What is legitimate interest in the GDPR?

Under Article 6(1) of the GDPR, there are six lawful bases for processing personal data: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests.

The lawful basis of legitimate interests means that a business (the data controller) can process personal data if it has a legitimate interest, i.e. a valid reason, for doing so. Recital 47 of the GDPR gives an example:

“…the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.

In Case C-13/16, the Court of Justice of the European Union (CJEU) noted that data processing based on "legitimate interests" is lawful only when three cumulative conditions are met:

  1. The interest pursued by the controller must indeed be "legitimate"
  2. Processing the personal data must be necessary for the purposes of that legitimate interest
  3. The fundamental rights and freedoms of the data subject must not override the controller's legitimate interest, which calls for a balancing of the two