Legitimate interest
Legitimate interest is a legal basis under Art. 6(1)(f) GDPR that permits data processing where the legitimate interests of the controller or a third party are not overridden by the interests or fundamental rights and freedoms of the data subject.
Legitimate interest under Art. 6(1)(f) GDPR is one of the six legal bases on which the processing of personal data may be founded. It applies where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Unlike consent, legitimate interest does not require an active opt-in, but it does demand a careful and documented balancing test. Any legal, economic or non-material interest can qualify as legitimate, provided it is not unlawful or otherwise legally disapproved.
The core of this legal basis is the three-step balancing test. First, the legitimate interest must be identified concretely, for example direct marketing, fraud prevention, network and information security, or the establishment and defence of legal claims. Second, the necessity is assessed: processing must not go beyond what is required to achieve the purpose, and there must be no less intrusive, equally effective means available. Third, the actual balancing takes place against the protectable interests, fundamental rights and freedoms of the data subject, taking into account their reasonable expectations, the nature of the data and the potential consequences of the processing.
Recital 47 GDPR clarifies that the reasonable expectations of the data subject at the time and in the context of the collection are decisive, and expressly names direct marketing as a potential legitimate interest. Importantly, public authorities cannot rely on legitimate interest for processing carried out in the performance of their tasks (Art. 6(1) second subparagraph GDPR). Where processing is based on legitimate interest, the data subject also has a right to object under Art. 21 GDPR. The balancing exercise should be documented in writing (a Legitimate Interest Assessment) in order to satisfy the accountability principle under Art. 5(2) GDPR.
Legal Basis
Art. 6(1)(f) GDPR; Recitals 47–49 GDPR; right to object under Art. 21 GDPR
Practical Example
An online retailer wants to recommend similar products to its existing customers by email. Instead of obtaining consent for every mailing, the data protection coordinator bases the processing on legitimate interest and prepares a Legitimate Interest Assessment: they identify the interest (marketing to existing customers), check the necessity (no less intrusive means than targeting existing customers) and weigh it against the data subjects' expectations. Because applicable national rules permit existing-customer marketing under conditions and every email contains a clearly visible unsubscribe link, the balance falls in the retailer's favour. The assessment is dated, documented and referenced in the record of processing activities.