
GDPR Legitimate Interest Assessment

12 min read | Updated 2026-03-18

In-depth guide to using legitimate interest under Article 6(1)(f) of the GDPR, covering the three-part test (purpose, necessity, balancing), conducting and documenting a Legitimate Interest Assessment, common scenarios, and situations where legitimate interest is not appropriate.

Key Takeaways
  1. Legitimate interest requires a three-part test — purpose, necessity, and balancing — that must be conducted and documented before processing begins.

  2. The balancing test is the most demanding element: it requires qualitative analysis of the data subject's interests, expectations, and rights weighed against the controller's specific interest.

  3. Fraud prevention, network security, and direct marketing to existing customers are well-established legitimate interest scenarios, but each still requires a documented LIA.

  4. Legitimate interest is not appropriate for special category data, situations with significant power imbalances, or processing fundamentally incompatible with the original collection purpose.

  5. LIAs must be reviewed periodically and reassessed when material changes in context, scope, or regulatory environment occur.

1. Legitimate Interest as a Legal Basis Under GDPR

Article 6(1)(f) provides that processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Unlike consent (Article 6(1)(a)) or contractual necessity (Article 6(1)(b)), legitimate interest requires the controller to conduct a self-assessment balancing its own interests against the data subject's rights — a balancing test that is inherently contextual and must be documented to demonstrate accountability under Article 5(2).

Legitimate interest is often described as the most flexible of the six legal bases, but this flexibility comes with the burden of justification. The controller must be able to articulate a specific, real, and present interest (not speculative or hypothetical), demonstrate that the processing is genuinely necessary to achieve that interest (not merely convenient), and show that the data subject's interests, rights, and freedoms do not override the controller's legitimate interest. Each element requires substantive analysis, not a formulaic box-ticking exercise. Supervisory authorities and courts have consistently rejected legitimate interest claims that lack rigorous balancing.

It is worth noting that Article 6(1) second subparagraph provides that point (f) does not apply to processing carried out by public authorities in the performance of their tasks. Public sector organisations cannot rely on legitimate interest as a legal basis for processing activities carried out in their public function capacity — they must look to legal obligation (Article 6(1)(c)) or public interest (Article 6(1)(e)) instead. Private organisations providing services to or on behalf of public authorities should also assess carefully whether the processing is more properly characterised as a public task than a private interest.

Legitimate interest is not available to public authorities processing data in the performance of their tasks (Article 6(1) second subparagraph). Public bodies must rely on legal obligation or public interest as their legal basis.

2. The Three-Part Test: Purpose, Necessity, Balancing

The legitimate interest assessment follows a three-part test established in the case law of the Court of Justice of the European Union (CJEU) and codified in EDPB guidance. The first part is the purpose test: identifying a legitimate interest that is specific, real, and lawful. The interest must be clearly articulated — 'business purposes' or 'commercial interests' are too vague. Acceptable interests include: fraud prevention, network and information security, direct marketing to existing customers, intra-group data transfers for administrative purposes, and enforcing legal claims. Recital 47 provides illustrative examples, noting that direct marketing and processing within a group of undertakings for internal administrative purposes may constitute legitimate interests.

The second part is the necessity test: establishing that the processing is necessary to achieve the identified interest. 'Necessary' in this context does not mean absolutely indispensable, but it does mean more than merely useful or desirable. The controller must demonstrate that the processing is a proportionate way to achieve the interest, and that the interest cannot reasonably be achieved by less intrusive means. If the same purpose can be achieved by processing less data, processing data in a less intrusive way (e.g., pseudonymisation), or not processing personal data at all, then the processing fails the necessity test. This element prevents legitimate interest from becoming a catch-all basis for any processing that serves a commercial objective.

The third and most demanding part is the balancing test: weighing the controller's legitimate interest against the interests, fundamental rights, and freedoms of the data subject. This assessment considers the nature of the personal data (sensitive data weighs heavily against the controller), the reasonable expectations of the data subject (processing that aligns with what the data subject would expect carries less risk of override), the relationship between the controller and the data subject (closer relationships create stronger expectations), the impact of the processing on the data subject (profiling, automated decision-making, and processing affecting children increase the risk of override), and the safeguards the controller has put in place (pseudonymisation, access controls, retention limits, and transparency measures can tip the balance). The balancing test is not a mathematical calculation — it requires qualitative judgment that must be documented thoroughly.

3. Conducting and Documenting a Legitimate Interest Assessment

A Legitimate Interest Assessment (LIA) is the documented analysis that demonstrates the controller has applied the three-part test to a specific processing activity. While the GDPR does not prescribe a specific format for the LIA, the accountability principle under Article 5(2) requires documentation sufficient to demonstrate compliance. The LIA should be a written record that could be presented to a supervisory authority on request, with sufficient detail to show that the assessment was genuine, thorough, and conducted before the processing commenced (or promptly after a change in circumstances that warranted reassessment).

