A Legitimate Interests Assessment is a documented three-part test — purpose, necessity, balancing — that determines whether Article 6(1)(f) GDPR lawfully covers a processing activity; without a completed LIA on record before processing begins, the legal basis does not exist.
Key takeaways
- The EDPB's October 2024 Guidelines 1/2024 replaced previous Working Party opinions and set stricter criteria: the interest must be lawful, clearly articulated, and real — not speculative.
- Necessity means no reasonable, equally effective, less intrusive alternative exists. "Most convenient" does not pass.
- The balancing test weighs your interests against the reasonable expectations of the individual; if they would be surprised by the processing, that tips the scales against you.
- An LIA must be completed and documented before processing starts. Conducting it retrospectively does not create a valid lawful basis.
- Direct marketing is not automatically a legitimate interest. Recital 47 of GDPR acknowledges it as an example, but the EDPB's 2024 guidance explicitly clarifies it is not automatically sufficient — the three-part test must still be passed.
- LinkedIn's €310 million fine in 2024 and Amazon France Logistique's €32 million fine both partly rested on improper or undocumented reliance on legitimate interests.
Legitimate interests vs. other GDPR lawful bases at a glance
| Lawful basis | When to use | LIA required? | Data subject can object? |
|---|---|---|---|
| Consent (Art. 6(1)(a)) | Processing that requires freely given, specific opt-in; marketing to consumers | No | No (they withdraw consent instead) |
| Contract (Art. 6(1)(b)) | Processing strictly necessary to perform a contract with the data subject | No | No |
| Legal obligation (Art. 6(1)(c)) | Compliance with EU or member state law | No | No |
| Vital interests (Art. 6(1)(d)) | Life-or-death emergencies only; narrow | No | No |
| Public task (Art. 6(1)(e)) | Public authorities exercising official authority | No | Yes (Art. 21) |
| Legitimate interests (Art. 6(1)(f)) | Commercial, security, or administrative purposes that pass the three-part test | Yes — before processing begins | Yes (Art. 21) |
| Recognised legitimate interests (UK DUAA 2025) | Five specific public-interest categories only (crime prevention, safeguarding, national security, etc.) | No — Parliament has pre-determined the balance | No |
The recognized legitimate interests category was introduced by the UK's Data (Use and Access) Act 2025. It covers five tightly defined public-interest scenarios — crime prevention, safeguarding vulnerable individuals, emergency response, national security, and disclosures supporting official authority — where Parliament has determined the balance already. Commercial processing does not qualify; marketing, analytics, and intra-group data transfers still require a full LIA under Article 6(1)(f).
What legitimate interests actually means under GDPR
Article 6(1)(f) GDPR permits processing "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."
Three cumulative conditions must be met before the basis applies at all. The EDPB Guidelines 1/2024 published 8 October 2024 are the authoritative current interpretation — they supersede Working Party Opinion 06/2014.
Condition 1 — A legitimate interest exists. The interest must be: lawful (not contrary to EU or member state law), clearly and precisely articulated (not "for marketing purposes" in general), and real and present (not speculative or contingent on future business decisions).
Condition 2 — Processing is necessary to pursue it. The processing must be genuinely required, not merely useful or convenient. If the same outcome could be achieved with less data or a less intrusive method, the necessity test fails.
Condition 3 — The interest is not overridden. The data subject's rights, freedoms, and interests must be weighed against the controller's interest. Where the individual would not reasonably expect the processing, or where the impact on them is significant, the balance tips against reliance on Article 6(1)(f).
The LIA is the document that tests and records whether all three conditions are met.
When legitimate interests is the right basis — and when it isn't
Where it commonly applies:
- IT security monitoring and fraud prevention, where individuals cannot practically consent to every security check the system performs
- Intra-group data transfers for administrative purposes within a corporate group, where the individual reasonably expects data to move between entities they interact with
- B2B direct marketing to professional contacts where there is a prior relevant relationship (though UK PECR and national ePrivacy rules may impose additional requirements — see the B2B worked example below)
- Personalization based on previous purchases or interactions, where the data is non-sensitive and the individual would expect it
Where it regularly fails:
- Analytics tracking of individual website visitors, where aggregate or pseudonymized analytics could achieve the same business purpose — the EDPB has specifically flagged that if anonymous data achieves the goal, the necessity test fails for individual-level tracking
- Cold marketing to individuals with no prior relationship, because the balancing test typically favors the individual's right not to be contacted by organizations they have never engaged with
- Processing of special-category data (health, biometrics, religious beliefs, etc.) — Article 9 sets separate, stricter conditions; Article 6(1)(f) alone is not sufficient
- Surveillance or behavioral profiling that goes beyond what individuals would reasonably expect based on their relationship with the organization
The legitimate interest vs. consent comparison covers the boundary between these two bases in more detail.
The three-part test in detail
Part 1: Purpose test
Define the legitimate interest precisely. Broad statements fail. "We want to market our products" is not sufficient. "We want to send product update emails to existing B2B customers who have purchased our software in the past 24 months, to inform them of features relevant to their current license tier" passes the clarity requirement.
