Legitimate interests

Latest updates - last updated 23 March 2026

23 March 2026 – We have updated this guidance to reflect amendments introduced by the Data (Use and Access) Act. We have also updated the guidance to follow the ICO’s latest style guide.

At a glance

  • You must have a lawful basis to use people’s information. Legitimate interests is one of the seven lawful bases in the UK GDPR.
  • Legitimate interests is the most flexible lawful basis for processing personal information. But it won’t always be the most appropriate.
  • It’s likely to be most appropriate where you use people’s information:
    • in ways they would reasonably expect;
    • in ways that have a minimal impact on their privacy; or
    • where there’s a compelling justification for what you want to do.
  • If you choose to rely on legitimate interests, you’re taking on extra responsibility for considering and protecting people’s rights and interests.
  • Public authorities may be able to rely on legitimate interests to handle personal information but only if they’re not performing their public tasks.
  • There are three elements to the legitimate interests basis. For this three-part test, you must:
    • identify a legitimate interest;
    • show that the use of personal information is necessary to achieve it; and
    • balance it against the interests, rights and freedoms of the person whose information you want to use.
  • Legitimate interests can be your own interests or those of third parties. This includes:
    • commercial interests;
    • individual interests; and
    • broader societal benefits.
  • You must ensure that your use of personal information is necessary for the purposes of the legitimate interests you’ve identified. If you can reasonably achieve the same result in another less intrusive way, legitimate interests doesn’t apply.
  • You must balance your interests against those of the person whose information you want to use. Their interests are likely to override your legitimate interests if:
    • they wouldn’t reasonably expect you to use the information in that way; or
    • your proposed use of their information would cause unjustified harm.
  • You should keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if needed.
  • You must include details of your legitimate interests in your privacy information.

In brief

What is the ‘legitimate interests’ basis?

You must have a lawful basis to use people’s information. Legitimate interests is one of the seven lawful bases in the UK GDPR and is set out in Article 6(1)(f). Legitimate interests applies when:

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Legitimate interests can be broken down into a three-part test:

  1. Purpose test: Are you pursuing a legitimate interest?
  2. Necessity test: Is your use of personal information necessary for that purpose?
  3. Balancing test: Do the person’s interests override the legitimate interest?

A wide range of interests can be legitimate interests. These can include:

  • your own interests;
  • the interests of a third party;
  • commercial interests; or
  • wider societal benefits.

Legitimate interests may be compelling or trivial. But the balancing test may override trivial interests more easily.

The UK GDPR specifically mentions certain purposes as potential legitimate interests. These are:

  • network and information security (‘IT security’) – Recital 49 gives the examples of preventing unauthorised access to networks and systems, stopping the distribution of malicious code and stopping denial-of-service attacks;
  • direct marketing; and
  • ‘intra-group transmissions’ for internal administrative purposes.

It also suggests that using client or employee information can potentially be a legitimate interest. But there is no exhaustive list.

‘Necessary’ means that you must use the personal information in a targeted and proportionate way to achieve your purpose. You can’t rely on legitimate interests if you have another reasonable and less intrusive way to achieve the same result.

You must balance your interests against those of the person whose information you want to use. Their interests are likely to override yours if:

  • they wouldn’t reasonably expect you to use their information; or
  • you would cause them unwarranted harm by using it.

However, your interests don’t always have to align with the person’s interests. If there’s a conflict, your interests can still prevail as long as you can clearly justify the impact on the person.

Legitimate interests is different from the recognised legitimate interest lawful basis. Legitimate interests can apply in a range of circumstances. Recognised legitimate interest only applies if you want to use personal information for specific purposes.

Further reading – ICO guidance

A guide to lawful basis

Recognised legitimate interest

When can we rely on legitimate interests?

Legitimate interests is the most flexible lawful basis. But it won’t always be appropriate for everything you want to do with people’s information.

If you choose to rely on legitimate interests, it places more responsibility on you to justify what you want to do and to protect people’s rights, freedoms and interests.

Legitimate interests is most likely to be appropriate where:

  • you use people’s information in ways that they would reasonably expect; and
  • there is a minimal impact on their privacy.

Where there is an impact, legitimate interests may still apply if you can show:

  • an even more compelling benefit; and
  • justification for the impact.

Legitimate interests can apply for direct marketing, but only where the Privacy and Electronic Communications Regulations (PECR) don’t require consent. Where PECR doesn’t require consent, you must still show that your use of personal information:

  • is proportionate;
  • has a minimal privacy impact; and
  • isn’t something that will surprise people or that they’re likely to object to.

Legitimate interests can also apply to:

  • using personal information to ensure network and information security (IT security);
  • ‘intra-group transmissions’ for internal administrative purposes; or
  • client or employee information.

But you must still do the three-part test, as legitimate interests won’t automatically apply to these purposes.

Legitimate interests can apply if you intend to use children’s information. But you must take extra care to protect their interests.

Legitimate interests can also apply if you want to share personal information with someone else. But you must be able to justify this. You should consider:

  • why they want the information;
  • whether they actually need it for that purpose; and
  • what they will do with it once you share it with them.

