Legitimate Interests Under GDPR: The Most Misused Lawful Basis
"Legitimate interests" is the most flexible GDPR lawful basis — and the most abused. What it actually requires, when it applies, when it doesn't, and the three-part test you must document to use it correctly.
Topics Covered
GDPR legitimate interests, lawful basis GDPR, data processing lawful basis, GDPR basics
Transcript Excerpt
Elena: Legitimate interests — Article 6(1)(f) — is one of six lawful bases for processing personal data under GDPR. It's the one that doesn't require consent and doesn't require a contract. And it's the one that's most frequently abused, partly because it sounds permissive and partly because the test for it isn't well understood.

Elena: The legitimate interests test has three parts. First: do you have a genuine, real legitimate interest? This sounds circular, but the key word is "legitimate" — the interest must be lawful and not outweighed by other considerations. Business interests qualify, but they can't be pretextual.

Elena: Second: is the processing necessary for that interest? "Necessary" in GDPR has a specific meaning — it doesn't mean merely useful or convenient. It means you couldn't achieve the same purpose with less privacy impact. This is where most legitimate interests assessments fail: companies can't demonstrate why less invasive alternatives wouldn't work.

Elena: Third — and this is the balancing test — do the individual's privacy rights override your interest? You have to genuinely weigh both sides. Factors in your favour: the data is non-sensitive, the individual would expect this use, the privacy impact is minimal. Factors against: the data is sensitive, the individual would be surprised, you're building a profile, the potential harm is significant.

Elena: My practical advice: document all three steps in writing, keep the documentation on file, and review it whenever the processing changes. If you can't articulate a clear answer to all three parts, you're not ready to rely on legitimate interests.
Part of
Compliance Corner
EU AI Act and GDPR in plain English
31 episodes · Bi-weekly