
Scientific Journal Of King Faisal University: Basic and Applied Sciences
Scientific Journal of King Faisal University: Humanities and Management Sciences
The Legal Framework of Legitimate Interests: A Comparative Analysis
(Ahmed M. Bamashmoos)
Abstract
This research paper conducts a comparative analysis of the "legitimate interests" basis for personal data processing under the General Data Protection Regulation (GDPR) and the Saudi Personal Data Protection Law (PDPL). The study aims to explore how each regulatory framework defines and regulates the use of legitimate interests, focusing on the balancing test required to ensure that data subjects' rights are respected. The research methodology involves doctrinal analysis of primary legislation and a comparative approach to identify differences in procedural requirements and safeguards. The analysis reveals that while both the GDPR and the PDPL permit the use of legitimate interests, the GDPR offers a more flexible approach with a detailed balancing test, whereas the PDPL imposes stricter limitations, particularly concerning sensitive data. Key judicial precedents are examined to illustrate the application of legitimate interests in various contexts, emphasizing the importance of proportionality, transparency, and accountability. The paper concludes by suggesting best practices for data controllers in both jurisdictions and advocating for greater harmonization and procedural guidance to ensure consistency and compliance. The findings underscore the need to balance organizational interests with individual privacy rights, especially in light of increasing digital data usage, to foster trust and ensure ethical data processing.
KEYWORDS
Balancing test, data protection, GDPR, PDPL, personal data, privacy rights