This file provides a broad and up-to-date view of legitimate interest in the AVG. Above you can navigate between the latest news, policies and Q&A on this topic, among others. The text below provides practical and general information on the topic. The text concludes with ways you can develop further on this topic.
Justified interest as a processing basis
The AVG a total of six processing bases to process personal data, listed in Article 6(1) AVG. One of those processing bases is the basis of legitimate interest. For the other processing bases, see the | AVG theme file.
The legitimate interest basis (Article 6(1)(f) AVG) reads as follows:
''1. Processing shall be lawful only if and to the extent that at least one of the following conditions is met: (...)
(...) f. the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject requiring protection of personal data outweigh those interests, in particular where the data subject is a child.''
The legitimate interest basis is a so-called residual basis and can be a solution for organizations when, for example, consent (Art. 6(1)(a) AVG) or necessity based on performance of the contract (Art. 6(1)(b) AVG) do not have preferences. On the other hand, it is not a "last resort" for rare or unexpected situations where the other legal grounds do not apply. (1) When you want to examine whether you can process personal data within your (government) organization on the basis of the legitimate interest, you must first consider the following:
1. Does the AVG apply?
The AVG is readily applicable, yet this is not always the case. For example, because the processing in question does not fall within the scope of the AVG. You can read more about the scope of the AVG in the AVG theme file. It is also possible that a different law than the AVG applies to the data processing, because there are sector-specific laws that take precedence. For example, consider the cases when personal data can be designated as police data under the Police Data Act (Wpg)
| File Police Data Act | Course on privacy legislation in detection
For public bodies only | 2. Do I want to use the legitimate interest basis for the purpose of creating a new public task?
Since the entry into force of the AVG, this is not (no longer) allowed (recital 47 AVG). As a public body you may only invoke the task of public interest (Article 6 paragraph 1 sub e AVG) or a legal duty (Article paragraph 1 sub c AVG). This is because the task for which a government body processes personal data must be legally created and must therefore be based on certain regulations. An example of such a legal basis is Section 172 of the Municipalities Act in conjunction with Section 13b of the Opium Act. Based on this basis, a mayor may process data in the context of the authority to shut down an illegal hemp farm. A public body is allowed to use the legitimate interest when it comes to internal business operations. (2)
Three-step test legitimate interest
Processing of personal data is allowed on the basis of legitimate interest if it is necessary to pursue a legitimate interest. You cannot use this basis just like that. Adequate use of the basis requires good and careful argumentation. This argumentation must be elaborated on the basis of the following three questions (3):
1. Does it involve a legitimate interest? If so, which one?
2. Is the personal data processing necessary to pursue the legitimate interest?
3. Is there another interest that outweighs the legitimate interest?
1. Does it involve a legitimate interest? If so, which one?
The AVG lists a number of examples of interests that can act as legitimate interests. Examples include fraud prevention and direct marketing (recital 47 AVG). The AP issued a standard explanation listing various interests. Examples include having a safe and healthy life , protection of deprivation, stopping unlawful conduct and holding someone liable for damages. You can find the standards explanation here (clickable link). (4) See also p. 69 of the Opinion 06/2014 of the EDPB, including: protect privacy, secure computer systems, investigate transgressive behavior in the workplace. (5) And also the website of the Belgian Data Protection Authority (GBA), among others: securing buildings and preventing fraud. (6)
The scope of the term justified has long been the subject of debate. That relates to this particular element in the AP's standards explanation: ''What also does not qualify as a legitimate interest is, for example: merely serving purely commercial interests, (...).''
