Legitimate Interest Assessment (LIA) under GDPR: The Balancing Test Step by Step
Legitimate interest under Article 6(1)(f) GDPR is one of the six legal bases for processing personal data — and the one most often misused. Controllers reach for it whenever they would rather not ask for consent and see no other basis, treating it as a “default” fallback. That is a serious mistake. Relying on legitimate interest is not a declaration; it is the outcome of a documented, three-part assessment that must be carried out before processing begins.
The year 2024 put this basis in a new light. In its judgment of 4 October 2024 in case C-621/22 (KNLTB), the Court of Justice of the EU confirmed that a purely commercial interest can qualify as a legitimate interest within the meaning of Article 6(1)(f) GDPR. Four days later, the European Data Protection Board (EDPB) adopted its long-awaited Guidelines 1/2024 on processing based on this provision. Both documents point to the same conclusion: legitimate interest is a flexible basis, but a demanding one — and it can never be a “basis of last resort”.
This article explains what legitimate interest is, walks through the three cumulative conditions (the purpose test, the necessity test and the balancing test), and shows how to document a Legitimate Interest Assessment (LIA). At the end you will find a ready-to-use LIA template you can copy and apply in your own organisation.
What Legitimate Interest Means under the GDPR
Under Article 6(1)(f) GDPR, processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party — except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
The GDPR does not define “legitimate interest” itself. Guidance comes instead from Recital 47, which lists example situations: processing necessary to prevent fraud, direct marketing, and the “reasonable expectations” of data subjects arising from their relationship with the controller. Recital 48 addresses transmission of data within a group of undertakings for internal administrative purposes, and Recital 49 covers network and information security.
Two features set this basis apart from the others. First, it is the most “discretionary”: it is the controller, not the legislator, who weighs the arguments for and against. Second, it carries a built-in safeguard — the right to object under Article 21 GDPR. For these reasons, legitimate interest demands more diligence than, say, consent or contract performance, where the basis is easier to evidence. Legitimate interest is just one of the six bases for processing under Article 6 GDPR — it is worth knowing the full catalogue in order to choose the right basis deliberately.
Who cannot rely on legitimate interest. The second sentence of Article 6(1) GDPR expressly excludes public authorities from relying on this basis in the performance of their tasks. Public administration should ground its processing in a legal obligation (point (c)) or a task carried out in the public interest (point (e)). Legitimate interest remains available to private entities, and to public authorities in areas that fall outside the exercise of their official duties.
Three Cumulative Conditions: The Purpose, Necessity and Balancing Tests
The Court of Justice of the EU has consistently held that reliance on Article 6(1)(f) requires three cumulative conditions to be met. This three-part test was confirmed in, among others, Meta Platforms (C-252/21, judgment of 4 July 2023), SCHUFA Holding (joined cases C-26/22 and C-64/22, judgment of 7 December 2023), and again in 2024 in KNLTB (C-621/22).
1. The purpose test — the existence of a legitimate interest pursued by the controller or a third party.
2. The necessity test — the processing must be necessary to achieve that interest.
3. The balancing test — the interests or fundamental rights and freedoms of the data subject must not override the controller’s interest.
“Cumulative” means that failing any one condition rules out reliance on this basis. It is not enough to “have an interest” — you must show that processing is necessary for it and that it passes the balancing exercise. The combined evaluation of these three steps, written down and dated, is precisely what a Legitimate Interest Assessment (LIA) is.
Step 1. The Purpose Test — Is the Interest Legitimate?
The first step is to name precisely the interest that is meant to justify the processing. The EDPB indicates that the interest must be lawful, real and present (not hypothetical or speculative) and sufficiently specific. A vague phrase such as “running a business” will not do — the interest must be described in enough detail to be weighed against the data subject’s rights.
This is where the KNLTB judgment comes in. The Dutch supervisory authority had fined the Royal Dutch Lawn Tennis Association EUR 525,000 for disclosing members’ data to sponsors for remuneration, taking the view that a “purely commercial” interest could not be legitimate. The CJEU rejected that strict reading: an interest need not be enshrined in law — it must simply be lawful. As a result, a commercial interest too — selling products, direct marketing, business development — can be a legitimate interest, provided it passes the other two tests.
