Irish startups, SMEs, and businesses processing personal data under GDPR, particularly those evaluating legitimate interest over consent for marketing, security, or admin purposes.
Learn to apply the three-part test correctly, document LIAs, handle objections, spot pitfalls, and ensure DPC compliance to avoid hefty fines as seen with LinkedIn's €310 million penalty.
Key Takeaways
- Legitimate interest under GDPR requires passing a three-part test: legitimate purpose, necessity, and balancing against individual rights.
- Conduct and document a Legitimate Interests Assessment (LIA) for every activity, reviewing it regularly.
- Implement easy objection mechanisms; absolute right for direct marketing, conditional for others.
- Suitable for Irish businesses in fraud prevention, customer marketing, security, internal admin, group sharing.
- Avoid misuse: it is not a consent fallback and does not cover special category data; document every assessment so it withstands DPC scrutiny (the LinkedIn fine shows the cost of not doing so).

Legitimate interest is the most flexible legal basis for processing personal data under GDPR and the most misused. Article 6(1)(f) allows you to process personal data when it is necessary for your legitimate interests, provided those interests are not overridden by the individual's rights and freedoms. The DPC describes it as a "versatile and flexible" basis, but flexibility comes with responsibility. You must conduct a structured assessment, document your reasoning, and respect the individual's right to object.
The DPC fined LinkedIn €310 million in 2024 for failures related to lawfulness, fairness, and transparency, with legitimate interest as a central issue. The EDPB published detailed Guidelines 1/2024 on legitimate interest processing. This is not a basis you can claim without evidence. This guide explains when legitimate interest applies, how to conduct the three-part test, and where Irish businesses get it wrong.
What is legitimate interest under GDPR?
Legitimate interest is one of six legal bases for processing personal data under Article 6(1) of the GDPR. It allows processing when three conditions are met:
- You have a legitimate interest in the processing
- The processing is necessary to pursue that interest
- Your interest is not overridden by the individual's rights and freedoms
Unlike consent, legitimate interest does not require the individual's agreement. Unlike contractual necessity, it does not require a contract. This makes it useful for a wide range of business activities where processing is reasonable and expected but where obtaining consent would be impractical or inappropriate.
However, legitimate interest is not a default or fallback basis. The DPC's guidance on legal bases makes clear that it requires active analysis and documentation. You cannot simply assert legitimate interest without demonstrating that you have weighed your interests against the individual's rights.
Legitimate interest is not available to public authorities when processing personal data in the performance of their tasks. However, the DPC has noted that public bodies may rely on legitimate interest for ancillary purposes such as office management, financial year-end accountability, or transparency, just not for their core statutory functions.
For a broader overview of all legal bases, see our GDPR compliance guide for startups.
How does the three-part test work?
The three-part test is not explicitly set out in the GDPR text, but it derives from the structure of Article 6(1)(f) and has been confirmed by court rulings and regulatory guidance. The EDPB's Guidelines 1/2024 and the ICO's guidance both structure the assessment this way.
Part 1: The purpose test: identify a legitimate interest
First, identify the interest you are pursuing. It must be:
- Lawful: The interest must not involve anything illegal
- Clearly defined: Vague interests like "improving our business" are insufficient. Be specific: "Preventing fraud on customer accounts" or "Sending direct marketing to existing customers"
- Real and present: The interest must be current, not hypothetical or speculative
GDPR Recital 47 explicitly recognises certain interests as legitimate, including fraud prevention and direct marketing. The EDPB guidelines also acknowledge network and information risk management, processing within a corporate group for internal administrative purposes, and reporting possible criminal acts or threats to public security.
The interest does not have to be your own. Article 6(1)(f) also covers the legitimate interests of a third party, for example, sharing employee data with a payroll provider, or providing data to a fraud prevention service that protects multiple businesses.
Part 2: The necessity test: is processing essential?
The processing must be necessary to achieve the legitimate interest. "Necessary" does not mean absolutely essential; it means there is no less intrusive way to achieve the same purpose.
In our experience, the following questions should be asked:
- Could you achieve this purpose without processing personal data at all?
- Could you achieve it by processing less data?
- Could you achieve it using anonymised or pseudonymised data?
- Is the processing proportionate to the interest being pursued?
If you can reasonably achieve the same objective through a less privacy-intrusive method, the processing fails the necessity test. For example, if you want to understand website traffic patterns, anonymised analytics may achieve the same purpose without processing identifiable personal data.
Part 3: The balancing test: weighing interests against rights
This is the most important and most complex part. You must weigh your legitimate interest against the impact on the individual's rights and freedoms. The balance must tip in your favour for legitimate interest to apply.
Factors that weigh in your favour:
- The processing is what the individual would reasonably expect given their relationship with you
- The data is not sensitive or special category
- The impact on the individual is minimal
- You have implemented internal controls (pseudonymisation, access controls, data minimisation)
- The individual can easily exercise their right to object
Factors that weigh against you:
- The processing involves children's data (the GDPR gives special weight to children's rights)
- The data is sensitive or relates to vulnerable individuals
- The processing would cause significant harm, distress, or disadvantage
- The individual would not reasonably expect this use of their data
- There is a significant power imbalance between you and the individual
The EDPB emphasises that "reasonable expectations" are a key factor. If someone gives you their email to receive a product they purchased, they might reasonably expect you to send product-related communications. They would not reasonably expect you to share their data with unrelated third parties for behavioural advertising.
Author's tip: The balancing test is where most legitimate interest claims fail. If you cannot clearly articulate why your interest outweighs the individual's rights, with specific reference to the nature of the data, the relationship, and the likely impact, legitimate interest is probably not the right basis.
How do you conduct a Legitimate Interests Assessment?
A Legitimate Interests Assessment (LIA) is the documented record of your three-part test. There is no prescribed format, but the ICO provides a downloadable template, and the EDPB guidelines set out the expected content.
Your LIA should document:
- The legitimate interest: What it is, why it matters, and who benefits
- The necessity analysis: Why this processing is needed and whether less intrusive alternatives exist
- The balancing exercise: The factors considered, the weight given to each, and the conclusion reached
- Safeguards applied: What measures you have implemented to protect the individual's rights (data minimisation, pseudonymisation, transparency, opt-out mechanisms)
- The outcome: Whether legitimate interest applies, with clear reasoning
It is important to be aware that an LIA is not a one-off exercise. It is recommended that LIAs be periodically reviewed and updated to reflect changes in processing activities or regulatory requirements. If your processing changes, your circumstances change, or new guidance is issued, revisit the assessment.
The DPC expects to see documented LIAs if it audits your organisation. An undocumented claim of legitimate interest is an unsupported claim and, in our experience, an unsupported claim will not withstand regulatory scrutiny.
What are common legitimate interest scenarios for Irish businesses?
Direct marketing to existing customers
Recital 47 explicitly states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." For existing customers, you can often rely on legitimate interest to send marketing communications related to similar products or services; this aligns with the "soft opt-in" under the ePrivacy Regulations.
However, this does not extend to:
- Marketing to people who have never interacted with your business (use consent instead)
- Sharing customer data with third parties for their marketing
- Behavioural profiling for targeted advertising without proper assessment
For guidance on when consent is required instead, see our GDPR consent guide.
Fraud prevention and IT security
Processing personal data to prevent fraud, detect security threats, and protect your network and systems is widely recognised as a legitimate interest. Recital 49 specifically mentions network security as a legitimate interest.
This includes monitoring login attempts, flagging unusual account activity, scanning for malware, and maintaining access logs. The necessity and balancing tests are usually straightforward here: the processing is essential, and the individual benefits from the security measures.
Internal administration and HR purposes
Processing employee data for payroll, performance management, internal communications, and organisational planning can often rely on legitimate interest (or contractual necessity). The key is that the processing must be proportionate and expected.
Sharing employee data within a corporate group for internal administrative purposes is recognised by Recital 48 as a legitimate interest. However, this does not override the need for appropriate safeguards and data protection agreements between group entities.
Sharing data within a corporate group
If your business is part of a group of companies, sharing personal data between entities for internal administrative purposes (consolidated reporting, centralised IT, group-wide HR functions) can rely on legitimate interest under Recital 48. You should document the specific purposes and ensure data processing agreements are in place between entities.
Where does legitimate interest go wrong?
Using it as a default to avoid consent
We tend to see this as the most common mistake. Some businesses default to legitimate interest for all processing because consent is harder to obtain and manage. But legitimate interest requires its own rigorous assessment. If you are using it simply to avoid the burden of consent, you have not conducted a genuine balancing exercise.
Failing to document the assessment
Claiming legitimate interest without a documented LIA is like claiming you have a fire safety plan without writing one down. The DPC expects documentation. The EDPB expects documentation. If you cannot produce an LIA when asked, your processing is effectively unsupported.
Ignoring the right to object
Under Article 21, individuals have the right to object to processing based on legitimate interest at any time. When they object, you must stop processing unless you can demonstrate compelling legitimate grounds that override the individual's interests. For direct marketing, the right to object is absolute; there are no overriding grounds.
Many businesses fail to implement an effective objection mechanism. If individuals cannot easily find out how to object and exercise that right, your legitimate interest processing is not compliant.
Over-relying on legitimate interest for sensitive data
Legitimate interest under Article 6(1)(f) is a legal basis for processing ordinary personal data. It does not, by itself, authorise the processing of special category data under Article 9. If you are processing health data, biometric data, or other sensitive categories, you need a separate legal basis under Article 9. It is important to be aware that legitimate interest is not one of the options listed there.
How do you handle the right to object?
Article 21 gives individuals two distinct rights related to legitimate interest processing:
General right to object (Article 21(1))
Individuals can object to processing based on legitimate interest "on grounds relating to their particular situation." When you receive an objection:
- Assess the grounds: Consider the individual's specific circumstances
- Demonstrate compelling grounds (if applicable): You can continue processing only if you can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms, or if the processing is necessary for establishing, exercising, or defending legal claims
- Stop if you cannot: If you cannot demonstrate compelling grounds, stop the processing
- Respond within one month: Inform the individual of your decision
Absolute right to object to direct marketing (Article 21(2))
When someone objects to processing for direct marketing purposes, you must stop. No balancing exercise. No compelling grounds. The right is absolute. This includes profiling to the extent that it is related to direct marketing.
Build your objection handling process:
- Include a clear "object" or "unsubscribe" mechanism in all communications
- Train staff to recognise and escalate objection requests
- Log all objections with dates and outcomes
- Ensure your systems can suppress processing for individuals who have objected
Your privacy policy must inform individuals of their right to object. This is not optional; it is a transparency requirement.
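The objection handling steps above (assess, record compelling grounds, stop if you cannot, respond within one month, suppress in your systems) can be turned into a small objection register. This is an added illustration, not code from the page or from Open Forest; the purpose labels, the `ObjectionRegister` class and its outcome names are assumptions made for the example.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Optional

DIRECT_MARKETING = "direct_marketing"  # Art. 21(2): objection is absolute


def response_deadline(received: date) -> date:
    """One calendar month after receipt, clamped to the end of a shorter month."""
    extra_years, month_index = divmod(received.month, 12)
    year, month = received.year + extra_years, month_index + 1
    return date(year, month, min(received.day, monthrange(year, month)[1]))


@dataclass
class Objection:
    subject_id: str
    purpose: str
    received: date
    deadline: date                 # date by which the individual must be informed
    grounds: str = ""              # the individual's "particular situation" (Art. 21(1))
    outcome: str = "pending"       # pending / stopped / continued
    compelling_grounds: Optional[str] = None  # controller's documented override, if any


class ObjectionRegister:
    """Logs every objection with dates and outcomes and drives a suppression check."""

    def __init__(self) -> None:
        self.log: list[Objection] = []
        self._suppressed: set[tuple[str, str]] = set()  # (subject_id, purpose)

    def record(self, subject_id: str, purpose: str, received_iso: str, grounds: str = "") -> Objection:
        received = date.fromisoformat(received_iso)
        obj = Objection(subject_id, purpose, received, response_deadline(received), grounds)
        self.log.append(obj)
        # Suppress as soon as the objection arrives: permanently for direct marketing,
        # for other purposes until the controller records a decision.
        self._suppressed.add((subject_id, purpose))
        if purpose == DIRECT_MARKETING:
            obj.outcome = "stopped"
        return obj

    def decide(self, obj: Objection, compelling_grounds: Optional[str] = None) -> str:
        if obj.purpose == DIRECT_MARKETING:
            raise ValueError("direct marketing objections cannot be overridden")
        if compelling_grounds:  # only a documented reason lifts the suppression
            obj.compelling_grounds, obj.outcome = compelling_grounds, "continued"
            self._suppressed.discard((obj.subject_id, obj.purpose))
        else:
            obj.outcome = "stopped"
        return obj.outcome

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Call this before any legitimate-interest processing of this person."""
        return (subject_id, purpose) not in self._suppressed
```

Suppression is keyed per purpose, so an objection to marketing does not silently stop fraud prevention for the same customer, and the log keeps the grounds and outcome the DPC would expect to see.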
Your next step
For every processing activity that relies on legitimate interest, check whether you have a documented LIA. If you do not, create one now using the three-part test. If you do, review it and ask the following questions: has anything changed since it was written? Have your processing activities evolved? Has new guidance been issued?
Then check your objection mechanisms. Can individuals easily find out that they have the right to object? Can they exercise it without unnecessary friction? Are your systems configured to respect objections promptly?
Legitimate interest is a powerful and practical legal basis when used correctly. The DPC's €310 million LinkedIn decision shows what happens when it is used incorrectly. Document your reasoning, respect the balancing test, and build in the right to object from day one.
Need help assessing your legal bases for data processing?
Open Forest helps Irish startups get their legal and compliance foundations right, from company formation to GDPR readiness. We handle the complexity so you can focus on building your product.
Get started with Open Forest

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.