CJEU & legitimate interest in scope: what the controller should remember of.

CJEU gave the Judgement in the course of a preliminary ruling on whether Articles 6(1)(c) and 7(f) of the Data Protection Directive (95/46/EC) precluded national law from allowing installation of a CCTV system in the common parts of a residential building, relying on a legitimate interest (Case C-708/18).  

The overall answer is “No, it didn’t”. But what else is inside for data protection pros? 

Well, CJEU re-brought to the attention of data controllers critical cornerstones of the legitimate interest as a legal basis:

– there must be present and effective legitimate interest (‘purpose test’);

– processing at issue must be strictly necessary, i.e. the purpose “cannot reasonably be as effectively achieved by other means less restrictive of the fundamental freedoms. (‘necessity test’). This is closely intertwined with the ‘data minimisation’ principle; 

– a balancing test must be conducted (ref. WP29 Opinion 06/2014 on the notion of legitimate interests).

More to read:


One Reply to “CJEU & legitimate interest in scope: what the controller should remember of.”

  1. This is really useful tool, cut&paste from the article

    Remember to carry out the three-stage test, namely the “purpose test”, the “necessity test” and the “balancing test”, when weighing up the processing of personal data on the legitimate interests basis. Also, don’t forget to assess whether alternative means are available to meet the same objective of the processing and to apply the condition only in so far as is strictly necessary,

    A decision was just made in Sweden on the use of CCTV in apartment blocks. It’s in Swedish unfortunately, but maybe Google translate can work it out 🙂


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.