Pursuant to Art. 6 lit. f DSGVO, the processing of data is lawful if it is necessary to safeguard the legitimate interests of the data controller or a third party. However, proof of a legitimate interest is not sufficient. Rather, the interest pursued must prevail over an encroachment on fundamental rights and freedoms. However, it is precisely in this balancing of interests that opinions differ, since it is a point that is often discussed and which the DSGVO has brought with it. How and when companies have to carry out such a procedure has not yet been conclusively clarified.
A publication of the German Data Protection Conference with a list of case groups now contributes to resolving the question of how the balancing of interests under Art. 6 lit. f DSGVO should take place.
Specifically, the procedure is presented in five different scenarios:
1) Customer data for current contracts
The transfer of data here is based on the contractual relationship between the parties. The assumption of debt according to the German Civil Code is also seen as the approval for the transfer of personal data.
2) Existing customers without current contracts, the end of the last contractual relationship more than three years ago)
Data of such former customers can only be processed to a limited extent. According to DSK, they may be passed on, but may only be processed for the purpose of storage obligations. This has certain consequences for the balancing of interests, especially in the event that an insolvency administrator is involved.
3) Data of customers in an advanced “contract initiation relationship”, but without current contracts and with concluded contractual relationships that are less than three years old.
These data may also be transmitted subject to a time limit for objection. DSK emphasises that this possibility to object is “customer-friendly” and must be clearly structured, especially as many customers are likely to be surprised by the explicit granting of an objection period.
4) Customer data in the case of open claims
According to German civil law, data transfers of this kind are to be treated as transfers of claims. In principle, the cedant may also seek data transfers on the basis of the DSGVO. When weighing up the interests, however, it must be taken into account whether the transfer of data has been expressly excluded.
5) Customer data that fall under the special category of Art. 9 para. 1 DSGVO
The DSGVO provides for an obligation to provide information in such cases. The periods of three years occurring in two of these case groups refer to the regular limitation of claims in German law. In addition, the conference assumes that after three years most of the data on former business partners will no longer be actively usable because the data are outdated.