The Dutch DPA has issued guidance on the use of “legitimate interest” as a legal basis for processing data under GDPR.

Key takeaways on what constitutes “legitimate”:

  • The interest needs to be pursuant to a written or unwritten legal principle.
  • Merely serving the interests of society or pure commercial interests, profit maximization, following the behavior of employees or the (buying) behavior of (potential) customers, etc. is not a legitimate interest.
  • This position does not seem to be in line with positions previously expressed in the EU.
  • For example, per the United Kingdom Information Commissioner’s Office, individual interests or broader societal benefits may all be legitimate.
  • The Article 29 Working Party in its opinion WP217 recognized legitimate interest as applying to certain types of marketing activities.

Per the Dutch DPA, Autoriteit Persoonsgegevens, legitimate interest can be:

  • protection of property from imminent danger
  • protection of privacy
  • preventing infringement of a personality or property right
  • litigating and/or defending a legal claim
  • combating fraud or unlawful conduct
  • holding someone liable for damage
  • informing existing customers about similar products or services
  • protecting computer systems
  • fulfilling duties of care for employees and/or customers
  • complying with all legal obligations