Three-step test for determining legitimate interest: these questions are crucial

This questionnaire systematically guides you through the three-stage test and explains how to implement it with practical examples.
Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in data protection, IT compliance and AI regulation.

In practice, legitimate interest is often the "all-purpose" legal basis and at the same time one of the most error-prone. Anyone who relies on Art. 6 para. 1 lit. f GDPR must clearly justify in advance why there is a legitimate interest, why the planned processing is necessary for it, and why, in the end, no overriding rights of the data subjects stand in the way. This article systematically guides you through the three-stage test for determining legitimate interest on the basis of the questionnaire of the Hamburg Commissioner for Data Protection and Freedom of Information, and uses practical examples (including direct marketing and video surveillance) to show how a robust balancing of interests is established, documented and implemented consistently in compliance practice.

Legitimate interest as a GDPR all-purpose weapon

Art. 6 para. 1 lit. f GDPR opens up a flexible legal basis for companies and authorities to process personal data, provided that the controller or a third party pursues legitimate interests and no overriding interests or fundamental rights of the data subjects stand in the way. However, this balancing clause requires a careful examination in each individual case.

As early as the 1983 census ruling, the Federal Constitutional Court (BVerfG) emphasized that interference with the right to informational self-determination is only permissible in the overriding public interest and on the basis of a proportionate law. Accordingly, the European legislator introduced the three-step test in Art. 6 para. 1 lit. f GDPR, which is intended to ensure that every processing operation is lawful and proportionate to the legitimate interest.

In practice, controllers document in advance

  1. whether there is a legitimate interest,
  2. whether the processing is necessary for this interest, and
  3. whether the interests or fundamental rights of the data subjects do not prevail.

On January 6, 2026, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) published a list of questions that sets out criteria for each stage and enables a structured weighing of interests. The three test steps are systematically explained below and illustrated with practical examples.

Existence of a legitimate interest

The first step is to examine what interest the controller or a third party pursues with the planned data processing. Art. 6 para. 1 lit. f GDPR expressly mentions both the controller's own interests and the interests of third parties (natural or legal persons, authorities, etc., see Art. 4 No. 10 GDPR). The decisive factor is that it is a "legitimate" interest. This term is to be understood broadly: it can be of a legal, economic, non-material or factual nature. In principle, a wide range of interests can be considered, such as economic interests (e.g. increasing efficiency, reducing costs), security interests (protection against fraud, theft or cyber attacks) or social/internal interests (maintaining network security, quality assurance, customer care). However, some qualification criteria must be met for an interest to be recognized as "legitimate":

  • Legitimacy and legal conformity: The interest pursued must be legitimate. Interests that violate applicable EU or Member State law are not legitimate per se. For example, an "interest" in discriminatory data use or in general data retention without a purpose would be inadmissible.
  • Clarity and precision: The interest and the specific purpose of the processing must be formulated concretely and precisely. In the third step, only a clearly defined interest can be meaningfully weighed against the rights of the data subjects. Vague or blanket statements ("any business purposes") are not sufficient.
  • Topicality and relevance to reality: The interest must be real and present, not merely speculative or hypothetical. A merely possible benefit in the distant future does not justify current data processing. Example: Storing customer data "in stock" for as yet undefined future business ideas would not be a legitimate interest.


If these conditions are met, a legitimate interest (i.e. one that is lawful and worthy of protection) can be assumed. Typical examples can be found in the recitals: Recital 47, for example, explicitly mentions direct marketing as a possible case of legitimate interest. A company can therefore generally assume that its interest in direct marketing (especially to existing customers) can be legitimate.

6 Questions on legitimate interest

What is the interest in the processing activity?

This is about the general benefit that is expected from the processing activity, such as the "marketing of products". Recitals 47 to 49 of the GDPR contain examples of legitimate interests.

What is the specific purpose of the planned processing?

This is about the objective or the specific reason for the planned data processing. Example: Direct advertising to own customers by postal letter (e.g. advertising catalog).

Who is pursuing the interest?

Art. 6 para. 1 lit. f GDPR covers both the controller's own interests and those of third parties. "Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data (Art. 4 No. 10 GDPR).