Questions to answer in writing:
- What is the specific, identified interest being pursued?
- Is it lawful under GDPR and any applicable national law?
- Is it current and concrete, or hypothetical?
- Who benefits — the controller, a third party, or potentially the data subject themselves?
The EDPB's 2024 guidelines confirm that purely commercial interests can be legitimate, but they must be substantive, not pretextual. An interest framed as "business development" that is actually a description of the processing activity itself (rather than the reason behind it) will not satisfy this test.
Part 2: Necessity test
Once the legitimate interest is established, test whether the specific processing is the minimum required to achieve it.
Questions to answer in writing:
- Is there any reasonable alternative that achieves the same result without processing personal data, or with less personal data?
- Is there any reasonable alternative that achieves the same result with less intrusive processing (e.g., pseudonymization, aggregation, shorter retention)?
- If yes to either: legitimate interests is not available unless you can show the alternative is not equally effective.
The word "necessary" in Article 6(1)(f) is the same word used in Article 6(1)(c) (legal obligation) and Article 6(1)(e) (public task). The CJEU has consistently interpreted it strictly across all three contexts. "Necessary" does not mean "helps us run the business better" — it means "we cannot achieve the stated purpose without this specific processing."
Part 3: Balancing test
This is where most LIAs need the most analysis. The balancing test considers the interests of the controller against the rights and reasonable expectations of the data subject. Relevant factors, drawn from EDPB guidance and ICO practice:
Factors that increase the weight of the data subject's side:
- The data is sensitive in nature (financial information, health-adjacent, location data)
- The individual is in a vulnerable position (employee, child, patient)
- The processing is invisible to the individual (no awareness or reasonable expectation)
- The potential impact includes distress, financial harm, reputational damage, or discrimination
- The individual has already objected or opted out of similar processing
Factors that increase the weight of the controller's side:
- The individual would reasonably anticipate the processing based on their relationship with the organization
- The data is non-sensitive and already known to the individual
- The impact of the processing is minimal and reversible
- Meaningful safeguards are in place (opt-out, data minimization, retention limits, pseudonymization)
- The processing genuinely benefits the individual as well as the controller
The reasonable expectations test sits at the center of the balancing test. If an individual, fully informed of the processing, would not be surprised by it given the context in which they provided their data — that supports the controller. If they would find it unexpected or unsettling given that context, the balance tips against the controller.
Worked example: B2B marketing emails to existing software customers
Scenario: A B2B SaaS company wants to email existing customers (business contacts, not consumers) about upgrades available to their current licence tier. The contacts purchased the software 6-18 months ago and have not opted out of email communications.
Step 1: Purpose test
The interest: maintaining the commercial relationship with existing customers by informing them of product developments relevant to their current usage. This is specific, lawful, real, and not speculative.
Result: Purpose test passed.
Step 2: Necessity test
Could the same outcome be achieved without email? Direct postal mail is less effective and more expensive without materially reducing privacy impact — it is not an equally effective alternative. Phone calls are more intrusive, not less. In-app notifications only reach active users and would miss lapsed users who may benefit from the upgrade. Email to the contact who signed the licence is the least intrusive method for this specific purpose.
Data used: name, business email address, licence tier, purchase date — no sensitive data, no data beyond what was provided during purchase.
Result: Necessity test passed.
Step 3: Balancing test
The contacts are business professionals who entered a commercial relationship and provided their work email for contractual purposes. Receiving product-relevant email from a supplier they actively chose is within reasonable expectation. The email concerns their existing licence, not third-party marketing. Impact: receiving an email, with a clear unsubscribe link, about a product they already use. Safeguard: one-click unsubscribe honoured immediately.
Caveat: UK PECR and some national ePrivacy implementations may require opt-in consent even for B2B emails to individuals rather than corporate inboxes (e.g., sole traders). Verify the subscriber's entity type before relying solely on legitimate interests under national ePrivacy law. The GDPR consent requirements guide covers situations where consent is the safer choice.
Result: Balancing test passed. Legitimate interests is a valid basis for this processing activity, with the noted ePrivacy caveat.
When the same scenario fails
Change one variable: the company obtains a list of B2B contacts from a data broker and emails them cold. No prior relationship. No reasonable expectation. The balancing test now tips heavily against the controller — the individual has never interacted with this company, cannot have anticipated contact, and has no relationship that contextualizes the outreach.
The purpose test might still pass (commercial marketing interest is real). The necessity test might still pass (email is the least intrusive method for this particular outreach). But the balancing test fails because the individual's interest in not being contacted by a stranger outweighs the company's interest in cold prospecting. An LIA documenting this scenario would correctly conclude that legitimate interests is not available for this activity.
