Privacy

Legitimate Interest

A legal basis for processing data when the controller's interest outweighs the data subject's rights.

Legitimate interest is one of the six legal bases for processing personal data under the GDPR. It allows processing when the data controller has a genuine reason that does not override the fundamental rights of the data subject.

The Three-Part Test

Before relying on legitimate interest, controllers must conduct a balancing test:

  1. Purpose test — Is there a legitimate interest? (e.g. fraud prevention, security, direct marketing)
  2. Necessity test — Is the processing necessary for that interest? Could a less intrusive alternative achieve the same goal?
  3. Balancing test — Do the data subject's interests, rights, or freedoms override the legitimate interest?

Common Examples

  • Preventing fraud and ensuring network security
  • Direct marketing to existing customers (with opt-out)
  • Internal administration and record-keeping
  • Processing for employment purposes

When NOT to Use Legitimate Interest

  • When consent is more appropriate (e.g. cookies, marketing to new contacts)
  • When there is a significant power imbalance (e.g. employer–employee in some contexts)
  • When processing sensitive data (requires explicit consent or another specific basis)

GDPR Article 6(1)(f). Recital 47 provides guidance on reasonable expectations.

Related Terms

Personal DataPrivacy

Any information that can identify a living individual, directly or indirectly.

Data ControllerPrivacy

The entity that determines the purposes and means of processing personal data.

ConsentPrivacy

A freely given, specific, informed, and unambiguous indication of agreement to data processing.

GDPRLegal

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

Legal BasisLegal

The lawful ground under which personal data may be processed — the GDPR defines six possible bases.

Legal BasisLocal Storage