Legitimate Interests

A lawful basis under GDPR Article 6(1)(f) allowing processing necessary for the legitimate interests of the controller or a third party, balanced against data subject rights.

Also: LIA (Legitimate Interests Assessment)

Legitimate interests is the most flexible of the six GDPR lawful bases — and the most often misused. Article 6(1)(f) permits processing where it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."

The flexibility comes with a documentation burden: to rely on legitimate interests, the controller must conduct and record a three-part test, often called a Legitimate Interests Assessment (LIA):

  1. Purpose test. Is there a real, specific, legitimate interest? "We want to grow the business" is too vague; "we want to detect and prevent fraudulent transactions" is concrete enough.
  2. Necessity test. Is the processing actually necessary for that purpose, or could you achieve it with less data, with a less intrusive method, or with consent?
  3. Balancing test. Do the data subject's reasonable expectations, the nature of the data, and the impact on the data subject override the controller's interest?

Common applications

Where legitimate interests is most defensible:

  • Fraud detection and security monitoring. Strong legitimate interest, expected by data subjects.
  • Direct marketing to existing customers. Recital 47 explicitly mentions this, with a Right to Object backstop.
  • Internal administration within a corporate group. Recital 48 mentions this.
  • Service improvement using existing customer telemetry. Defensible if narrowly scoped, less so if it expands into AI training.

Where it tends to fail:

  • Profiling for behavioural advertising to non-customers.
  • Selling derived insights to third parties.
  • Training large AI models on customer data without an explicit basis.

Why this matters for vendor monitoring

When a vendor adds "improving our services" or "training our models" or "developing new products" to the purposes in their privacy notice, they are typically relying on legitimate interests for that processing — and they are now the controller of it. That should trigger a re-evaluation of the relationship, including whether the vendor's LIA holds up and whether your data subjects' Right to Object pathway is meaningful.

Related terms