Legitimate Interest
A lawful basis under GDPR for processing personal data when a controller has a genuine, proportionate interest that is not overridden by the data subject's rights.
Full Definition
Legitimate Interest (Article 6(1)(f) GDPR) is often described as the most flexible lawful basis but requires a three-part test: (1) the purpose must be legitimate, (2) processing must be necessary for that purpose, and (3) the individual's interests and fundamental rights must not override the legitimate interest. A Legitimate Interests Assessment (LIA) should be documented before relying on this basis. Common uses include fraud prevention, network security, direct marketing to existing customers, and intra-group transfers. Individuals retain a right to object to processing under legitimate interest, and organisations must comply unless they can demonstrate compelling legitimate grounds.
Related terms
Lawful Basis
A legal justification under GDPR for processing personal data — one of six bases must apply before processing can begin.
Data Controller
An entity that determines the purposes and means of processing personal data.
RoPA
Record of Processing Activities — a mandatory inventory of all personal data processing activities under GDPR Article 30.