Is the interest legitimate and does it not violate applicable law?

Interests that violate applicable EU or Member State law are not eligible.

Is the interest formulated clearly and precisely?

The scope of the legitimate interest pursued must be clearly defined so that it can be weighed against the interests and fundamental rights of the data subject in the third stage.

Is the interest real and present?

Speculative or hypothetical interests cannot be properly assessed and therefore cannot justify data processing. Example: Data retention for future and as yet unspecified business ideas.

Necessity of the processing

If there is a legitimate interest, the second step examines the necessity and appropriateness of the planned processing for pursuing this interest. Art. 6 para. 1 lit. f GDPR requires that the processing "is necessary for the purposes of the legitimate interests". This reflects the general principle of proportionality: the measure must be suitable and necessary to achieve the legitimate objective, and it must not disproportionately interfere with the rights of the data subjects.

The key questions at this stage are: Is this specific data even needed for the purpose? And if so, is there no milder means of realizing the legitimate interest just as effectively? The wording of the GDPR and the principle of data minimization (Art. 5 para. 1 lit. c GDPR) set the direction here: only adequate, relevant and strictly necessary data may be processed. If an equally effective but less intrusive method exists, it must be chosen. Examples of milder means are anonymization or pseudonymization of the data, the use of synthetic test data instead of real personal data, or the limited evaluation of samples instead of a complete survey.

Another element of necessity is the limitation of the scope of the processing: the planned measure should be kept as small and targeted as possible. In concrete terms, this means that the data scope, the group of persons and the duration of the processing should be reduced to the necessary minimum. Particular attention should also be paid to the storage period: personal data may only be stored for as long as is necessary for the intended purpose. A deletion concept with defined deadlines is essential. Once the purpose has ceased to exist, there is an obligation to erase (Art. 17 para. 1 lit. a GDPR; Recital 39). Example: In the case of video surveillance of company premises, the processing can be limited to what is necessary by automatically overwriting the recordings after a short time (e.g. 48 hours) if no security-relevant event has been detected.

The necessity test forces the controller to scrutinize the processing critically.

7 Questions on the necessity of processing

Is the processing absolutely necessary to achieve the interest or can milder means also be considered?

There must be no milder, less intrusive means. Alternatives must be examined. Example: anonymization, pseudonymization, synthetic data instead of real data.

Is the data to be processed limited to what is necessary?

The principle of data minimization must be observed (Art. 5 para. 1 lit. c GDPR). Only data that is adequate, relevant and necessary for the specific purpose may be processed. In particular, the processing of sensitive data (Art. 9 GDPR) is only permitted in narrow, legally regulated exceptional cases (Art. 9 para. 2 GDPR).

Is the number of data subjects limited to the minimum necessary to achieve the purpose?

Example: Limiting the number of data records, random samples instead of full surveys, anonymization.

Is the data processing one-off or continuous?

In the case of continuous processing, the necessity must persist for the whole duration. A legitimate interest that has been established once does not automatically justify ongoing processing of data.

Are all processing steps necessary for the purpose or can individual steps be omitted?

The processing steps must be considered and evaluated individually.

Is there a deletion concept? Is the storage period defined?

Personal data may only be stored for as long as it is necessary for the intended purpose (Recital 39 and Art. 17 para. 1 lit. a GDPR). Once the purpose has ceased to exist, there is generally an obligation to erase. Statutory retention periods, e.g. under the German Commercial Code (HGB), the German Fiscal Code (AO), the German Income Tax Act (EStG), social security law or the German Industrial Code, may require longer storage. The storage period should be documented for each data category, and automated deletion processes should be in place.

Is there an overview of the existing and planned data flows?

The data flow must also be comprehensible and transparent to third parties. A data flow diagram serves as an overview for the controller itself and as evidence of accountability towards management, customers, data subjects, supervisory authorities, etc.

Balancing of interests: Do the interests of the data subjects prevail?

