CIPP/E Study Guide
IAPP Training · Module 4 - BoK III.B

Module 4 · Legitimate interests and the balancing test

Legitimate interests (Art 6(1)(f)) is a flexible "safety net," but it demands a Legitimate Interest Assessment (LIA). EDPB Guidelines 1/2024 set three cumulative conditions: a genuine legitimate interest, necessity, and a balance in which the data subject's rights do not override that interest. Public authorities cannot rely on it.

Legitimate interests is a safety net used with caution. The conditions: the purpose must be a genuine legitimate interest; processing must be necessary for it; data subjects must be informed at collection; the interest is balanced against their interests via a Legitimate Interest Assessment (LIA); and their fundamental rights are upheld.

EDPB Guidelines 1/2024 - three cumulative conditions

(1) Pursuit of a legitimate interest; (2) necessity of the processing for that interest; (3) the data subject's interests/rights do not override it. All three must be satisfied - they are cumulative.

The controller–data subject relationship (client, employee, etc.) shapes the data subject's reasonable expectations. One hard rule: public authorities cannot rely on legitimate interests for their tasks. (See also WP29 Opinion 06/2014 on legitimate interests.)

Key terms - quick answers

What is “Legitimate interests”?
Processing necessary for the legitimate interests of the controller or a third party, unless overridden by the data subject's interests, rights or freedoms (Art 6(1)(f)).
What is “Legitimate Interest Assessment (LIA)”?
The documented balancing test weighing the controller's interest against the data subject's interests, rights and freedoms.
What is “EDPB Guidelines 1/2024”?
EDPB guidelines on processing based on legitimate interests under Article 6(1)(f), setting three cumulative conditions.