This file provides a broad and up-to-date overview of legitimate interest as a basis in the AVG. You will find the latest news, policies and common questions, in addition to practical and legal background information. Finally, you will receive tips for further in-depth study.

Justified interest as a processing basis

The AVG distinguishes six bases for the lawful processing of personal data (Article 6(1) AVG). One is the legitimate interest, intended as a 'residual basis' for situations in which, for example, consent or the performance of a contract is not appropriate. However, this basis is not a 'last resort' for exceptional cases.

Article 6(1)(f) AVG states:
"Processing shall be lawful only if and to the extent that at least one of the following conditions is met: (...) f. processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject outweigh those interests, in particular where the data subject is a child."

Recent case law: commercial interest also counts

The interpretation of the term "legitimate interest" has evolved significantly in recent years. Until October 2024, the Autoriteit Persoonsgegevens (AP) held that purely commercial interests could not qualify as a legitimate interest. The European Court of Justice (CJEU) has explicitly rejected this premise: purely commercial interests can also qualify as a legitimate interest, provided the interest is legitimate and not contrary to law. Any interest that is not prohibited can in principle qualify as a legitimate interest. The condition remains that the processing is strictly necessary and a careful balancing of interests takes place.

This scope for commercial interests also applies in the Netherlands. The EDPB (the European umbrella of privacy regulators) has recently adjusted its guidelines accordingly.

For government organizations, the following still applies: public tasks must fall back on public law bases (general interest or legal obligation), except for internal business operations.

Three-step test

To successfully invoke the legitimate interest, three cumulative conditions are necessary:

1. Is there a legitimate (lawful) interest?

2. Is the processing necessary for the interest?

3. Do the interests or rights of data subject not outweigh the interests or rights of the data subject?

In answering these questions, the principles of proportionality and subsidiarity always apply. The nature of the data, the nature of the interest and the reasonable expectation of the data subject are taken into account.

Practical application and examples

There are now numerous examples and court rulings on legitimate interest, for example on commercial communications, information security, sharing personal data in claims and camera surveillance. Organizations are advised to follow these rulings, take into account the latest guidance and document a thorough interest assessment (Legitimate Interest Assessment, LIA).

Practical examples

Online proctoring by university
Personal data processing for promotional purposes (KLNTB case)
Recording and broadcasting soccer games for increasing involvement and enjoyment of the game (Football TV)
Personal data processing to maximize advertising as a legitimate interest (Fashion ID)
Sharing personal data in the event of damage to property (Promusicae)
Monitoring employee in case of suspected fraud| See also theme file Privacy at work
Storing IP addresses for information security purposes, ensuring proper functioning of online medium (Breyer)| See also Information security theme file

Further learning

Current affairs course AVG
Camera Surveillance & Privacy Course