Legitimate interest of the data controller New data protection paradigm: legitimacy grounded on appropriate protection

The finding of an appropriate balance between data subjects' rights and safeguards and the free flow of information is the common scope of both Directive 95/46/EC and the new data protection framework proposed by the European Commission. It can be argued that the Draft Regulation contains a set of requirements and obligations related to corporate organization in order to handle personal data adequately. This can be described as a comprehensive 'Data Protection Compliance Program' which becomes "the" requirement that makes data processing legitimate on its ground; while other more traditional legal bases of achieving legitimacy, such as data subject consent to processing, may be less relevant, because they do not necessarily offer an appropriate level of protection of personal data, nor do they support a flexible implementation of the user control paradigm. This paper proposes that organizations should be allowed to process personal data upon the condition that they have implemented (and can prove they have implemented) the Data Protection Compliance Program; by organizations acting in this way, the 'appropriate balance' would be achieved, because data subjects' rights would be properly safeguarded, while processing of personal data by controllers and free flow of information would not be unnecessarily impinged.