Why It Matters
Legitimate interest is the most flexible legal basis under GDPR — but also the most misused. Organizations often claim legitimate interest to avoid obtaining consent, without properly documenting why their interest outweighs the individual's rights. This shortcut leads to enforcement actions. A proper Legitimate Interest Assessment (LIA) is essential.
The Three-Part Test (LIA)
To rely on legitimate interest, you must pass all three parts:
- Purpose test — Is the interest legitimate? Is it lawful, clearly identified, and real (not speculative)?
  - Examples: fraud prevention, network security, direct marketing to existing customers, employee monitoring for safety
- Necessity test — Is the processing actually necessary to achieve the purpose? Could you achieve the same goal with less data or a less intrusive method?
- Balancing test — Do the individual's rights and freedoms override the legitimate interest? Consider the nature of the data, the expectations of the data subject, the impact on the individual, and any safeguards in place.
Common Use Cases
- Fraud prevention and network security — widely accepted as legitimate interests
- Direct marketing to existing customers — permitted under the "soft opt-in" exception, but data subjects must be able to opt out easily
- Employee monitoring — may be legitimate for safety or security, but requires careful balancing
- B2B marketing — contacting business contacts about relevant services
- Sharing data within a corporate group for internal administrative purposes
When NOT to Use Legitimate Interest
- Processing special category data (health, biometrics) — legitimate interest is not available
- When the power imbalance is too great (employer-employee, government-citizen)
- When processing would be unexpected by the data subject
- When you could reasonably obtain consent instead
- For children's data — the bar is much higher
Documentation
You must document the LIA before processing begins. The assessment should be written, retained, and available for inspection by the supervisory authority. There is no prescribed format, but it must clearly show the three-part analysis.
Key Regulation
- GDPR Article 6(1)(f) — legitimate interest as a legal basis
- GDPR Recital 47 — examples of legitimate interests
- EDPB Opinion on legitimate interest — interpretive guidance