About this detailed guidance

These pages sit alongside our Guide to the GDPR and provide more detailed guidance for UK organisations on legitimate interests under the GDPR.

This guidance will help you to decide when to rely on legitimate interests as your basis for processing personal data and when to look at alternatives. It explains when using legitimate interests as a lawful basis is appropriate, what it means, and how to decide whether it applies to your particular processing operation.

The concept of ‘legitimate interests’ also appears in connection with international transfers (Article 49). However this guidance focuses on legitimate interests in its role as a lawful basis in Article 6.

For an introduction to the key themes and provisions of the GDPR, you should refer back to the guide. You can navigate back to the guide at any time using the link at the top of this page. Links to other relevant guidance and sources of further information are also provided throughout.

When downloading this guidance, the corresponding content from the Guide to the GDPR will also be included so you will have all the relevant information on this topic.


What’s new under the GDPR?

What is automated individual decision-making and profiling?

Is this a significant change?

What’s different from the 1998 Act?

Why the change in the law?

What changes do we need to make?

What is profiling?

What is automated decision-making?

What are the benefits of profiling and automated decision-making?

What are the risks? 

What does the GDPR say about automated decision-making and profiling?

When can we carry out this type of processing?

What type of processing is restricted?

What does ‘solely’ automated mean?

What types of decision have a legal or similarly significant effect?

Automated decision-making systems are a key part of our business operations – do the GDPR provisions mean we can’t use them?

We profile our customers to send relevant marketing to them – does Article 22 stop us doing this?

What are the exceptions?

What about special categories of personal data? 


What else do we need to consider if Article 22 applies?

What’s a DPIA?

What do we need to tell individuals and why?

How can we explain complicated processes in a way that people will understand?

What’s the best way to provide privacy information?

What other rights do individuals have?

Will we need to make any other changes to our systems?

What if Article 22 doesn’t apply to our processing?

Are there any key areas we should focus on?

Can individuals object to profiling?