Legitimate Interest

Definition

A flexible lawful basis under GDPR Article 6(1)(f) allowing processing when necessary for legitimate interests pursued by the controller or third party, except where overridden by individual interests or fundamental rights. Legitimate interest involves a three-part test: identifying a legitimate interest (must be lawful, clearly articulated, and real), establishing that processing is necessary for that interest (couldn't reasonably achieve it another way), and balancing the interest against individual rights and freedoms. Common legitimate interests include fraud prevention, network security, direct marketing to existing customers, internal administration, and improving services. Legitimate interest provides flexibility but requires careful assessment and documentation. Organizations must conduct legitimate interest assessments (LIAs), balance organizational needs against individual impact, provide transparency about reliance on legitimate interests, and honor objection rights. Legitimate interest can't be used for everything—it requires genuine balancing.

Applicable Laws & Regulations

  1. GDPR Article 6(1)(f) - Legitimate interests basis
  2. GDPR Recital 47-49 - Legitimate interests considerations
  3. EDPB Guidelines on Article 6(1)(b) and (f)
