When an organization processes personal data, it must always rely on one of the legal bases provided by the GDPR: consent, contract, legal obligation, public interest mission, safeguarding vital interests, or legitimate interests.
The last of these, legitimate interests, often raises questions about its precise scope. The concept requires a thorough understanding: it is flexible and useful for many types of processing, but it is subject to strict conditions. Here is how to understand it and use it correctly and rigorously.
1. What is the legal basis for legitimate interests?
Under the GDPR, all processing of personal data must have a legal basis. Of the six bases provided for in the regulation, legitimate interest is undoubtedly one of the most commonly used by private organizations.
In concrete terms, this basis allows an organization to process data if it pursues a legitimate objective (e.g., strengthening the security of its network, preventing fraud, managing its activities effectively), if the processing is necessary to achieve that objective, and if the interests, rights and freedoms of the individuals concerned do not override that objective.
Legitimate interest therefore plays a balancing role: it allows processing that serves the needs of the organization, while requiring particular vigilance to avoid infringing individuals' privacy rights.
2. To whom does this legal basis apply?
The legal basis of legitimate interest primarily concerns private organizations (companies, associations, or groups), which may invoke it provided that the three conditions defined by the CNIL (National Commission for Information Technology and Civil Liberties) are met and that the risks to individuals are properly assessed.
Conversely, public authorities, when acting in the exercise of their public service missions, cannot in principle base their processing on legitimate interest. They must rely instead on the legal obligation or public interest mission bases. This exclusion is an important principle of the GDPR.
However, the CNIL (National Commission for Information Technology and Civil Liberties) considers that, in certain very specific cases (for example, the development of an AI tool or system that has no direct link to their main missions), the use of legitimate interest by a public authority may be considered, but under strict conditions and after in-depth analysis.
3. The three essential conditions according to the CNIL (National Commission for Information Technology and Civil Liberties)
Before legitimate interest can be invoked as a legal basis, the CNIL (National Commission for Information Technology and Civil Liberties) states that three specific conditions must be verified. These conditions ensure that the processing rests on a solid foundation and respects the balance between the needs of the organization and the rights of the individuals concerned.
1. The interest pursued must be legitimate.
This interest is not freely defined, as its legitimacy must be demonstrated. Some typical examples are nonetheless considered legitimate:
- ensuring IT security or network security,
- preventing fraud,
- conducting commercial prospecting aimed at existing clients,
- managing internal administration within a group, regardless of its size.
The CNIL (National Commission for Information Technology and Civil Liberties) indicates that an interest is presumed to be legitimate if it is:
- clearly lawful (e.g., a company that secures access to its premises with identity checks to protect its employees and property),
- sufficiently clear and precise (e.g., an association that collects its members' email addresses in order to send them its monthly newsletter; the objective is clearly defined and easily understandable),
- real and present, not fictitious (e.g., an e-commerce site that keeps a history of recent purchases in order to improve returns management; the benefit is concrete and immediate, unlike a vague or hypothetical objective).
2. The processing must be necessary
The necessity of the processing must be established: it must enable the objective pursued to be achieved, and there must be no less intrusive alternative for the persons concerned.
It must also be possible to demonstrate this choice; if the processing changes (purposes, categories of data, retention period), the justification based on legitimate interest must be reassessed.
3. Balance between interests and individual rights
The processing must not create an imbalance to the detriment of individuals' rights, in particular taking into account their reasonable expectations.
The CNIL (National Commission for Information Technology and Civil Liberties) recommends that organizations:
- identify possible intrusion into privacy and any potential harm (profiling, sensitive data, vulnerable individuals, etc.),
- assess the impacts on individuals' fundamental rights (freedom of expression, freedom of conscience, etc.),
- verify that the processing does not surprise individuals, i.e., that it is consistent with what they can reasonably anticipate.
For example:
- a client retention program may meet reasonable expectations,
- whereas massive profiling for advertising purposes, without transparency, could exceed them.
4. What rights do individuals have under the chosen legal basis?
The legal basis chosen directly affects the rights that data subjects can exercise. Here is a summary table based on the CNIL (National Commission for Information Technology and Civil Liberties) guidance:
| Legal basis | Right to object | Portability |
|---|---|---|
| Consent | No (1) | Yes |
| Legal obligation | No | No |
| Public interest mission | Yes | No |
| Legitimate interest | Yes | No |
(1) Withdrawal of consent is possible, but the right to object does not apply. Portability applies only to processing based on consent or on a contract.
5. Six best practices to adopt before any processing based on legitimate interests
- Document the choice (in the record of processing activities or in internal compliance documentation).
- Perform a balancing test that covers the three conditions.
- Provide safeguards (pseudonymization, anonymization, access restrictions, etc.); their implementation is essential to maintaining the balance.
- Be transparent: state the legal basis relied on in the privacy policy or on a dedicated page, giving this information due prominence.
- Enable data subjects to exercise their right to object under simple conditions.
- In the event of a change in processing (new purpose, type of data, retention period, etc.), reassess the validity of the legal basis.
6. Concrete example: B2B prospecting
Let's take the case of a company that wants to contact its own clients at their business addresses for sales follow-up purposes, without using third parties:
- The interest (client loyalty) is legitimate, clear, lawful, and real.
- The processing (sending emails and reminders) is necessary to achieve the objective, and no less intrusive means exists.
- Clients can reasonably expect this contact, as the consequences of the processing are foreseeable. The processing therefore does not create a significant imbalance.
Result: on the strength of this analysis, legitimate interest can be relied on as the legal basis, provided that the analysis is documented and a simple right to object is offered.
Conclusion: Key points to remember
Legitimate interest is one of the six legal bases that the GDPR provides for the lawfulness of processing.
Three cumulative conditions must be met:
- The interest is legitimate, lawful, clear, and real.
- The processing is necessary, with no less intrusive alternative.
- There is a balance with people's rights, in line with their reasonable expectations.
This basis should not be used by default, as the possibility of using other bases must be examined, and it does not generally apply to public authorities performing public service tasks.
It entails transparency and documentation obligations, and it gives individuals the right to object, unlike consent, which cannot be objected to but can be withdrawn.
If you have any doubts, or depending on the specific needs of your organization, expert guidance is often invaluable in ensuring your compliance, particularly in sensitive sectors such as healthcare and medical research. At Dipeeo, as an external DPO registered with the CNIL (National Commission for Information Technology and Civil Liberties), this is our core business: we help you interpret GDPR obligations correctly, document your choices (particularly regarding legitimate interest), and implement concrete practices tailored to your business.