August 10, 2025
Under Article 6 of the General Data Protection Regulation (GDPR), “legitimate interest” is established as one of six lawful bases for processing personal data. The concept permits processing where the controller has a valid reason, provided specific conditions are fulfilled. The Court of Justice of the European Union (CJEU) in Case C-13/16 set out three cumulative requirements:
1. The interest must be legitimate. The controller’s interest must be lawful, clearly articulated, and not contrary to law or public policy. For instance, Recital 47 of the GDPR recognizes that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” (GDPR, Recital 47).

2. Necessity of the data processing. The processing must be strictly necessary for the stated legitimate interest; less intrusive means of achieving it that would affect the data subject’s rights less should not be available. If the goal can be achieved without processing personal data, legitimate interest cannot be relied upon.

3. Balancing test. The controller’s interest must not override the fundamental rights and freedoms of the data subject. This balancing test requires assessment of:
Several studies highlight that “the balancing test remains a subjective exercise, creating uncertainty for controllers” (Voigt & von dem Bussche, 2017, p. 55). Notably, direct marketing is expressly cited as a potential legitimate interest, but this does not exempt controllers from conducting the balancing test or providing transparency to data subjects.
Research further notes that “legitimate interest is often invoked in contexts where consent would be impractical, but controllers must adequately document their assessment and ensure ongoing review” (Kamarinou, Millard & Singh, 2016). The Article 29 Working Party (WP29) guidance emphasizes that the use of legitimate interest is not a blanket justification and must always be considered within the broader framework of GDPR accountability (WP29 Opinion 06/2014).
In summary, legitimate interest under GDPR provides a flexible basis for data processing but requires controllers to demonstrate necessity and proportionality, and to respect data subjects’ rights through robust balancing and transparency measures.