GDPR Legitimate Interests Assessment: When Can SaaS Use Art. 6(1)(f)?
Legitimate Interests (LI) is probably the most misused lawful basis in GDPR. Developers love it because it feels flexible — you don't need consent banners, you don't need a contract clause, you just need to tick a box in your privacy notice and write "legitimate interests" next to a processing activity.
The problem is that "we have a business interest in this" is not how LI works. It requires a three-step balancing test, documented before processing begins. And DPAs have started asking to see that documentation.
This guide explains exactly when LI works for SaaS, when it doesn't, and how to document it properly. Use our GDPR LIA Generator to produce a ready-to-store assessment.
What Is Legitimate Interests Under GDPR?
GDPR Art. 6(1)(f) says personal data may be processed where "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."
Three requirements are embedded in that sentence:
- A legitimate interest must exist (purpose test)
- Processing must be necessary for that interest (necessity test)
- Data subject interests must not override the controller's (balancing test)
All three must be satisfied. If any one of them fails, LI is not available as a lawful basis; use consent or another basis instead.
When Legitimate Interests Works for SaaS
These are processing activities where LI is widely accepted by DPAs and regulators:
| Processing Activity | Why LI Works | Conditions |
|---|---|---|
| Security logging (access logs, anomaly detection) | CJEU C-807/21: security logging is a legitimate interest. ENISA guidelines confirm. | Logs must be retained only as long as necessary. No use for other purposes. |
| Fraud prevention and credit risk | WP29 Opinion 06/2014 explicitly cited fraud prevention as a legitimate interest. | Must be necessary and proportionate. Cannot be used as a backdoor for profiling. |
| B2B direct marketing to relevant contacts | GDPR Recital 47: direct marketing can constitute a legitimate interest. Soft opt-in for existing contacts. | Must be for relevant products/services. Must provide easy opt-out. Does NOT work for B2C cold marketing or cold email to individuals. |
| Internal analytics (pseudonymised, aggregated) | Product improvement is a legitimate interest. EDPB accepts pseudonymised analytics under LI where data subjects would expect it. | Must be pseudonymised or aggregated. No individual-level profiling. No sharing with third parties. |
| Intra-group data transfers | WP29 Opinion 06/2014: group companies sharing data for internal administration can rely on LI. | Must document the group structure and shared purposes. An intra-group data processing agreement or BCRs are still required for international transfers. |
| Customer support and complaint handling | Processing data to resolve a complaint is necessary for a legitimate interest (and often also necessary for contract/legal obligation). | Retain records only as long as needed for legal claims. Usually 3-6 years. |
When Legitimate Interests Does NOT Work
| Processing Activity | Why LI Fails | Use Instead |
|---|---|---|
| Placing tracking/analytics cookies on devices | ePrivacy Directive Art. 5(3) requires consent for cookies regardless of GDPR lawful basis. LI does not override ePrivacy consent. | Consent (cookie banner) |
| Targeted advertising / behavioural profiling | EDPB Guidelines 8/2020: LI is not available for processing that involves systematic profiling, tracking, or behavioural advertising. | Consent |
| Selling data to third parties | Clearly fails the balancing test. Data subjects do not reasonably expect their data to be sold. | Explicit consent |
| Special category data (health, biometrics, religion, etc.) | LI (Art. 6(1)(f)) alone is insufficient. Art. 9(2) requires a separate additional basis. | Explicit consent (Art. 9(2)(a)) or other Art. 9(2) grounds |
| Cold B2C email marketing | GDPR Recital 47 explicitly says LI for direct marketing must consider reasonable expectations. Consumers don't expect cold emails from companies they've never interacted with. | Consent |
| Automated profiling for significant decisions | Art. 22 GDPR restricts solely automated decisions. LI cannot override Art. 22 rights. | Explicit consent, contract necessity, or legal obligation (as applicable) |
The 3-Step Legitimate Interests Assessment
Step 1: Purpose Test — Is There a Legitimate Interest?
The interest must be:
- Lawful — not prohibited by any law
- Real and present — not speculative or hypothetical
- Sufficiently specific — "we want to improve our business" is too vague. "We analyse pseudonymised feature usage data to prioritise product roadmap" is specific enough.
