On October 9, 2024, the European Data Protection Board (EDPB) unveiled its much-anticipated Guidelines on using legitimate interest (Article 6.1(f) of the GDPR) as a lawful basis for processing personal data. These guidelines set out clear criteria for data controllers, and will therefore be most welcome.
For years, legitimate interest has been among the go-to options for organizations, on the understanding that it offers more flexibility (as long as you comply with the inherent requirements of its use). High-profile cases, like the Court of Justice of the European Union’s (CJEU) decision in Royal Dutch Tennis Association (KNLTB), acknowledged that commercial interests may qualify as legitimate, but also crystallized the tension around its use with supervisory authorities and privacy advocates.
I. Breaking Down the Three-step Test for Legitimate Interest
The EDPB’s guidelines introduce a three-step test for determining whether a legitimate interest can lawfully justify processing personal data. It’s like a checklist, but with serious consequences if ignored. This assessment must be carried out with the involvement of the Data Protection Officer (DPO) (if designated) and should be documented.
1) First step – Is the processing “legitimate”?
First, the data controller must show that their interest is, well, legitimate. Not everything qualifies. The EDPB highlights several recognized examples, including:
- Accessing online information
- Keeping public websites running smoothly
- Protecting property or taking legal action against damage
- Improving products or assessing creditworthiness
But it’s not just about common sense; there are specific criteria:
- Lawfulness – i.e., not contrary to EU or member state law
- Clarity – Precisely articulated, meaning that the perimeter of the legitimate interest pursued must be clearly identified
- Reality – The interest must be current and concrete—not a hypothetical “what if”
If the controller is acting on behalf of a third party, the same rigor applies. For example, obtaining personal information for the exercise and defense of legal claims, or revealing executive salaries for accountability, can count—but only if all the criteria are met.
2) Second step – Is the processing “necessary”?
Next comes necessity. Could the same outcome be achieved with less intrusive methods? If the conclusion of that assessment is that there are less intrusive alternatives to achieve the same objectives, then the processing cannot be considered “necessary”. Necessity is closely tied to the data minimization principle, meaning that controllers should only process what’s absolutely needed.
The EDPB also points out that, in practice, it is typically easier for a controller to demonstrate that processing is necessary to pursue its own legitimate interests rather than those of a third party – also considering that data subjects are generally less likely to expect the latter.
3) Third step – The balancing test
Finally, the balancing test weighs the controller’s interests against the rights and freedoms of the data subjects. This isn’t about erasing all negative impacts; it’s about avoiding disproportionate ones.
Here’s what needs to be considered:
- Interests at stake – What rights or freedoms might be affected? (Think privacy, financial stability or even emotional wellbeing.)
- Impact Assessment – How might the data processing affect individuals?
- Reasonable Expectations – Would the average person expect their data to be used this way? (Hint: They probably won’t if it’s overly invasive or opaque.)
- Mitigation – What steps can be taken to reduce harm?
Once all the factors mentioned above have been considered, the EDPB states that “If the data subject’s interests, rights and freedoms seem to override the legitimate interest(s) being pursued, the controller may consider introducing mitigating measures to limit the impact of the processing on data subjects, in view of achieving a fair balance between the rights, freedoms and interests involved”[1].
If the scales still tip against the controller, “it may consider introducing mitigating measures to limit the impact of the processing on data subjects.” It is important to point out that these mitigating measures are not those that are legally required to comply with the GDPR, as the balancing test already presupposes that such measures are in place. Once they are adopted, the balancing test should be performed again. If the result of that test is that, even with the measures in place, the data subject’s interests, rights and freedoms still override the legitimate interests being pursued, the processing cannot be based on Article 6(1)(f) of the GDPR.
II. Contextual application of Article 6(1)(f) GDPR
The guidelines also offer comprehensive guidance and practical examples on applying Article 6(1)(f) GDPR in the following scenarios:
- Processing of children’s data – In this context, legitimate interest can be invoked as a legal basis by a controller where its legitimate interests align with those of the child. In the event of a conflict, the interests or fundamental rights and freedoms of the child should in general prevail. Extensive profiling and targeted advertising generally do not align with the obligation to protect children.
- Processing by public authorities – Generally, legitimate interest isn’t an option for government tasks, with rare exceptions.
- Processing for fraud prevention – Such processing must be strictly necessary and adhere to the “data minimization” principle. Controllers should specify the type of fraud they aim to prevent, and the data required for that purpose.
- Processing for direct marketing – It might work, but national laws and the ePrivacy Directive could demand consent instead.
- Processing for internal administrative purposes within a group of undertakings – Controllers within a group of undertakings may have a legitimate interest in transferring personal data within the group for internal purposes. When this includes personal data of employees, transparency in relation to the legal basis should be ensured.
- Processing to ensure network and information security – The EDPB cautions that certain security measures may involve extensive (and potentially intrusive) analysis of communication content and metadata, impacting the balancing assessment.
- Transmission of personal data to competent authorities – A controller may have a legitimate interest in responding to such requests if they are subject to foreign laws, especially where non-compliance could result in sanctions. However, a balancing test must be conducted before disclosing any data.
These are very precise use cases, and many organizations will find relief in applying legitimate interest in instances where their use case is similar to those provided in the guidelines.
What Next?
The public consultation period has now ended. The EDPB will work on integrating the comments received and release a final version, which will serve as the official interpretation of this critical lawful basis across all data protection authorities represented by the EDPB. While some adjustments may occur, it is likely that the core of the guidelines will remain consistent, making the current draft a reliable representation of the regulators’ approach in this area. A key resource for organizations as they define the boundaries and criteria for
[1] EDPB Guidelines 1/2024, p.18-19