
GDPR Legitimate Interest: When and How to Use It

A practical guide to GDPR legitimate interest under Article 6(1)(f), covering the three-part test, LIA documentation, and real enforcement cases.

Legitimate interest is the most flexible of the six lawful bases the GDPR provides for processing personal data, and the one most often challenged by supervisory authorities. Enshrined in Article 6(1)(f) of the GDPR, it permits organisations to process personal data without consent when a genuine interest exists, the processing is necessary, and the data subject’s fundamental rights do not override it. According to an IAPP study, 68 percent of European organisations invoke GDPR legitimate interest for at least one major processing activity. Yet multiple fines exceeding EUR 100 million have been issued against controllers who selected this basis without conducting the required assessment.

This guide covers when GDPR legitimate interest applies, how to run the three-part balancing test, and where reliance on it will – and will not – survive regulatory scrutiny.

What Does Article 6(1)(f) Actually Require?

Article 6(1)(f) states that processing is lawful when it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.” Three cumulative conditions follow:

  1. A legitimate interest must exist – belonging to the controller, a third party, or the public.
  2. The processing must be necessary to pursue that interest.
  3. The data subject’s rights must not override the controller’s interest.

Unlike valid GDPR consent, legitimate interest requires no opt-in. The trade-off: the controller bears the full burden of justification and must document the reasoning before processing begins.

Recital 47 adds that the data subject should “reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.” This reasonable-expectation standard is central to every enforcement decision on the topic.

The Three-Part Balancing Test in Detail

The European Data Protection Board (EDPB) has structured the assessment into three sequential stages. Each stage must be satisfied before moving to the next.

Step 1: Identify a legitimate interest

The controller must articulate the specific interest and confirm it is lawful. Vague formulations such as “improving our business” are consistently rejected. The interest must be real, current, and sufficiently specific. Recitals 47 through 49 list recognised interests: fraud prevention, network security, direct marketing to existing customers, and intra-group transfers for internal administration.

A landmark 2024 CJEU ruling (Case C-621/22, KNLTB v. Autoriteit Persoonsgegevens) confirmed that purely commercial interests, including marketing, can qualify under Article 6(1)(f), ending years of conflicting interpretations across member states.

Step 2: Apply the necessity test

“Necessary” does not mean indispensable, but it does mean no less intrusive alternative would achieve the same result. This step links directly to the purpose limitation principle: if anonymisation, aggregation, or collecting fewer data points can achieve the objective, the necessity test fails.

Example: an employer monitoring every keystroke to prevent data leaks would likely fail the necessity test because restricting file-access permissions achieves the same security objective with far less impact on privacy.

Step 3: Balance against data subject rights

This is the most fact-sensitive stage. The controller weighs its interest against the impact on individuals, considering:

  • Nature of the data – special categories tip the balance heavily toward the data subject.
  • Reasonable expectations – would the individual expect this processing at the time of collection?
  • Relationship – a direct customer relationship supports stronger expectations than third-party-sourced data.
  • Safeguards – encryption, access controls, minimisation, and deletion schedules reduce impact.
  • Vulnerability – children and vulnerable groups receive heightened protection (Recital 38).

The balancing exercise must be documented in a Legitimate Interest Assessment (LIA) and maintained alongside your Records of Processing Activities.

When Does Legitimate Interest Work?

Legitimate interest works best when the individual would reasonably expect the processing and adequate safeguards are in place. The main scenarios:

Fraud prevention and network security. Recital 47 explicitly cites fraud prevention; Recital 49 addresses network security. A 2023 CNIL decision confirmed that an online payment processor could rely on legitimate interest to flag fraudulent transactions, provided the processor maintained a documented LIA and deleted flagged data within 13 months.

Direct marketing to existing customers. Recital 47 states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” According to the UK ICO, approximately 74 percent of B2B marketing in the United Kingdom relies on legitimate interest rather than consent.

Intra-group data transfers. Recital 48 recognises that controllers within a group of undertakings may have a legitimate interest in transmitting personal data for internal administrative purposes – HR, centralised IT, group-wide compliance. The three-part test still applies to each transfer.

When Does Legitimate Interest Fail?

Does legitimate interest work for children’s data, power imbalances, or unexpected processing?

