Updated: July 2026
The General Data Protection Regulation changed how organisations approach data processing, and one lawful basis keeps challenging businesses worldwide: legitimate interest. As the most flexible but most scrutinised basis under Article 6(1)(f), it gives organisations real opportunities while demanding careful justification.
A 2024 Court of Justice ruling (Case C-621/22) confirmed that commercial interests can qualify as legitimate interests, as long as they pass the three-part test.
Using legitimate interest properly is about more than ticking a compliance box. Done well, it supports lasting data processing that balances business needs with individual rights.
• Legitimate interest is a flexible lawful basis under the GDPR that lets you process personal data without explicit consent, if you can show a strong justification through the three-part test: purpose, necessity, and balancing.
• The three-part test means clearly defining your interest, showing the processing is necessary and proportionate, and weighing your interests against the rights and reasonable expectations of data subjects.
• Good documentation of your Legitimate Interest Assessment, and respecting data subject rights like the right to object, are essential for compliance and lower privacy risk.
Legitimate interest is one of six lawful bases for processing personal data, set out in Article 6(1)(f) of the GDPR. Unlike consent, which needs explicit permission, or legal obligation, which forces processing, legitimate interest gives the most flexible basis for your processing.
The law defines it as processing that is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject, especially where the data subject is a child.
This flexibility makes legitimate interest useful for many businesses. You can process personal data without prior consent, as long as you can show the processing serves a legitimate purpose and doesn’t unfairly affect people. That freedom comes with responsibility: you must run a careful assessment and keep a strong justification for what you do.
The features that set legitimate interest apart from other bases include:
• No need for explicit consent from data subjects.
• Ongoing validity that doesn’t expire the way consent might.
• Wider use, covering commercial interests, public benefits, and individual interests.
• Higher documentation standards that need detailed assessments.
• Stronger data subject rights, including the right to object.
Choosing legitimate interest over other bases takes thought. You can’t default to it for convenience. If a contract, a legal obligation, or vital interests clearly apply, those more specific bases should come first.
Every legitimate interests assessment must pass three parts at once. This is not pick-and-choose: all three must be met for processing to be lawful under Article 6(1)(f). If you can’t justify one part, the basis is unlikely to be valid.
The three-part test is your guide for showing compliance. Supervisory authorities and courts look at these parts when they judge whether an organisation properly relied on legitimate interest. Here is each part.
The purpose test asks you to identify and state your specific, lawful interest. Your purpose must be more than a vague business goal. It needs to be clearly defined, real rather than speculative, and lawful.
Valid legitimate interests cover a wide range:
• Direct marketing can be a valid legitimate interest under Recital 47 of GDPR, but electronic communications are also subject to ePrivacy rules, which often require consent unless the limited ‘soft opt-in’ exemption applies.
• Fraud prevention and information security measures protecting customers and business operations
• Network security activities safeguarding the IT infrastructure
• Customer relationship management for existing client relationships
• Employee monitoring for workplace safety and productivity
• Internal administration supporting business operations
Your interest must also be “present and effective” when you process the data. The Court of Justice has stressed that speculative future benefits don’t count: your interest must exist when you collect the data, not when you might need it later.
Common mistakes in the purpose test include:
• Stating broad goals like “business improvement”.
• Relying on hypothetical future needs.
• Not checking whether another lawful basis could achieve the same result.
• Ignoring industry-specific rules that might restrict the processing.
The necessity test asks whether your processing is targeted, proportionate, and genuinely needed to reach your stated purpose. “Necessary” doesn’t mean essential. It means the processing is a reasonable way to reach your interest and that you’ve looked at less intrusive options.
This involves a few key questions:
• Data minimisation: can you reach your purpose with less data? If you analyse customer preferences for marketing, do you need full postal addresses, or would regions do?
• Alternative methods: could you get the same result another way? To prevent fraud, could stronger authentication reduce the need for wide behavioural monitoring?
• Proportionality: does the scope of processing match how important your interest is? Collecting a lot of personal data for a minor admin task likely fails.
• Timing: is the processing needed now, or could it wait until a more suitable basis applies?
