When can we rely on legitimate interests?
In detail
- When might legitimate interests be appropriate?
- Can we use it as the default basis for everything we do with personal information?
- What are the benefits of choosing legitimate interests?
- What are the disadvantages of choosing legitimate interests?
- Can public authorities use legitimate interests?
- Are there cases when our purpose allows us to automatically rely on legitimate interests?
- Are there specific purposes when the legitimate interests basis may apply?
- Can we use legitimate interests for intra-group transmissions for internal administrative purposes?
- Can we use legitimate interests to ensure network and information security?
- Can we use legitimate interests for our direct marketing activities?
- Can we use legitimate interests for employee or client information?
- Can we use legitimate interests for our business-to-business contacts?
- Can we use legitimate interests for children’s information?
- Can we use legitimate interests to share personal information with third parties?
- Can we use legitimate interests for special category data?
- When might legitimate interests be inappropriate?
- What are the alternatives to legitimate interests?
When might legitimate interests be appropriate?
Legitimate interests is the most flexible lawful basis. It’s not focused on a particular purpose, so you have more scope to potentially rely on it in many different circumstances.
It may be the most appropriate basis when:
- what you want to do isn’t required by law but has a clear benefit to you or others;
- there’s a limited privacy impact on the person;
- the person reasonably expects you to use their information in that way; and
- consent isn’t appropriate, for example, because:
  - it’s not required;
  - you can’t, or don’t want to, give people full upfront control; or
  - you don’t want to bother them with disruptive consent requests when they’re unlikely to object to what you want to do.
The legitimate interests basis is likely to be most useful where there is a:
- minimal impact on the person; or
- compelling justification for what you want to do.
Can we use it as the default basis for everything we do with personal information?
No. Although legitimate interests is a flexible concept and is often relevant, you can’t use it as the default basis for all the personal information you handle.
None of the lawful bases take precedence over the others. You should always use the one that is most appropriate to the circumstances, considering the purpose of what you want to do.
You should carefully consider whether legitimate interests is the appropriate lawful basis. You should not try to rely on it simply because it initially seems easier to apply than other lawful bases. It’s not always the easiest option. In fact, it places more responsibility on you to justify what you want to do and what impact this may have on the person the information is about.
This means you should assess risk based on the specific context and circumstances to demonstrate that this basis is appropriate.
What are the benefits of choosing legitimate interests?
Because this basis isn’t purpose-specific, it’s flexible. This means it can apply in a wide range of different situations. It can also give you more control and security over your long-term use of people’s information than consent, which a person might withdraw at any time. But you must still consider any objections people make to your use of their information.
Legitimate interests also promotes a risk-based approach to compliance, as you should think about the impact of your use of information on people. This can:
- help you identify risks and take appropriate safeguards;
- support your obligation to ensure ‘data protection by design’; and
- help you identify when you might need to do a data protection impact assessment (DPIA).
Using this basis to do things that are expected and have a low privacy impact may help you avoid sending people frequent consent requests (known as consent fatigue). If you do it properly, it can also be an effective way of protecting people’s interests. This is especially true when you combine it with clear privacy information and an upfront opportunity to opt out.
What are the disadvantages of choosing legitimate interests?
Legitimate interests places greater responsibility on you compared to some of the other lawful bases.
For example, legitimate interests doesn’t specify any particular purpose for using the personal information, whereas the other lawful bases that include a necessity test tie that test to a defined purpose (eg for the contract lawful basis the purpose is performing the contract). For legitimate interests, you must:
- identify your purpose and justify why it is in your legitimate interests; and
- demonstrate that the processing is necessary.
You must also ensure you balance your interests against those of the person whose information you want to use.
You may find it harder to demonstrate compliance as there can be scope for disagreement over the outcome of the balancing test. You should be able to clearly justify your decision that the balance actually favours you using the personal information.
Using legitimate interests means that you take on the responsibility of protecting the interests of the person. If it’s more appropriate to give people responsibility for the use of their information, you should consider whether consent is the more appropriate lawful basis.
Legitimate interests requires more work to ensure transparency. You must clearly explain in your privacy policy what the legitimate interests are for what you want to do.
Can public authorities use legitimate interests?
Yes, but only in some instances. If you’re a public authority, you can’t rely on legitimate interests where you intend to use personal information to perform your public tasks.
The UK GDPR says this is because it’s the legislature’s role to give you the legal authority to use personal information. This means you’re only able to use people’s information for performing your tasks if the law authorises you to do so. This can include clear common law tasks, functions or powers as well as those set out in statute or statutory guidance.
