Processing of personal data without the consent of the data subject when there is a legitimate interest to do so

Background

In our CAPSULAS 130 of November of 2011 we commented on the Judgment of the Court of Justice of the European Union (CJEU), of 24 of November 2011, regarding the possibility that the national law may establish that, in order to process personal data without the need to obtain the consent of the data subject, additional conditions or requirements not provided for in EU regulation need to be met.

The judgment of the CJEU was issued in response to a request for a preliminary ruling raised by the Spanish Supreme Court prior to rendering the Judgment that we will further analyze.

Decision of the Supreme Court

The issue analyzed by the Supreme Court is whether sections a) and b) of article 10.2 of Royal Decree (RD) 1720/2007, which approved the Regulation of the Organic Law on Personal Data Protection, are legal or not, because the requirements referred to in such regulation for the processing of personal data exceed those laid down by the EU regulations. According to the general rule, in order to be able to legitimately process personal data, it is necessary to have the prior consent of the data subject. However, sections a) and b) of Article 10.2 of RD 1720/2007, derogate from such general rule by allowing the processing of personal data even without having the consent of the data subject when:
• it is authorized by a regulation having the force of law or by a rule of European Community law;

• its purpose is to satisfy a legitimate interest of the data controller protected by a regulation with the force of law or by a rule of European Community law, unless the interest or the fundamental rights and freedoms of the data subject prevail;

• it is necessary in order for the data controller to fulfill an obligation imposed by a regulation having the force of law or by a rule of European Community law;

• the data to be processed are included in a publicly available source and the data controller has a legitimate interest in their processing, as long as the fundamental rights and freedoms of the data subject are not violated.

The Supreme Court, basing itself on the doctrine of the CJEU, considers that there is no doubt that the requirement established in the Spanish regulations that the personal data must be available in a publicly accessible source is a requirement that is not provided for in EU law, and that therefore the regulation that includes this requirement is contrary to law. Thus, in order to legitimately process personal data without having the prior consent of the data subject, it is sufficient that the processing satisfies a legitimate interest of the data controller and that the fundamental rights and freedoms of the data subject are not violated.