What is GDPR Legitimate Interest?

“Legitimate interest” is one of the lawful bases for processing personal data under GDPR. It means that you can process personal data if you have a legitimate reason to do so. It applies only to purposes that the user could reasonably expect. The purpose must be necessary, and there must be no other reasonable way of achieving it.

To determine whether your use of legitimate interest is valid, the Information Commissioner’s Office (ICO) recommends a three-part test called a Legitimate Interest Assessment (LIA). This involves evaluating your purpose for processing data to determine if it is legitimate, ensuring that processing is necessary for that purpose, and weighing the individual’s rights or interests against your own legitimate interest to make sure they are not overridden.

Legitimate interest can be used for direct marketing, network and information security, fraud detection and crime prevention, and processing employee or client data.

Legitimate interest cannot be used as a basis for processing personal data through cookies as GDPR mandates obtaining user consent for using online identifiers.