The other party is responsible for deciding which lawful basis is appropriate for their own use of the information.

You should avoid using legitimate interests where:

  • you want to use personal information in ways people don’t understand and wouldn’t reasonably expect;
  • you think some people would object if you explain to them what you want to do with their information; or
  • your use of personal information might cause harm – unless you’re confident there is a compelling reason that justifies this impact.

If you’re a public authority, you can’t rely on legitimate interests for any personal information you use to perform your tasks as a public authority. However, if you have other legitimate purposes outside the scope of your tasks, you may be able to consider legitimate interests. For example, you may be a public authority with commercial interests.

Further reading – ICO guidance

Guide to PECR

Using children’s information: a guide

How do we apply legitimate interests in practice?

If you want to rely on legitimate interests, you must do the three-part test to assess whether it applies. You should do this test before you start using the personal information. You should also document the outcome to demonstrate that this basis applies. We refer to this as a 'legitimate interests assessment' (LIA).

An LIA is a type of light-touch risk assessment based on the specific context and circumstances. You should do an LIA to help ensure your processing is lawful. You should record your LIA to help demonstrate compliance with your accountability obligations. In some cases, your LIA may be quite short. In others, there may be more to consider.

First, identify the legitimate interest(s). You should consider the following:

  • Why do you want to use the personal information – what are you trying to achieve?
  • Who benefits from the use of that information? In what way?
  • Are there any wider public benefits to the use of the personal information?
  • How important are those benefits?
  • What would the impact be if you couldn’t go ahead?
  • Would your use of that information be unethical or unlawful in any way?

Second, apply the necessity test. You should consider the following:

  • Does this use of the personal information actually help further that interest?
  • Is it a reasonable way to go about it?
  • Is there another less intrusive way to achieve the same result?

Third, do the balancing test. You must consider the person’s interests, rights and freedoms and whether these override the legitimate interest you've identified.

There’s no list of what to take into account for the balancing test. But you must consider people’s reasonable expectations – whether they can reasonably expect you to use their information for that purpose.

You should also think about the following:

  • What's the nature of your relationship with the person?
  • Is any of the information particularly sensitive or private?
  • Are you happy to explain your use of the information to them?
  • Are some people likely to object or find it intrusive?
  • What's the possible impact on the person?
  • How big an impact might it have on them?
  • Are you using children’s information?
  • Are any of the people whose information you want to use at increased risk of harm in any way?
  • Are there any safeguards you can put in place to minimise the impact?
  • Can you collect less personal information or let them opt out?

You should then decide whether you still think legitimate interests is the appropriate lawful basis. There’s no perfect formula for the outcome of the balancing test. But you should be confident that the risks you've identified don’t override your legitimate interests.

You should keep a record of your LIA and the outcome. This helps your decision-making process and shows you’ve justified the outcome. There’s no standard format for this, but you could use our sample LIA template.

You should keep your LIA under review. You should refresh it if there's a significant change in the purpose, nature or context of your use of the personal information.

If you’re not sure about the outcome of the balancing test, it may be safer to look for a different lawful basis. Legitimate interests is often not appropriate for using personal information in a way which is unexpected or high risk.

If your LIA identifies significant risks, you should consider whether you need to do a data protection impact assessment (DPIA) to assess the risk and potential mitigation in more detail.

What else do we need to consider?

In your privacy information, you must:

  • tell people that you’re relying on legitimate interests; and
  • explain what these interests are.

If you want to use the personal information for a new purpose, you may be able to use legitimate interests as your lawful basis. But you must ensure your new purpose is compatible with your original purpose. You should conduct a new LIA to help you demonstrate compatibility.

Most of the data protection rights are available to people when you rely on legitimate interests. But the right to data portability doesn’t apply.

People have a right to object to processing where your lawful basis is legitimate interests. For direct marketing, this is an absolute right. You must stop using someone’s information for direct marketing if they object to you doing so. For other purposes, you must stop unless you can show that you have compelling legitimate grounds to override that person’s rights.

Further reading – ICO guidance

Purpose limitation

Individual rights

Where can we get more information?

If having read this brief guidance you want to find out more, see our detailed guidance on legitimate interests.

Checklist

We've checked that legitimate interests is the most appropriate basis.

We understand our responsibility to protect the person’s interests.

We've conducted a legitimate interests assessment (LIA) and kept a record of it to ensure we can justify our decision.

We've identified the relevant legitimate interests.

We've checked that our use of the personal information is necessary and there's no less intrusive way to achieve the same result.

We've done a balancing test and are confident that the person’s interests don’t override those legitimate interests.

We only use personal information in ways people would reasonably expect, unless we have a very good reason.

We don’t use personal information in ways people would find intrusive or might cause them harm, unless we have a very good reason.

If we handle children’s information, we take extra care to make sure we protect their interests.

We've considered safeguards to reduce the impact where possible.

We've considered how we can make it easy for people to object (such as whether we can offer an opt-out).

If our LIA identifies a potential high risk to people’s rights, we consider whether we also need to conduct a DPIA.

We keep our LIA under review and repeat it if circumstances change.

We include information about our legitimate interests in our privacy information.