As every processing of personal data restricts the data protection right, each of these restrictions needs a justification based on the law. Justifications may derive from right and interests of the controller, from rights and interests of a third party or from public interests.
The GDPR, however, does not contain a coherent concept of how and when the data protection right is lawfully limited. The rights and interests that conflict with the data protection right are only regulated in a fragmentary and erratic manner:
Any legitimate interest of the controller or a third party may justify the processing of data (Art. 6 I f GDPR). Some legitimate interests are mentioned in the GDPR (e.g. direct marketing, Rec. 47 (6) GDPR). However, this apparent emphasis says nothing about the weight of the interest in the balancing of interests. Other interests are not mentioned in the GDPR (e.g. credit checks), although they are, of course, also legitimate.
The balancing of interests clause is broad and initially seems to cover all necessary legitimate interests. However, it must be remembered that any processing of personal data is subject to the performance of a documented balancing of interests. This in itself is an encroachment on the general freedom of action protected by fundamental rights, which is particularly problematic in the case of fundamental rights that are traditionally guaranteed unconditionally (such as freedom of expression).
The processing of sensitive data (Art. 9 GDPR) is not even possible according to a balancing of interests. Here, the encroachment on the fundamental rights of the data processor is even more serious.
Even if data processing is covered by an authorisation (e.g. the balance of interests is in favour of the controller), the numerous accompanying obligations (information, documentation, verification obligations) can make data processing effectively impossible (stifling effect).
Public interests can also justify processing. However, they must be explicitly enshrined either in the GDPR or in national law (on the basis of an opening clause). Various public interests are mentioned directly in various places in the GDPR. There is no discernible system behind this. The opening clauses of the GDPR (in particular Art. 6 I c/e and IV, Art. 9 II, Art. 49) give the Member States far-reaching powers to shape the law in favour of public interests. However, it is unclear whether only the public task (according to the EU Commission) or also the specific purpose of processing (according to the predominant view in Germany) must be regulated by law.
Furthermore, it is unclear whether and to what extent Member States may regulate the authority of non-public bodies to process data in the public interest. The public benefit of data processing (e.g. in the case of non-profit organisations or associations) is - as far as can be seen - not taken into account in the possible considerations of the GDPR.