Legitimate interests
Latest updates - last updated 23 March 2026
23 March 2026 – We have updated this guidance to reflect amendments introduced by the Data (Use and Access) Act. We have also updated the guidance to follow the ICO's latest style guide.
About this guidance
This guidance discusses the legitimate interests lawful basis in detail. It complements the brief guidance on legitimate interests.
If you haven’t yet read the brief guidance, read that first. It introduces this topic and sets out the key points you need to know, along with a practical checklist to help you comply.
Read this detailed guidance if you have questions not answered in the brief guidance, or if you need more information to help you apply the legitimate interests lawful basis. This guidance is aimed at data protection officers (DPOs) and those with specific data protection responsibilities in larger organisations.
Contents
- What is the ‘legitimate interests’ basis?
- What does the UK GDPR say about the legitimate interests lawful basis?
- What is the three-part test?
- What counts as a ‘legitimate interest’?
- When is using personal information ‘necessary’?
- What is the balancing test?
- What are the person’s ‘interests, rights and freedoms’?
- What is the importance of reasonable expectations?
- When do people’s interests override ours?
- What’s the difference between legitimate interests and the recognised legitimate interest basis?
- When can we rely on legitimate interests?
- When might legitimate interests be appropriate?
- Can we use it as the default basis for everything we do with personal information?
- What are the disadvantages of choosing legitimate interests?
- Can public authorities use legitimate interests?
- Are there cases when our purpose allows us to automatically rely on legitimate interests?
- Are there specific purposes when the legitimate interests basis may apply?
- Can we use legitimate interests for intra-group transmissions for internal administrative purposes?
- Can we use legitimate interests to ensure network and information security?
- Can we use legitimate interests for our direct marketing activities?
- Can we use legitimate interests for employee or client information?
- Can we use legitimate interests for our business-to-business contacts?
- Can we use legitimate interests for children’s information?
- Can we use legitimate interests to share personal information with third parties?
- Can we use legitimate interests for special category data?
- When might legitimate interests be inappropriate?
- What are the alternatives to legitimate interests?