This is what the public task lawful basis is for. So, if you’re using personal information as part of performing your tasks as a public authority, you should use it.
But this restriction on using legitimate interests is about the nature of the task, not the nature of the organisation.
This means that legitimate interests may potentially be available for any use of personal information that’s not part of you performing your tasks. However, you must still:
- be accountable and be able to demonstrate that this is the case; and
- do the three-part test.
Are there cases when our purpose allows us to automatically rely on legitimate interests?
No, there are no purposes that automatically constitute a legitimate interest for this lawful basis. This means you must do the three-part test to work out whether you can rely on legitimate interests for what you want to do.
The separate lawful basis of recognised legitimate interest contains pre-approved purposes. But these are only relevant for that basis. These are:
- preventing, detecting or investigating crimes (including fraud);
- responding or dealing with an emergency event or situation;
- safeguarding national security, protecting public security or defence;
- safeguarding "vulnerable" people; and
- sharing personal information with another organisation at their request because they have confirmed they need it for their public tasks or official functions.
Are there specific purposes when the legitimate interests basis may apply?
Yes. While legitimate interest can apply to any purpose, the UK GDPR sets out some purposes where the legitimate interests basis may apply. These are:
- ensuring the security of network and information systems;
- direct marketing; and
- intra-group transmission for internal administrative purposes.
The UK GDPR says that these purposes "may" be a legitimate interest. This doesn’t mean they always are, or that the legitimate interests basis automatically applies. You must still do the three-part test to demonstrate that legitimate interests applies in the particular circumstances.
In addition, the UK GDPR says that a legitimate interest "could exist" for using the personal information of your employees or clients. But as with the three purposes above, you must still ensure you can meet all the requirements of the legitimate interests lawful basis.
Many other purposes that you want to use people’s information for may also be legitimate interests. The activities highlighted by the UK GDPR are non-exhaustive.
Can we use legitimate interests to ensure network and information security?
Yes, in some cases. But you must apply the three-part test.
Article 6(11)(c) of the UK GDPR says:
For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include—
(c) processing that is necessary for the purposes of ensuring the security of network and information systems.
This means you "may" have a legitimate interest in using personal information to ensure the security of your systems. But it doesn’t say this always constitutes a legitimate interest.
The "security of network and information systems" is the ability of your systems to resist actions that might compromise the "availability, authenticity, integrity or confidentiality" of the personal information you use. This links to the UK GDPR’s security principle.
In many cases, it may be straightforward for you to meet the purpose test in these circumstances. For example, this may include cases where your use of the personal information is about preventing:
- unauthorised access to your networks and systems;
- malicious code distribution;
- ‘denial of service’ and other common cyber attacks; and
- damage to your computer and electronic communication systems.
But remember, you must ensure your use of personal information is necessary for these purposes. So you should demonstrate that it’s a reasonable and proportionate way to achieve your intended security outcomes. You must also complete the balancing test before you start using the personal information for these purposes.
Can we use legitimate interests for intra-group transmissions for internal administrative purposes?
Yes, in some cases you can use legitimate interests to share personal information within your group of organisations. But you must consider the three-part test. Legitimate interests doesn’t automatically cover all such intra-group transmissions for administrative purposes.
Article 6(11)(b) of the UK GDPR says:
For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include—
(b) intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes
This indicates that you "may" have a legitimate interest in transmitting personal information to other organisations within your group for internal administrative purposes. This can include information about:
- your clients;
- your employees; or
- other people (eg contractors).
However, the UK GDPR doesn’t say this always counts as a legitimate interest.
The UK GDPR defines "intra-group transmissions" as the transmission of personal information between members of:
- a group of undertakings; or
- a group of institutions affiliated to a central body.
An ‘undertaking’ is any entity that is involved in economic activity. This can include offering goods or services. The entity’s legal status or how it finances itself doesn’t matter. For example, public authorities and charities may also be undertakings if they carry out an economic activity.
If you operate as part of a group of undertakings, you may be able to demonstrate that intra-group transmissions are necessary for internal administrative purposes. But you must:
- identify your specific purpose;
- show that your use of this personal information is necessary for that purpose; and
- consider the balancing test.
Example
Company B is a subsidiary of Company A. Company B doesn’t have a HR department as this function is performed centrally at Company A. Company B wants to rely on legitimate interests as their lawful basis for passing employee information to Company A.
Company B decides that it is in their legitimate interests to disclose personal information (eg about leave, sickness and performance) to their parent company for group HR administration purposes.
However, before they can be sure their use of the personal information is lawful under the legitimate interests basis, Company B must:
- consider whether transferring this information is necessary for this purpose; and
- balance this against people’s interests.