In the Football TV case (7), the AP stated that a purely commercial interest is not a legitimate interest . As a result, they cannot a priori qualify as a legitimate interest and the balancing of interests (see below) is not done. In another case, the KNLTB case, the Amsterdam District Court has referred questions to the European Court of Justice about the scope of the concept in this context. (8) An answer is expected to follow in mid-2023. The EDPB, in a letter to the AP, has indicated that it will not go along with the AP's strict standards interpretation because it hinders free enterprise. (9) Experts also argue that from the Guidelines 08/2020 (recital 50) show that a legitimate interest can serve as a basis for social media targeting. (10) The AP's view would also deviate from the position of recital 47 of the AVG (direct marketing is a legitimate interest) and European case law, such as the Fashion ID ruling (see heading Practical examples).(11)
2. Is the personal data processing necessary to pursue the legitimate interest?
If the interest in itself can be considered justified, you have to look at whether the personal data processing is also necessary in the specific case. You then look at subsidiarity and proportionality: is the breach for the person concerned in proportion to the purpose of the data processing? And can the purpose not be achieved in another way that is less detrimental to the data subject? (12) More simply put: do I have other means by which I can achieve the goal? If the answer to this is positive, then there is no need, according to the Belgian Data Protection Authority. (13) Consider also small adjustments you can make. With camera surveillance, for example, you can think about turning off audio or applying a shorter retention period. An example where necessity did not apply was an old case in which an event recorder was used for the purpose of coaching truck drivers. (14) |Thematic dossier Camera surveillance | Camera Surveillance & Privacy Course
3. Is there another interest that outweighs the legitimate interest?
Is the processing necessary, but is there another interest that outweighs it? Then personal data processing is still not permitted. For a proper consideration, you look at the following elements, among others: the nature of the interest, impact on the data subject (likelihood of damage, for example, reputation damage, discrimination, exclusion, restriction of rights (also non-AVG), loss of (career) opportunities, financial loss, identity theft, fraud), nature of the data (how sensitive are the data and who has access to them?), reasonable expectation of data subject (can he know how the data will be processed?), relationship of controller and data subject (dependency relationship?), additional measures to minimize impact (privacy enhancing technologies), transparency about personal data processing, provide option for data subject not to process personal data). (15)
Closing Remarks
Do you want to use legitimate interest as your basis? Make sure you can substantiate this well using the questions above and the information in this file. Under the AVG you have an obligation to account for the personal data you process. See also the theme file AVG: Accountability obligation. This substantiation is also called a Legitimate interest assessment (LIA).
Practical examples
Online proctoring by university
Personal data processing for promotional purposes (KLNTB case)
Recording and broadcasting soccer games for increasing involvement and enjoyment of the game (Football TV)
Personal data processing to maximize advertising as a legitimate interest (Fashion ID)
Sharing personal data in the event of damage to property (Promusicae)
Monitoring employee in case of suspected fraud| See also theme file Privacy at work
Storing IP addresses for information security purposes, ensuring proper functioning of online medium (Breyer)| See also Information security theme file
Further learning
Current affairs course AVG
Camera Surveillance & Privacy Course
Footnotes
1. https://privacy-web.nl/publicaties/wp29-publiceert-advies-06-2014-over-het-gerechtvaardigd-belang/
2. https://www.privacycompany.eu/blogpost-nl/gerechtvaardigd-belang-niet-voor-de-overheid-mag-je-dan-niet-meer-efficient-werken
3. These three questions emerge in the Fashion ID ruling: https://privacy-web.nl/jurisprudentie/eclieuc2019629/
4. https://privacy-web.nl/publicaties/wp29-publiceert-advies-06-2014-over-het-gerechtvaardigd-belang/
5. https://privacy-web.nl/publicaties/wp29-publiceert-advies-06-2014-over-het-gerechtvaardigd-belang/
6. https://www.gegevensbeschermingsautoriteit.be/professioneel/avg/rechtsgronden/gerechtvaardigd-belang
7. https://privacy-web.nl/jurisprudentie/eclinlrvs20222173/
8. The interlocutory statement at issue: https://privacy-web.nl/jurisprudentie/eclinlrbams20225565/
11. https://privacy-web.nl/jurisprudentie/eclieuc2019629/
(Fashion ID)
13. https://www.gegevensbeschermingsautoriteit.be/professioneel/avg/rechtsgronden/gerechtvaardigd-belang
FootballTV: on the what, why and how to move forward
Background articlesEuropean Commission warns AP overly strict interpretation of AVG
News press releaseYour face in a deepfake: what's the AVG situation?
Legal ArticlesBig Boss is watching you: when is camera surveillance allowed in the workplace?
Article