Structure the LIA with the following sections: (1) Description of the processing activity — what personal data is processed, for what purpose, and how; (2) Identification of the legitimate interest — a specific articulation of the interest pursued, with an explanation of why it is legitimate; (3) Necessity analysis — why the processing is necessary for the identified interest and whether less intrusive alternatives were considered and rejected (with reasons); (4) Balancing assessment — a structured analysis of the data subject's interests, rights, and expectations weighed against the controller's interest, including consideration of the data types involved, the impact on data subjects, any vulnerable individuals affected, and the safeguards in place; (5) Conclusion — a clear statement of whether the legitimate interest is upheld or overridden, with the key factors that determined the outcome; and (6) Review schedule — when the LIA will be reassessed (at minimum annually, or triggered by material changes in the processing or its context).

The quality of the balancing section determines the defensibility of the LIA. Avoid conclusory statements such as 'our interest outweighs the data subject's rights.' Instead, explain why: the data subjects are existing customers who reasonably expect the processing, the data involved is not sensitive, the impact on data subjects is minimal because the processing does not affect their legal rights or financial position, and safeguards including pseudonymisation, access controls, and a clear opt-out mechanism are in place. Where the balance is close, document it as close and explain what safeguard or mitigation tipped the conclusion. Supervisory authorities are more tolerant of genuine assessment with a debatable conclusion than of superficial analysis with an unquestioned conclusion.

Conduct and document the LIA before the processing begins. A retroactive LIA created in response to a supervisory authority inquiry is less credible than one that demonstrably informed the decision to proceed with processing.

4. Common Legitimate Interest Scenarios

Fraud prevention is one of the most widely accepted legitimate interests, explicitly recognised in Recital 47. Processing personal data for the purpose of detecting, preventing, and investigating fraud serves both the controller's commercial interest and a broader societal interest. The necessity and balancing tests are typically straightforward: fraud detection requires analysis of transaction patterns and user behaviour, data subjects have a shared interest in fraud prevention, and the processing does not ordinarily affect data subjects adversely (except where a legitimate transaction is incorrectly flagged, which should be addressed through a human review mechanism).

Network and information security is another strong legitimate interest scenario, explicitly referenced in Recital 49. Processing personal data — such as IP addresses, access logs, and device identifiers — to ensure the security of network and information systems is recognised as a legitimate interest of the controller or third party. This basis supports security monitoring, threat detection, incident investigation, and vulnerability management. For organisations also subject to NIS2, the legal obligation under NIS2 Article 21 to implement security measures may provide an alternative or complementary legal basis under Article 6(1)(c), but legitimate interest remains available and may be preferable where the NIS2 obligation does not precisely mandate the specific processing activity in question.

Direct marketing to existing customers is recognised as a potential legitimate interest in Recital 47, which states that 'the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.' However, this is not a blanket authorisation. The LIA must consider the nature of the marketing (relevant product recommendations to existing customers vs. unsolicited outreach to prospects), the data subject's reasonable expectations (existing customers may expect marketing; individuals who provided their data in a non-commercial context likely do not), the availability and prominence of an opt-out mechanism (Article 21(2) provides an absolute right to object to direct marketing), and applicable e-privacy rules (the ePrivacy Directive's consent requirement for electronic marketing communications applies independently of the GDPR legal basis). Legitimate interest for direct marketing works best for existing customer relationships with relevant, non-intrusive communications and a conspicuous unsubscribe mechanism.

5. When Legitimate Interest Is NOT Appropriate

Legitimate interest is not a fallback legal basis for processing that should properly be based on consent. Where the processing involves sensitive personal data (Article 9 special categories), legitimate interest under Article 6(1)(f) does not provide a standalone legal basis — the controller must also satisfy one of the conditions in Article 9(2), most of which require explicit consent, substantial public interest, or other specific grounds. Attempting to process health data, biometric data, or data concerning political opinions solely on the basis of legitimate interest is a fundamental compliance error.

Legitimate interest is also inappropriate where there is a significant power imbalance between the controller and the data subject. The EDPB has consistently emphasised that the employment context presents particular challenges for legitimate interest (and for consent), because the employer-employee power dynamic may undermine the data subject's ability to exercise their right to object effectively. While legitimate interest is not categorically excluded in the employment context, the balancing test must account for the power imbalance, and alternative legal bases (contractual necessity, legal obligation) should be considered first.

Processing that involves systematic monitoring, profiling, or large-scale tracking of individuals is generally difficult to justify under legitimate interest because the impact on data subjects is high and their reasonable expectations are unlikely to encompass such processing. Where processing meets the criteria for a Data Protection Impact Assessment under Article 35 — systematic and extensive evaluation of personal aspects based on automated processing, large-scale processing of special categories, or systematic monitoring of publicly accessible areas — the balancing test under legitimate interest is correspondingly more demanding. The DPIA may reveal that the processing cannot proceed on legitimate interest grounds and requires a different legal basis or additional safeguards.