One interpretive caveat matters here: KNLTB does not mean data can be freely exploited for commercial purposes without consent. The Court merely removed the categorical exclusion of commercial interests from the set of legitimate interests. Every such interest must still pass the necessity and balancing tests, and the Court reiterated the transparency duty under Article 13(1)(d) GDPR — the controller must identify the specific legitimate interest at the time the data is collected.
Interests typically recognised as legitimate (subject to the other conditions) include: direct marketing to existing customers (Recital 47), fraud and abuse prevention, network and information system security (Recital 49), establishing and defending legal claims, transmission of data within a corporate group for administrative purposes (Recital 48), and the safety of persons and property, including CCTV monitoring.
Step 2. The Necessity Test — Is There No Other Way?
The second step examines whether the processing is genuinely necessary to achieve the identified interest. “Necessary” does not mean “convenient” or “profitable”. The question is: could the same purpose be achieved in a less intrusive way — by processing less data, for a shorter time, by fewer recipients, or on anonymised data?
The necessity test is closely tied to the data minimisation principle (Article 5(1)(c) GDPR). If a reasonable, less intrusive alternative exists that achieves the purpose, the processing is not “necessary” within the meaning of the provision, and the legitimate-interest basis falls away. In practice, four control questions help at this stage: do I need all these categories of data, do I need them for this long, must I share them with these particular recipients, and could I achieve the purpose using pseudonymised or aggregated data.
Step 3. The Balancing Test — Weighing the Interests
The third and hardest step is the balancing test. It involves setting the controller’s interest against the interests, rights and freedoms of the data subject. If the latter prevail, processing under point (f) is not permitted. The balancing test is not mathematical — it is an assessment that weighs several factors.
The nature of the data. The more sensitive the data, the stronger the protection of the individual. Special categories of data under Article 9 GDPR (health, origin, beliefs, biometric data) in practice rule out reliance on legitimate interest alone — they require a separate condition under Article 9(2).
The data subject’s reasonable expectations (Recital 47). The key question: at the time of collection, could the person reasonably have expected their data to be processed for this purpose? If the processing is surprising or departs from the context in which the data was provided, the balance tips in their favour.
The relationship between controller and data subject. Processing the data of an existing customer is assessed differently from processing the data of someone with no relationship to the controller (for example, data acquired from an external database).
The potential impact on the individual. Real and possible consequences are taken into account: the risk of discrimination, exclusion, financial loss, excessive tracking or loss of control over one’s data.
The status of the data subject. The GDPR singles out children — where children’s data is processed, particular caution is required, and the controller’s interest is far harder to treat as overriding.
Safeguards. The outcome of the test is influenced by safeguards the controller adopts voluntarily: pseudonymisation, limiting the scope of data, shortening retention, clear information, and above all an easy mechanism to object or opt out. Well-chosen safeguards can tip the balance in the controller’s favour.
It is worth recalling a special case here: direct marketing and profiling. Although Recital 47 names direct marketing as a possible legitimate interest, marketing profiling and the use of cookies and device identifiers are governed by separate rules (the ePrivacy regime), which most often require consent — regardless of the Article 6 basis.
The Right to Object and the Duty to Inform
Legitimate interest is inseparable from the right to object under Article 21 GDPR. A data subject may object at any time to processing based on point (f) on grounds relating to their particular situation; the controller must then stop processing unless it demonstrates compelling legitimate grounds that override the individual’s interests. For direct marketing, the objection is absolute — the controller must always honour it, without exception.
Relying on legitimate interest also triggers an extended duty to inform. Under Article 13(1)(d) and Article 14(2)(b) GDPR, the controller must state which specific legitimate interests it pursues. A generic “we process your data in our legitimate interest” does not meet this requirement — the interest must be named explicitly.
When Not to Rely on Legitimate Interest
Legitimate interest is not a universal solution. You should not rely on it:
- when you process special categories of data (Article 9) — a separate condition is required;
- when you are a public authority acting within its tasks;
- when you want to deploy cookies and similar technologies for marketing purposes — consent is usually required here;
- when the balancing test comes out against the controller and the risks cannot be mitigated by safeguards;
- when the processing is surprising to the individual and exceeds their reasonable expectations.
