(47) 控管者（包括個人資料得向其揭露之控管者）或第三方之正當 利益，得作為資料處理之合法依據，但應兼顧該等利益或資料主體之 基本權及自由，且考慮到資料主體基於其與控管者間關係所生之合理 預期。正當利益可存在於諸如資料主體與控管者間具有相關且適當之 關係，例如資料主體係控管者之客戶或由控管者提供其服務等情。無 論如何，正當利益是否存在須審慎評估，包括資料主體於其個人資料 之蒐集過程中及其當下是否能合理預期到該目的之資料處理。於個人 資料處理係在資料主體無法合理預見其資料將被進一步處理之情況 下所為者，資料主體之利益及基本權得特別優先於資料控管者之利益。 鑑於公務機關處理個人資料之合法依據係由立法者以法律規範之，該 合法依據不得適用於公務機關執行職務所為之個人資料處理。基於防 範詐欺之目的而有個人資料處理之絕對需要者，亦得構成相關資料控 管者之正當利益。為直接行銷之目的所為個人資料處理，得被認定係 基於正當利益所為之。
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.