Public Task and Legitimate Interests
Public Task and Legitimate Interests are two of the six lawful bases for processing personal data under the General Data Protection Regulation (GDPR), outlined in Article 6.

**Public Task (Article 6(1)(e)):** This lawful basis applies when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. It is primarily used by public authorities, government bodies, and organizations performing public functions. Examples include tax administration, law enforcement, public health management, and educational institutions fulfilling statutory obligations. Member States can further specify this basis through national legislation. Controllers relying on public task must have a clear legal foundation in EU or Member State law for their processing activities. Data subjects have the right to object to processing under this basis, and controllers must demonstrate compelling grounds to override such objections.

**Legitimate Interests (Article 6(1)(f)):** This basis allows processing when it is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the fundamental rights and freedoms of the data subject. Importantly, this basis is NOT available to public authorities processing data in the performance of their tasks. Controllers must conduct a three-part Legitimate Interests Assessment (LIA): (1) identify a legitimate interest, (2) demonstrate the processing is necessary to achieve it, and (3) balance the interest against the data subject's rights and freedoms. Legitimate interests can include fraud prevention, network security, direct marketing, and intra-group data transfers for administrative purposes. The assessment must consider the reasonable expectations of data subjects, the nature of the data, and the impact of processing. Data subjects retain the right to object to processing under this basis.

Both bases require transparency — controllers must inform data subjects about the legal basis relied upon and, for legitimate interests, specify the interests pursued. Documentation and accountability remain essential under both grounds.
Public Task and Legitimate Interests: A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
Public task and legitimate interests are two of the six lawful bases for processing personal data under the General Data Protection Regulation (GDPR), specifically outlined in Article 6(1)(e) and Article 6(1)(f) respectively. Understanding these two legal bases is essential for anyone preparing for the CIPP/E certification exam, as they represent some of the most nuanced and frequently tested concepts in European data protection law.
Why Are Public Task and Legitimate Interests Important?
These two lawful bases are critically important for several reasons:
1. Wide applicability: Public task is the primary legal basis for public authorities and bodies carrying out their official functions, while legitimate interests is one of the most flexible and commonly relied-upon bases for private sector organisations.
2. Balancing rights: Both legal bases require a careful balancing exercise between the needs of the data controller and the rights and freedoms of the data subject, making them more complex than bases like consent or contractual necessity.
3. Practical significance: In practice, these are the legal bases that organisations most frequently analyse and debate, particularly when consent is not appropriate or practical.
4. Regulatory scrutiny: Supervisory authorities regularly examine whether organisations have correctly applied these legal bases, and misapplication can lead to significant fines and enforcement action.
5. Impact on data subject rights: The choice between these bases has a direct impact on which rights data subjects can exercise. Notably, the right to data portability does not apply to processing based on public task or legitimate interests, while the right to object applies to both.
What Is Public Task? (Article 6(1)(e))
Public task, formally described under Article 6(1)(e) GDPR, provides that processing is lawful when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Key elements of public task:
- Public interest or official authority: The processing must be connected to a task carried out in the public interest or to the exercise of official authority. This does not mean the controller must be a public body in every case, though it most commonly applies to public authorities.
- Basis in law: Article 6(3) GDPR requires that the basis for this processing must be laid down by EU law or Member State law. The law does not need to require the processing explicitly, but it must provide a lawful foundation for the task or authority in question.
- Necessity: The processing must be necessary for the performance of the task. This does not mean absolutely essential, but it must be more than merely useful. There must be a reasonable and proportionate connection between the processing and the task.
- Not limited to public authorities: While this basis is most commonly used by government bodies, courts, and public institutions, private organisations may also rely on it if they are carrying out a task in the public interest as established by law (for example, a private company performing a statutory regulatory function).
Examples of public task processing:
- A local authority processing personal data to administer housing benefits
- A public health body processing data for disease surveillance
- A university processing student data for educational administration
- A court processing data in the administration of justice
- A tax authority processing data for tax collection purposes
Important considerations for public task:
- Member States have significant discretion to specify and adapt the application of this legal basis through national law (Article 6(2) and 6(3) GDPR).
- Public authorities generally cannot rely on legitimate interests for processing carried out in the performance of their tasks (as stated in the last subparagraph of Article 6(1) GDPR). This is a crucial distinction for the CIPP/E exam.
- Data subjects have the right to object to processing based on public task under Article 21(1) GDPR.
What Is Legitimate Interests? (Article 6(1)(f))
Legitimate interests, set out in Article 6(1)(f) GDPR, provides that processing is lawful when it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
Key elements of legitimate interests:
This legal basis involves a three-part test, often referred to as the Legitimate Interests Assessment (LIA) or balancing test:
1. Purpose test — Identify the legitimate interest:
- The controller (or a third party) must have a legitimate interest that is real, specific, and clearly articulated.
- The interest must be lawful (i.e., not contrary to law), clearly defined, and not overly vague or speculative.
