What is legitimate interest in the GDPR?

Under Article 6 of the GDPR, there are six lawful bases to process personal data. These are consent, contractual, legal obligation, vital interest, public task and legitimate interest.

The legal basis of legitimate interest means that businesses (the data controller) can process personal data if they have a legitimate interest, i.e. a valid reason for doing so. Recital 47 of the GDPR gives an example:

“…the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.

In Case C-13/16, the Court of Justice of the European Union (CJEU) noted that data processing based on “legitimate interests” is lawful only when three cumulative conditions are met:

  1. The interest pursued by the controller should indeed be “legitimate”
  2. The data processed must be necessary
  3. There should be a balance between the controller’s legitimate interests and the fundamental rights and freedoms of the data subject