The necessity test often determines whether legitimate interest is appropriate for your specific use case. Many organisations discover that while their purpose is legitimate, their proposed processing method fails the proportionality assessment.
The balancing test is the heart of the assessment. Here you weigh your interests against the fundamental rights and freedoms of the people affected. It is not simple maths: it needs careful thought about factors that can tip the balance either way.
Factors that tend to support the organisation include:
• Broader societal benefits from your processing (such as fraud prevention, protecting all customers)
• Reasonable expectations of data subjects based on your relationship context
• Minimal impact on individual privacy
• Strong security measures protect processed data
• Clear opt-out mechanisms for objecting individuals
Factors that typically favour data subjects include:
• Sensitive or special category data requiring enhanced protection
• Processing children’s data where extra caution is always required
• Unexpected or intrusive processing that surprises individuals
• High privacy risks from your processing activities
• Vulnerable populations who may not fully understand the implications
The balancing test demands particular attention when processing involves:
• Children or individuals vulnerable to exploitation
• Data that includes the potential for physical, economic, or social harm
• Processing that people expect to require explicit consent
• Cross-border transfers are adding complexity to privacy protection
Review your balancing assessment regularly. Changes in scope, data sensitivity, or public expectations can shift the balance over time.
Direct marketing is one of the most common uses of legitimate interest, recognised in GDPR Recital 47. That marketing can be a legitimate interest doesn’t mean every marketing activity qualifies. You still have to pass the three-part test.
Your relationship with the person strongly affects whether legitimate interest works for marketing. Existing customers who bought similar products usually have reasonable expectations about relevant marketing. First-time website visitors may not expect a lot of marketing.
B2B and B2C need different approaches.
For B2B marketing, legitimate interest often applies more easily because:
• Business contacts expect professional communications
• Commercial relationships involve mutual business interests
• Professional email addresses suggest openness to relevant business communications
• Marketing often provides genuine business value to recipients
For B2C marketing, legitimate interest needs more careful justification:
• Individual consumers have stronger privacy expectations
• Personal email addresses suggest more restrictive communication preferences
• Consumer protection laws may impose additional requirements
• Marketing purposes must clearly benefit consumers, not just your organisation
Email marketing needs special attention to the ePrivacy Directive and its national versions. The GDPR may allow marketing under legitimate interest, but the ePrivacy rules often need explicit consent for electronic messages. Because of this overlap, many businesses need consent for email marketing, whatever the GDPR’s legitimate interest rules say.
Documentation for marketing legitimate interest should cover:
• Specific products or services being marketed
• Relationship history with targeted individuals
• Opt-out mechanisms and objection handling procedures
• Frequency and intrusive nature of planned communications
• Data sources and collection methods
• Measures to respect data subjects’ reasonable expectations
People have the right to object to direct marketing based on legitimate interest. You must honour objections at once and without charge, making opt-out as easy as opt-in was.
Reasonable expectations are central to the assessment. What people reasonably expect about your processing directly affects whether your interests can override their rights. These expectations aren’t fixed: they change with technology, industry practice, and social norms.
People have specific rights when you process their data under legitimate interest:
• Right to be informed: your privacy notices must clearly explain which activities rely on legitimate interest, sum up your reasoning, and say how people can use their rights.
• Right to object: unlike most other bases, legitimate interest gives people a general right to object. You must stop unless you can show strong overriding grounds that beat the person’s interests, rights, and freedoms.
• Right to object to direct marketing: this right is absolute. When someone objects to marketing under legitimate interest, you must stop all marketing to that person at once.
Other standard rights, including access, rectification, erasure (in some cases), and data portability, still apply as with other bases.
Reasonable expectations depend heavily on context:
• Website analytics for site improvement usually match visitor expectations, while wide behavioural profiling for third-party advertising often goes beyond them.
• Customer service improvements using existing customer data usually meet expectations, while sharing that data with outside marketing partners usually doesn’t.
• Security monitoring to prevent fraud usually matches expectations, while using security data for product development may not.
Assessing reasonable expectations means considering:
• Your relationship with data subjects
• How you originally collected their information
• Industry standards and common practices
• The transparency of your processing activities
• Cultural and demographic factors affecting expectations
You must also consider whether some groups need extra protection. Processing children’s data under legitimate interest faces much higher thresholds, because children can’t fully understand what’s happening or use their rights well.
