What is Legitimate Interests Under the GDPR
“Legitimate interests” might be the GDPR’s most poorly-understood concept. This article will:
- Answer some of the most common questions on legitimate interests
- Explain why “legitimate interests” is not a loophole.
- Guide you through the steps you should take before relying on “legitimate interests”.
- Provide some real-life examples of where organisations have been challenged in court for relying on “legitimate interests”.
The GDPR’s Legal Bases
“Legitimate interests” is one of six “legal bases” (or “lawful bases”) for processing personal data under the GDPR.
You cannot process (collect, share, delete, or otherwise use) personal data without a legal basis. If none of the six legal bases applies, you can’t proceed with the processing.
Here are the six legal bases for processing under Article 6(1) of the GDPR:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
In all cases except “consent”, the processing must be “necessary” for the relevant purpose.
What Are “Legitimate Interests”?
According to the European Commission, you may have a “legitimate interest” in processing personal data when “you need to process personal data in order to carry out tasks related to your business activities”.
However, there are several caveats.
Here’s how the legal basis of “legitimate interests” appears at Art. 6(1)(f) GDPR:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Let’s break that down. Processing is lawful if:
- The processing is necessary for the purposes of legitimate interests.
- The interests are pursued by the controller or a third party.
- The interests are not overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
Later in the article, you’ll learn how to apply these three elements of legitimate interests in practice.
“Legitimate interests” is considered the most “flexible” of the GDPR’s legal bases. Controllers may seek to rely on legitimate interests if none of the other legal bases applies to their processing.
However, as noted by the Article 29 Working Party:
“This flexible wording leaves much room for interpretation and has sometimes—as experience has shown—led to lack of predictability and lack of legal certainty…”
At the end of the article, we’ll look at some real examples of organisations whose reliance on “legitimate interests” has been challenged.
Legitimate Interest Examples
There’s no list of legitimate interests in the GDPR. However, there are some examples mentioned through the GDPR’s recitals (a non-binding part of the law that helps with interpreting the legally-binding articles).
According to the recitals of the GDPR, the following purposes could be a legitimate interest:
- Preventing fraud (Recital 47).
- Direct marketing (Recital 47).
- Processing employees’ or clients’ personal data (Recital 48).
- Sharing personal data within a corporate group for “internal administrative purposes” (Recital 48).
- Ensuring network and information security (Recital 49).
- Indicating possible criminal acts or threats to public security (Recital 50).
Relying on “legitimate interests” for any of these activities is only legal under certain conditions. If you’re pursuing one of the above purposes, check the relevant recital and the various conditions that apply.
Is ‘Legitimate Interests’ a Loophole?
“Legitimate interests” is sometimes called a “loophole” in the GDPR. This assertion is incorrect.
As we’ll see below, you have some work to do before relying on legitimate interests. If another legal basis is more appropriate than legitimate interests, you must rely on that legal basis instead.
You must ensure data subjects are informed about your processing activities unless an exemption applies. You must consider any objections. And you still need to comply with the GDPR’s principles of data processing.
Relying on legitimate interests is not a loophole. In fact, it can involve more effort than getting consent.
Legitimate Interests Vs. Consent
There’s no hierarchy between the GDPR’s legal bases. “Consent” works best in some circumstances, and “legitimate interests” works best in others.
The GDPR’s conditions for consent are very strict. Sometimes you need to process personal data for a legitimate purpose, but you can’t meet all the conditions for consent.
For example, asking people if you can check whether they are committing fraud is probably counterproductive. Competent fraudsters are unlikely to say “yes”.
But you may be able to process personal data for fraud prevention without consent—if you have established that it is in your legitimate interests.
Can People Opt Out of Processing Based on Legitimate Interests?
People have the “right to object” to processing based on legitimate interests. This would enable them to “opt out” of the processing. Other data subject rights also apply.
However, the right to object is not absolute. If you can demonstrate that your interests in continuing the processing outweigh the data subject’s right to object, you may be able to continue the processing.
There is an exception for direct marketing based on legitimate interests. People always have the right to object to direct marketing.
Now let’s look at a systematic way to assess whether you can rely on legitimate interests.
Legitimate Interests Assessment or ‘Three-Part Test’
To determine whether “legitimate interests” is the right legal basis for processing personal data, you should carry out a “legitimate interests assessment”.
The UK Information Commissioner’s Office (ICO) calls this the “three-part test”. The three parts of the test are:
- The purpose test.
- The necessity test.
- The balancing test.
The three-part test is not set out in the GDPR. But the test can be a valid way to assess your legitimate interests. It derives from an important 2017 EU court case known as “Rigas”.
It’s important to document your three-part test. You must also identify the legitimate interests you are pursuing in your privacy notice.
The Purpose Test
The purpose test involves identifying the legitimate interests you (the controller) or a third party (another organisation, an individual, or wider society) are pursuing.
To determine whether your purpose for processing personal data might be a legitimate interest, ask if the purpose is:
- Lawful, either under the GDPR or other relevant laws (such as the ePrivacy Directive or consumer protection law).
- Fair and ethical.
- For the benefit of you or a third party.
