
About this detailed guidance

These pages sit alongside our Guide to the UK GDPR and provide more detailed guidance for UK organisations on legitimate interests under the GDPR.

This guidance will help you to decide when to rely on legitimate interests as your basis for processing personal data and when to look at alternatives. It explains when using legitimate interests as a lawful basis is appropriate, what it means, and how to decide whether it applies to your particular processing operation.

The concept of ‘legitimate interests’ also appears in connection with international transfers (Article 49). However, this guidance focuses on legitimate interests in its role as a lawful basis under Article 6.

For an introduction to the key themes and provisions of the UK GDPR, you should refer back to the guide. You can navigate back to the guide at any time using the link at the top of this page. Links to other relevant guidance and sources of further information are also provided throughout.

When downloading this guidance, the corresponding content from the Guide to the UK GDPR will also be included so you will have all the relevant information on this topic.

Contents

What is the ‘legitimate interests’ basis?

When can we rely on legitimate interests?

What does Article 6(1)(f) say about legitimate interests?

What is the three-part test?

What counts as a ‘legitimate interest’?

When is processing ‘necessary’?

What is the balancing test?

What are the individual’s ‘interests, rights and freedoms’?

What is the importance of reasonable expectations?

When do individuals’ interests override ours?


When might legitimate interests be appropriate?

Can we use it as the default basis for all of our processing?

What are the benefits of choosing legitimate interests?

Are there any disadvantages?

Can public authorities use legitimate interests?

Are there cases when the purpose will constitute a legitimate interest?

Are there cases when legitimate interests is likely to apply?

Can we use legitimate interests for employee or client data?

Can we use legitimate interests for intra-group transfers?

Can we use legitimate interests for our marketing activities?

Can we use legitimate interests for our business to business contacts?

Can we use legitimate interests to process children’s personal data?

Can we use legitimate interests to disclose data to third parties?

What about special category data?

When should we avoid choosing legitimate interests?

What are the alternatives?


How do we apply legitimate interests in practice?

What else do we need to consider?

What do we need to do in practice?

Why do we need to do an LIA?

What’s the process for an LIA?

(1) How do we do the purpose test?

(2) How do we do the necessity test?

(3) How do we do the balancing test?

How do we decide the outcome?

What happens next?

How does this tie in to DPIAs?


What do we need to tell people?

What if our purposes change?

What rights will individuals have?