Real examples make legitimate interest clearer by showing how the three-part test works in practice. These show both cases that work and cases where another basis fits better.
| Processing Activity | Legitimate Interest | Necessity Justification | Balancing Assessment | Outcome |
| Employee email monitoring for security | Protecting business assets and preventing data breaches | Targeted monitoring with clear policies | Strong business interest, employee awareness, proportionate measures | ✅ Likely Valid |
| Customer purchase analysis for inventory planning | Optimising product availability and reducing costs | Analysis is necessary for accurate forecasting | Minimal privacy impact, reasonable business expectation | ✅ Likely Valid |
| Sharing customer data with third-party advertisers | Advertising revenue generation | Not necessary – could use anonymised data | Individual privacy outweighs commercial interests | ❌ Likely Invalid |
| CCTV in retail stores | Preventing theft and ensuring customer safety | Proportionate to security risks | Clear signage, reasonable expectations, and limited access | ✅ Likely Valid |
| Analysing website behaviour for UX improvements | Improving user experience and site functionality | Direct connection between analysis and improvements | Minimal personal data, clear user benefit | ✅ Likely Valid |
Employee monitoring and workplace security often qualify when they are proportionate to the risks. Employers have interests in protecting assets, keeping people safe, and maintaining productivity. The necessity test needs targeted monitoring rather than blanket surveillance, and the balancing test needs you to weigh employee privacy expectations.
Fraud prevention and credit checks are classic examples. Financial firms and merchants have a strong interest in stopping financial crime, and customers benefit from less exposure to fraud. The processing is usually necessary because other methods work less well, and the wider benefits usually outweigh privacy concerns.
Customer relationship management for existing clients usually meets the requirements. Organisations have interests in keeping customer relationships, giving ongoing service, and offering relevant products. Customers reasonably expect continued contact within their relationship.
IT security and cybersecurity measures that protect infrastructure usually qualify. They serve both the organisation and wider society by stopping criminal acts and protecting systems many people depend on.
Internal administration and record keeping support normal operations. Organisations need operational records, HR management, and basic admin. The necessity test still requires record keeping to be proportionate rather than unlimited retention.
Knowing when legitimate interest doesn’t apply protects you from breaches and shows a solid grasp of the GDPR. Several situations consistently fail the three-part test or clash with other rules.
Processing that clashes with reasonable expectations rarely works. If people would be surprised or worried by what you do, legitimate interest is unlikely to fit. This includes using data for purposes unrelated to your original relationship.
High-risk processing that needs explicit consent under Article 9 can’t rely on legitimate interest. Special category data, including health, political opinions, religious beliefs, and biometric data, needs explicit consent or another specific basis under Article 9.
Children’s data faces very high thresholds. The GDPR says children need special protection, and their reasonable expectations differ from adults’. Most processing of children’s data needs consent from a parent or guardian.
Automated decision-making with significant effects on people usually needs a stronger basis than legitimate interest. It isn’t banned outright, but the high privacy risks and the chance of discrimination make it hard to justify for decisions about jobs, credit, or other major areas of life.
Use these decision points when choosing a basis:
• Does the processing involve special category or criminal conviction data? → Use Article 9 or 10 bases
• Are you processing children’s data? → Consider consent or other protective measures
• Would individuals be surprised by this processing? → Legitimate interest is likely inappropriate
• Does the processing carry high privacy risks? → Explicit consent may be required
• Are you legally required to process this data? → Use a legal obligation basis
• Is processing essential for contract performance? → Use contractual necessity
The following applies particularly to organisations considering legitimate interest for:
Extensive behavioural profiling across multiple websites or platforms typically exceeds reasonable expectations and fails the balancing tests due to high privacy risks.
Sharing personal data with multiple third parties for their own purposes is usually not justified under legitimate interest because the necessity test fails—sharing serves others’ interests rather than your own.
Marketing to individuals with no existing relationship presents significant challenges unless you can demonstrate compelling and legitimate interests that clearly outweigh privacy concerns.
