Legitimate Interests Assessment (EDPB Guidelines 1/2024)
The Legitimate Interests Assessment (LIA), as outlined in EDPB Guidelines 1/2024, is a structured three-step test that data controllers must conduct when relying on Article 6(1)(f) of the GDPR as a lawful basis for processing personal data. This assessment ensures that the processing is necessary and does not override the fundamental rights and freedoms of data subjects.

**Step 1: Identification of a Legitimate Interest**
The controller must identify a specific, real, and clearly articulated legitimate interest. This interest can belong to the controller, a third party, or a broader public interest. The interest must be lawful, sufficiently clear, and not speculative. Examples include fraud prevention, network security, direct marketing, and the exercise of freedom of expression. The EDPB emphasizes that the interest must be assessed at the time of data collection and must be genuine rather than hypothetical.

**Step 2: Necessity Test**
The processing must be strictly necessary to achieve the identified legitimate interest. Controllers must demonstrate that no less intrusive alternative exists to accomplish the same purpose. This step requires applying the principle of data minimization: only processing personal data that is proportionate and directly relevant to the stated interest.

**Step 3: Balancing Test**
This is the most critical step, requiring the controller to weigh their legitimate interest against the rights, freedoms, and interests of the data subject. Factors considered include the nature of the data, the reasonable expectations of the data subject, the relationship between the controller and data subject, the impact of processing, and any safeguards implemented. Special attention is given to vulnerable individuals, including children. The EDPB Guidelines 1/2024 clarify that controllers must document the LIA thoroughly to demonstrate accountability. If the balance tips in favor of the data subject, additional safeguards or an alternative legal basis must be considered. The guidelines also stress that data subjects retain their right to object under Article 21 GDPR when processing is based on legitimate interests.
Legitimate Interests Assessment (EDPB Guidelines 1/2024) – A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
The legitimate interests basis for processing personal data under Article 6(1)(f) of the GDPR is one of the most flexible yet complex legal bases available to data controllers. The European Data Protection Board (EDPB) adopted Guidelines 1/2024 on the processing of personal data based on Article 6(1)(f) GDPR to provide much-needed clarity on how to properly conduct a Legitimate Interests Assessment (LIA). For CIPP/E candidates, understanding these guidelines is essential, as this topic frequently appears in exam questions and requires a nuanced appreciation of the three-part test, balancing considerations, and practical application scenarios.
Why Is the Legitimate Interests Assessment Important?
Legitimate interests is often the legal basis of choice when consent is impractical, when processing is not strictly necessary for a contract, or when no specific legal obligation or public interest mandate applies. However, unlike consent or contractual necessity, legitimate interests requires the controller to actively demonstrate that the processing is justified through a structured assessment. Its importance can be summarized as follows:
1. Accountability and Transparency: The GDPR's accountability principle (Article 5(2)) requires controllers to demonstrate compliance. A properly documented LIA serves as evidence that the controller has carefully weighed its interests against the rights and freedoms of data subjects.
2. Balancing Rights: Unlike other legal bases, Article 6(1)(f) inherently requires a balancing exercise between the controller's (or third party's) legitimate interest and the data subject's fundamental rights and freedoms. Without this balancing, processing may be unlawful.
3. Regulatory Scrutiny: Supervisory authorities increasingly expect controllers to produce documented LIAs upon request. The EDPB Guidelines 1/2024 set a benchmark for what regulators consider adequate.
4. Risk Mitigation: A thorough LIA helps organizations identify and mitigate privacy risks before they materialize, reducing the likelihood of enforcement actions, fines, and reputational damage.
5. Flexibility with Responsibility: Legitimate interests provides flexibility to process data in a wide range of scenarios, but this flexibility comes with the responsibility to conduct and document a proper assessment.
What Is the Legitimate Interests Assessment Under EDPB Guidelines 1/2024?
The EDPB Guidelines 1/2024 elaborate on the structured three-step test that must be satisfied before a controller can rely on Article 6(1)(f) GDPR. The three cumulative conditions are:
Step 1: Identification of a Legitimate Interest
The controller (or a third party) must identify a specific, concrete, and real interest that it pursues through the processing. The EDPB emphasizes that:
- The interest must be lawful (i.e., not contrary to EU or Member State law).
- The interest must be clearly and precisely articulated — vague or hypothetical interests are insufficient.
- The interest must be real and present, not speculative or remote.
- Both the controller's own interests and those of third parties can qualify.
- The EDPB provides examples of recognized legitimate interests, including: fraud prevention, network and information security, direct marketing (as referenced in Recital 47), intra-group data transfers for internal administrative purposes (Recital 48), and prevention of crime.
- The guidelines clarify that the interest need not be explicitly mentioned in the GDPR recitals to qualify as legitimate, but it must be assessed on a case-by-case basis.
Step 2: Necessity of the Processing
The processing must be necessary for the purposes of the legitimate interest pursued. This is a strict necessity test, meaning:
- There must be no less intrusive means available to achieve the same purpose.
- The processing must be proportionate — controllers should not collect more data than is needed.
- The EDPB aligns this necessity test with the principle of data minimization (Article 5(1)(c)).