- Recital 47 provides examples of legitimate interests, including processing for direct marketing purposes, processing within a group of undertakings for internal administrative purposes, and processing necessary to prevent fraud.
- Recital 49 mentions network and information security as a legitimate interest.
2. Necessity test — Is the processing necessary?
- The processing must be necessary for the pursuit of that legitimate interest.
- Could the same purpose be achieved in a less intrusive way? If so, the necessity test may not be satisfied.
- "Necessary" means more than merely convenient but does not require the processing to be absolutely indispensable.
3. Balancing test — Do the data subject's rights override?
- Even if a legitimate interest exists and the processing is necessary, the controller must weigh its interests against the interests, rights, and freedoms of the data subject.
- Factors to consider include: the nature of the personal data, the reasonable expectations of the data subject, the relationship between the controller and the data subject, the impact of the processing on the data subject, and whether the data subject is a child.
- If the data subject's interests, rights, or freedoms override the legitimate interest, this legal basis cannot be used.
Examples of legitimate interests processing:
- A company processing employee data for IT network security purposes
- An organisation sending direct marketing communications to existing customers (subject to the balancing test and applicable e-privacy rules)
- Fraud prevention and detection activities
- Intra-group data transfers for internal administrative purposes
- A company processing CCTV footage for the security of its premises
- A creditor processing debtor information for debt recovery
Important considerations for legitimate interests:
- Public authorities restriction: The last subparagraph of Article 6(1) states that legitimate interests shall not apply to processing carried out by public authorities in the performance of their tasks. This is a commonly tested point.
- Documentation: Controllers should document their Legitimate Interests Assessment (LIA). While the GDPR does not prescribe a specific format, accountability requires that the balancing exercise be recorded.
- Right to object: Data subjects have the right to object to processing based on legitimate interests under Article 21(1). Upon objection, the controller must cease processing unless it can demonstrate compelling legitimate grounds that override the interests of the data subject.
- Direct marketing: Article 21(2) provides an absolute right to object to processing for direct marketing purposes. When the data subject objects, the processing must cease — no balancing test applies.
- Children: Special attention must be paid where the data subject is a child, as the GDPR specifically highlights this in Article 6(1)(f).
- Transparency: Under Articles 13 and 14, when relying on legitimate interests, the controller must inform the data subject of the legitimate interests pursued.
How Public Task and Legitimate Interests Work in Practice
Choosing between the two:
The choice between public task and legitimate interests often depends on the nature of the controller:
- Public authorities performing their official functions should rely on public task (Article 6(1)(e)) and generally cannot use legitimate interests for those activities.
- Private organisations most commonly rely on legitimate interests (Article 6(1)(f)) when processing does not fall under consent, contract, or legal obligation.
- Private organisations performing public functions may use public task if their activity is grounded in law as being in the public interest.
The role of Member State law:
Both legal bases are subject to Member State variation. For public task, Article 6(3) explicitly allows Member States to define the tasks and purposes more specifically. For legitimate interests, while the GDPR provides a harmonised framework, some Member States have introduced additional guidance or conditions through national legislation.
Interaction with other GDPR provisions:
- Article 9 (Special categories of data): Neither public task nor legitimate interests alone is sufficient to process special category data. A separate condition under Article 9(2) must also be met. However, Article 9(2)(g) provides an exception for reasons of substantial public interest, which may complement the public task basis.
- Article 10 (Criminal conviction data): Processing of data relating to criminal convictions may be carried out under public task where authorised by law, but legitimate interests alone is generally not sufficient — additional safeguards under national law are typically required.
- Data Protection Impact Assessments (DPIAs): Processing based on public task or legitimate interests may trigger the requirement for a DPIA under Article 35, particularly where the processing is likely to result in a high risk to data subjects' rights and freedoms.
Key Differences Between Public Task and Legitimate Interests
Understanding the distinctions is vital for exam success:
- Who can use it: Public task is primarily for public bodies and those exercising public authority; legitimate interests is primarily for private sector controllers (and public bodies acting outside their official tasks).
- Legal foundation: Public task requires a basis in EU or Member State law; legitimate interests does not require a specific legal mandate but requires a documented balancing test.
- Balancing exercise: Public task involves a necessity assessment in relation to the task; legitimate interests involves a three-part test including a balancing of interests against data subject rights.
- Right to object: Both are subject to the right to object under Article 21(1), but the controller's response differs. For legitimate interests, the controller must demonstrate compelling legitimate grounds; for public task, the controller must also demonstrate compelling legitimate grounds or that processing is necessary for legal claims.
- Data portability: The right to data portability (Article 20) does not apply to processing based on either public task or legitimate interests — it only applies to processing based on consent or contract.
- Automated decision-making: Article 22 restricts automated individual decision-making. For public task, automated decisions may be authorised by EU or Member State law; legitimate interests alone does not provide an exception under Article 22(2).
