Legitimate interests & the balancing test
Legitimate interests (Article 6(1)(f)) is the most flexible lawful basis and the one on which most processing relies, but public authorities cannot use it for processing carried out in the performance of their tasks. It requires a three-part test: (1) identify a legitimate interest; (2) show the processing is necessary to achieve it; (3) balance that interest against the data subject's interests, rights and freedoms, taking their reasonable expectations into account. The recitals flag fraud prevention, direct marketing, intra-group sharing and network security as interests capable of being legitimate. A legitimate interest assessment (LIA) documents the test, and the data subject has a right to object.
Legitimate interests is the basis on which most processing usually takes place. Public authorities, however, can rely on it only in limited circumstances outside their public tasks: Recital 47 says it is for the legislator to provide the legal basis for authorities' processing.
| Step | Question |
|---|---|
| 1. Purpose test | Identify the legitimate interest of the controller or third party |
| 2. Necessity test | Show the processing is necessary to achieve it |
| 3. Balancing test | Weigh the interest against the subject's interests, rights and freedoms, including reasonable expectations |
The recitals expressly recognise: fraud prevention (Rec 47), direct marketing (Rec 47), intra-group sharing for internal administration (Rec 48), and network and information security (Rec 49) as capable of being legitimate interests.
- The ICO calls it the most flexible basis - appropriate where use is within reasonable expectations and impact is minimal, or there is a compelling justification
- Controllers should document a legitimate interest assessment (LIA)
- Interpretation has historically varied across member states (broad in the UK and France; narrower elsewhere, e.g. Italy's Garante set specific conditions for reliance on it)
- The data subject has a right to object; on a justified objection the controller must cease unless it shows compelling legitimate grounds