Only when a legitimate interest has been identified and the measure has been qualified as necessary for this purpose does one reach the decisive balancing under Art. 6 para. 1 lit. f, second half-sentence, GDPR: Do the interests, fundamental rights and freedoms of the data subject outweigh the interests of the controller? This third review step ensures that, even in the case of legitimate objectives and necessary data processing, the interests of the data subjects worthy of protection are not disproportionately impaired. This involves a comprehensive assessment of all circumstances of the individual case. Recital 47 sentence 1 emphasizes that the reasonable expectations of the data subject based on their relationship with the controller must be taken into account. As a result, the processing may only take place if the scales do not tip in favor of the data subjects. Otherwise, the processing is unlawful.

Case law (in particular the ECJ and national courts) and the supervisory authorities have developed numerous criteria that feed into the balancing of interests. An overall assessment is made on the basis of these criteria. No single criterion is decisive on its own; rather, a comprehensive balancing of interests must be carried out. The legitimate interests of the controller are compared with the adverse effects on the data subjects. Ultimately, this assessment resembles a proportionality test in the narrower sense (weighing the severity of the interference against the importance of the purpose). Recital 47 adds the restriction that public authorities should not rely on Art. 6 para. 1 lit. f when fulfilling their public tasks. Otherwise, the following applies: the more important the interest and the lower the weight of the interference, the more likely the controller's interest will prevail.

Fundamental rights, freedoms and interests of the data subjects

Which fundamental rights of the data subjects are affected?

The right to privacy, data protection, non-discrimination, freedom and security, freedom of expression and information, freedom of thought, conscience and religion, freedom of assembly and association, the prohibition of discrimination, the right to property or the right to physical and mental integrity, among others.

Are the fundamental freedoms of the data subjects affected?

This includes the free movement of goods, free movement of workers, freedom of establishment, freedom to provide services, freedom of capital and freedom of payment under the TFEU.

In addition to fundamental rights and freedoms, are the "interests" of the data subjects also taken into account?

This includes all interests that could be impaired by the processing.

  • Financial interests: e.g. protection against effects on investments, employment opportunities, retirement provision, credit ratings and insurance cover.
  • Social interests: e.g. protection of the social sphere, reputational damage, discrimination, unwanted contact.
  • Personal interests: e.g. protection of intimate and private life, such as when data relating to a person's sex life or sexual orientation is processed.

Type of personal data

What type of data should be processed?

In what capacity are the persons affected? Example: In their personal or professional capacity.

Are these special categories of personal data (Art. 9 GDPR)?

This sensitive data includes in particular:

  • ethnic origin and race
  • political opinions
  • religious or ideological convictions
  • trade union membership
  • genetic and biometric data (e.g. fingerprints)
  • health data
  • data on a person's sex life or sexual orientation

If such data is processed, the interests of the data subjects are generally given a high weighting in the balancing. In addition, the requirements of Art. 9 para. 2 GDPR must be fulfilled. Even if an exception pursuant to Art. 9 para. 2 GDPR applies, the balancing of interests under Art. 6 para. 1 lit. f GDPR can nevertheless turn out in favor of the data subject (see ECJ judgment of 21 December 2023, case C-667/21).

Is it data from children?

The best interests of the child must be a primary consideration in all measures concerning children. All of the child's rights must be taken into account here, not just data protection rights (cf. Recital 38 GDPR).

Is it data on criminal convictions and offenses pursuant to Art. 10 GDPR?

This data (including the certificate of good conduct) is also particularly worthy of protection. Processing should only take place under official supervision or where it is permitted under Union or national law.

Is it private data?

Some data is considered particularly sensitive or private by data subjects, even if it is not listed in Art. 9 or Art. 10 GDPR. Example: financial, location or family data.

Reasonable expectations of the data subjects (Recital 47 sentence 1 GDPR)

Where and when is the data collected?

An indication in favor of the data subject exists if the data is used for a completely new, unrecognizable purpose or a purpose that goes beyond the original purpose and the data subject could not reasonably have expected the data processing at the time of collection (see also Art. 6 para. 4 GDPR).

How is the data collected?

What technologies and methods are used? Are these practices generally known and transparent to the data subjects? Examples: online surveys, competitions, web scraping.

How is data processing made transparent to the data subjects?

