Legitimate Interest as a GDPR Legal Basis: What Your Classification System Needs to Know

Of the six legal bases available under GDPR Article 6(1), legitimate interest is both the most flexible and the most frequently misapplied. It requires a three-part test — the interest must be legitimate, the processing must be necessary for that interest, and the data subject’s interests and fundamental rights must not override the controller’s interest — but in practice it is often invoked as a default basis when no other clearly applies. That approach creates serious compliance exposure, particularly when a supervisory authority reviews the basis in the context of a complaint or investigation.

This article examines what legitimate interest requires, why it is disproportionately applied to processing that would be better served by other bases, and how classification systems need to represent legal basis to support compliant processing decisions.

Why classification systems need to represent legal basis

An automated personal data classification system that identifies and categorises fields — name, email, IP address, device identifier, purchase history — without capturing the declared legal basis for each processing activity is half a compliance system. The classification answers: what is this data. The legal basis answers: why is processing this data lawful. Both must be present for a complete GDPR compliance picture.

This matters most in enforcement scenarios. When a supervisory authority investigates a complaint or conducts a formal audit, the question is not simply “did you process personal data” but “what was your legal basis and can you demonstrate it was properly assessed before processing began”. A classification graph that shows email addresses in a marketing pipeline without a documented legal basis assessment is evidence of incomplete compliance rather than a defence.

The three-part legitimate interest test

Article 6(1)(f) requires a three-component assessment. The first component is identification of the legitimate interest: what commercial, operational, or social purpose does the processing serve? This is broadly the easiest component, since most processing activities have an identifiable business purpose. GDPR Recitals 47 to 49 and the Article 29 Working Party's Opinion 6/2014 (WP217) cite fraud prevention, network and information security, direct marketing, and internal administrative purposes within a group of undertakings as examples of interests that may be legitimate, though none is legitimate for a given processing activity without an assessment of that activity.

The second component is necessity: is the processing actually necessary to achieve the identified interest, or could the interest be achieved through less privacy-invasive means? This is where legitimate interest assessments most often fail scrutiny. Processing a device fingerprint to serve behavioural advertising is not necessary in the same sense as processing a delivery address to ship an order; the advertising purpose could be served through less invasive contextual advertising. Necessity requires a genuine alternative analysis, not a checkbox.

The third component is the balancing test: do the data subject’s reasonable expectations and privacy interests override the controller’s interest? This requires considering the nature of the data, the relationship between the data subject and the controller, the likely impact of the processing on the data subject, and the data subject’s reasonable expectations at the time of data collection. No automated system can substitute for a privacy officer’s judgment on this component.

How automated classification supports the balancing test

Automated classification cannot complete the balancing test, but it can structure the inputs. If the classification system identifies that a field tagged personal_data_category: email appears in a model mart_marketing__campaign_targets, it can flag that this combination — email in a marketing context — requires a legitimate interest assessment. It can also surface whether the retention window for that field is proportionate to the declared purpose: keeping email addresses for 24 months after a contact relationship ends may be justifiable; keeping them indefinitely is harder to defend.

For large data estates with hundreds of processing activities, automated flagging of fields that lack a documented legal basis assessment — or where the declared basis is legitimate interest without a completed balancing test record — is operationally necessary. The privacy officer cannot manually audit every field; the classification system’s job is to ensure the privacy officer’s attention is directed to the cases that require it.

Legitimate interest documentation is not a one-time exercise. Any change in the processing activity — new data categories added, processing purpose expanded, new data flows created — may invalidate a prior legitimate interest assessment and require a fresh balancing test. Classification systems must flag these triggering changes.

Special-category data and the legitimate interest exclusion

A persistent and serious classification error is applying legitimate interest as the legal basis for Article 9 special-category data. Legitimate interest under Article 6(1)(f) is not available as a standalone basis for Article 9 processing. Special-category processing requires an Article 6(1) basis and, in addition, one of the Article 9(2) conditions: explicit consent; employment, social security and social protection law; vital interests; legitimate activities of a non-profit body; data manifestly made public by the data subject; legal claims; substantial public interest; health or social care; public health; or archiving, research and statistical purposes. Several of these conditions are only available where Union or Member State law provides for them.

A classification system that identifies health indicator data, biometric data, or racial/ethnic origin fields and then checks them against a legitimate interest policy declaration should generate a hard violation record, not a warning. The combination of Article 9 data category and Article 6(1)(f) legal basis is a compliance failure by definition, and it should be surfaced as such in the compliance dashboard.

Documenting the legitimate interest assessment

Regulatory guidance (WP217 and the ICO's legitimate interests guidance) recommends that Legitimate Interest Assessments (LIAs) be documented in a structured form covering the three test components: interest identification, necessity analysis, and balancing test outcome. This documentation serves two purposes: it is the accountability evidence under Article 5(2) demonstrating that the assessment was conducted, and it is the record that can be reviewed if the basis is challenged by a data subject exercising objection rights under Article 21.

GDPR Article 21(1) gives data subjects the right to object, on grounds relating to their particular situation, to processing based on legitimate interest; the controller must then stop unless it demonstrates compelling legitimate grounds that override the data subject's interests, rights and freedoms, or that the processing is needed for legal claims. For direct marketing the position is stricter: under Article 21(2) and 21(3) the right to object is unconditional and processing for that purpose must stop on objection, so no balancing-test record can justify continuing it. Without a documented LIA, the controller has no structured basis from which to respond to an Article 21(1) objection. The documentation and the operational response are the same record, which is why the compliance system needs to maintain it in a queryable form rather than buried in a legal document.

Practical classification state per field

For compliance systems aiming to capture legal basis accurately, the minimum classification state per personal data field should include: data category (personal data within the Article 4(1) definition, with Article 9(1) special categories identified as such); declared legal basis (one of the six Article 6(1) options, plus the Article 9(2) condition for special-category data); processing purpose description; retention schedule; and, where the basis is legitimate interest, a link to the completed LIA record with assessment date and reviewing DPO or privacy officer.

Fields lacking a declared legal basis should appear as open compliance items requiring resolution, not as implicitly compliant. Fields where legitimate interest is declared without a completed LIA should be flagged at medium severity. Fields where Article 9 data appears with a legitimate interest legal basis should be flagged at critical severity and escalated immediately. The classification system’s violation ranking should reflect the regulatory consequence of each gap, not just the presence or absence of documentation.
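The flagging rules described above (the legitimate interest assessment trigger and retention check under "How automated classification supports the balancing test", the re-assessment trigger on scope changes, the Article 9 hard-violation rule, and the per-field state and severity ranking just described) fit in a small rules pass over classification records. The following is an added example, not tooling from the article or any product it describes; the record layout, the tag vocabulary, the dbt-style model names such as mart_marketing__campaign_targets, the severity labels, and the sample records are all assumptions modelled on the text.

```python
"""Legal-basis gap checks over per-field classification records.
Added example, not the article's own tooling; tag vocabulary, dbt-style model
names and severity labels are assumptions modelled on the article."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed short tags: Article 9(2) conditions and Article 9(1) special categories.
ARTICLE9_CONDITIONS = {
    "explicit_consent", "employment_social_security_law", "vital_interests",
    "non_profit_body", "made_public_by_data_subject", "legal_claims",
    "substantial_public_interest", "health_or_social_care", "public_health",
    "archiving_research_statistics"}
SPECIAL_CATEGORIES = {
    "health", "genetic", "biometric", "racial_ethnic_origin", "political_opinion",
    "religious_philosophical_belief", "trade_union", "sex_life", "sexual_orientation"}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "open": 0}

@dataclass(frozen=True)
class LIARecord:
    """Legitimate interest assessment record linked from a field."""
    assessed_on: date
    reviewer: str
    balancing_test_complete: bool
    purpose: str
    categories: frozenset  # data categories the assessment covered

@dataclass(frozen=True)
class FieldRecord:
    """Minimum per-field classification state the article asks for."""
    model: str
    column: str
    category: str
    legal_basis: Optional[str]
    purpose: Optional[str]
    retention_months: Optional[int]  # None: no schedule, i.e. indefinite
    lia: Optional[LIARecord] = None

@dataclass(frozen=True)
class Finding:
    severity: str
    model: str
    column: str
    message: str

def check_field(f: FieldRecord) -> list:
    """Apply the article's ranking rules to one field."""
    out, loc = [], {"model": f.model, "column": f.column}
    special = f.category in SPECIAL_CATEGORIES
    if f.legal_basis is None:
        # A missing basis is an open item, never implicitly compliant.
        return [Finding("open", message="no declared legal basis", **loc)]
    if special and f.legal_basis == "legitimate_interest":
        # Article 6(1)(f) is never a standalone basis for Article 9 data.
        out.append(Finding("critical", message="Article 9 category declared under "
                           "Article 6(1)(f) legitimate interest", **loc))
    elif special and f.legal_basis not in ARTICLE9_CONDITIONS:
        # Any other Article 6-only basis is also insufficient (severity assumed).
        out.append(Finding("high", message="Article 9 category without an Article "
                           f"9(2) condition ({f.legal_basis})", **loc))
    if f.legal_basis == "legitimate_interest":
        lia = f.lia
        if lia is None or not lia.balancing_test_complete:
            out.append(Finding("medium", message="legitimate interest declared "
                               "without a completed LIA", **loc))
        elif f.category not in lia.categories or f.purpose != lia.purpose:
            # Scope drift since the assessment: new category or changed purpose.
            out.append(Finding("medium", message=f"LIA of {lia.assessed_on} predates "
                               "a change in scope; re-run the balancing test", **loc))
        if f.retention_months is None:
            out.append(Finding("medium", message="indefinite retention under legitimate "
                               "interest has no proportionality justification", **loc))
    return out

def run_checks(fields) -> list:
    """Check every field; order findings by regulatory consequence, then location."""
    findings = [x for f in fields for x in check_field(f)]
    findings.sort(key=lambda x: (-SEVERITY_RANK[x.severity], x.model, x.column))
    return findings

_MARKETING_LIA = LIARecord(date(2023, 5, 2), "dpo@example.test", True,
                           "email campaigns to existing customers", frozenset({"email", "name"}))
MKT, CLIN, SHIP = "mart_marketing__campaign_targets", "mart_clinical__patient_profile", "stg_orders__shipments"
# Constructed sample classification records (not real data).
SAMPLE_FIELDS = [
    FieldRecord(MKT, "email", "email", "legitimate_interest",
                "email campaigns to existing customers", 24, _MARKETING_LIA),
    FieldRecord(MKT, "device_fingerprint", "device_identifier", "legitimate_interest",
                "behavioural advertising", None, _MARKETING_LIA),
    FieldRecord(MKT, "purchase_history", "purchase_history", "legitimate_interest",
                "email campaigns to existing customers", 24, _MARKETING_LIA),
    FieldRecord(CLIN, "diagnosis_code", "health", "legitimate_interest", "care coordination", 120),
    FieldRecord(SHIP, "delivery_address", "postal_address", None, None, 84),
    FieldRecord(SHIP, "recipient_name", "name", "contract", "order fulfilment", 84),
]

if __name__ == "__main__":
    for x in run_checks(SAMPLE_FIELDS):
        print(f"{x.severity:8} {x.model}.{x.column}: {x.message}")
```

On the sample records the email field in the marketing mart passes cleanly because its LIA covers that category and purpose; the device fingerprint and purchase history fields in the same mart are flagged at medium severity because they were added after the assessment was done, which is the re-assessment trigger the article calls for; the health field under legitimate interest is the one critical finding; and the shipping address with no declared basis surfaces as an open item rather than being silently treated as compliant. The "high" rating for a special-category field under some other Article 6-only basis is an added choice for completeness, not a severity the article assigns.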

Conclusion

Legitimate interest is a legitimate and useful GDPR legal basis when properly assessed. The compliance risk comes from treating it as a residual default rather than as the outcome of a structured three-part analysis. Classification systems that surface legal basis gaps, flag LIA completion requirements, and enforce the Article 9 exclusion rule give privacy officers the visibility to manage legitimate interest assessments as a continuous compliance discipline rather than a one-time project.

Source notes

  • GDPR Articles 6(1)(f), 9, and 21 — legitimate interest legal basis, special-category processing, and data subject right to object
  • European Data Protection Board, Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR — legitimate interest scope analysis in B2B financial services context
  • Article 29 Working Party, Opinion 6/2014 on the notion of legitimate interests (WP217) — the three-part test and documented balancing test requirements
  • Information Commissioner’s Office, Legitimate interests — guidance for data controllers (2023 edition) — practical LIA framework and documentation template
  • FDPIC, Leitfaden zur Interessenabwägung nach DSG (2023) — Swiss nDSG equivalent legitimate interest analysis requirements