Since before the General Data Protection Regulation (GDPR), legitimate interests have been one of the most frequent bases that organisations have relied upon to justify processing personal data. However, the GDPR placed increased obligations and scrutiny on this practice. Particularly in industries where business models are increasingly based around the use of personal information, understanding where organisations can legally rely on legitimate interests, and where the rights of individuals will be considered “overriding”, is key to compliance.

Legitimate interests have been used as a flexible basis to justify data-driven operations since the Data Protection Directive in 1995. This came to the fore with the Google Spain case (Case C-131/12 Google Spain SL, Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD), Mario Costeja Gonzalez, judgement of 13 May 2014). The Court of Justice of the European Union (CJEU) considered the balance between, on one side, the legitimate interests of internet search engine providers and of internet users in receiving and having access to information in search results and, on the other, the right of the data subject (here Mr. Gonzalez) to his privacy. Weighing these competing rights, the court considered both the centrality of the data processing to the commercial activity of a search engine and also the sensitivity of the information and the public profile of the data subject.

Under the GDPR, the legal test for legitimate interests means the onus is now on the controller to demonstrate that the interests or the fundamental rights and freedoms of the data subject do not “override” their interests – where formerly, such processing only needed to be “unwarranted” – a much higher hurdle. On top of the need for this new balance test, the legitimate interests relied upon must now be published in a Privacy Notice and individuals are able to request specific information on the legitimate interest assessment conducted. This increases the obligations and scrutiny on the controller to ensure a proper risk analysis is conducted.

On the plus side for companies, examples of legitimate interests are now specifically provided under the GDPR, and are being elaborated on in supervisory authority guidance. These include, for example, the prevention and detection of fraud, network security and employee monitoring. However, the weighting given to the priority of either the data subject’s or the controller’s interests, and subsequently the protective safeguards that must be put into place, such as increased notice to data subjects or reduction of the scope of processing, will differ vastly across EU member states for certain ‘legitimate’ activities such as employee monitoring.

A year on from the GDPR’s entry into force, the circumstances in which legitimate interests can be relied upon are still evolving. As this is an area in which case law and best practice are likely to play a huge part, all organisations should keep themselves updated.

If you would like to learn more about Legitimate Interest Assessments, we will be running a webinar on Tuesday 11th June, which will include a question and answer session. You can sign up for this by clicking on the link below:

GemTalk Webinar – Legitimate Interest Assessments


If you are unable to attend, then you can still register using the link above and we will send a recording of the webinar to watch at your own convenience.



Article Author.

Kaveh Cope-Lahooti

Data Protection Consultant
Kaveh is a Data Protection Consultant at Gemserv and is involved in delivering GDPR implementation projects and outsourced data protection officer...