In these situations the appropriate basis will usually be consent, contract performance or a legal obligation.
Documentation: The LIA and Accountability
EDPB Guidelines 1/2024 make clear that legitimate interest must not be chosen “by default” or as a basis of last resort. Before processing begins, the controller must carry out a careful assessment following the methodology described above. That assessment — written down, dated and retained — is the Legitimate Interest Assessment (LIA).
The LIA is the practical expression of the accountability principle under Article 5(2) GDPR. It is what lets you demonstrate, in the event of an inspection, that point (f) was chosen deliberately and that it passed the three-part test. The LIA should be linked to your record of processing activities (Article 30), where you state the legal basis for each activity, and — for high-risk operations — to a Data Protection Impact Assessment (DPIA). The LIA and DPIA are distinct documents, but they often complement each other.
Legitimate Interest Assessment (LIA) Template
You can copy and complete the template below for any processing activity based on Article 6(1)(f) GDPR. Keep it on file as evidence of accountability and update it whenever there is a material change.
LEGITIMATE INTEREST ASSESSMENT (LIA)
Controller: ……………
Processing activity: ……………
Date of assessment: ……………
Assessed by: ……………
Review date: ……………
Part A — Purpose test
- What specific interest am I pursuing? (describe precisely)
- Is the interest mine or a third party’s?
- Is the interest lawful? YES / NO — justification
- Is the interest real and present (not hypothetical)? YES / NO
- What would be lost if the processing did not take place?
Part B — Necessity test
- Is the processing necessary to achieve the interest? YES / NO
- Is there a less intrusive way to achieve the same purpose? YES / NO — which
- Is the scope of data limited to the minimum (Article 5(1)(c))? YES / NO
- Is the retention period as short as possible? YES / NO
Part C — Balancing test
- What is the nature of the data? (ordinary / sensitive — note: Article 9)
- Could the individual reasonably have expected this processing? YES / NO — why
- What is the relationship with the individual? (customer / employee / none / other)
- What is the possible negative impact on the individual?
- Does the processing concern children or vulnerable individuals? YES / NO
- What risk-mitigating safeguards do I apply? (pseudonymisation, opt-out, short retention, transparency)
- Do I provide an easy way to object (Article 21)? YES / NO
- Do I meet the duty to inform and identify the specific interest (Article 13(1)(d))? YES / NO
Decision
- The controller’s interests are not overridden — processing may rely on Article 6(1)(f).
- The individual’s interests/rights override — seek another basis or do not process.
Signature / responsible person: ……………
Common Mistakes
- Treating point (f) as a default basis when no other fits — the EDPB expressly rules this out.
- No documented LIA — without it you cannot demonstrate accountability.
- A vague interest such as “running a business” instead of a specific purpose.
- Confusing necessity with convenience — skipping the analysis of less intrusive options.
- Ignoring the right to object or making opt-out difficult.
- Relying on point (f) for special-category data or for marketing cookies.
- Failing to name the interest in the privacy notice, despite the requirement in Article 13(1)(d).
Checklist — Legitimate Interest Step by Step
- Name a specific, lawful and current interest.
- Demonstrate necessity and the absence of less intrusive alternatives.
- Carry out the balancing test, considering the nature of the data, expectations and impact on the individual.
- Check that the processing does not involve special-category data or children.
- Implement risk-mitigating safeguards (pseudonymisation, retention, transparency).
- Provide an easy mechanism to object (Article 21).
- Name the specific interest in the privacy notice (Articles 13/14).
- Write down and date the LIA and link it to the record of processing activities.
- Schedule a periodic review of the assessment.
Need Help with a Legitimate Interest Assessment?
Legitimate interest is a flexible but demanding basis for processing — what counts is not the declaration but the documented, three-part assessment. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we support controllers in selecting legal bases for processing, preparing legitimate interest assessments (LIA) and balancing tests, and drafting GDPR-compliant privacy notices.

Contact us — together we will establish a secure basis for processing in your organisation.
