This cartoon focuses on the lawful processing requirement. Under the EU’s General Data Protection Regulation G(DPR), the collection and processing of personal data must be for “specified, explicit and legitimate purposes.” This is in contrast to the United States where the processing of personal information is permitted unless a law forbids it.
Under the GDPR, data processing must be “lawful” – it must be justified by a legitimate purpose in order to be permissible. Article 6 of the GDPR sets forth the grounds for the lawfulness of processing personal data. These grounds include the consent of the data subject, when processing is necessary to perform a contract where the data subject is a party, when processing is necessary to comply with a legal obligation, when processing is necessary to protect a person’s vital interests, or when processing is necessary to perform a task carried out in the public interest. The final ground for lawful processing is when processing is necessary for the “legitimate interests” of a data controller or third party.
It is far from clear that there are legitimate interests in the cartoon above. Organizations often think that “legitimate interests” mean any interests that are important to their business, but that’s not the case. This ground for lawful processing is much narrower. And, legitimate interests must not be overridden by the data subject’s interests or rights.