The EDPB (European Data Protection Board) has published a public consultation on the draft Guidelines on the processing of personal data based on legitimate interest; the draft is available here:


and anyone can comment on it until 20.11.2024.


This topic is very important because we too often encounter a shaky understanding of the fundamental criteria for determining the validity of legitimate interest as one of the 6 possible legal bases for processing personal data, and even more often we see that "paper tolerates everything", in the sense that the proportionality tests for the validity of a legitimate interest are merely a play on words.

Hence special thanks also to AZOP, whose team was part of the core EU-level working group that produced this much-needed document, which every Data Protection Officer and anyone responsible for this topic in their organisation should study carefully.


From the Guidelines we single out some interesting parts, in English:


Example of video surveillance in a neighbourhood, which "some" fellow citizens would gladly install under the guise of an undefined general good

A “neighbourhood watch” organisation has decided that, “for the greater good of society”, it wishes to install a video surveillance system in a given neighbourhood to monitor possible criminal activities in the area. While the protection of property, health and life may in some circumstances be characterised as a legitimate interest, the interest as expressed by the controller with reference to the processing which is occurring in the present case is very vague, as it is phrased in general terms and does not refer to any specific safety issues. Thus, it is not sufficiently articulated in order to assess its legitimacy and eventually pursue the rest of the three-step assessment process under Article 6(1)(f) GDPR.


Example of former customers who, by cancelling their subscription, signalled that they are not interested

A newspaper envisages to create a database consisting of former subscribers who have not renewed their subscription in order to be able to retrieve such contacts in the event of a launch of a new magazine, as part of their client relationship. At the time of the creation of the database, the newspaper has no concrete plan to develop and launch a new magazine.

In the present case, the interest pursued by the controller through the population of its database – a processing falling under the scope of the GDPR – cannot be considered as real and present, as the launch of a new magazine is only hypothetical at this stage. Therefore, the interest pursued by the controller may not be considered “legitimate”.


Example of an organisation using an individual's photos, found on the internet, to print its own flyers

A company is printing marketing flyers using images of people’s faces publicly available on the internet and social media platforms. The people appearing in the photos are the ones who have published them. In this case, even when the photos were made public by the data subjects themselv


We cannot rely on legitimate interest when it comes to the processing of sensitive personal data, such as:

  • Data relating to health
  • Data on criminal proceedings
  • Financial data, location and movement data, and particularly private data…


And let us remember for good: children's personal data must never be played with, and there can be no legitimate interest there; instead, the best interests of the child come first (UN Convention on the Rights of the Child).


Legitimate interest in the processing of personal data can be justified for the purpose of fraud prevention:

In the context of the balancing exercise to be carried out, the interest of a controller to report fraudulent behaviour to competent law enforcement authorities [124] may possibly outweigh the interests, rights and freedoms of the data subjects only if the controller processes data that is accurate and demonstrably relevant to assess whether a data subject is at risk of becoming the victim of fraud or is (un)reliable. For example, the controller may have an overriding legitimate interest in checking the veracity of a specific professional certification mentioned in a CV provided in the context of a job application, when it constitutes an essential criterion for the good performance of the professional position. Controllers should be specific about what type of fraud they are trying to prevent, and what data they really need to process in order to prevent that type of fraud.


If we are considering legitimate interest as the basis for processing personal data, let us always first check what the ePrivacy Regulation says as lex specialis. In Croatia it is transposed through the Electronic Communications Act (Zakon o elektroničkim komunikacijama).


And finally, if we are the victim of a cyber attack, we could invoke legitimate interest for the purpose of identifying the attacker:

A controller is victim of a cyber-attack resulting in a personal data breach that is likely to result in a risk to the rights and freedoms of the data subjects whose data have been leaked. In accordance with Article 33 GDPR, the controller notifies without undue delay the personal data breach to the supervisory authority, including some personal data necessary to determine the level and likely consequences of the personal data breach. By doing so, the controller is processing data to comply with a legal obligation to which it is subject, on the basis of Article 6(1)(c) GDPR. However, the attacked controller is also in possession of other personal data in relation to the cyber-attack and its perpetrators, such as IP addresses and online identifiers. The controller may want to share these data with the law enforcement authority competent in the area of cybercrime and the competent authority responsible for cybersecurity [163], where such notification is not already compulsory under national and/or Union law [164], to help prevent potential future cyber-attacks and thus protect data subjects. This processing could be based on Article 6(1)(f) GDPR if, in each specific case, it is necessary and the legitimate interest pursued by the controller to indicate possible criminal acts or threats to public security is not outweighed by the interests and rights and freedoms of concerned data subjects. The processing must also be compatible with legal, professional or other binding obligation of secrecy of the controller.

