Article 6(1)(f) of the GDPR
Legitimate Interest as the Legal Basis
It is common to use legitimate interest as the legal basis for certain types of processing of personal data. Article 6(1)(f) of the GDPR sets out the legal basis of “legitimate interest”.
Legitimate interests assessment (LIA)
To determine whether the company has a legitimate interest or not, the company must carry out a legitimate interests assessment (LIA). It is important that the company documents the assessment in writing. The company may then process the personal data, provided that the legitimate interests assessment shows that 1) the data subject’s fundamental rights and freedoms and interests in the protection of his or her personal data do not override the company’s interest; and 2) the processing is necessary for the purposes of the legitimate interest in question.
Analyze the interest of the company and the data subject
A company may base the processing of personal data on legitimate interest as a legal basis if the company’s interests in the processing outweigh the data subject’s interests in the protection of their personal data. If the data subject’s fundamental rights and freedoms and interests in the protection of his or her personal data prevail, the company may not conduct the processing on this legal basis.
The more sensitive the personal data to which the processing relates, the greater the data subject’s interest in the protection of his or her personal data. Within the GDPR, there are four groups of privacy-sensitive personal data, one of which constitutes sensitive personal data. In the GDPR, sensitive personal data are referred to as “special categories of personal data”. Article 9 of the GDPR sets out the special categories of personal data.
Companies may use legitimate interest as the legal basis for certain types of processing of personal data
Below are some examples of when companies can use legitimate interest as a legal basis for certain types of processing of personal data. However, it is important to know that the data subject has the right to object to processing based on legitimate interest. Article 21 of the GDPR sets out the data subject’s right to object.
Business relationship between the company and customers
When a customer has a business relationship with a company, the company may usually process certain personal data belonging to the customer with legitimate interest as the legal basis. For example, the company may send an email to its previous customers. This is often done when the company launches a new product or service. Such processing may be conducted by the company based on its legitimate interest in marketing the company’s services or products.
Transferring personal data to third parties
It is permissible for a company that is the data controller to transfer personal data to a third party. This applies if the third party has a legitimate interest in processing the personal data in question. However, the company should know the following before the personal data is transferred:
- Why the transfer takes place.
- Whether it is really necessary.
- How the personal data will be used by the third party.
- The justification for the transfer. Note, however, that it is for the third party to determine which of the six legal bases will support its own processing of the personal data.
More examples of when companies can use legitimate interest as the legal basis for processing personal data
- When a company wants to transfer personal data within its group for administrative reasons.
- Direct marketing, such as mailings, to previous customers.
- When the processing is necessary to prevent fraud.
- When a company with employees processes certain types of personal data for the security of the employees. However, the purpose must be clear and justified.
Objections by data subjects
Please note that data subjects have the right to object to the processing of their personal data based on legitimate interest as a legal basis. Article 21 of the GDPR sets out this explicit right.
If a company sends direct marketing via email and the data subject wants the company to cease this, the company shall stop the processing for this purpose with immediate effect. In addition, the company must inform the data subjects that they have this right, and it must do so in a clear way. If the company provides information society services, such as social media, the company shall also have a technical solution that lets data subjects easily raise an objection.
In some cases, the company may continue its processing even after the data subject has objected. However, this is rarely the case. When a data subject objects to the processing, the company must carry out a new analysis and legitimate interests assessment of the processing. For example, it may be permissible to continue processing if it is necessary to defend a legal claim.
Questions the company should answer before processing is based on legitimate interest as the legal basis
Here are six questions that a company should review and answer before processing personal data on the basis of legitimate interest:
- Is legitimate interest an appropriate legal basis in the specific case, or is another legal basis more appropriate?
- Is the processing in accordance with the GDPR and other relevant laws?
- Does the company have to process this personal data in order to achieve the goal?
- Does the legitimate interests assessment show that the company’s interest outweighs that of the data subject?
- Has the company taken appropriate organizational and technical measures, for example to protect the personal data, reduce the risks to data subjects, and document the assessment?
- Has the company informed the data subjects about the processing, including how they can object?
More information about the legal bases of the GDPR
Consent as a legal basis for processing personal data
Consent is a relatively common legal basis to support the processing of personal data. But it is not always appropriate and in some cases even unlawful. In short, the legal basis of consent means that a person accepts that a company processes their personal data for a specified purpose. The consent must be active in order to be valid. In addition, the consent must be given voluntarily. An example of when consent may not be used as a legal basis is when there is an unequal power relationship between the controller and the data subject, for example between an employer and an employee.