GDPR legitimate interest is one of six lawful bases for processing personal data under the General Data Protection Regulation. Codified in Article 6(1)(f) GDPR, it allows organisations to process personal data without obtaining consent when a genuine interest exists, the processing is necessary to pursue that interest, and the individual’s rights do not override it. It is the most flexible legal basis available, but also the most frequently misapplied. Supervisory authorities across the EEA have issued over EUR 5.5 billion in cumulative fines since the regulation took effect, with a significant share tied to organisations that selected the wrong legal basis or failed to document their reasoning.
This guide explains when GDPR legitimate interest applies, how to conduct the required three-part assessment, and the most common pitfalls organisations encounter in practice.
What Is Legitimate Interest Under the GDPR?
Legitimate interest is a lawful basis that permits data processing when three conditions are simultaneously met: the controller (or a third party) pursues a genuine interest, the processing is necessary to achieve that interest, and the interests or fundamental rights of the data subject do not override it. Unlike consent, legitimate interest does not require the individual to opt in. Unlike a legal obligation or contractual necessity, it demands an active balancing exercise that must be documented.
The GDPR does not define “legitimate interest” exhaustively, but Recitals 47 to 49 provide concrete examples: fraud prevention, network and information security, direct marketing, and intra-group data transfers for internal administrative purposes. The European Data Protection Board (EDPB) has further clarified that the interest must be lawful, sufficiently specific, and real rather than speculative.
Legitimate interest vs consent
The most critical distinction is control. Valid GDPR consent places the decision in the data subject’s hands: processing may only occur after an affirmative, informed, and freely given agreement. GDPR legitimate interest shifts the burden to the controller, who must demonstrate through a documented assessment that processing is justified even without the individual’s prior agreement.
A survey by the International Association of Privacy Professionals (IAPP) found that 68% of organisations across Europe rely on legitimate interest for at least one major processing activity, making it the second most commonly invoked legal basis after consent. Yet supervisory authorities regularly sanction controllers who treat legitimate interest as a shortcut to avoid the stricter requirements of consent.
Common scenarios for legitimate interest
Legitimate interest is appropriate when the processing serves a genuine, documented purpose that cannot reasonably be achieved through other means, and the impact on individuals is proportionate. Typical scenarios include:
- Fraud prevention and detection – processing transaction data to identify unusual patterns
- IT security – logging access attempts and monitoring network integrity
- Direct marketing to existing customers – sending promotional communications based on a prior purchase relationship
- Internal administration – sharing employee data within a corporate group for payroll, compliance, or operational purposes
It is generally not appropriate when special categories of personal data are involved, when the processing would be unexpected from the individual’s perspective, or when a power imbalance exists between the controller and the data subject.
How to Conduct the Three-Part Balancing Test
Every reliance on GDPR legitimate interest must be supported by a documented assessment known as the Legitimate Interest Assessment (LIA), also called the triple test. This assessment has three sequential stages, and failure at any stage means the legal basis cannot be used.
Identify a legitimate interest
The controller must articulate what interest it pursues and confirm that the interest is lawful. Recital 47 GDPR notes that the existence of a legitimate interest requires “careful assessment” and that the data subject should reasonably expect the processing at the time and in the context of data collection. The interest can belong to the controller, a third party, or the broader public. A vague or generic statement such as “business purposes” is insufficient. Supervisory authorities have consistently required controllers to be specific – for instance, “reducing credit card fraud losses” is far more defensible than “improving business operations.”
Demonstrate necessity
The processing must be genuinely necessary to achieve the stated interest. “Necessary” does not mean indispensable, but it does mean that no less intrusive alternative would achieve the same result. The purpose limitation principle is directly relevant here: the data collected must be adequate, relevant, and limited to what is needed. If the same objective can be achieved by processing fewer data points, by anonymising the data, or by using a different method entirely, the necessity test fails.
For example, monitoring every keystroke of an employee to prevent data leaks would likely fail the necessity test when less intrusive measures – such as restricting access to sensitive files – could achieve the same security objective.
