Legal Bases for Processing
When can legitimate interest be used as a legal basis?
Legitimate interest is one of the most nuanced legal bases under GDPR. It requires a three-part assessment and is worth studying closely for the AIGP exam because it is easy to misapply.
Why this matters for the AIGP exam
Legitimate interest under Article 6(1)(f) GDPR is a flexible legal basis that applies when processing is necessary for a legitimate purpose and that purpose is not overridden by the data subject's rights. Because it involves a balancing test rather than a fixed rule, AIGP exam questions use it to test whether candidates can apply legal analysis to fact patterns, not just recall a definition.
Questions on this topic often present a scenario where legitimate interest appears to apply but where one of the three required conditions fails. The exam tests whether you can identify which condition is the problem.
The three-part legitimate interest assessment
Legitimate interest requires all three parts to be satisfied:
- Purpose test: There must be a legitimate interest being pursued by the controller or a third party. The interest must be real and specific, not vague. Fraud prevention, network security, and direct marketing of relevant products are recognized examples. The interest must also be lawful.
- Necessity test: The processing must be necessary to achieve the legitimate interest. If a less privacy-intrusive method would achieve the same result, the processing fails this test. Necessity is a strict standard, not simply "useful" or "helpful."
- Balancing test: The legitimate interest must not be overridden by the interests, rights, or freedoms of the data subject. This requires weighing the nature of the data, the reasonable expectations of the data subject, and the likely impact of the processing.
All three tests must pass. Failing any one of them means legitimate interest cannot be the legal basis for that processing activity.
Scenario example
A financial services company wants to process customer transaction data to detect unusual activity that may indicate account fraud. It argues that legitimate interest applies.
Applying the three-part test: fraud prevention is a recognized legitimate interest (purpose test passes). Analyzing transaction patterns is necessary to detect fraud since there is no less privacy-intrusive method that achieves the same result (necessity test passes). Customers have a reasonable expectation that their bank will monitor for fraud, and the impact of monitoring is low compared to the impact of undetected fraud (balancing test passes).
Legitimate interest is likely a valid legal basis here. Contrast this with a company that wants to process the same data to improve its product recommendations. The interest exists, but recommendations could be built from aggregated or anonymized data instead, so the necessity test may fail.
Common confusion and exam trap
The most common exam trap is treating legitimate interest as a catch-all legal basis for processing that cannot find a cleaner fit under consent or contract. Legitimate interest is not a fallback. The three-part test is substantive, and many organizations apply it too loosely.
A second trap involves the special category data exception. Legitimate interest alone cannot serve as a legal basis for processing special category data under Article 9. That processing requires an additional condition from Article 9(2), such as explicit consent or substantial public interest.
A third trap is that legitimate interest does not apply to processing carried out by public authorities in the performance of their tasks. Public authorities need a different legal basis for their core functions.
Documentation requirement
Organizations relying on legitimate interest should document their Legitimate Interest Assessment (LIA). The LIA records the purpose being pursued, why the processing is necessary, and how the balancing test was applied. This documentation supports accountability obligations and can be requested by supervisory authorities. Completing the documentation does not by itself make the legal basis valid; the substance of the three-part test must pass regardless of whether it is documented.
Independent AIGP prep tool. Not affiliated with IAPP.