Legitimate interest
Here we explain legitimate interest, one of the six legal bases for processing personal data under the GDPR.
Explained – what is legitimate interest under GDPR?
Legitimate interest is a legal basis under Article 6(1)(f) of the GDPR. It allows a controller to process personal data where the processing is necessary for the purposes of a legitimate interest pursued by the controller or by a third party, except where that interest is overridden by the interests or fundamental rights and freedoms of the data subject. Public authorities cannot rely on it for processing carried out in the performance of their tasks.
To determine whether legitimate interest can be relied upon, the organisation must carry out a legitimate interest assessment (sometimes called a legitimate interest balancing test). The assessment covers three questions: whether the interest pursued is legitimate, whether the processing is necessary to achieve it, and whether that interest is outweighed by the data subject’s interests, rights and freedoms. The legal basis is available only if the assessment shows that the organisation’s interest is not overridden by the individual’s.
When does legitimate interest become relevant?
Legitimate interest is relevant where neither consent, contract, legal obligation nor another legal basis is appropriate, but the organisation still has a clear and legitimate purpose for the processing. It is often used where some flexibility is needed to achieve business objectives without burdening individuals with unnecessary requests for consent. It must not, however, be treated as a fallback that is chosen simply because the other bases are inconvenient: the assessment must genuinely support it.
Examples include targeted marketing to existing customers, security monitoring to prevent crime, or analysing user behaviour to improve services. However, whether legitimate interest applies must always be assessed case by case through a legitimate interest assessment.
Points to consider for legitimate interest
When relying on legitimate interest as the legal basis, the organisation should always consider the following:
- Describe and document the specific interest to be pursued.
- Ensure the purpose is lawful and legitimate, and that the processing is necessary and proportionate to achieve it (the same result could not reasonably be achieved in a less intrusive way).
- Carry out a legitimate interest assessment to confirm that the organisation’s interest is not overridden by the data subject’s interests, rights and freedoms, taking into account what the individual would reasonably expect.
- Implement technical and organisational measures under GDPR to reduce risks to the data subject.
- Be transparent about the processing: state the legitimate interest in the privacy notice, inform data subjects of their right to object under Article 21, and honour objections unless compelling legitimate grounds override them (for direct marketing, an objection must always be honoured).
- If the processing involves special category personal data, legitimate interest alone is not sufficient: an additional condition under Article 9 must be identified, and a Data Protection Impact Assessment is likely to be required.
By working systematically through these steps, the organisation can demonstrate that the processing meets the requirements of the GDPR.
Why is legitimate interest important?
Legitimate interest provides flexibility to process personal data where other legal bases do not fit, without obstructing operational processes. It is particularly important for organisations that must act swiftly and efficiently whilst still respecting privacy.
At the same time, relying on this legal basis entails greater responsibility: under the accountability principle it is for the controller to demonstrate that the balance has been struck correctly. Without a well-founded and documented legitimate interest assessment, the processing may be deemed unlawful.
From a business perspective, proper use of legitimate interest enables value creation for both the organisation and the customer, while maintaining trust through transparency and respect for individual rights.
Frequently asked questions on legitimate interest
What is legitimate interest?
It is a legal basis that allows processing where the controller or a third party has a legitimate interest that is not overridden by the data subject’s interests, rights and freedoms, as confirmed by a legitimate interest assessment.
When can legitimate interest be used?
It can be used when other legal bases are not suitable and the purpose is lawful, legitimate and proportionate. A legitimate interest assessment is always required.
What are typical examples of legitimate interest?
- CCTV monitoring to prevent vandalism.
- Direct marketing to existing customers.
- IT security logs to detect intrusions.
What is the difference between legitimate interest and a legitimate interest assessment?
Legitimate interest is the legal basis. The legitimate interest assessment is the process and documentation used to decide whether the basis can be applied in a specific case.
What are the risks of relying on legitimate interest?
Risks include misjudging the balance, inadequate documentation and privacy breaches, which may result in sanctions and loss of trust.
How does an organisation comply when relying on legitimate interest?
- Document the purpose and interest.
- Conduct and retain the legitimate interest assessment.
- Implement safeguards, including appropriate technical and organisational measures, and inform data subjects of, and honour, their right to object.
Read more about our services
GDPR Lawyer
Engage Morling Consulting’s privacy counsel when personal data issues need to be addressed in a business-focused manner with clear control of risk. We provide support with governance, contracts, transparency and processor arrangements, ensuring the organisation remains consistent towards data subjects and the Data Protection Authority (IMY).
DPIA
We prepare Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk and require a documented basis for decision-making. We carry out the assessment, identify risks, and put in place mitigations and documentation so the DPIA is auditable, traceable, and ready for review.
Breach management
Morling Consulting supports incident management when a personal data breach must be handled swiftly and correctly. We lead the assessment, remediation plan and documentation, including materials for notification and communications, so the organisation acts in a coordinated way and reduces consequential harm.
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85