Finally, legitimate interest should not be used to circumvent data subject expectations or to process data for a purpose fundamentally incompatible with the original collection purpose. Article 6(4) permits further processing compatible with the original purpose, considering factors including any link between the original and further purposes, the context of collection, the nature of the data, possible consequences, and the existence of appropriate safeguards. But where the further purpose is genuinely incompatible — such as using customer service data for automated credit scoring — legitimate interest cannot launder an incompatible purpose into a lawful one.

Legitimate interest cannot be used as a legal basis for processing special category data under Article 9. Health data, biometric data, and data on political opinions require a separate condition under Article 9(2) — legitimate interest under Article 6(1)(f) alone is insufficient.

6. Ongoing Compliance and LIA Review

A Legitimate Interest Assessment is not a one-time document filed and forgotten. The balancing test is context-dependent, and changes in context can shift the outcome. The LIA should be reviewed periodically — at minimum annually — and reassessed whenever material changes occur in the processing activity, the volume or sensitivity of data processed, the categories of data subjects, the technological means of processing, or the regulatory environment. A processing activity that was lawfully based on legitimate interest when it involved limited data from existing customers may not withstand the balancing test when scaled to include new data sources, broader profiling, or different data subject populations.

Maintain a register of all processing activities relying on legitimate interest, linked to their corresponding LIAs. This register serves the dual purpose of supporting your Article 30 record of processing activities and ensuring that LIA reviews are scheduled and tracked. When a LIA is reviewed and the conclusion reaffirmed, document the review date and the rationale for continued reliance on legitimate interest. When a review reveals that the balance has shifted, transition to an alternative legal basis (consent, contractual necessity) before the current processing becomes non-compliant — not after.

Transparency obligations under Articles 13 and 14 require the controller to inform data subjects of the legitimate interests pursued when relying on Article 6(1)(f). This information must be provided at the time of data collection (Article 13(1)(d)) or within a reasonable period for data obtained indirectly (Article 14(2)). The privacy notice should describe the specific legitimate interest, not merely state 'legitimate interest' as the legal basis. Data subjects must also be informed of their right to object under Article 21 — and the objection mechanism must be genuinely accessible and effective. Monitor objection rates as an indicator of whether data subjects' actual expectations align with the assessment documented in your LIA.

Frequently Asked Questions

Is legitimate interest the 'easiest' legal basis to use under GDPR?

No. While legitimate interest is the most flexible legal basis, it imposes the highest documentation burden. The controller must conduct and document a Legitimate Interest Assessment before processing begins, demonstrate that the three-part test is satisfied, inform data subjects of the specific interest pursued, and honour objection rights under Article 21. Consent, by contrast, requires affirmative action from the data subject but involves a simpler compliance analysis. Contractual necessity requires even less documentation where the processing is genuinely necessary for contract performance. Choose the legal basis that most accurately reflects the nature of the processing relationship — do not default to legitimate interest for convenience.

What happens if a data subject objects to processing based on legitimate interest?

Under Article 21(1), when a data subject objects to processing based on legitimate interest, the controller must cease processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. The burden is on the controller to demonstrate these compelling grounds — not on the data subject to justify their objection. For direct marketing, Article 21(2) provides an absolute right to object, with no override available to the controller. When an objection is received, assess it promptly and cease processing pending that assessment.

Can legitimate interest be used for profiling and automated decision-making?

Legitimate interest can serve as the legal basis for profiling that does not produce legal effects or similarly significant effects on the data subject. However, the balancing test becomes more demanding as the intrusiveness and impact of profiling increase. Where profiling produces legal effects or similarly significantly affects individuals, Article 22 imposes additional restrictions that may require explicit consent or authorisation by law. The EDPB has emphasised that extensive profiling, particularly involving sensitive inferences about individuals, is difficult to justify under legitimate interest because the impact on data subjects' rights is high. Conduct a DPIA under Article 35 for systematic profiling activities and consider whether legitimate interest genuinely withstands the balancing test.

How does legitimate interest interact with the ePrivacy Directive?

The ePrivacy Directive (2002/58/EC) operates as lex specialis to the GDPR for electronic communications. Even where a controller has a legitimate interest under GDPR Article 6(1)(f), the ePrivacy Directive may independently require consent — for example, for the use of cookies and similar tracking technologies (Article 5(3)), or for unsolicited electronic marketing communications (Article 13). The GDPR legal basis and the ePrivacy consent requirement must both be satisfied. A common error is concluding that legitimate interest under GDPR eliminates the need for cookie consent — it does not. The two frameworks operate in parallel, and compliance with one does not discharge obligations under the other.