The duty to inform under Art. 13 and 14 GDPR must be observed. This information must be provided directly when the data is collected. Otherwise, the processing already fails to be lawful because of the lack of transparency.

Is there a relationship with the persons concerned?

If a relationship already exists between the data subject and the controller, this increases the foreseeability of the data processing (Recital 47 sentence 2 GDPR). Example: The data subject is already a customer.

How extensive is the data collection and how many people are affected?

The greater the scope of the data processing, the greater the risk that the rights of the data subjects will be impaired.

What are the possible negative effects of processing on data subjects?

Was a data protection impact assessment or a threshold analysis performed?

Are there any positive effects of processing on data subjects?

This is the case if the processing is in the objective, presumed interest of the data subject. Examples: time savings, financial benefits.

Will data subjects lose control over the use of their personal data?

Are protective measures in place to minimize the effects? Can the affected persons take protective measures themselves if necessary?

Who processes the data? How many people have access?

What are the qualifications of the persons or companies processing the data? Is the data treated confidentially? Are there access restrictions within the meaning of Art. 32 para. 4 GDPR?

Examples of balancing interests

Direct advertising to existing customers:

A company would like to use customer data to send postal advertising for similar products. Interest: effective marketing (legitimate economic interest, Recital 47). Data: name and address, i.e. ordinary data that has already been collected as part of the customer relationship. Necessity: dispatch is impossible without this data; a milder means would possibly be consent, but in the case of direct advertising to existing customers the law grants the company a legitimate interest. Balancing: due to the business relationship, customers have a certain expectation of receiving occasional advertising, and the interference is limited to moderate letter advertising. In addition, an opt-out option is clearly offered. Result: as a rule, the company's interests prevail here, and the processing is permissible.

Video surveillance of a store:

A store operator installs surveillance cameras on the sales floor to prevent theft. Interest: protection of property, safety of employees and customers (legitimate interest). Data: video recordings of everyone in the store (potentially many data subjects, partly sensitive behavioral data; possibly also employees, who have special protection needs according to BVerfG case law on employment relationships). Necessity: could alternatives such as more staff or security tags suffice? If not, video surveillance is generally suitable as a last resort. Balancing: this must be examined carefully, since the measure interferes with the customers' right to privacy. Mitigation through transparency (signs), limited camera angles (no surveillance of private areas such as toilets) and short storage periods is important. If the store is located in a high-theft area and surveillance takes place during opening hours, the operator's interest (protection against significant damage) could just about outweigh the customers' interest in not being observed while shopping, provided that no less intrusive solution is possible. However, if permanent filming were carried out without any notice, or if areas that enjoy privacy protection (e.g. changing rooms) were monitored, the rights of the data subjects would clearly predominate and the processing would be inadmissible. The expectations of employees are also relevant under labor law: covert surveillance would be disproportionate, whereas open cameras with works council approval may be permissible if no permanent stress or surveillance pressure arises. Courts (including the Federal Constitutional Court) demand strict proportionality and respect for employee rights.

Legitimate interest as legal basis

Examples such as these make it clear that the balancing of interests requires an individual assessment. Small changes in the facts of the case (a different scope of data, a different context) can shift the result. Therefore, the assessment must be carried out specifically and documented for each processing activity. If the rights of the data subjects are significantly impaired, the limit of what is permissible has been reached: the rights of the data subjects prevail, and Art. 6 para. 1 lit. f GDPR does not provide a legal basis.

Conversely, if the three-step test is carefully carried out and documented, Art. 6 para. 1 lit. f GDPR can provide a reliable legal basis in many situations.

Source: List of questions on the balancing of interests according to the GDPR of the HmbBfDI

Implement processing intelligently with Ailance

Do you wish to carry out the three-step test in accordance with Art. 6 para. 1 lit. f GDPR not only correctly, but also verifiably and scalably, including clean documentation, a review workflow and regular re-evaluation? Ailance helps you to handle processes for transparency, objection (Art. 21 GDPR) and erasure (Art. 17 GDPR) efficiently.

Arrange a demo of Ailance and find out how you can document legitimate interests in an audit-proof manner and strengthen your data protection compliance in the long term.

Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPR, IT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management. You can find out more about him on his author profile page.