Legitimate interest is one of the six legal bases for the processing of personal data listed in Article 6(1) of the GDPR. This legal basis requires that the processing be necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects which require the protection of personal data (Article 6(1)(f)). To verify that this is indeed the case, controllers must conduct a balancing test, following the Article 29 Working Party guidelines [1] (see the “Balancing test”, within “Main Tools and Actions”, in Part II of these Guidelines). As with the other lawful bases for processing, even when the legitimate interest prevails and the assessment concludes that the processing can take place, data subject rights still apply (see “Data subjects’ rights” within Part II of these Guidelines). Furthermore, adequate safeguards and mitigation measures aimed at minimising risks and ensuring the protection of data subjects’ privacy should be implemented whenever possible, especially when the assessment concludes that there is a high risk to the rights of the data subjects.

Checklist: legitimate interest

☐ The controllers have checked that legitimate interest is the most appropriate basis.

☐ The controllers have checked that the processing is necessary and there is no less intrusive way to achieve the same result.

☐ The controllers have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.

☐ The controllers only use individuals’ data in ways they would reasonably expect.

☐ The controllers are not using people’s data in ways they would find intrusive or which could cause them harm, unless they have a very good reason.

☐ If the controllers foresee the processing of children’s data, they have taken extra care to make sure they protect their interests.

☐ The controllers have considered safeguards to reduce the impact where possible.

☐ The controllers have implemented adequate tools to ensure data subjects’ rights.

☐ If the controllers have identified a significant privacy impact, they have considered whether they also need to conduct a DPIA.

☐ The controllers include information about their legitimate interests in their privacy information.
