I would like to have known whether it is possible that jointly responsible persons can assert a legitimate interest as a legal basis?
Example: 4 independent organizations/companies want to share their customer and supplier data because they partially overlap. If one of the four companies wants to create a new customer, they should first be able to search in a joint program to determine whether it already exists so that they do not have to create it again. Each of these four companies can view this customer record and change it if necessary.
Can I assert a legitimate interest here and say that it makes work easier for the four companies and also means data minimization?
Thank you in advance for your help!
Assign topic to the user
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
I would like to have known whether it is possible that jointly responsible persons can assert a legitimate interest as a legal basis?
Legitimate interest is more deeply explained in the preamble of GDPR. Paragraph 47 of GDPR explains how to use legitimate interest as a legal ground.
The key element of legitimate interest as a legal ground of data processing is the existence of a relevant and appropriate relationship between “the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.” (see paragraph 47 of the Preamble of GDPR)
Therefore, you must assess whether the four companies have a relevant and appropriate relationship with the customer (i.e. they all provide a service to the customer like sales of goods and logistics).
It must be assessed whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.” It means that the customer who disclosed his personal data for a certain purpose can reasonably expect that his data will be processed by all the four companies because of the nature of the service provided.
In those cases only legitimate interest can be used as a legal ground of data processing by co-controllers.
Example: 4 independent organizations/companies want to share their customer and supplier data because they partially overlap. If one of the four companies wants to create a new customer, they should first be able to search in a joint program to determine whether it already exists so that they do not have to create it again. Each of these four companies can view this customer record and change it if necessary.
Can I assert a legitimate interest here and say that it makes work easier for the four companies and also means data minimization?
Paragraph 48 in preamble rules the situation of group companies or grouped undertakers which jointly process personal data.
According to paragraph 48 of the GDPR Preamble, the controllers “may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data.”
Comment as guest or Sign in
Jan 31, 2020