Documenting your assessment is not just good practice, it’s a legal requirement. Article 5(2) requires controllers to show they follow the data protection principles, and supervisory authorities expect detailed records of your reasoning.
Your Legitimate Interest Assessment (LIA) should include:
• Purpose identification and justification: state your interest clearly, explain why it is legitimate, and describe how it benefits your organisation, third parties, or society. Avoid vague terms like “business improvement”. Give exact goals, such as “reducing customer service response times” or “preventing payment fraud in online transactions”.
• Necessity assessment: record your review of other methods, your data minimisation choices, and your proportionality analysis. Say why your approach is the least intrusive way to reach your purpose.
• Balancing analysis: set out how you weighed the interests, the factors you considered, the people affected, the possible impacts, and the safeguards you use. Include any special cases like children’s data or sensitive information.
• Risk assessment and mitigation: name the privacy risks and the steps you take to reduce them. This shows you take privacy seriously.
• Review and update: say when you’ll reassess and what would trigger an earlier review. Changes in scope, law, or industry standards all call for a fresh look.
A practical LIA template should cover:
1. Processing description: What personal data is processed, how, and for what specific purpose?
2. Legitimate interest identification: What specific interest are you pursuing?
3. Legal compliance verification: Does your interest comply with all applicable laws?
4. Necessity analysis: Why is this processing method necessary for your interest?
5. Alternative consideration: What other methods did you evaluate, and why were they insufficient?
6. Data subject impact assessment: How does processing affect individuals?
7. Balancing rationale: Why do your interests outweigh data subject interests?
8. Safeguards and Controls: What Measures Protect Data Subjects?
9. Objection handling: How will you process data subject objections?
10. Review schedule: When will you reassess this determination?
Many businesses assume their interests justify the processing, but authorities expect detailed reasoning, not assumptions. Your records should let an outside reviewer follow and judge your decision.
The Court of Justice of the European Union issued an important ruling in 2024 (Case C-621/22) that clarified how legitimate interest applies to commercial purposes. It settled the question of whether purely commercial interests can qualify as “legitimate interests” under Article 6(1)(f).
The case came from the Dutch Data Protection Authority’s strict reading, which questioned whether commercial advertising interests could ever be legitimate interests. The Dutch authority argued that interests mainly serving profit shouldn’t qualify.
The Court’s key findings include:
• Commercial interests can indeed constitute legitimate interests under GDPR
• Economic interests of data controllers or third parties qualify as legitimate interests
• The legitimacy of commercial interests doesn’t depend on broader public benefits
• Commercial interests must still satisfy the full three-part test, including balancing against data subject rights
This ruling is not a free pass for commercial processing. You still have to show your commercial interests are lawful, clearly stated, and real rather than speculative. The necessity and balancing tests still apply in full.
GDPR legitimate interest is a powerful but complex lawful basis that needs careful thought and a thorough assessment. By passing the three-part test of purpose, necessity, and balancing, organisations can lawfully process data without explicit consent while respecting people’s rights and reasonable expectations. Good documentation through a Legitimate Interest Assessment and ongoing transparency are essential for compliance and trust.
Whether for marketing, fraud prevention, or internal operations, legitimate interest gives flexibility but demands responsibility. Applied with care, it lets organisations use data well while protecting privacy and data protection rights.
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.
GDPR legitimate interest is a lawful basis under Article 6(1)(f) that lets organisations process personal data without explicit consent, if they can show a strong justification through the three-part test: purpose, necessity, and balancing. You use it when processing is necessary for legitimate interests of the controller or a third party, except where the rights and freedoms of the data subject override them.
The three key elements, often referred to as the three-part test, include the purpose test (defining a specific, lawful interest), the necessity test (ensuring that processing is necessary and proportionate), and the balancing test (weighing the legitimate interests against the fundamental rights and freedoms of data subjects). All three must be satisfied for legitimate interest to apply.
Yes, legitimate interest can be a lawful basis for direct marketing purposes as recognised in GDPR Recital 47. However, organisations must carefully assess whether their marketing activities meet the three-part test and respect data subjects’ rights, including their right to object to marketing communications. Proper documentation and transparency are essential.