The right to data protection is just as important as the right to privacy or social security. Thus, controllers or organisations processing personal data may have a time to assess whether the intended processing of data will not harm other rights or freedoms of the individual. This assessment is called balancing test, and its performance and meaning will be described in more detail in this note. The Data State Inspectorate will also develop more detailed guidelines on how to perform the balancing test directly.
When an organisation intends to process data, it is necessary to understand from the outset why data processing is necessary and what legal basis will be applied to it. When the legitimate basis for the processing of the data will be the exercise of the legitimate interests of the controller, it is necessary to carry out preliminary work or, more precisely, a balancing test prior to the processing of the data.
The interest balancing test is based on a comparison of the interests and rights of the controller and the data subject in order to assess whether the intended processing will result in a greater benefit from the processing of personal data than restrictions on the rights and freedoms of the data subject. With this balancing test, the controller must make sure that his/her benefit in processing this data outweighs the risk to the data subject’s rights. The organisation must understand that the general argument “no such data processing cannot be done and will not cause deliberate harm” to a person is not sufficient.
How can the balancing test be carried out in practice and what steps should be taken before the data are processed?
1. Define the purpose of the processing – it must be lawful, clear and realistic and answer the question why data processing is necessary?
For example, in cases where video surveillance is necessary to prevent a criminal offence. With the help of video surveillance, the crime is recorded and, if necessary, the recording is transferred to the police for examination of the case.
2. An assessment should be made as to why the processing of personal data is necessary to achieve the purpose. The question is why the objective cannot be achieved by means of less privacy-intrusive means, for example by introducing enhanced security and thus not processing data at all.
3. The interest of the organisation as controller in carrying out the data processing should be justified – which is a direct benefit for the organisation in the processing of this data (particularly in commercial processing).
4. The potential benefit should be mentioned if the processing is carried out, including the list of previous situations that reinforce the need for such data processing.
For example, video surveillance has to be introduced, as it has been found that vehicles are regularly damaged in the parking area. The benefit – locals will feel safer, while potential perpetrators are unlikely to want their crime to be recorded in the cameras. If, however, the wrongdoers decide to ignore cameras, the filmed material can help to detect them and bring them to justice.
5. List the possible categories of data subjects (e.g. minors, employees, visitors to the office, passers-by) and assess whether one of them is particularly protected, so that such processing could create additional risks for the category of persons to be protected. For example, the data of minors will be considered as special protection. Also, in the context of processing, the data of employees will be considered to be particularly protected in relation to the processing of data carried out by the employer.
6. The characteristics of the data to be processed must be carried out and the extent of their processing assessed. What are the personal data (categories) to be collected or to be obtained during the processing in order to achieve the intended purpose? Is the principle of data minimisation respected? The organisation must clearly define which data need to be collected and processed, and be able to justify the necessity of each category of data and the relevance of its processing to the intended purpose.
7. The fundamental rights and freedoms that may be restricted by data processing must be identified and assessed. The organisation must assess whether the planned data processing restricts individuals’ rights to privacy, data protection and possibly other fundamental rights. When describing the planned data processing, it may be useful for an organisation to carry out an impact assessment in order to understand the extent to which a person’s rights may be restricted.
8. Balance the benefits of the organisation as controller against potential (real or potential) losses of human beings as data subjects – what is to be achieved by the organisation when processing data, but what risks can it pose to humans?
9. Additional security measures (data minimisation, technical and organisational measures in place, etc.) should be listed, such as ensuring transparency, ensuring other rights of the data subject, which will be carried out so that data processing complies with the requirements of the Data Regulation, other laws and regulations (for example, not to use video surveillance to monitor other private property) and do not cause harm to data subjects. This list is necessary to enhance the security of data processing. In this case, it will not be sufficient for the organisation to list the requirements of the Data Regulation. It is necessary to clearly state what actions will actually be taken to enhance the security of human data, especially in cases of risk where data may be processed, such as minors.