To base your processing on the basis "necessary to pursue a legitimate interest," you must meet 3 conditions. These test whether your right to process personal data - because you have a legitimate interest to do so - outweighs the right to privacy of those involved. These are the people whose data you process.
Conditions basis legitimate interest
The 3 conditions are:
1. You actually have a legitimate interest. Not every interest qualifies as a legitimate interest.
2. The processing is necessary to satisfy this interest.
3. You have balanced your interests with those of the data subjects.
Condition 1: legitimate interest
Your interest is actually a legitimate interest if it is stated somewhere in law. And is recognized and protected. This may also be in an unwritten rule or principle of law.
As long as it is an interest that we in society have found should be protected by law. For examples of legitimate interests, see: What are examples of legitimate interests?
Note that what does not qualify as legitimate interest is, for example:
a purely commercial interest;
profit maximization;
monitor employee behavior without legitimate reason;
Tracking the (buying) behavior of (potential) customers without a legitimate reason.
Do you not have a legitimate interest? Then you cannot base your processing on the basis of legitimate interest. And so you may not process the personal data.
Condition 2: necessity
Do you actually have a legitimate interest? Then you must next check whether the processing of personal data is necessary to pursue this interest. You do this by checking:
Whether the purpose of your processing is proportionate to the invasion of privacy of data subjects. In the AVG, this is called "proportionality.
Whether you cannot achieve the goal in another way that is less intrusive to the data subjects. In the AVG, this is called "subsidiarity.
Do you not meet both of these requirements? Then your processing is not necessary. And therefore you cannot base your processing on the basis of 'necessary to pursue a legitimate interest'.
Condition 3: balancing interests
Do you have a legitimate interest and is the data processing necessary to pursue this interest? Then, finally, you must balance your interests against the interests of the data subjects.
In this consideration, you look at:
the impact on those affected;
How serious the invasion of privacy of data subjects is;
What (additional) measures you have taken to prevent or limit undesirable consequences for the data subjects;
Whether data subjects can more or less expect the processing, for example, as a continuation of a previous processing for which they have given consent or as a continuation of processing necessary to perform a contract.
Note: Do you want to process personal data of children (under 16 years of age)? If so, your legitimate interest is less likely to outweigh their rights and freedoms.
Your consideration may lead to 2 conclusions:
The interests of the data subject appear to outweigh the interests of the data subject. As a result, you cannot base your processing on the basis of legitimate interest. And you may therefore not process the data.
Your interests outweigh your interests. This gives you a basis for processing personal data. And you may therefore process the data.
Accountability
Are the personal data really necessary to pursue your legitimate interest? Make sure you can properly substantiate that you can rely on this basis. Under the AVG, you have an accountability obligation.
Learn more
Want more (background) information about this foundation? Then see the Explanation of the ground for legitimate interest from the Autoriteit Persoonsgegevens.
