GDPR legitimate interests: when can you rely on it?
Art. 6(1)(f) GDPR explained — the three-part test, when it applies, when it fails, and real examples with statutory citations.
Legitimate interests requires a documented three-part test. If your processing would surprise or harm individuals, or if they would reasonably object, legitimate interests will not apply.
What is the legitimate interests basis?
Art. 6(1)(f) GDPR permits processing where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data — in particular where the data subject is a child.
Unlike consent, legitimate interests does not require the individual's agreement before processing begins. This makes it attractive for operational processing that would be impractical to obtain consent for — but it is not a free pass. The controller bears the burden of demonstrating that the balance tips in their favour, and that burden must be discharged before processing commences, not after a challenge is received.
Recital 47 GDPR identifies direct marketing as an example of processing that may be carried out for legitimate interests. It also notes that the existence of a legitimate interest needs careful assessment, including whether a data subject can reasonably expect, at the time and in the context of the collection, that processing may take place for that purpose.
The accountability principle (Art. 5(2) GDPR) requires that controllers be able to demonstrate compliance with all data protection principles — which means the balancing test must be documented before processing starts.
Art. 6(1)(f) GDPR; Recital 47 GDPR
The three-part Legitimate Interests Assessment (LIA)
All three parts of the test must be satisfied. Failing any one part means legitimate interests cannot be relied upon.
1. Purpose test — is the interest legitimate? The interest must be real, present, and not prohibited by law. Vague or speculative interests do not qualify. Examples of recognised legitimate interests include: fraud prevention, network and information security, direct marketing to existing customers (Recital 47), and intra-group employee data transfers for HR administration (Recital 48). The interest must be articulated clearly — "business interests" or "commercial interests" without more specificity will not pass this test.
2. Necessity test — is the processing necessary? The processing must be necessary to achieve the legitimate interest — not merely useful or convenient. This requires that the processing be the least privacy-intrusive means of achieving the purpose. If the same result can be achieved with less data, less intrusive collection methods, or greater anonymisation, the necessity test is not met. Controllers must genuinely consider whether there is a less intrusive alternative before concluding processing is necessary.
3. Balancing test — do individual rights override the interest? The interests, rights and freedoms of the data subject must be weighed against the controller's interest. Relevant factors include: the nature of the data (sensitive or special category data attracts higher protection), the reasonable expectations of the individual at the time data was collected, the severity and likelihood of impact on individuals, and the number of individuals affected. If individuals would be surprised by the processing, would suffer harm, or would reasonably object — the balancing test fails.
When legitimate interests works — examples
These are processing activities where the three-part test can typically be satisfied, subject to documented assessment.
Detecting unusual login patterns, blocking malicious IP addresses, and preventing account takeover. This is a clear, concrete interest that benefits both the controller and individuals. Proportionate processing of behavioural signals and IP data is justified. (Recital 47 GDPR)
Marketing your own similar products or services to customers who have already purchased from you. Individuals have a reasonable expectation of receiving marketing from companies they have transacted with. You must offer an easy opt-out mechanism. (Recital 47 GDPR)
Sharing employee data across group entities for payroll, HR management, or organisational restructuring. There is a legitimate organisational interest in managing human resources across the group. A documented LIA must be completed. (Recital 48 GDPR)
Monitoring network traffic and system logs on your own infrastructure to detect intrusions, malware, or insider threats. The security interest is real, the processing is limited to what is necessary, and individuals have some expectation of monitoring on employer systems. (Recital 49 GDPR)
When legitimate interests fails — examples
These are processing activities where the balancing test cannot be satisfied regardless of how the interest is framed.
Tracking individuals across sites and building detailed profiles for targeted advertising fails the balancing test. The intrusion into privacy is high, the benefit to the individual is minimal, and individuals would not reasonably expect this processing. The EDPB has consistently found that LI cannot justify intrusive tracking-based advertising. (EDPB Opinion 06/2014)
Individuals would not reasonably expect their personal data to be sold to third parties. The commercial interest of the controller does not override the fundamental privacy rights of individuals. This processing fails the balancing test in virtually all circumstances. (Art. 6(1)(f) GDPR)
Health data, ethnic origin, biometric data, and other special category data (Art. 9 GDPR) require an explicit legal basis under Art. 9(2). Legitimate interests under Art. 6(1)(f) does not provide a valid basis for processing special category data — a separate Art. 9(2) condition must be satisfied. (Art. 9 GDPR)
Children deserve enhanced protection (Recital 38 GDPR). Legitimate interests fails the balancing test where children are involved in commercial processing contexts. Controllers targeting children or processing children's data for profiling or advertising cannot rely on LI. (Recital 38 GDPR)
Legitimate interests vs consent — which to choose?