Balance interests against data subject rights
The final and most fact-sensitive stage requires the controller to weigh its legitimate interest against the impact on the data subject’s rights and freedoms. According to EDPB guidance, factors to consider include:
- The nature and sensitivity of the personal data involved
- The reasonable expectations of the data subject
- The status of the data subject (children require heightened protection)
- The relationship between the controller and the data subject
- The safeguards in place to mitigate any negative impact
The ICO’s legitimate interest assessment template is a practical resource that walks controllers through this balancing exercise step by step. The balancing test must be recorded and maintained: supervisory authorities can request it at any time during an investigation.
Common Mistakes to Avoid
Enforcement actions across Europe reveal recurring errors that organisations should actively guard against.
Treating legitimate interest as a default. Many controllers select GDPR legitimate interest simply because obtaining consent seems burdensome. The Irish Data Protection Commission’s decision against Meta Platforms, which resulted in a EUR 390 million fine, centred on this exact failure: Meta relied on legitimate interest and contractual necessity for behavioural advertising when the applicable legal basis was consent. This remains one of the largest fines ever imposed under the GDPR.
Failing to document the assessment. A legitimate interest assessment is not optional. The accountability principle requires controllers to demonstrate compliance proactively. Organisations that invoke legitimate interest without maintaining a written LIA face significant enforcement risk. In practice, the assessment should be reviewed whenever the nature, scope, or context of processing changes, and at minimum during annual compliance reviews as part of a broader GDPR compliance checklist.
Ignoring the right to object. Data subjects have the right to object to processing based on legitimate interest under Article 21 GDPR. Once an objection is received, the controller must stop processing unless it can demonstrate “compelling legitimate grounds” that override the individual’s interests. For direct marketing, the right to object is unconditional and processing must cease immediately. Failure to implement effective objection mechanisms has been the basis for multiple enforcement actions across Europe.
Skipping the DPIA. When processing based on legitimate interest is likely to result in a high risk to individuals, a Data Protection Impact Assessment (DPIA) is mandatory under Article 35 GDPR. The DPIA and the LIA serve complementary functions: the LIA establishes that the legal basis is valid, while the DPIA evaluates and mitigates risk.
Practical Steps for Organisations
Organisations intending to rely on GDPR legitimate interest should embed the following practices into their data privacy governance:
- Prepare a written LIA before processing begins. Document the interest, the necessity analysis, and the balancing test. Assign a reviewer, ideally the Data Protection Officer, to sign off on the assessment.
- Include legitimate interest in your privacy notice. Transparency is a legal requirement. Your privacy notice must identify the specific legitimate interest pursued for each relevant processing activity.
- Implement and test objection mechanisms. Ensure that data subjects can easily exercise their right to object and that objections are processed promptly.
- Review assessments regularly. A LIA is not a one-time exercise. Changes in business context, data volumes, technology, or regulatory guidance can shift the balance.
- Maintain records. Keep the LIA alongside your Records of Processing Activities (ROPA) so that it is immediately available if a supervisory authority requests it.
FAQ
Can legitimate interest be used for marketing purposes?
Yes, Recital 47 GDPR explicitly recognises direct marketing as a potential legitimate interest. However, the controller must still conduct the three-part balancing test and provide an easy opt-out mechanism. For electronic marketing (email, SMS), the ePrivacy Directive imposes additional requirements that often make consent the safer choice for new customer acquisition.
How is legitimate interest different from contractual necessity?
Contractual necessity under Article 6(1)(b) applies when processing is strictly required to perform a contract the data subject has entered into. Legitimate interest applies when there is no contract or when the processing goes beyond what the contract requires. The Meta decision demonstrated that conflating the two can lead to substantial penalties.
What happens if a supervisory authority rejects my legitimate interest assessment?
If the assessment is found inadequate, the supervisory authority may order the controller to stop processing and impose a fine of up to 4% of global annual turnover. The controller may also be required to notify affected data subjects and delete data that was processed without a valid legal basis.