How to document your LIA
An LIA does not need to follow a specific format, but it must exist in writing and must record enough detail to demonstrate that the three-part test was genuinely applied — not rubber-stamped. The ICO provides a sample template; the structure below covers the minimum required:
| Field | What to record |
|---|---|
| Processing activity | Specific description of what data, by whom, for what system |
| Controller/third party interest | The legitimate interest, stated specifically |
| Purpose test outcome | Pass/fail and the reasoning |
| Alternatives considered | What less intrusive options were evaluated and why they were rejected |
| Necessity test outcome | Pass/fail and the reasoning |
| Data involved | Categories, sensitivity level, volume |
| Relationship with data subjects | Nature of relationship, what they would reasonably expect |
| Potential impact | How processing could affect individuals |
| Safeguards applied | Opt-out, retention limits, pseudonymisation, access controls |
| Balancing test outcome | Pass/fail and the reasoning |
| Overall conclusion | Legitimate interests available / not available |
| Review date | When this LIA should be reassessed |
| Completed by | Name and role |
| Date completed | Must be before processing begins |
The LIA document should be stored as part of your Article 30 Record of Processing Activities. For organizations using a consent management platform, some platforms support attaching LIA records to specific processing activities within the platform's data inventory.
Five common mistakes that invalidate an LIA
1. Completing it after the fact. If processing has already started, the LIA cannot retroactively create a lawful basis. The European Court of Justice has confirmed that lawful basis must be in place before processing begins. If you discover a gap, you need a different basis (or to stop the processing) — an LIA written today does not cure processing that happened last month.
2. Using a generic template without specificity. A filed LIA that says "we have a legitimate interest in marketing our services" for every processing activity in the business is not an LIA — it is a checkbox. Each processing activity requires its own assessment.
3. Skipping the alternatives analysis. The necessity test requires you to actively consider and document whether less intrusive alternatives exist. An LIA that asserts "processing is necessary" without showing you evaluated alternatives will not survive regulatory scrutiny.
4. Ignoring the expectation gap. If individuals provided data in one context (e.g., during a support call) and you plan to use it in a materially different context (e.g., for personalized advertising), the balancing test is much harder. The LinkedIn fine included findings that users did not reasonably expect their behavioral data to be used for targeted advertising under the legitimate interests basis.
5. Treating the LIA as a one-time document. Processing activities change. If the volume of data grows substantially, if the purpose expands, or if the regulatory environment shifts (new guidance, a DPA enforcement decision in your sector), the LIA should be reviewed and updated. A review date written into the document turns that reassessment into a scheduled task rather than an afterthought.
What the EDPB's 2024 guidelines changed
The EDPB Guidelines 1/2024 are the most significant update to legitimate interests interpretation since GDPR took effect. Key changes from the prior Working Party opinion:
- Direct marketing is not automatically legitimate. Recital 47 is an example, not a blanket permission. The three-part test must be applied and documented for every direct marketing activity individually.
- The interest must be "real and present" — not speculative. An interest in potential future commercial relationships does not satisfy this criterion.
- Third-party interests are in scope. A controller can rely on a legitimate interest pursued by a third party (e.g., a parent company, a partner), but only if the three-part test is passed from the perspective of that third party's interest.
- The necessity test has no flexibility for convenience. The EDPB rejected formulations suggesting that "necessary" can mean "reasonably required" or "highly useful." If a less intrusive equally effective alternative exists, legitimate interests is unavailable.
Frequently asked questions
Do I need a DPO to complete an LIA?
No. The GDPR does not require a DPO to complete an LIA. It requires the controller to document the assessment. In practice, DPOs often lead or review LIAs, but a privacy lead, legal counsel, or compliance officer can conduct and document one. The key requirement is that it is done before processing begins and retained for accountability purposes.
How long does an LIA need to be?
Proportionate to the risk and complexity of the processing activity. A simple, low-risk activity (e.g., retaining server logs for 30 days for security monitoring) might need half a page. A complex processing activity involving large volumes of data or intrusive profiling could require several pages of analysis. The ICO's guidance is that the documentation must demonstrate genuine analysis — there is no minimum word count and no maximum.
Can we use legitimate interests for employee data?
With difficulty. The EDPB and national DPAs have consistently held that the power imbalance in the employment relationship means employees often cannot freely object to their employer's processing, which skews the balancing test against the controller. Performance monitoring, IT security monitoring, and similar activities may pass, but the assessment must engage directly with the imbalance and the specific processing, not assume that an employment relationship resolves the balancing test in the employer's favour.
Does the LIA need to be shared with data subjects?
The LIA itself does not need to be published. However, under Articles 13 and 14, the privacy notice must identify legitimate interests as the lawful basis and must also name the specific legitimate interest being pursued. Data subjects have the right to object under Article 21 to processing based on legitimate interests, so the privacy notice must clearly indicate this right.
What happens if we start processing without an LIA and then write one?
The retrospective document demonstrates you can articulate the analysis — it does not cure the absence of a lawful basis at the time processing began. DPAs can fine for processing without a valid lawful basis even if the controller later produces documentation showing legitimate interests would have been available. The fine is for the period of unlawful processing, not for the current state.
Does legitimate interests work under UK GDPR as well as EU GDPR?
Yes, with the same structure. The UK ICO's guidance on legitimate interests largely mirrors the EU approach. One practical difference: the ICO has historically been somewhat more permissive on legitimate interests for direct marketing (partially because PECR's opt-in requirement for electronic marketing reduces the GDPR overlap), but the three-part test and documentation requirement are identical.