As the information that Company B wants to transfer includes special category data, they must also identify a special category condition in compliance with article 9.
Intra-group transmission may involve international transfers (eg where entities located overseas perform certain functions). In these cases, you must also comply with the rules on international transfers.
Can we use legitimate interests for our direct marketing activities?
Yes, in some cases. But you must apply the three-part test and ensure you comply with other marketing laws. Article 6(11)(a) of the UK GDPR says:
For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include—
(a) processing that is necessary for the purposes of direct marketing
This means that direct marketing "may" be a legitimate interest. However, the UK GDPR doesn’t say that direct marketing always constitutes a legitimate interest. Whether you can rely on legitimate interests depends on the particular circumstances.
In terms of the purpose test, some forms of direct marketing may not be legitimate if they don’t comply with:
- other legal or ethical standards; or
- industry codes of practice.
However, in most cases it’s likely that direct marketing can be a legitimate interest as long as you carry out the marketing in compliance with electronic marketing rules and other legal and industry standards.
But this doesn’t automatically mean that all uses of personal information for direct marketing purposes are lawful on this basis. You must still show that your use of the information passes the necessity and balancing tests.
For some types of marketing, you must be more specific about what you want to do and how you intend to do it. This is so you can demonstrate that:
- it’s necessary; and
- you’ve weighed things up in the balancing test.
For example, if you use profiling to target your direct marketing, you must be specific about this to show that it’s necessary.
For direct marketing purposes, you should focus your balancing test primarily on your own interests. You should not rely on vague statements about wider presumed benefits. For example, simply suggesting that direct marketing is in people’s interests (eg because they receive products at reduced prices or offers that may be relevant to their needs) is unlikely to have much impact on the outcome of your balancing test.
In some cases, direct marketing has the potential to have a significant negative effect on the person, depending on their circumstances. For example, direct marketing for high-interest loans targeted at someone who is known or likely to be in financial difficulties may lead to them signing up for these offers and potentially incurring further debt.
For the balancing test, you should also consider factors such as:
- whether people would reasonably expect you to use their details in this way;
- the potential nuisance caused by unwanted direct marketing messages; and
- the effect of your chosen method and frequency of communication on people who are at more risk of harm.
People have the absolute right to object to direct marketing. You must make them aware of this right and clearly bring it to their attention. You should give people an easy way to object, and you must make it free of charge for them to do so. It’s more difficult to pass the balancing test if you don’t do this. The lack of any proactive opportunity for people to opt out in advance creates:
- a risk of them losing control over their information; and
- an unnecessary barrier to exercising their data protection rights.
So, you should give people a clear choice to opt out of direct marketing when you:
- initially collect their details; or
- communicate with them for the first time (if you didn’t collect the details directly from them).
If you include this sort of measure when you’re doing the balancing test, this can help you demonstrate that legitimate interests applies to your direct marketing activities.
Example
A charity wants to send fundraising material by post to people who have donated to them in the past and have not previously objected to receiving marketing material from them.
The charity’s purpose of direct marketing to seek funds to further their cause is a legitimate interest.
The charity then looks at whether sending the material is necessary for their fundraising purpose. They decide that:
- it is necessary to process contact details for this purpose; and
- sending the material is a proportionate way of approaching people for donations.
The charity considers the balancing test. They take into account that they are using only names and addresses. They also consider it would be reasonable for these people to expect that they may receive marketing material by post, given their previous relationship with the charity.
The charity determines that the impact of a fundraising mailing on these people is likely to be minimal.
However, they include details in the mailing (and each subsequent one) about how people can opt out of receiving postal marketing in future.
Legitimate interests may not always be available or appropriate if you intend to use personal information for the purposes of direct marketing by electronic means, for example, by:
- email;
- text message; or
- automated phone calls.
This is because PECR mean that you must get consent for some forms of electronic marketing. PECR use the UK GDPR standard of consent.
If PECR require consent, you must not use legitimate interests as your lawful basis for using personal information for that purpose. This is because PECR limit what lawful basis is available to you.
If PECR require consent, you must use consent as your lawful basis as well. Otherwise, your use of the personal information is unlawful. Legitimate interests can’t legitimise unlawful processing.
If you’ve obtained consent in compliance with PECR, consent is also the appropriate lawful basis under the UK GDPR. Trying to apply legitimate interests when you already have UK GDPR-compliant consent would be unnecessary and cause people confusion.
