Hacker News
by gog 1535 days ago
Are you sure about this? Parsing the logs stored for legitimate interest and then aggregating from that data for another purpose without storing PII seems to me like fair game.
1 comments

You can't process personal data "for legitimate interest" per se. This is the biggest lie the adtech industry keeps telling themselves. The LI exception is that you can process personal data to do X with fewer restrictions, if you have a legitimate interest in X. For example, all companies have a legitimate interest in certain employee data, e.g. legal names / tax identification. More complex, if you run an insurance company, you have some legitimate interest in a broad swath of your customers' demographic data.

The case for legitimate interest in parsing logs is extremely weak. There are situations where you could claim it but it still must be with a clear purpose. E.g. a Spanish company considering opening a branch in France might collect IPs to make a heatmap of where its French customers are. But they would not be able to use those IPs generally, to the extent e.g. they might be expected to delete the IP and only store aggregated by department.

You also said PII, not PD - note that some PII is sensitive data, which cannot be collected under LI provisions at all.

(This is not legal advice. If you think you can collect personal data with the LI exception, godspeed and I hope you have a good lawyer.)