Relevant Case Law and Guidance
- CJEU — Google Spain (C-131/12): The Court considered the balance between a search engine operator's legitimate interest in processing personal data and the data subject's right to privacy, ultimately recognising the data subject's right to delisting under certain circumstances.
- CJEU — Rigas (C-13/16): The Court confirmed that the legitimate interests basis requires a balancing of interests and that the list of legitimate interests is not exhaustive.
- Article 29 Working Party Opinion 06/2014 on Legitimate Interests: This opinion (now endorsed by the EDPB) provides detailed guidance on conducting the balancing test, including practical examples and the factors to consider.
- EDPB Guidelines: The European Data Protection Board has issued various guidelines that touch on the application of both legal bases, particularly in the context of public sector data processing and direct marketing.
Exam Tips: Answering Questions on Public Task and Legitimate Interests
1. Know the exact wording of Article 6(1)(e) and 6(1)(f):
Be able to distinguish the precise legal text. Exam questions may test whether you can identify the correct legal basis from a scenario. Remember that public task refers to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority, while legitimate interests refers to processing necessary for the purposes of the legitimate interests pursued by the controller or a third party.
2. Remember the public authority restriction:
One of the most frequently tested points is that public authorities cannot rely on legitimate interests when performing their tasks. If a question presents a public body processing data for its official functions, the answer is almost certainly public task, not legitimate interests.
3. Master the three-part legitimate interests test:
Many exam questions will test your ability to apply the three-part test: (i) identify the legitimate interest, (ii) assess necessity, and (iii) conduct the balancing test. Practice applying this framework to different scenarios.
4. Pay attention to children:
Article 6(1)(f) specifically mentions children. If a scenario involves processing data about minors, this should heighten your analysis of the balancing test and may tip the balance in favour of the data subject's interests.
5. Understand the right to object implications:
Know that both public task and legitimate interests are subject to the right to object under Article 21(1). For direct marketing based on legitimate interests, the right to object is absolute under Article 21(2). This is a very commonly tested point.
6. Know what rights do NOT apply:
The right to data portability (Article 20) does not apply to processing based on public task or legitimate interests. If a question asks about data portability in the context of these legal bases, the answer is that it does not apply.
7. Link to transparency obligations:
When relying on legitimate interests, the controller must inform data subjects of the specific legitimate interest being pursued (Articles 13(1)(d) and 14(2)(b)). This is an important accountability and transparency requirement that may be tested.
8. Consider special category data separately:
If a scenario involves special category data (Article 9), remember that public task and legitimate interests under Article 6 are not sufficient alone. You must also identify a condition under Article 9(2). Do not confuse Article 6 and Article 9 requirements.
9. Watch for scenario-based questions:
The CIPP/E exam often presents practical scenarios. When analysing a scenario:
- First, identify whether the controller is a public authority or a private organisation.
- Then, determine whether the processing relates to official tasks or private interests.
- Apply the appropriate legal basis and its associated requirements.
- Consider whether additional conditions apply (e.g., special categories, automated decision-making).
10. Remember the documentation requirement:
Under the accountability principle (Article 5(2)), controllers should document their Legitimate Interests Assessment. While this is not explicitly mandated in Article 6(1)(f), it flows from the broader accountability obligations and is considered best practice by supervisory authorities.
11. Distinguish between necessity and proportionality:
Both legal bases include a necessity requirement. Necessity does not mean indispensable — it means that the processing must be a proportionate and targeted way to achieve the purpose. If there is a less intrusive alternative that would achieve the same result, the necessity test may fail.
12. Know recital examples:
Recitals 47, 48, and 49 provide helpful examples of legitimate interests (direct marketing, intra-group transfers, network security). Recital 45 addresses the legal basis requirements for public task processing. Familiarity with these recitals can help you quickly identify the correct answer.
13. Be aware of Member State variations:
The CIPP/E exam may reference the fact that Member States can further specify the application of both legal bases. For public task, this includes defining the tasks more precisely; for legitimate interests, some jurisdictions may impose additional conditions.
14. Practice elimination strategy:
In multiple-choice questions, use the process of elimination. If a scenario involves a public authority performing its statutory duties, eliminate legitimate interests. If the processing could easily be done with less data, question whether the necessity test is met. If the data subject is a child, consider whether the balancing test tips against the controller.
15. Time management:
Do not spend too long on complex balancing test scenarios. Identify the key facts, apply the framework methodically, and move on. The exam rewards structured thinking over lengthy analysis.
Summary
Public task and legitimate interests are two of the most important and nuanced lawful bases under the GDPR. Public task applies primarily to public authorities exercising official functions grounded in law, while legitimate interests provides a flexible basis for private sector organisations subject to a rigorous three-part test. Understanding the distinctions between these bases, their requirements, their interaction with data subject rights, and their limitations is essential for success on the CIPP/E exam. Always approach exam questions methodically: identify the controller, determine the nature of the processing, apply the correct legal framework, and consider the implications for data subject rights and controller obligations.