Legitimate interest

On this page: proportionality, necessity, proportional, necessary, balancing test, legitimate interest, legal basis
Date of last review: 2023-10-02

Legitimate interest of the controller is a less frequently used legal basis in research. It is often used by companies to process personal data that are necessary for their company’s functioning, e.g., processing user data for fraud prevention, or keeping a registration system to provide better services.

When to (not) use legitimate interest as a legal basis?

In research, legitimate interest is often used for processing activities that have no direct research purpose. For example:

  • Research performed to improve the internal business operations of the university.
  • Research performed on behalf of third (commercial) parties usually does not aim to increase the general knowledge, but instead often aims to fulfil a specific company’s goal. In this case, consent or legitimate interest (depending on the specific case) are more suitable legal bases.

In almost all other cases, the legal bases of public interest or consent are likely more suitable to use in scientific research.

What are my obligations when using legitimate interest?

  1. Ascertain that you are performing scientific research
    A scientific research project is “a research project set up in accordance with relevant sector-related methodological and ethical standards” (Article 29 Working Party, 2018).
    Most research performed at a university and reviewed by an ethical committee meets this requirement.

  2. Inform data subjects
    Inform data subjects about what data you are using and why, and about their rights (as you always need to do), including the right to object to your processing of their personal data. Read how here.

  3. Plan your research project in line with the GDPR
    Plan your research as you would for all legal bases, using the GDPR principles and Privacy by Design strategies.

  4. Assess whether you can use legitimate interest as your legal basis
    Contact your privacy officer to do this. Together, you will weigh the interests of the controller (e.g., Utrecht University) and the data subjects in a legitimate interest assessment (art. 6). You must consider:
    • the purpose of your research: what is your interest? The interest (purpose) must be real, concrete, direct and lawful. In research, enabling you to perform your research is usually a legitimate purpose.
    • whether your processing is:
      • necessary: is the processing really necessary to accomplish your purpose? Can you reasonably achieve your purpose in a more privacy-friendly way?, and
      • proportionate: how many people will be affected, to what extent and how intrusive is your processing?
        See also this infographic from the European Data Protection Supervisor (2020) on how to assess necessity and proportionality.
    • your interests vs. those of data subjects (balancing test). Can data subjects expect you to process their data this way, what is the impact of your processing on data subjects, your project, and society, and which safeguards can you put in place to protect data subjects’ interests? Do the interests of your research outweigh the impact on data subjects and society?

  5. Contact your privacy officer when a data subject objects to your use of their personal data.
    Together, you will come up with a fitting response and plan of action.

Legitimate interest assessment

The above weighing of the interests of the controller against those of the data subjects should be done in a legitimate interest assessment. In principle, assessing the legitimacy of your processing is part of the privacy scan or, if applicable, a DPIA, and in most cases also of ethical review. If you do not use a privacy scan or DPIA and/or you have not performed this assessment (yet), but you do rely on legitimate interest, please contact your privacy officer as soon as possible to perform a privacy scan anyways.