as a legal basis when the use of the data is not compulsory or when the State’s actions are not based on the exercise of typical State prerogatives, which result from the carrying out of legal obligations and assignments.
Additionally, the Preliminary Text discusses the processing of sensitive personal data under the legal basis of guaranteeing the prevention of fraud and the security of the data subject. The text highlights that this legal basis is similar to legitimate interest and that, therefore, the guidelines on the LIA can also be applied when it is used. We emphasize here that the use of legitimate interest is not applicable to the processing of sensitive personal data.
Finally, it is important to point out that the Preliminary Text is intended to provide input for the content of the Guidelines on the legal basis of legitimate interest, based on the collaboration of processing agents and society, combined with the technical expertise of the ANPD.