If PECR don’t require consent, legitimate interests may be available. Taking these requirements into account, and depending on the outcome of your three-part test, legitimate interests may be appropriate for ‘solicited’ marketing (ie marketing that someone proactively and specifically requests). It may also be appropriate for unsolicited marketing in the following circumstances:
| Marketing method | Is legitimate interests likely to be appropriate? |
|---|---|
| Post | ✔ |
| ‘Live’ phone calls to TPS/CTPS registered numbers | ✖ |
| ‘Live’ phone calls to those who have objected to your calls | ✖ |
| ‘Live’ phone calls where there is no TPS/CTPS registration or objection | ✔ |
| Automated phone calls | ✖ |
| Emails/text messages to people – obtained using a ‘soft opt-in’ | ✔ |
| Emails/text messages to people – without a ‘soft opt-in’ | ✖ |
| Emails/text messages to business contacts | ✔ |
Remember, the UK GDPR specifically gives people the right to object to the use of their personal information for the purposes of direct marketing. You must tell people they can object and make it easy for them to do so. If someone objects to you using their personal information for direct marketing purposes, this overrides your legitimate interests. This means you must stop using their information for direct marketing purposes.
Can we use legitimate interests for employee or client information?
Yes, in some cases, but it doesn’t always apply and you must consider the three-part test.
Recital 47 of the UK GDPR provides guidance on this:
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
An example of a "relevant and appropriate relationship" is where the person is your client or your employee. However, the UK GDPR doesn’t say that the legitimate interests basis always applies.
It may be more likely to apply because of:
- the likelihood that you have a clear, legitimate purpose for using this personal information;
- the nature of your relationship, which may mean that what you want to do is less likely to be unexpected or unwanted (making the balancing test easier); and
- the extent to which your interests and those of the person are aligned or connected (eg supporting staff development or dealing with customer needs).
However, you must still:
- specify your interests;
- demonstrate that your use of the personal information is necessary; and
- carry out the balancing test.
There’s likely to be some overlap with the contract lawful basis. If you need to use the personal information to perform your side of a contract with an employee or a client, the contract lawful basis is likely to apply.
Can we use legitimate interests for our business-to-business contacts?
Yes. When you use and hold the names and details of your individual contacts at other businesses, you’re still handling personal information, and you must have a lawful basis for this. It’s likely that much of what you want to do with this information is lawful on the basis of legitimate interests. But there’s no absolute rule here, and in all cases, you must apply the three-part test.
If you want to use legitimate interests as your lawful basis to handle the personal information of your business contacts, you must:
- identify your specific interest; and
- ensure that it’s actually necessary for that purpose.
If you can meet the first two parts of the three-part test, you must also consider the balancing test. You may find this straightforward. Business contacts are more likely to reasonably expect you to use their personal information in a business context. Such use is less likely to have a significant impact on them personally.
Example
People attend a business seminar, and the organiser collects business cards from some of the delegates.
The organiser determines that they have a legitimate interest in networking and the growth of their business. They decide that collecting delegate contact details from business cards is necessary for this purpose.
Having considered purpose and necessity, the organiser then assesses that the balance favours what they want to do. They consider that:
- it’s reasonable for delegates handing over business cards to expect that the organiser will use their business contact details; and
- the impact on the delegates will be low.
The organiser also ensures that they provide delegates with privacy information, including details of their right to object. The organiser then collates the contact details of the delegates and adds them to their business contacts database.
Remember, if you intend to use the personal information of your business contacts, you must still comply with people’s rights. These include:
- the right to be informed; and
- the right to object.
Can we use legitimate interests for children’s information?
The UK GDPR doesn’t prevent you from relying on legitimate interests as your lawful basis for handling children’s personal information. However, it does specifically highlight that children’s information requires particular protection. The legitimate interests basis itself (article 6(1)(f)) emphasises the need to protect the interests, rights and freedoms of the person, "in particular where the data subject is a child".
If you rely on legitimate interests for handling children’s information, you are responsible for protecting them from:
- risks that they may not fully appreciate; and
- consequences that they may not expect.
You must ensure that you adequately protect their interests and include appropriate safeguards.
You must also take into account that children’s interests need particular protection. This may mean that you need a more compelling interest to justify any potential impact on children. A legitimate interests assessment (LIA) is a useful tool to help you ensure that you properly consider the children’s interests. (See the section What’s the process for an LIA? for more information.)
If you want to use children’s personal information for safeguarding purposes, you may wish to consider the recognised legitimate interest lawful basis. This lawful basis has a condition that specifically covers the safeguarding of people who need more support to protect themselves. The condition refers to these as "vulnerable individuals" and says that this includes children.
Can we use legitimate interests to share personal information with third parties?
