The basis of the legitimate interest pursued by the Controller under Article 6(1)(f) of the GDPR has often been criticized for its potential misuse as a convenient or less stringent alternative to other legal bases for processing personal data. In order to address this, the European Data Protection Board (EDPB) issued Guidelines 1/2024, interpreting the Regulation and introducing a balancing exercise between the legitimate interest pursued and the subject’s rights. These guidelines clarify how controllers must weigh their legitimate interests against the rights and freedoms of data subjects, ensuring a fair and lawful application of this legal basis. The balancing exercise involves three cumulative conditions that must be met for Article 6(1)(f) GDPR to apply.

  1. Controllers must pursue a legitimate interest that is lawful, clearly articulated, and real rather than hypothetical. Controllers must identify the scope and specifics of their interest and confirm that it aligns with EU or Member State law.

  2. The processing must be necessary for achieving the legitimate interest. Controllers must evaluate whether their objectives could reasonably be accomplished through less intrusive means that have a smaller impact on data subjects. Processing should be carried out only in so far as it is strictly necessary for the purposes of the legitimate interest identified. When carrying out this assessment, the controller should examine whether the data is relevant for the purpose pursued and limited to what is necessary to achieve this purpose (data minimization principle).

  3. The legitimate interest of the controller must outweigh the data subject’s rights and freedoms. This balancing test requires an assessment of all relevant factors. Controllers should consider the nature and sensitivity of the data, the context in which it is processed, and the potential positive or negative impacts on individuals.

After evaluating the legitimate interests being pursued, along with the relevant rights, freedoms, and reasonable expectations of the data subject, the controller must weigh these factors to determine whether the interests of the controller outweigh those of the data subject. If the assessment concludes that the legitimate interests are not overridden, the processing may proceed. Otherwise, if the data subject’s rights and freedoms take precedence, the controller should explore implementing mitigating measures to reduce the impact on the data subject, aiming to achieve a fair balance between the competing rights and interests.

The balancing exercise must be documented and carried out individually for each processing activity relying on Article 6(1)(f).

Mitigating measures can help reduce the impact on data subjects, but they must go beyond the minimum requirements of the GDPR. Enhanced safeguards, such as granting broader rights to erasure or objection, may support the balancing exercise. However, compliance with GDPR obligations—like transparency, data minimization, and confidentiality—remains a baseline expectation and cannot serve as a substitute for meaningful mitigation.

Edited by Michales Kamposos