
The Swedish Authority for Privacy Protection (IMY) Confirms the Importance of a Documented Legitimate Interest Assessment
It is not uncommon for companies to rely on “legitimate interest” as the legal basis for processing personal data under Article 6(1)(f) of the General Data Protection Regulation (GDPR). This basis is often perceived as both flexible and practical.
However, in order to lawfully rely on legitimate interest, the data controller must carry out and document a legitimate interest assessment (LIA), assessing whether their interest outweighs the fundamental rights and freedoms of the data subject. This requirement has been reaffirmed by the Swedish Authority for Privacy Protection (IMY) in a recent decision following an investigation into a company’s data processing practices prompted by a complaint from a data subject.
IMY’s Supervision and Decision
In its decision dated 28 April 2025, IMY found that the company had violated Article 6(1)(f) of the GDPR by processing personal data without meeting the conditions necessary to rely on legitimate interest.
The investigation revealed that the company could neither demonstrate a legitimate interest nor show that a legitimate interest assessment had been carried out. The company had referred to recommendations from its Consent Management Platform (CMP) provider, which suggested using legitimate interest as one of the legal bases. However, IMY emphasized – with reference to the accountability principle under the GDPR – that the responsibility to ensure compliance with Article 6(1)(f) rests with the data controller and cannot be delegated. The absence of a documented legitimate interest assessment meant, according to the authority, that the processing lacked a lawful basis.
Guidance on Legitimate Interest Assessments
According to the fundamental accountability principle in Article 5(2) GDPR, the data controller must be able to demonstrate that the processing of personal data is carried out in compliance with the GDPR. Therefore, in order to rely on legitimate interest as a legal basis, it is crucial that the data controller can, through a documented assessment, justify that there is a legitimate interest which outweighs the rights and interests of the individual.
The European Data Protection Board (EDPB) has published draft guidelines intended to help organisations assess whether legitimate interest can serve as a lawful basis for processing personal data. According to the EDPB, three cumulative conditions must all be met:
- The pursuit of a legitimate interest: The interest must be lawful, clearly defined, and present in reality – not hypothetical.
- Necessity of the processing: It must be shown that the legitimate interest cannot be achieved equally effectively by less intrusive means.
- Balancing test: The data subject’s interests or fundamental rights and freedoms must not override the legitimate interest.
The EDPB emphasizes that accurately assessing whether a legitimate interest exists is not a simple task. It requires a careful balancing of opposing interests and rights, along with documentation of the assessment before any data processing begins. The Board is currently reviewing the consultation responses on the draft guidelines and will publish a final version in due course.
Concluding Remarks
Relying on legitimate interest as a legal basis can offer flexibility – but it also entails significant responsibility. Merely invoking a legitimate interest is not enough; a structured and documented legitimate interest assessment is required under the GDPR. Without such documentation, the processing may be deemed unlawful.
To ensure proper application, organisations should:
- Identify and document the legitimate interest – ensure that it is legitimate and proportionate.
- Conduct a necessity assessment – consider whether the purpose could be achieved through less privacy-intrusive means.
- Perform a balancing test – weigh the organisation’s interest against the individual’s right to personal data protection, taking into account expectations and potential impact.
- Implement safeguards – such as restricted access, data minimisation, and clear communication with data subjects.
- Document the process and update the assessment whenever the processing activities change.
Legitimate interest is a useful tool – but one that demands insight, transparency, and accountability. By adhering to these principles, companies can strike the right balance between business needs and individual privacy.
Contact Us
Magnusson has extensive expertise in data protection law and offers both legal advice and training in the field. You are warmly welcome to contact Marie Segerholm or Caroline Landerfors for more information.