Legitimate interest: One of six legal bases to process personal data

Executive summary 

We welcome the European Data Protection Board’s (EDPB) draft Guidelines on legitimate interest, which are crucial given evolving case law on the topic. The draft Guidelines are particularly relevant because legitimate interest is a key legal basis under the General Data Protection Regulation (GDPR) applicable to new and developing technologies.

Legitimate interest is one of six equally valid legal bases under the GDPR, and is particularly relevant in scenarios where other legal bases, such as consent, are impractical or insufficient. This is notably the case when addressing issues such as cybersecurity, automated decision-making or fraud prevention. Furthermore, legitimate interest is often the only viable legal basis to process large datasets, whether to develop AI tools or to build data sharing ecosystems.3 

Organisations require clarity and proportionality to apply legitimate interest effectively and responsibly. This paper outlines recommendations to avoid any complexities that would restrict legitimate interest’s practical utility: 

• To recognise that in some cases, such as with technologies that rely on wide datasets, legitimate interest can be the only available legal basis; 

• With respect to the GDPR’s risk-based approach, to note that the purpose for legitimate interest may evolve over time, without constantly being subject to full re-assessments; 

• To avoid that the controller is required to go ‘beyond what is strictly required’ by the GDPR to use legitimate interest as a legal basis; 

• To avoid additional burden placed on the controller in guidance on the use of legitimate interest for specific applications (inc. automated decision-making, security and fraud prevention).