Commercial interests qualify. Security interests qualify. Public interest purposes can qualify. The WP29 (now EDPB) has confirmed fraud prevention, network security, and intra-group data transfers as legitimate interests.
Step 2: Necessity Test — Is Processing Necessary?
"Necessary" has a specific meaning under EU law — it doesn't mean "useful" or "convenient". It means the processing is a proportionate means of achieving the purpose and there is no less intrusive alternative that would work as well.
Ask:
- Can we achieve the same result with anonymised or aggregated data?
- Can we use a different lawful basis that's more appropriate (e.g., consent for optional analytics)?
- Are we collecting only the minimum data categories necessary for this purpose?
- Could we achieve this with individual-level data from fewer users?
If there's a less intrusive alternative that works, the processing is not necessary and LI is not available.
Step 3: Balancing Test — Do Data Subject Interests Override?
This is where most LI assessments fail because they treat it as a formality. The balancing test requires genuine analysis of:
| Factor | Questions to Ask |
|---|---|
| Reasonable expectation | Would a reasonable person in the data subject's position expect this processing? Context matters: an existing customer expects you to use their data to improve the product they paid for. A prospect expects basic CRM. A website visitor does not expect deep behavioural profiling. |
| Nature of the data | More sensitive = higher threshold. Special category data tips the balance against LI almost automatically. Technical data (IP, browser) is lower sensitivity than financial or health data. |
| Impact on data subjects | Certain vs probabilistic. Individual vs collective. Reversible vs irreversible. Financial or physical harm vs mild inconvenience. |
| Vulnerable individuals | Children require heightened protection (GDPR Recital 38). Processing data of children under LI should be avoided unless there's a compelling specific justification. |
| Safeguards | Pseudonymisation, access controls, retention limits, opt-out mechanisms — all shift the balance. The more safeguards, the more likely the balance tilts toward the controller. |
LIA Documentation: What to Write Down
The ICO's LIA template and the EDPB's guidance both indicate that a documented LIA should capture:
- The processing activity name and description
- The controller's identified legitimate interest(s)
- Why the processing is necessary (necessity analysis + alternatives considered)
- The balancing test analysis (expectation, impact, safeguards)
- The conclusion and whether processing proceeds
- Privacy notice disclosure commitment (Art. 13/14)
- How the Art. 21 objection right is made available
- Review date
This document should be stored in your compliance register alongside your Record of Processing Activities (RoPA). If a DPA investigates a complaint about this processing, the LIA is your primary defence.
The Art. 21 Objection Right
When you rely on legitimate interests, data subjects have an unconditional right to object under Art. 21(1). Once they object, you must stop processing unless you can demonstrate compelling legitimate grounds that override their interests, or the processing is for legal claims.
Practically, this means:
- Your privacy notice must clearly disclose LI processing and the right to object
- There must be a practical mechanism to exercise the objection right (email to privacy@, preference centre, account settings)
- When someone objects, you must stop processing their data for that activity
- You must log objections and ensure systems respect them
Failing to facilitate the Art. 21 right is itself a GDPR violation — separate from whether LI was correctly used as the lawful basis.
Common SaaS Mistakes
- Using LI as a blanket catch-all — "We rely on legitimate interests for all our data processing" is a red flag. LI requires activity-specific analysis.
- Not documenting the LIA before processing begins — the assessment must be done prospectively, not retroactively when a complaint arrives.
- Failing to disclose LI processing in the privacy notice — Art. 13/14 require disclosure of the lawful basis and the legitimate interest pursued.
- Using LI for cookies — cookies require consent under ePrivacy regardless of your GDPR lawful basis choice.
- Not providing the Art. 21 objection mechanism — disclosure of the right in a privacy policy is not sufficient; there must be a practical way to exercise it.
Generate your LIA with our GDPR LIA Generator — it walks through all three steps and produces a documented assessment ready for your compliance register.
⚠️ This guide is for informational purposes and does not constitute legal advice. The applicability of legitimate interests as a lawful basis is a legal determination that depends on the specific facts of your processing activities. Consult a qualified data protection lawyer.