The Dutch DPA has issued guidance on the use of “legitimate interest” as a legal basis for processing data under GDPR.
Key takeaways on what constitutes “legitimate”:
- The interest needs to be pursuant to a written or unwritten legal principle.
- Merely serving the interests of society or pure commercial interests, profit maximization, following the behavior of employees or the (buying) behavior of (potential) customers, etc. is not a legitimate interest.
- This position seems not to be in line with previously expressed positions in the EU.
- For example, per the United Kingdom Information Commissioner’s Office, individual interests or broader societal benefits may all be legitimate.
- The Article 29 Working Party in its opinion WP217 recognized legitimate interest as applying to certain types of marketing activities.
Per the Dutch DPA, Autoriteit Persoonsgegevens, legitimate interest can be:
- protection of property from imminent danger
- protection of privacy
- preventing infringement of a personality or property right
- litigating and/or defending a legal claim
- combating fraud or unlawful conduct
- holding someone liable for damage
- informing existing customers about similar products or services
- protecting computer systems
- fulfilling duties of care for employees and/or customers
- complying with all legal obligations