One of six lawful bases under GDPR Article 6 for processing personal data without requiring explicit consent. Processing on the basis of legitimate interest must satisfy a three-part test: the interest must be genuine and specific; the processing must be necessary for that interest; and the controller's interest must not be overridden by the data subject's rights and freedoms. AI use cases commonly relying on legitimate interest include fraud detection, network security, internal analytics, and product improvement. The legitimate interest basis requires a documented balancing test and cannot be applied retroactively if challenged.
Why this matters for your team
Legitimate interest is commonly misused as a catch-all legal basis when consent seems inconvenient. It requires a documented balancing test — you need to write it down, not just assume it applies. For AI analytics and profiling use cases, run the three-part test and keep the record in case of a regulatory inquiry.
A B2B SaaS company uses customer usage data to train a churn-prediction model, relying on legitimate interest as the legal basis — after documenting that the business interest in reducing churn outweighs the minimal privacy impact on users who have opted into the service.