GDPR: The Legitimate Interests test


On 25 May the EU General Data Protection Regulation (GDPR) came into force. If you need help in working out whether or not your Australian business will be affected by GDPR, please get in touch with us without delay. We have offered updates recently on:

– Cross-country data transfer;
– Consent.


By Dr Drew Donnelly, Regulatory Specialist, Compliance Quarter

Today we update you on one of the more perplexing aspects of the GDPR: the ‘legitimate interests’ ground for processing personal data. On the one hand, the GDPR makes it easier for organisations to know when personal data processing is permitted (or ‘lawful’). The clear-cut definition of ‘consent’ means all organisations can be on the same page as to whether consent holds. On the other hand, the ‘legitimate interests’ ground requires each organisation to engage in a ‘balancing’ exercise in which it determines for itself whether processing in a particular case is justified. We explain this ground below.

GDPR Legitimate Interests

Article 6(1) describes a range of grounds under which processing of personal data of EU data subjects is permitted (‘lawful’). Article 6(1)(f) of the GDPR provides that processing is lawful where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”[1]

This might be separated into three tests that the organisation can ask itself in determining whether or not the legitimate interests ground is met.[2]

  • Purpose test: are you pursuing a legitimate interest?
  • Necessity test: is the processing necessary for that purpose?
  • Balancing test: do the individual’s interests override the legitimate interest?

While the necessity test is self-explanatory, we consider the other two tests below.

GDPR legitimate interests – Purpose test

The GDPR gives no definition of ‘legitimate interests’ that would make it clear when a purpose is a legitimate or an illegitimate interest. However, the EU’s Article 29 Data Protection working group offered the following in its guidance on the old EU Directive[3]:

  • The purpose must be lawful (i.e. in accordance with EU and national law);
  • be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently concrete);
  • represent a real and present interest (i.e. not be speculative).

On a practical level, an organisation using this ground must document a concrete purpose for the processing, that the purpose is lawful, and that it represents a real (not hypothetical or possible future) purpose for collecting the data. Other constraints on this test include:

  • It cannot be used by a public authority (art 6(1));
  • The processing of personal data strictly necessary for the purposes of preventing fraud is a legitimate interest (see recital 47);
  • The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (see recital 47).

Note that this advice is of a general nature (except in the case of fraud). Direct marketing is not automatically a legitimate interest. It may be a legitimate interest in some cases, depending on the judgement of the organisation, and it is always subject to the balancing test.

GDPR legitimate interests – Balancing Test

Assuming that the first two tests are met, the organisation then needs to consider whether its legitimate interest is outweighed by the interests or fundamental rights and freedoms of data subjects. Recital 47 emphasises the need for “careful assessment as to whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.

It is worth noting here that ‘interests’ is a broader term than rights, covering anything that might be important to the data subject. Note also that it need not be a ‘legitimate’ interest – even unlawful interests of the data subject need to be taken into consideration. In carrying out the balancing itself, it will be useful to consider:

  • how important the organisation’s ‘legitimate interest’ is;
  • the nature of the data;
  • the way in which the data are processed (e.g. large scale, data mining, profiling, disclosure to a large number of people or publication).[4]

If you think we could be of any assistance in carrying out a ‘legitimate interests’ assessment for the EU Personal data you control or process, please get in contact with us.


[1] For the full GDPR see

[2] See helpful guidance from the United Kingdom Information Commissioner’s Office at


[4] See, pp55-56.