Children’s data – rarely. Recital 38 mandates that “children merit specific protection.” The Irish DPC’s decisions against TikTok (EUR 345 million) and Instagram (EUR 405 million) both rejected reliance on legitimate interest for processing children’s data.

Power imbalances pose similar problems. The Hamburg DPA fined a company EUR 35.3 million in 2020 for employee surveillance based on inadequately documented legitimate interest, finding that the imbalance rendered employees unable to meaningfully object.

Unexpected processing fails the balancing test by definition. Meta Platforms’ EUR 390 million fine from the Irish DPC (January 2023) turned on this point: users did not reasonably expect that agreeing to terms of service would authorise behavioural advertising under legitimate interest.

How to Document a Legitimate Interest Assessment

The GDPR accountability principle requires controllers to demonstrate compliance proactively. Supervisory authorities can request an LIA at any time. A robust LIA contains:

  1. Processing description – what data, from whom, for what purpose.
  2. Legitimate interest identification – stated in specific, concrete terms.
  3. Necessity analysis – why less intrusive alternatives would not achieve the objective.
  4. Balancing test – impact on data subjects, safeguards applied, and conclusion.
  5. Review schedule – date of assessment and triggers for reassessment.

When the processing is likely to result in high risk, a Data Protection Impact Assessment (DPIA) is additionally required under Article 35. The LIA establishes legal basis validity; the DPIA evaluates and mitigates risk. Tools like Legiscope can streamline both by providing structured templates and automated workflows.

Store the completed LIA alongside your GDPR compliance checklist and Records of Processing Activities.

Real Enforcement Outcomes

How supervisory authorities have ruled on GDPR legitimate interest claims:

Case – Outcome – Fine

  • Meta Platforms – behavioural advertising (Irish DPC, 2023). Rejected: users did not reasonably expect processing. Fine: EUR 390M.
  • TikTok – children’s data (Irish DPC, 2023). Rejected: insufficient protection for minors. Fine: EUR 345M.
  • KNLTB – selling member data (Dutch AP, 2020). Rejected: no documented LIA. Fine: EUR 525K.
  • Payment processor – fraud detection (CNIL, 2023). Accepted: proportionate, documented, safeguarded. Fine: none.
  • Employee surveillance (Hamburg DPA, 2020). Rejected: power imbalance, excessive scope. Fine: EUR 35.3M.

The pattern: legitimate interest succeeds when backed by a documented, proportionate assessment. It fails when treated as a shortcut to avoid consent.

Practical Checklist for Getting It Right

  1. Draft a written LIA before processing begins – not after a complaint arrives.
  2. State the interest specifically: “reducing payment fraud by 15 percent,” not “security purposes.”
  3. Test necessity: could anonymisation or data minimisation achieve the same result?
  4. Evaluate impact from the data subject’s perspective.
  5. Implement objection mechanisms under Article 21 – for direct marketing, the right to object is unconditional.
  6. Review each LIA annually and whenever processing scope changes.
  7. Align LIAs with your broader data privacy principles framework.

FAQ

Legitimate interest can support direct marketing to existing customers where a prior relationship exists and an easy opt-out is provided (Recital 47). However, the ePrivacy Directive imposes additional requirements for electronic communications in most EU member states, often making prior consent mandatory for new customer acquisition.

Is a Legitimate Interest Assessment legally required?

The GDPR does not use the term “LIA” explicitly, but the accountability principle in Article 5(2) and documentation obligations in Article 24 together require controllers to demonstrate that they have performed the balancing test. Every major supervisory authority expects a written LIA. The Dutch DPA’s EUR 525,000 fine against the KNLTB sports federation was based partly on the inability to produce a documented assessment.

What happens if a data subject objects to processing based on legitimate interest?

Under Article 21, the controller must cease processing unless it demonstrates “compelling legitimate grounds” that override the data subject’s interests. For direct marketing, the right to object is absolute – processing must stop immediately with no balancing test required.

When should I use a DPIA alongside a Legitimate Interest Assessment?

Whenever processing based on legitimate interest is likely to result in high risk to individuals. Article 35 and the DPIA guidelines list specific triggers: systematic monitoring, large-scale processing, and processing of vulnerable persons’ data. Both assessments should be completed before processing begins.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister’s office on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.