The choice of lawful basis has practical consequences for compliance obligations and the rights individuals can exercise.
| | Legitimate Interests | Consent |
|---|---|---|
| User action required | No — controller initiates | Yes — affirmative opt-in required |
| Documentation required | Legitimate Interests Assessment (LIA) | Consent record (who, when, what, how) |
| Can be withdrawn | Yes — right to object (Art. 21 GDPR) | Yes — withdrawal at any time (Art. 7(3) GDPR) |
| Effect of withdrawal | Must stop unless compelling legitimate grounds exist (no override for direct marketing) | Must stop all processing; cannot make withdrawal conditional |
| Best suited for | Security, fraud prevention, internal operations, existing customer marketing | Cookies, newsletters, profiling, sensitive data, new contacts |
| Risk if challenged | Must justify the balancing test with documented LIA | Must prove consent was freely given, specific, informed, and unambiguous |
The Legitimate Interests Assessment (LIA) — what to document
A Legitimate Interests Assessment is not explicitly mandated by the GDPR as a named document. However, the accountability principle (Art. 5(2) GDPR) requires that controllers be able to demonstrate compliance with all data protection principles — which in practice means the balancing test must be documented in a form that can be produced on request by a supervisory authority.
The LIA should be completed before processing commences, not after a challenge is received. It should be reviewed whenever the nature or scope of the processing changes materially. The completed LIA should be recorded in the Record of Processing Activities (ROPA) required under Art. 30 GDPR.
A LIA should cover the following:
1. Identify the legitimate interest. State what the interest is and why it is real, present, and not prohibited by law. Be specific — "business efficiency" is not sufficient. "Preventing fraudulent use of customer accounts by detecting anomalous login patterns" is.
2. Demonstrate necessity. Explain why the processing is necessary to achieve the interest. Confirm that there is no less privacy-intrusive way to achieve the same outcome. Document any alternatives considered and why they were rejected.
3. Conduct the balancing test. Assess the nature of the data, the context in which it was collected, the reasonable expectations of individuals, the likely impact of the processing, and any power imbalance between the controller and data subject.
4. Identify safeguards. Document any additional safeguards applied to mitigate impact on individuals — such as data minimisation, pseudonymisation, access controls, retention limits, or an easy opt-out mechanism.
5. Record the conclusion. State whether the balance tips in favour of the controller and why. If safeguards are required to achieve that conclusion, confirm they are in place. Reference the LIA in the ROPA entry for the processing activity.
Art. 5(2) GDPR — accountability principle; Art. 30 GDPR — records of processing activities
Frequently asked questions
Can I use legitimate interests instead of consent for cookies?
No. The ePrivacy Directive Art. 5(3) requires consent for non-strictly-necessary cookies regardless of which GDPR lawful basis would otherwise apply. Legitimate interests cannot override the ePrivacy consent requirement. Even where LI might satisfy GDPR Art. 6(1)(f) for the underlying processing, cookies and similar tracking technologies require a separate consent-based legal basis under the ePrivacy Directive.
What is the right to object under Art. 21 GDPR?
When processing is based on legitimate interests, individuals have a right to object under Art. 21(1) GDPR. You must stop processing unless you can demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms, or unless the processing relates to the establishment, exercise or defence of legal claims. For direct marketing specifically, the right to object is absolute — no override is possible. You must stop processing for direct marketing purposes upon receipt of an objection (Art. 21(2)–(3) GDPR).
Can a processor rely on legitimate interests?
Art. 6(1)(f) refers to the interests of "the controller or a third party." A processor acting on the controller's instructions processes under the controller's legal basis and does not separately need to justify a lawful basis for that processing. However, a processor acting for its own purposes — making it a controller in its own right with respect to that processing — can rely on legitimate interests for its own purposes, subject to the same three-part test.
Does legitimate interests apply to B2B marketing?
GDPR applies to the personal data of natural persons. B2B marketing directed at corporate entities (not identified individuals) falls outside GDPR scope. However, marketing to named individuals at businesses (e.g. john@company.com) involves personal data and requires a lawful basis. Legitimate interests may apply for existing business contacts where the individual would reasonably expect marketing communications and the content is relevant to their professional role.
How does legitimate interests interact with the UK GDPR?
UK GDPR Art. 6(1)(f) is substantively identical to EU GDPR Art. 6(1)(f). The three-part test — purpose, necessity, and balancing — applies in the same way. The UK ICO has published detailed Legitimate Interests guidance. The key practical difference is enforcement: violations of UK GDPR are assessed by the ICO, not EU DPAs. Controllers must ensure their LIA considers the applicable supervisory authority for the jurisdiction in which they operate.