Basis for Use
Annex 1. Quick guide on how to carry out the Article 7(f) balancing test
Step 1: Assessing which legal ground may potentially apply under Article 7(a)-(f)
Data processing can be implemented only if one or more of the six grounds – (a) through (f) – of
Article 7 applies (different grounds can be relied on at different stages of the same processing
activity). If it prima facie appears that Article 7(f) might be appropriate as a legal ground,
proceed to step 2.
Quick tips:
– Article 7(a) applies only if free, informed, specific and unambiguous consent is given; the fact
that an individual has not objected to a processing under Article 14 should not be confused with
Article 7(a) consent – however, an easy mechanism to object to a processing may be considered
as an important safeguard under Article 7(f);
– Article 7(b) covers processing that is necessary for the implementation of the contract; just
because the data processing is related to the contract, or foreseen somewhere in the terms and
conditions of the contract does not necessarily mean that this ground applies; where
appropriate, consider Article 7(f) as an alternative;
– Article 7(c) addresses only clear and specific legal obligations under the laws of the EU or a
Member State; in case of non-binding guidelines (for instance by regulatory agencies), or a
foreign legal obligation, consider Article 7(f) as an alternative.
Step 2: Qualifying an interest as ‘legitimate’ or ‘illegitimate’
To be considered as legitimate, an interest must cumulatively fulfil the following conditions:
– be lawful (i.e. in accordance with EU and national law);
– be sufficiently clearly articulated to allow the balancing test to be carried out against the
interests and fundamental rights of the data subject (i.e. sufficiently concrete);
– represent a real and present interest (i.e. not be speculative).
Step 3: Determining whether the processing is necessary to achieve the interest pursued
To meet this requirement, consider whether there are other less invasive means to reach the
identified purpose of the processing and serve the legitimate interest of the data controller.
Step 4: Establishing a provisional balance by assessing whether the data controller’s
interest is overridden by the fundamental rights or interests of the data subjects
– Consider the nature of the interests of the controller (fundamental right, other type of interest,
public interest);
– Evaluate the possible prejudice suffered by the controller, by third parties or the broader
community if the data processing does not take place;
– Take into account the nature of the data (sensitive in a strict or broader sense?);
– Consider the status of the data subject (minor, employee, etc.) and of the controller (e.g.
whether a business organisation is in a dominant market position);
– Take into account the way data are processed (large scale, data mining, profiling, disclosure to
a large number of people or publication);
– Identify the fundamental rights and/or interests of the data subject that could be impacted;
– Consider data subjects’ reasonable expectations;
– Evaluate impacts on the data subject and compare with the benefit expected from the
processing by the data controller.
Quick tip: Consider the effect of actual processing on particular individuals – do not see this as
an abstract or hypothetical exercise.
Step 5: Establishing a final balance by taking into account additional safeguards
Identify and implement appropriate additional safeguards resulting from the duty of care and
diligence such as:
– data minimisation (e.g. strict limitations on the collection of data, or immediate deletion of
data after use);
– technical and organisational measures to ensure that the data cannot be used to take decisions
or other actions with respect to individuals (‘functional separation’);
– wide use of anonymisation techniques, aggregation of data, privacy-enhancing technologies,
privacy by design, privacy and data protection impact assessments;
– increased transparency, general and unconditional right to object (opt-out), data portability &
related measures to empower data subjects.
Quick tip: Using privacy enhancing technologies and approaches can tip the balance in favour
of the data controller and protect individuals too.
Step 6: Demonstrate compliance and ensure transparency
– Draw a blueprint of steps 1 to 5 to justify the processing before its launch.
– Inform data subjects of the reasons for believing the balance tips in the controller’s favour.
– Keep documentation available to data protection authorities.
Quick tip: This step is scalable: details of assessment and documentation should be adapted to
the nature and context of the processing. These measures will be more extensive where a large
amount of information about many people is being processed, in a way that could have a
significant impact on them. A comprehensive privacy and data protection impact assessment
(under Article 33 of the proposed Regulation) will only be necessary when a processing
operation presents specific risks to the rights and freedoms of data subjects. In these cases, the
assessment under Article 7(f) could become a key part of this broader impact assessment.
Step 7: What if the data subject exercises his/her right to object?
– Where only a qualified right to opt-out is available as a safeguard (this is explicitly required
under Article 14(a) as a minimum safeguard): in case the data subject objects to the processing,
it should be ensured that an appropriate and user-friendly mechanism is in place to re-assess the
balance as for the individual concerned and stop processing his/her data if the re-assessment
shows that his/her interests prevail.
– Where an unconditional right to opt-out is provided as an additional safeguard (either
because this is explicitly required under Article 14(b) or because this is otherwise deemed a
necessary or helpful additional safeguard): in case the data subject objects to the processing, it
should be ensured that this choice is respected, without the need to take any further step or
assessment.