- If the same goal can be achieved without processing personal data or by processing less data, the necessity test is not met.
- The necessity assessment also considers whether the specific types of data processed and the scope of processing are truly required.
Step 3: Balancing Test — Interests of the Controller vs. Rights and Freedoms of the Data Subject
This is the most complex and important step. Even if a legitimate interest exists and the processing is necessary, it must not proceed if the interests, rights, or fundamental freedoms of the data subject override those of the controller. The EDPB Guidelines 1/2024 provide detailed guidance on how to conduct this balancing exercise:
Factors Favoring the Controller's Interest:
- The interest is widely recognized (e.g., fraud prevention, security).
- The processing has a limited impact on data subjects.
- The controller has adopted robust safeguards.
- There is a relevant and appropriate relationship between the controller and the data subject.
- The processing is in line with reasonable expectations of the data subject.
Factors Favoring the Data Subject's Rights:
- The data is sensitive or of a particularly private nature (even if not special category data under Article 9).
- The data subject is a child or otherwise vulnerable individual.
- The processing produces legal or similarly significant effects on the data subject.
- There is a power imbalance between the controller and the data subject (e.g., employer-employee).
- The data subject would not reasonably expect such processing.
- The data is processed on a large scale or combined with other datasets in ways that could reveal intimate details about the data subject's life.
Role of Safeguards:
The EDPB emphasizes that supplementary safeguards can tip the balance in favor of the controller. These include:
- Pseudonymization or encryption.
- Strict access controls.
- Transparency measures (clear privacy notices).
- Effective opt-out mechanisms.
- Data minimization measures.
- Short retention periods.
- Regular reviews of the LIA.
Key Clarifications in EDPB Guidelines 1/2024
The EDPB Guidelines provide several important clarifications that CIPP/E candidates should be aware of:
1. Right to Object (Article 21): The guidelines reaffirm that where processing is based on legitimate interests, data subjects have the right to object at any time. Upon objection, the controller must cease processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms. For direct marketing purposes, the right to object is absolute — no balancing is required.
2. Legitimate Interests and Special Categories of Data: Article 6(1)(f) cannot be used as a standalone basis for processing special categories of data under Article 9. A separate exemption under Article 9(2) must also be met. However, the EDPB notes that data that is not technically special category data but is nonetheless highly sensitive (e.g., financial data, location data, communications metadata) should be given additional weight in the balancing exercise.
3. CJEU Case Law Integration: The guidelines incorporate and reference key Court of Justice of the European Union (CJEU) rulings, including:
- C-13/16 Rīgas (2017) — confirmed the three-part test structure.
- C-252/21 Meta Platforms (Bundeskartellamt) (2023) — clarified the strict necessity requirement and the relevance of data subjects' reasonable expectations.
- C-621/22 Koninklijke Nederlandse Lawn Tennisbond (Royal Dutch Tennis Association) (2024) — addressed the commercial use of member data and the need for a genuine balancing exercise.
4. Documentation Requirements: Controllers must be able to demonstrate that they have carried out the LIA. While the GDPR does not prescribe a particular format, the EDPB strongly recommends that the LIA be documented in writing and kept up to date.
5. No Blanket Reliance: Controllers cannot adopt a blanket or generic approach to legitimate interests. Each processing activity must be assessed individually, considering its specific context, scope, and impact.
6. Relationship with DPIA: Where the balancing test reveals high risks, the controller may need to carry out a Data Protection Impact Assessment (DPIA) under Article 35 in addition to the LIA. The LIA and DPIA serve different but complementary purposes.
How the Legitimate Interests Assessment Works in Practice
Here is a step-by-step practical framework for conducting an LIA in line with EDPB Guidelines 1/2024:
Phase 1: Identify and Articulate the Interest
- Clearly define what interest you are pursuing.
- Determine whether it is the controller's own interest or a third party's interest.
- Verify the interest is lawful.
Phase 2: Assess Necessity
- Determine if the processing is genuinely necessary to achieve the stated interest.
- Consider alternatives that would be less intrusive.
- Apply data minimization — only process what is strictly needed.
Phase 3: Conduct the Balancing Test
- Assess the nature and severity of the impact on data subjects.
- Consider the nature of the data (how sensitive is it?).
- Consider the nature of the relationship (is there a reasonable expectation?).
- Consider the status of the data subject (vulnerable individuals, children?).
- Consider the scale of processing and any aggregation effects.
- Evaluate what safeguards are in place and whether additional ones are needed.
Phase 4: Document and Review
- Record the outcome of the LIA in writing.
- Implement any safeguards identified as necessary.
- Ensure transparency — include adequate information in privacy notices about the legitimate interests relied upon (Articles 13(1)(d) and 14(2)(b)).
- Periodically review the LIA to ensure it remains valid as circumstances change.
Phase 5: Operationalize the Right to Object
- Ensure mechanisms are in place for data subjects to exercise their right to object.
- Have procedures ready to assess objections and determine whether compelling grounds exist to continue processing.
