Guidance on the use of Legitimate Interests under the GDPR

The purpose of this Guidance is to help commercial and notfor-profit organisations understand the circumstances in which Legitimate Interests may apply. This Guidance does not consider any other grounds for processing under the GDPR and is not intended for public authorities, as Article 6 restricts their ability to rely on Legitimate Interests under the GDPR.

This Guidance provides practical advice on assessing whether the processing might be considered “necessary” and meeting the crucial Balance of Interests Condition, whereby Controllers need to ensure their interests, or those of a Third Party, are not overridden by the interests or fundamental rights and freedoms of individuals.

This Guidance considers a wide spectrum of processing activities, both core and elective, which may be covered by Legitimate Interests. Our intention is to provide a framework that Controllers can apply to their own specific circumstances.

This Guidance underlines the importance of conducting and documenting Legitimate Interests Assessments (LIAs) wherever a Controller seeks to rely on Legitimate Interests, even where the balance of interests is clearly in favour of the Controller. The ICO has expressed full support for the central concept of a Legitimate Interests Assessment (LIA), and documenting this on a template. Such an assessment will certainly assist organisations in meeting their accountability and transparency requirements and ensure that individuals’ interests are put front and centre under the GDPR regime.

This Guidance also aims to offer clarity for individuals on why processing under Legitimate Interests may be advantageous to them, as well as to Controllers.