Legitimate Interest Assessment (LIA) Template
Three-part Legitimate Interest Assessment for Article 6(1)(f) processing: purpose test, necessity test, and balancing test — including documentation for supervisory authority review.
Quick Answer
A GDPR Legitimate Interest Assessment has three parts: a purpose test (is the interest real and legitimate?), a necessity test (is processing the minimum required?), and a balancing test (do individual rights override the interest?) — all must be documented.
Penalty if not compliant
Up to €20 million or 4% of global annual turnover; processing relying on legitimate interests without a documented LIA is vulnerable to challenge and enforcement action.
Frequently Asked Questions
What is a "legitimate interest" under GDPR?
The GDPR does not define it exhaustively. Examples include processing for fraud prevention, network security, direct marketing to existing customers, intra-group administrative purposes, and employee monitoring for security reasons — provided the balancing test is passed.
Can legitimate interests be used for marketing to new contacts?
Generally no for direct electronic marketing to consumers (PECR requires consent). For B2B marketing via post or phone, legitimate interests may apply. Always conduct a full LIA and offer an easy opt-out.
Is legitimate interest the same as business need?
No. A business need is not automatically a legitimate interest. The interest must be lawful, clearly articulated, and pass the necessity and balancing tests. "We need it to run our business" alone is insufficient.