Legitimate Interest

A legal basis under GDPR that allows data processing without consent when the controller’s interests are not overridden by the data subject’s rights.

Legitimate interest is one of six legal bases for processing personal data under the GDPR (Article 6(1)(f)). It allows organizations to process data without explicit consent when they have a genuine and lawful reason, the processing is necessary for that purpose, and the individual’s rights and interests do not override the organization’s interests. Common examples include fraud prevention, network security, direct marketing to existing customers, and intra-group data transfers for administrative purposes.

Using legitimate interest as a legal basis requires conducting a Legitimate Interest Assessment (LIA) — a documented three-part test. First, the purpose test: Is there a legitimate interest being pursued? Second, the necessity test: Is the processing necessary for that purpose, or could it be achieved less intrusively? Third, the balancing test: Do the individual’s interests, rights, or freedoms override the legitimate interest? This assessment must be documented and reviewed periodically. Legitimate interest cannot be used for processing that individuals would not reasonably expect or that would cause unjustified harm.

Applies To

GDPR, LGPD

How Pryvii Helps

Pryvii's compliance scanner analyzes your website’s data processing activities and identifies where legitimate interest is claimed as a legal basis, helping you verify that proper documentation and balancing tests are in place.
