In our response to the EDPB Guidelines on legitimate interest, we highlight areas of agreement as well as sections where further clarification or amendment may be beneficial to ensure a balanced application of legitimate interest provisions in the context of consumer credit information processing.
We commend the EDPB’s guidance that no hierarchy exists among legal bases under Article 6(1) GDPR. This aligns well with our operational requirements and validates the flexibility to choose the most appropriate legal basis, including legitimate interest, provided that specific criteria are met. We also appreciate the explicit recognition that legitimate interest does not exclusively refer to interests enshrined in or determined by law, as affirmed by the ECJ. We particularly welcome the EDPB’s clarification that not all profiling falls under Article 22 GDPR. Differentiating profiling activities from fully automated decisions allows for more context-appropriate applications and safeguards around data processing.
The guidelines state that the controller may rely on legitimate interest only if it has assessed and concluded that the envisaged processing is strictly necessary for pursuing such an interest. On this point, the guidelines introduce a processing restriction that is not generally supported by the GDPR. Furthermore, the guidelines should acknowledge that providers of credit information services have compelling and overriding legitimate grounds to keep their databases up to date, accurate, and complete. The guidelines should provide a robust reference to the processing activities of credit information service providers, emphasising the necessity of keeping their information current and accurate to facilitate its sharing with those who require it.