What 'Legitimate Interest' Means When a Company Holds Your Data
A calm, factual explainer on one of the lawful reasons an organisation can use your personal data without first asking you — what it means, when it applies, and the rights you keep when a company relies on it.
In short
Legitimate interest is one of the six lawful bases an organisation can use to justify processing your personal data without asking for your consent first. It applies when the organisation has a genuine, specific purpose, using your data is necessary to achieve that purpose, and your interests, rights and reasonable expectations do not outweigh it. Even then, you keep the right to object and the right to ask what is held about you.
What 'legitimate interest' actually means
Under the UK GDPR, an organisation cannot use your personal data simply because it wants to. It needs a lawful basis: one of the six reasons listed in Article 6 that make the processing lawful. Consent, the one most people know, is only one of those six. Legitimate interest is another: it lets an organisation use your data when it has a genuine and necessary reason of its own, provided your interests, rights and reasonable expectations do not override that reason.
The phrase can sound vague, but it has a real shape. A legitimate interest is a specific purpose the organisation can clearly state — for example, keeping a service secure, preventing fraud, or contacting existing customers about similar products. It is not a catch-all permission. The organisation has to be able to name the interest, show why using your data is necessary to achieve it, and accept that your rights can still tip the balance the other way.
It can be reassuring to know that legitimate interest is not a loophole that removes your protection. It is a structured judgement the organisation has to make and be able to defend. This is general information, not legal advice, but the core idea is simple: a company can sometimes act without asking first, yet it still has to act within limits that exist to protect you.
- It is one of six lawful bases under the UK GDPR, not a free pass.
- The organisation must name a specific, genuine purpose — not a vague 'business reason'.
- Your interests, rights, and reasonable expectations can still outweigh it.
The balancing test — how it is meant to work
Relying on legitimate interest is not automatic. An organisation is expected to work through what is often called a three-part balancing test before it depends on this basis. First, the purpose test: is there a genuine, lawful interest at stake? Second, the necessity test: is using your personal data actually necessary to achieve that purpose, or could it be done another way? Third, the balancing test itself: do your interests, rights, and freedoms override that purpose?
The third part is the one that protects you most directly. It asks the organisation to consider your reasonable expectations — whether you would be surprised or troubled by the use — and the impact on you. Using basic contact details to email an existing customer about a similar product sits at one end; using sensitive details in ways a person would never anticipate sits at the other, and would usually fail the test. The more intrusive or unexpected the use, the harder it is to justify on legitimate interest alone.
Children's data raises the bar further, because children are less likely to understand or expect how their data is used. Special category data (for example health, biometric or religious data) needs more than a lawful basis: the organisation must also meet one of the separate conditions in Article 9, so legitimate interest on its own is never enough for it. The point of the test is not to give organisations an easy answer; it is to make them pause, weigh the real effect on you, and be ready to show their working if asked. The ICO recommends that this working is recorded as a written legitimate interests assessment. When the balance falls in your favour, legitimate interest does not apply, and the organisation needs a different lawful basis or should not use the data at all.
- Purpose test — is there a genuine, specific interest?
- Necessity test — is using your data truly needed to achieve it?
- Balancing test — do your rights and reasonable expectations override it?
The rights you keep — and how to use them
Even when an organisation lawfully relies on legitimate interest, you are not left without a say. The clearest protection is the right to object under Article 21 of the UK GDPR: you can tell the organisation to stop using your data for that purpose, and it must stop unless it can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or that it needs the data to establish, exercise or defend legal claims. Where the processing is for direct marketing, including any profiling connected to that marketing, the right to object is absolute: once you object, it must stop, with no balancing required.
You also keep the right of access. Under Article 15, you can make a Data Subject Access Request (DSAR) asking an organisation for a copy of the personal data it holds about you, together with the purposes of the processing, the categories of data, who it has been shared with and how long it will be kept. The organisation must respond without undue delay and normally within one month. A DSAR is often the calmest way to replace assumption with something you can read for yourself. The lawful basis itself, and what the legitimate interest is, must be stated in the organisation's privacy notice under Articles 13 and 14, so that is the first place to look.
OSINTA is a self-only tool: it helps you understand your own digital footprint from already-public information, and frame and route your own requests, with your findings in front of you and your say-so at every step. It does not act on your behalf, does not monitor anyone, and cannot promise an outcome, because the decision rests with the organisation you contact. If you are unsure about your specific situation, consider speaking with a qualified professional or with the UK data-protection regulator, the Information Commissioner's Office (ICO).
- Right to object (Article 21): ask the organisation to stop; for direct marketing this is absolute.
- Right of access (Article 15): ask, via a DSAR, what is held and for what purposes; the lawful basis must be stated in the privacy notice.
- You decide each step; nothing is done on your behalf without your say-so.
Frequently asked questions
Is legitimate interest the same as consent?
No. They are two separate lawful bases under the UK GDPR. Consent means you have actively agreed to a specific use of your data and can withdraw that agreement at any time. Legitimate interest means the organisation has a genuine reason of its own and has judged that your interests, rights and reasonable expectations do not override it, so it does not need to ask you first. You keep the right to object to that processing.
Can a company use legitimate interest to do anything it wants with my data?
No. It must identify a real, specific purpose, show that using your data is necessary for it, and weigh that purpose against your rights and reasonable expectations through a balancing test. If your interests outweigh theirs, or the use is something you would not reasonably expect, legitimate interest does not apply and the organisation needs a different basis.
How do I know if a company is relying on legitimate interest?
It should be set out in the organisation's privacy information, which must name the lawful basis for each use of your data and, where that basis is legitimate interest, explain what the interest is (Articles 13 and 14). If the privacy notice is unclear or missing, you can ask the organisation directly, or make a Data Subject Access Request (Article 15) for a copy of your data and the purposes it is being used for, turning guesswork into something you can actually see.
Can I stop a company using my data under legitimate interest?
You can object under Article 21 of the UK GDPR. The organisation must then stop unless it can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or that it needs the data for legal claims. For direct marketing the right is absolute: if you object, it must stop. If the organisation does not respond or refuses without good reason, you can complain to the Information Commissioner's Office.
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.
See what a company holds and why
OSINTA helps you understand your own footprint and frame and route your own rights requests — you stay in control of every step. There is no rush and no pressure.