
Legitimate Interest Guide Under the GDPR

The GDPR lists six lawful bases for the processing of personal data, and legitimate interest is one of them.

  • No particular purpose is defined, which makes it the most flexible of all the lawful bases;
  • It does not require specific consent from the data subject;
  • The processing is in the interest of the company → it benefits the company or others;
  • It is overridden where fundamental rights prevail → when the rights and interests of the data subjects need protection over the company’s own interests. For example, the data of a child or data relating to criminal offences.

But how do you know what counts as a legitimate interest? The GDPR does not define which factors to take into account when deciding whether your purpose is a legitimate interest, and legitimate interests can apply in a wide range of circumstances. It is therefore left to the company to balance its own interests against the interests of the individual and the protection of their personal data.

The Three-Part Test

The key elements of the legitimate interests provision can be broken down into a three-part test.

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms? (social and economic disadvantage, loss of control of the data, inability to exercise rights)

It is not sufficient for a company simply to decide that the processing is in its legitimate interests and start processing the data. The company must be able to satisfy all three parts of the test before the processing begins.

Legitimate Interest Under the GDPR

Legitimate interest is the most flexible lawful basis, but you cannot assume it will always be appropriate for all of your processing. A company that chooses to rely on legitimate interests takes on extra responsibility for ensuring that people’s rights and interests are fully considered and protected. Therefore, before basing data processing on a legitimate interest, a company must be sure about:

  • The minimal privacy impact
  • The proportionate use of data
  • Customers can reasonably expect such usage (would they object?)

As mentioned, a wide range of interests may be legitimate interests. They can be the company’s own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests are more easily overridden in the balancing test. To understand what constitutes a legitimate interest, see the list below.

Constitutes a legitimate interest, or may do so if the purpose is precisely defined:
  • Fraud prevention
  • Ensuring network and information security
  • Public security and the indication of criminal acts
  • Processing of employees’ and clients’ data
  • Direct marketing (subject to compliance with e-privacy rules)
  • Administrative transfers within a group of companies

Legitimate Interest Application Examples

Example NR. 1

An individual uploads their CV to a jobs board website. A recruitment agency accesses the CV, thinks that the individual may have the skills that two of its clients are looking for, and wants to pass the CV to those companies.

It is likely in this situation that the lawful basis for processing for the recruitment agency and their clients is legitimate interests.

The individual has made their CV available on a job board website for the express reason of employers being able to access this data. They have not given specific consent to identified data controllers, but they would clearly expect that recruitment agencies would access the CV and share it with their clients; indeed, this is likely to be the individual’s intention. As such, the legitimate interest of the recruitment agencies and their clients in filling vacancies would not be overridden by any interests or rights of the individual. In fact, those legitimate interests are likely to align with the interests of the individual in circulating their CV in order to find a job.

Example NR. 2

An insurance company wants to process personal data to spot fraudulent claims on the basis of legitimate interests.

Firstly, it considers the purpose test. It is in the company’s legitimate business interests to ensure that its customers do not defraud it out of money. At the same time, the company’s other customers and the public in general also have a legitimate interest in ensuring that fraud is prevented and detected.

Having met the purpose test, the insurance company can then go on to consider the necessity test and then the balancing test.

Example NR. 3

A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved to a new house without notifying the finance company of their new address. The finance company wants to engage a debt collection agency to find the customer and seek repayment of the debt. It wants to disclose the customer’s personal data to the agency for this purpose.

The finance company has a legitimate interest in recovering the debt it is owed, and to achieve this purpose it is necessary for it to use a debt collection agency to track down the customer for the payment owed.

The finance company considers the balancing test and concludes that it is reasonable for its customers to expect that they will take steps to seek payment of outstanding debts. The interests of the customer are likely to differ from those of the finance company in this situation, as it may suit the customer to evade paying their outstanding debt.

However, the legitimate interest in passing the personal data to a debt collection agency in these circumstances would not be overridden by the interests of the customer. The balance would be in favour of the finance company.

Read more about Legitimate interests under the GDPR.
