Legitimate interest is the most flexible lawful basis under GDPR — and the most misused. Many companies apply it as a default when consent would be inconvenient, without conducting the required balancing assessment. Supervisory authorities have challenged this approach, and fines have been issued where legitimate interest was applied without proper analysis.
A Legitimate Interest Assessment (LIA) is the documented analysis you must complete before relying on legitimate interest as your lawful basis.
The Three-Part Test
GDPR Article 6(1)(f) allows processing where it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child." Note that the same paragraph excludes public authorities from relying on this basis for processing carried out in the performance of their tasks.
To rely on legitimate interest, you must satisfy three tests:
1. The Purpose Test: Is there a legitimate interest?
The interest must be:
- Legal — not contrary to law
- Sufficiently clear — articulated specifically enough to evaluate
- Real and present — not hypothetical
Examples of recognised legitimate interests:
- Fraud detection and prevention
- Network and information security
- Direct marketing to existing customers (Recital 47 names direct marketing as a possible legitimate interest; electronic marketing must additionally satisfy the ePrivacy rules, which often require consent regardless of the GDPR basis)
- Processing employee data for payroll and HR management
- Intra-group data transfers for administrative purposes
Examples of weak or contested legitimate interests:
- General "service improvement" without a specific benefit identified
- Commercial advertising to individuals without an existing relationship
- Profiling individuals for commercial purposes where the individual would not expect this
2. The Necessity Test: Is the processing necessary for that interest?
Necessity means the processing is needed to achieve the interest and there is no less privacy-invasive means of doing so. This is not "convenient" or "useful" — it is necessary.
Ask: could the legitimate interest be achieved with less personal data, or with less intrusive processing? If yes, the more intrusive processing fails the necessity test, and you should use the less intrusive means instead.
3. The Balancing Test: Do the data subject's interests override?
This is the hardest part. Weigh:
Factors in favour of processing:
- The data subject would reasonably expect this processing
- The data is not sensitive
- The impact on the individual is minimal or low
- The purpose benefits the data subject or society
Factors against processing:
- The data subject would not expect this processing
- The data is sensitive in the everyday sense (financial details, behavioural data, inferred attributes), even where it is not Article 9 special category data
- The data subject is a child or otherwise vulnerable (Article 6(1)(f) singles out children expressly)
- The purpose purely benefits the controller at the expense of the individual
- The individual cannot easily object
If the balance is genuinely unclear, lean against relying on legitimate interest.
How to Write a Legitimate Interest Assessment
A completed LIA should be a documented record — not just a decision, but the reasoning behind it. Structure:
Section 1 — The Processing Activity
- What data is being processed?
- For what purpose?
- By what means?
Section 2 — The Purpose Test
- What is the legitimate interest claimed?
- Is it a real and present interest?
- Is it the controller's interest, a third party's, or both?
Section 3 — The Necessity Test
- Is this processing necessary to achieve the interest?
- Are there less privacy-intrusive alternatives?
- Why are those alternatives not used?
Section 4 — The Balancing Test
- What are the data subjects' reasonable expectations?
- What is the likely impact on data subjects?
- Are there safeguards that reduce the impact?
- Does the balance tip in favour of processing or against?
Section 5 — Conclusion and Safeguards
- Overall conclusion: legitimate interest applies / does not apply
- What safeguards are in place (opt-out mechanism, data minimisation, etc.)?
- Review date
Common Legitimate Interest Mistakes
Assuming legitimate interest is a safe default. If the processing would require consent to be done fairly, it probably does not survive the balancing test. Legitimate interest is not a way to avoid consent.
Not completing the balancing test. Many companies document that they have a legitimate interest without actually conducting the balancing analysis. Without the balancing test, the LIA is incomplete.
Using legitimate interest for special category data. An Article 6 basis alone, including legitimate interest, never unlocks special category data. You also need a condition under Article 9(2), and without one the processing is prohibited however favourable the balancing test.
Never revisiting the LIA. If processing changes — new use cases, new data sources, significant changes in scale — the LIA must be revisited.
Opt-Out Rights
Where processing relies on legitimate interest, data subjects have the right to object under GDPR Article 21(1). On receipt of an objection, you must stop the processing unless you can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms, or the processing is needed for legal claims. Where the purpose is direct marketing, Article 21(2) and 21(3) make the objection absolute: you must stop, with no balancing.
In practice: you must have an accessible and easy opt-out mechanism wherever legitimate interest is relied on, and the right to object must be brought explicitly to the individual's attention, clearly and separately from other information, at the latest at the first communication (Article 21(4)). Your privacy notice must also name the legitimate interests pursued (Articles 13(1)(d) and 14(2)(b)), so the interest recorded in the LIA and the one disclosed to data subjects should match.
LIAs in Your Processing Register
Every processing activity relying on legitimate interest should have a corresponding LIA document referenced in your Article 30 Records of Processing Activities. Supervisory authorities may request these as part of investigations. Without a completed LIA, you cannot demonstrate that legitimate interest was properly assessed.