Common Exam Scenarios Involving Legitimate Interests
CIPP/E exams often test legitimate interests in the following contexts:
- Direct marketing: Recital 47 recognizes this as a potential legitimate interest, but the balancing test must still be applied, and the absolute right to object under Article 21(2) must be respected.
- Fraud prevention and network security: These are well-recognized legitimate interests, but necessity and proportionality must still be demonstrated.
- Employee monitoring: This raises significant balancing concerns due to power imbalances and reasonable expectations of privacy.
- Data sharing with third parties: The legitimate interest of the third party must be identified and balanced against the data subject's rights.
- CCTV surveillance: Often justified on security grounds but must be proportionate and subject to the balancing test.
- Processing children's data: The EDPB specifically warns that the interests of children carry significant weight and processing is more likely to be overridden.
Exam Tips: Answering Questions on Legitimate Interests Assessment (EDPB Guidelines 1/2024)
1. Always Apply the Three-Step Test: When an exam question asks about legitimate interests, structure your answer around the three cumulative steps: (i) identify the legitimate interest, (ii) assess necessity, and (iii) conduct the balancing test. Demonstrating this structured approach will earn maximum marks.
2. Be Specific About the Interest: Avoid vague statements like 'the company has a legitimate interest in processing data.' Instead, identify the specific interest (e.g., 'the company has a legitimate interest in preventing fraudulent transactions on its e-commerce platform').
3. Don't Skip the Necessity Test: Many candidates jump from identifying the interest straight to balancing. Remember that necessity is a distinct and mandatory step. Ask: Could the same goal be achieved with less data or without personal data at all?
4. Show Awareness of the Balancing Factors: In the balancing test, explicitly reference factors such as reasonable expectations of the data subject, the sensitivity of the data, the existence of a power imbalance, and the impact on the data subject. The EDPB guidelines make these factors central to the analysis.
5. Mention Safeguards: If the question involves a borderline scenario, suggest additional safeguards (pseudonymization, opt-out mechanisms, access controls) that could tip the balance in favor of allowing the processing. The EDPB specifically acknowledges that safeguards can be determinative.
6. Know the Right to Object Rules: Be prepared to explain that data subjects can object to processing under Article 21(1), and that for direct marketing under Article 21(2), the right to object is absolute. This distinction is commonly tested.
7. Remember Special Categories Limitation: If the question involves health data, biometric data, or other special categories, note that Article 6(1)(f) alone is insufficient — an Article 9(2) exemption is also required. However, also note that non-special-category data can still be highly sensitive and weigh heavily in the balancing test.
8. Reference Key CJEU Cases: If appropriate, briefly reference relevant CJEU judgments (e.g., Meta Platforms or Rīgas) to demonstrate deeper knowledge. This can distinguish a good answer from an excellent one.
9. Documentation and Accountability: Mention that the LIA should be documented and kept under review. This shows understanding of the GDPR's accountability principle and the EDPB's practical recommendations.
10. Watch for Trick Questions on Children: If the scenario involves children's data, flag that the EDPB Guidelines and Recital 38 emphasize that children merit specific protection. Processing children's data under legitimate interests faces a higher threshold in the balancing test.
11. Distinguish LIA from DPIA: If asked, be clear that an LIA (Legitimate Interests Assessment) is required for relying on Article 6(1)(f), whereas a DPIA (Data Protection Impact Assessment) under Article 35 may be required in addition if the processing is likely to result in high risk. They are separate but potentially overlapping exercises.
12. Use Process of Elimination on Multiple Choice: For multiple-choice questions, eliminate answers that suggest legitimate interests can be used without any balancing test, that it is an absolute right, or that it automatically overrides data subject rights. The correct answer will almost always reflect the conditional and context-dependent nature of this legal basis.
13. Understand the Relationship Between Legitimate Interests and Consent: If a question compares legal bases, remember that legitimate interests and consent are alternatives, not supplements. If relying on legitimate interests, the controller does not need consent — but must conduct the LIA. If the LIA fails, the controller may need to seek consent or find another legal basis.
14. Practice Scenario-Based Analysis: The CIPP/E exam often presents real-world scenarios. Practice applying the three-step test to common situations such as employee monitoring, marketing analytics, fraud detection, intra-group transfers, and sharing data with law enforcement. The more scenarios you practice, the more confident you will be.
Summary
The EDPB Guidelines 1/2024 on legitimate interests provide the most comprehensive official guidance to date on how controllers should apply Article 6(1)(f) GDPR. The key takeaways for CIPP/E candidates are:
- Legitimate interests requires a three-step cumulative test: identification of the interest, necessity, and balancing.
- The balancing test is the heart of the assessment and must consider the nature of the data, the relationship between controller and data subject, reasonable expectations, vulnerability, impact, and available safeguards.
- Documentation is essential for accountability.
- The right to object must be facilitated, and for direct marketing, it is absolute.
- Safeguards can tip the balance in favor of processing.
- Special care is required for children's data and sensitive (non-Article 9) data.
- Controllers cannot rely on generic or blanket legitimate interests claims — each processing activity must be individually assessed.
Mastering these principles will enable you to confidently tackle any CIPP/E exam question on legitimate interests and demonstrate a thorough understanding of one of the GDPR's most nuanced and practically important legal bases.