CJEU gave the Judgement in the course of a preliminary ruling on whether Articles 6(1)(c) and 7(f) of the Data Protection Directive (95/46/EC) precluded national law from allowing installation of a CCTV system in the common parts of a residential building, relying on a legitimate interest (Case C-708/18).
The overall answer is “No, it didn’t”. But what else is inside for data protection pros?
Well, CJEU re-brought to the attention of data controllers critical cornerstones of the legitimate interest as a legal basis:
– there must be present and effective legitimate interest (‘purpose test’);
– processing at issue must be strictly necessary, i.e. the purpose “cannot reasonably be as effectively achieved by other means less restrictive of the fundamental freedoms. (‘necessity test’). This is closely intertwined with the ‘data minimisation’ principle;
– a balancing test must be conducted (ref. WP29 Opinion 06/2014 on the notion of legitimate interests).
More to read:
https://www.rpc.co.uk/snapshots/data-protection/cjeus-cctv-ruling-guidance-on-legitimate-interests-processing/