What is Legitimate Interest Under GDPR? The Balancing Test Explained

Why It Matters

Legitimate interest is the most flexible legal basis under GDPR — but also the most misused. Organizations often claim legitimate interest to avoid obtaining consent, without properly documenting why their interest outweighs the individual's rights. This shortcut leads to enforcement actions. A proper Legitimate Interest Assessment (LIA) is essential.

The Three-Part Test (LIA)

To rely on legitimate interest, you must pass all three parts:

Purpose test — Is the interest legitimate? Is it lawful, clearly identified, and real (not speculative)?
- Examples: fraud prevention, network security, direct marketing to existing customers, employee monitoring for safety
Necessity test — Is the processing actually necessary to achieve the purpose? Could you achieve the same goal with less data or a less intrusive method?
Balancing test — Do the individual's rights and freedoms override the legitimate interest? Consider the nature of the data, the expectations of the data subject, the impact on the individual, and any safeguards in place.

Common Use Cases

Fraud prevention and network security — widely accepted as legitimate interests
Direct marketing to existing customers — permitted under the "soft opt-in" exception, but data subjects must be able to opt out easily
Employee monitoring — may be legitimate for safety or security, but requires careful balancing
B2B marketing — contacting business contacts about relevant services
Sharing data within a corporate group for internal administrative purposes

When NOT to Use Legitimate Interest

Processing special category data (health, biometrics) — legitimate interest is not available
When the power imbalance is too great (employer-employee, government-citizen)
When processing would be unexpected by the data subject
When you could reasonably obtain consent instead
For children's data — the bar is much higher

Documentation

You must document the LIA before processing begins. The assessment should be written, retained, and available for inspection by the supervisory authority. There is no prescribed format, but it must clearly show the three-part analysis.

Key Regulation

GDPR Article 6(1)(f) — legitimate interest as a legal basis
GDPR Recital 47 — examples of legitimate interests
EDPB Opinion on legitimate interest — interpretive guidance

Legitimate Interest

Why It Matters

The Three-Part Test (LIA)

Common Use Cases

When NOT to Use Legitimate Interest

Documentation

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

What Is a Privacy Impact Assessment (PIA)? Complete Guide for 2026

GDPR Training for Employees: The Complete Guide for 2026

Want more than the definition?

Legitimate Interest

Why It Matters

The Three-Part Test (LIA)

Common Use Cases

When NOT to Use Legitimate Interest

Documentation

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

What Is a Privacy Impact Assessment (PIA)? Complete Guide for 2026

GDPR Training for Employees: The Complete Guide for 2026

Want more than the definition?