On that last point: a legitimate interest must not be too broad or vague. For example, “growing our business” is probably not specific enough to pass the purpose test.
The Necessity Test
The necessity test involves assessing whether processing personal data is necessary to meet the purpose you are pursuing.
Consider questions such as:
- Do you need to process personal data to achieve your objectives?
- Can you achieve your purposes with less personal data?
- Can you achieve your purposes using less sensitive data?
- Can you link each aspect of the processing back to your purposes?
Some data protection authorities interpret “necessity” quite broadly. The processing might not need to be absolutely essential to achieve your purposes.
According to the ICO, the necessity test involves determining whether you are processing personal data in a “targeted and proportionate” way.
The Balancing Test
The balancing test involves weighing the benefits of the processing against the risks to data subjects’ interests and “rights and freedoms”.
Processing may be fair, ethical, and necessary for pursuing a legitimate purpose. But if the risk to data subjects outweighs the benefits to you or a third party, you cannot rely on “legitimate interests”.
Here are some questions to consider for the “balancing test”, grouped into three categories:
- Nature of the personal data:
  - Are you processing “special category data” or “criminal conviction data”?
  - Are you processing private or confidential data?
  - Are the data subjects children or vulnerable people?
- People’s reasonable expectations:
  - Do you have a pre-existing relationship with the data subjects? What is the nature of the relationship?
  - Did you obtain the personal data directly from data subjects?
  - For what purpose was the personal data collected? Is it compatible with the purposes you are pursuing?
  - How long ago was the personal data collected?
  - Is the processing experimental or innovative?
  - Have you researched people’s expectations?
- Possible impact:
  - How might the processing affect the data subjects or others? Would people be surprised or upset by the processing?
  - Can you facilitate data subjects’ rights over their personal data, e.g. offer them an opt-out?
  - Can you notify people of the processing?
  - What safeguards might mitigate the impact?
This process is designed to identify risks and issues. If you discover risks, you might be able to mitigate them. If not, you might still be able to proceed with the processing—but only if the benefits outweigh the risks.
Legitimate Interests: Three Real-Life Examples
Here are three important cases relating to “legitimate interests”.
Norway: Publication of Reviews of Health Professionals
This 2021 Norwegian Supreme Court case shows how the “balancing test” can sometimes favour a controller over data subjects.
A website called Legelisten.no published anonymous reviews of health professionals. The website owners relied on “legitimate interests” and argued that the benefits of the processing outweighed the interests of the data subjects.
The Norwegian data protection authority (DPA) found that the website owners did not have a legitimate interest in publishing the reviews. The decision was overturned at appeal and taken to the Supreme Court.
The Norwegian Supreme Court ruled that the website owners had a legitimate interest in publishing the health professionals’ personal data, in part because:
- The website was a useful source of information and served a public interest.
- The controller had applied some privacy protections.
- Forcing the website to close would impact freedom of expression.
As such, the website owner could rely on “legitimate interests”.
Dutch DPA: ‘Purely Commercial’ Legitimate Interests
This controversial Dutch case awaits a ruling from the Court of Justice of the European Union (CJEU). Depending on the outcome, the case could have profound implications for “legitimate interests”.
The Dutch DPA fined the Royal Dutch Lawn Tennis Association (KNLTB) €525,000 after the club sold the personal data of some of its members to sponsors. The club said it had a legitimate interest in the sale of the personal data.
The Dutch DPA decided that a “purely commercial interest” could not be a legitimate interest. The club appealed the decision and the appeal court referred the case to the CJEU.
The Dutch DPA’s decision has been criticised, including by the European Commission.
If the CJEU agrees with the Dutch DPA, this would significantly narrow the scope of the “purpose” test.
A purely commercial benefit to a controller would not constitute a “legitimate interest”—the processing would also need to bring about some other benefit to a third party or wider society.
UK Tribunal: People’s Reasonable Expectations
A 2023 case at the UK’s First Tier (Information Rights) Tribunal considered the “reasonable expectations” portion of the “balancing test”.
In 2020, the ICO issued an enforcement notice against the marketing division of credit rating agency Experian.
Among several violations, the ICO alleged that Experian should not be relying on “legitimate interests” to process personal data originally collected on the basis of “consent”.
Experian obtained personal data from third parties to perform a credit check. Those third parties had requested consent from the data subjects for this purpose.
In addition to performing a credit check, Experian relied on “legitimate interests” to process the personal data for direct marketing purposes. The ICO said that data subjects would not reasonably expect this further processing, particularly as it was considered intrusive.
Experian appealed the enforcement notice. The tribunal overturned most other elements of the ICO’s decision but agreed that relying on “legitimate interests” was not appropriate in this case.
Four Steps to Take Before Relying on Legitimate Interests
"Legitimate interests" is the most flexible GDPR legal basis. But before relying on your legitimate interests for processing personal data, take the following steps:
- Identify whether you're processing for a legitimate purpose that benefits your organisation or a third party.
- Consider whether processing personal data is necessary to meet that purpose.
- Weigh the benefits of your processing activity against the risks to data subjects and implement any necessary safeguards or mitigations.
- Document your assessment and explain your legitimate interests in your privacy notice.