EU flags waving in front of European Parliament building
Processing Personal Data on the Basis of “Legitimate Interests” Under the GDPR by Teresa Troester-Falk, Chief Global Privacy Strategist at Nymity

Processing Personal Data on the Basis of “Legitimate Interests” Under the GDPR

As a basis for lawful processing, “legitimate interests” is not substantially changed by the General Data Protection Regulation (GDPR),1 except for in the case of public authorities. Legitimate interest is one of the primary methods relied upon by organisations for processing data. Article 7(1)(f) of Directive 95/46,2 as well as Article 6(1)(f) of the GDPR allow processing of personal data on the grounds of legitimate interests of the controller or third-parties. There are three elements for this lawful ground for processing to be applicable:

1. Necessity

The personal data being processed must be necessary for the legitimate interests to be achieved. Any data not directly linked to accomplishing the legitimate interests are therefore considered “unlawful”.

2. Existence of a Legitimate Interest

The interest must be real and present, something that corresponds with current activities or future benefits. This must be clearly articulated.

3. Balancing Exercise

A balancing exercise must be carried out, considering the nature and source of the legitimate interests balanced against the rights of the data subject. The more safeguards that the controller can bring towards the protection of the data subject, the more the balance will tip towards the controller.

Establishing a case for legitimate interests, therefore, involves a “balancing exercise” that must be conducted between the interests of the controller or third parties and the rights and freedoms of the data subjects. Of equal importance is the “necessity” of processing that data to accomplish that specific interest. Despite guidance from European DPAs (Data Protection Authorities) and other organisations, the legitimate interests ground is open to interpretation and difficult to grasp in practice. Deciphering when the courts will honour it can be complicated, so it is helpful to take a closer look at practical cases.

The following two cases show the legitimate interests ground being successfully and unsuccessfully applied at the member state level in the EEA (European Economic Area):

Case 1: Lawful use of legitimate interests

Disclosure of Health Data from Hospital to Attorney (Greece)3

Processing activity and source:

Disclosure of health data by a hospital at the request of a defense attorney for litigation purposes.


A hospital asked the Greek DPA if it is allowed to disclose certain medical information about a patient to a law firm requesting access. The law firm requested information regarding a patient’s stay at the hospital (date and length of time) and medical condition. The justification for the request was that the information was necessary in an open litigation initiated by the patient against the law firm’s client. The patient was claiming damage of €14,500, alleging building negligence led to his broken arm and hip.

In this case, the DPA decided that disclosure of sensitive records is permitted. It argued that under the national data protection law, such disclosure is allowed in exceptional circumstances, including litigation purposes. The DPA supported the legitimate interests ground, since the disclosure of data was proportionally necessary for rebuttal of allegations by the data subject against their landlord made in the lawsuit. The DPA also noted that the disclosure would only be lawful if the data subject was notified of the sharing of data. In this case, the hospital had already informed the data subject about the existence of the law firm’s request.

Case 2: Unlawful use of legitimate interests

Retaining Banking Data by an Online Retailer (France)4

Processing activity and source:

Retaining banking data by an online retailer in order to facilitate later payments and optimise business transactions.


The French DPA investigated an online retailer’s practice of retaining customer banking data longer than necessary for the transaction to take place. It was discovered that the company retained banking data by default, following every transaction (including name of cardholder, card number, validity date and some CVV codes). The retailer argued that it was retaining the data on two lawful grounds: necessity for entering or for the performance of a contract and necessity for its legitimate interests. The legitimate interests claimed were facilitation of later payments and optimisation of business transactions.

The DPA found that retaining banking details goes beyond the execution of a service contract for an online purchase, since the purpose would be to facilitate non-specific, hypothetical future purchases. It also found that the data processing was not lawfully based on the legitimate interests ground. The DPA acknowledged that there was a legitimate commercial interest of the retailer in facilitating later payments and optimising business transactions. However, this must be balanced against the rights of the data subjects concerned. Given the sensitivity of banking data, the right of the subject to have the data deleted after being retained for a period of time carries more weight than the interest of the controller. The DPA went on to point out that the retailer did not take steps to mitigate danger to the data subjects by implementing appropriate security measures, as the credit card details of millions of customers were stored in clear text, in a single database, making it vulnerable to malicious employees or external intrusions.


The controller had a legitimate interest for processing personal data. However, it did not take appropriate measures to ensure the data subject rights are protected as part of the balancing exercise. The DPA gave concrete examples of what those measures should have been, as well as specific guidance on an acceptable retention period for financial data.


While the legitimate interests ground for processing can be lawfully applied in many cases, after analyzing the two sides, a provisional balance should be established. The more safeguards the controller can bring towards the protection of the data subject, the more the balance will tip towards the controller.

To provide greater clarity on this balancing act, Nymity and The Future of Privacy Forum teamed up to author a report filled with practical cases entitled, “Processing Personal Data on the Basis of Legitimate Interests Under the GDPR”. Download the complete report.


1  Regulation (EU) 679/2016 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119.

2  Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281.

3  Data Protection Authority, Greece (Decision 98/2015).

4  Data Protection Authority, France. Deliberation No. 2012-214 (July 19, 2012).