You may be able to lawfully share personal information on the basis of legitimate interests. These might be:
- your own interests;
- the interests of the third party receiving the information; or
- a combination of the two.
You should focus on justifying your disclosure when you carry out the three-part test. Although the third party’s intentions and interests are directly relevant, you should focus on whether you can justify the disclosure itself for that purpose.
The third party is responsible for ensuring that what they do with the personal information is fair and lawful. This includes doing their own three-part test if they plan to rely on legitimate interests as their lawful basis.
Can we use legitimate interests for special category data?
To use special category data lawfully, you must have:
- a lawful basis under article 6 of the UK GDPR; and
- a special category condition under article 9.
If you want to use special category data, legitimate interests may be an appropriate lawful basis for the purposes of article 6. But you must also meet a condition under article 9. If you can’t do this, you can’t use the special category data at all – regardless of whether legitimate interests may apply.
There’s no special category condition equivalent to legitimate interests. The article 9 conditions are designed to be more specific to the purpose of the processing. But there are 10 special category conditions available in the UK GDPR (some of which are supplemented by schedule 1 of the Data Protection Act 2018). You should consider whether any of these conditions fit the circumstances.
If you want to use special category data, in most cases, the sensitive nature of this information means there are greater risks to people’s interests and rights or freedoms. Therefore, you should consider whether:
- you need a more compelling justification for what you want to do; or
- you can put in place more robust safeguards to mitigate any impact or risks to people that may result from what you want to do.
You’re also more likely to need to consider carrying out a DPIA.
When might legitimate interests be inappropriate?
Several factors indicate legitimate interests may be inappropriate as your lawful basis, for example, if:
- you’re a public authority and you want to use personal information to perform your tasks as a public authority;
- your use of personal information doesn’t comply with broader legal, ethical or industry standards;
- you don’t have a clear purpose and are keeping the personal information ‘just in case’ (in this case, your use of the information isn’t compliant on any basis);
- your end result is achievable without using personal information;
- you don’t want to take responsibility for protecting the person’s interests and would prefer to put the responsibility onto them (consent);
- you intend to use the personal information in ways people are not aware of and don’t expect (unless you have a more compelling reason that justifies the unexpected nature of what you want to do);
- there’s a risk of significant harm (unless you have a more compelling reason that justifies the impact);
- you’re not confident in the outcome of the balancing test;
- you would be embarrassed by any negative publicity about how you intend to use the personal information; or
- another lawful basis more obviously applies to a particular purpose. In theory, more than one lawful basis may apply to your use of personal information. But in practice, legitimate interests may not be appropriate for a purpose where another basis objectively applies.
Example
A retailer operates a loyalty scheme. People sign up to be part of the scheme and collect loyalty points. They provide personal information in return for special offers. The retailer plans to use the personal information for different purposes and wants to use legitimate interests as their lawful basis.
The purposes for using the personal information are:
- to calculate the amount of vouchers and post vouchers to the customer;
- to profile these customers’ interests to post and email them targeted discounts; and
- to carry out data analytics so they can improve their products and services.
The terms and conditions of the loyalty scheme serve as a contract. The scope of the services determines what uses of personal information can be said to be ‘necessary for the contract’.
Purpose 1) is a core service, so using personal information for that purpose is necessary for the contract. As the processing is objectively lawful on the basis of contract, legitimate interests isn’t appropriate. This is because basing the processing on legitimate interests over contract would mean depriving people of their data portability rights.
Purpose 2) is not a core service. It is direct marketing, to which people have the right to object. Using personal information for this purpose isn’t necessary for the contract. The retailer may choose to consider consent or legitimate interests for this processing.
Purpose 3) is not a core service and so is not necessary for the contract. The retailer may consider consent or legitimate interests for this. An alternative approach is to anonymise the personal information before using it for data analytics. The retailer can do the anonymisation activity under legitimate interests.
What are the alternatives to legitimate interests?
You must have a lawful basis to process personal information. Legitimate interests is one of the seven lawful bases, but there are alternatives. In brief, these are the following:
- Consent: The person has given consent for you to use their information for a specific purpose.
- Contract: Using the personal information is necessary:
  - for a contract with the person; or
  - because they have asked you to take specific steps before entering into a contract.
- Legal obligation: Using the personal information is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: Using the personal information is necessary to protect someone’s life.
- Public task: Using the personal information is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Recognised legitimate interest: Using the personal information is necessary for one of the pre-approved purposes listed in its conditions. These are:
  - emergencies;
  - crime;
  - national or public security and defence;
  - safeguarding; and
  - disclosing personal information that someone else needs for their public task.
You should always choose the basis that is most appropriate to the particular circumstances.