Legitimate Interest

Legitimate interest is a legal basis under the GDPR that permits processing of personal data without consent. It requires that your organisation's interest outweighs the data subject's rights, and that you document a balancing test.


    What is legitimate interest?

    Legitimate interest is one of the six legal bases in GDPR Article 6(1)(f). It allows you to process personal data without consent when your organisation's (or a third party's) interest is sufficiently compelling.

    Legitimate interest is the most flexible legal basis, but also the most demanding to document. You must carry out a specific balancing test (Legitimate Interest Assessment, LIA) for each processing activity, and you must be able to present it during inspections.

    Note that public authorities cannot use legitimate interest for processing carried out as part of their tasks. They must instead use Article 6(1)(e) (public interest).

    The three-step test

    To use legitimate interest, you must complete a three-step assessment:

    1. Purpose test: Do you have a genuine and lawful interest? The interest must be concrete and current, not hypothetical. Examples: fraud prevention, IT security, direct marketing to existing customers.
    2. Necessity test: Is the processing necessary to pursue the interest? Can you achieve the purpose in a less intrusive way? If so, you cannot use legitimate interest.
    3. Balancing test: Do the data subject's rights and freedoms outweigh your interest? Here you assess the impact of the processing, the data subject's reasonable expectations, the data type and the safeguards you apply.

    All three steps must be satisfied. If even one fails, you cannot use legitimate interest.

    Examples of legitimate interest

    GDPR Recitals 47-49 mention several examples:

    • Direct marketing: The GDPR recognises direct marketing as a legitimate interest, but the data subject has an unconditional right to opt out.
    • Fraud prevention: Processing data to prevent fraud.
    • IT security: Processing necessary to secure networks and systems.
    • Internal administration: Transfer of data within a group of undertakings for administrative purposes.

    For sensitive personal data, you cannot use legitimate interest. A basis in Article 9 is required.

    Documentation and right to object

    Your balancing test must be documented in writing and stored as part of your record. The Danish Data Protection Agency may ask to see it during inspections.

    The data subject has a specific right to object to processing based on legitimate interest (Article 21). When you receive an objection, you must cease processing unless you can demonstrate compelling legitimate grounds that override the data subject's interests.

    Your duty to inform requires you to tell the data subject that you use legitimate interest, what the interest is, and their right to object. This must appear in your privacy policy.

    Frequently Asked Questions about Legitimate Interest

    What is legitimate interest under the GDPR?

    Legitimate interest is a legal basis in GDPR Article 6(1)(f). It permits processing without consent when the data controller's or a third party's legitimate interest outweighs the data subject's rights and interests.

    When can you use legitimate interest?

    You can use it when three conditions are met: you have a genuine and lawful interest (purpose test), the processing is necessary to pursue it (necessity test), and the data subject's rights do not outweigh your interest (balancing test).

    What is a Legitimate Interest Assessment (LIA)?

    An LIA is the documented assessment you must carry out before using legitimate interest. It must show that your interest is genuine, that the processing is necessary, and that the data subject's rights do not outweigh it.

    Can the data subject object to legitimate interest?

    Yes. The data subject has a right to object under Article 21. You must then cease processing unless you can demonstrate compelling legitimate grounds that override the data subject's interests.
