Data Protection: How to Justify Legitimate Interest as a Legal Basis for Processing
Key Takeaway
Legitimate interest is one of the legal bases for processing personal data. Identifying legitimate interest as a legal basis requires conducting an analysis to justify the lawfulness of the processing.
When a company plans to launch a new website or a new service that requires the collection of personal data, one of the tasks is to identify the purpose of each data processing operation and then determine the legal basis applicable to each of them. The General Data Protection Regulation (GDPR) sets out six legal bases for processing personal data, including “legitimate interest.” (1)
Far from being a shortcut or a default option, identifying legitimate interest as the legal basis for processing requires conducting an analysis to justify the lawfulness of the data processing.
The purpose of this article is to outline the meaning of legitimate interest in the context of personal data processing, the methodology provided by the French Data Protection Authority (CNIL) for assessing legitimate interest, the application of this legal basis to processing carried out by AI systems, and finally, how courts have interpreted it in recent decisions.
1. What Is Legitimate Interest?
1.1 Legitimate Interest as a Legal Basis for Processing
To be lawful, any personal data processing must be carried out for a specific purpose and rest on a defined legal basis, the controller’s legitimate interest being one of the options listed in Article 6 GDPR. The legal basis must be identified before the processing is implemented, not retrofitted afterwards.
If the legal basis is incorrectly identified, or if the processing has no valid legal basis at all, the processing is unlawful. The data controller may then face an administrative fine of up to EUR 20 million or, for an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher, pursuant to Article 83(5) GDPR.
Article 6(1) GDPR provides that: “Processing shall be lawful only if and to the extent that at least one of the following applies: (…) (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. (…)”
Legitimate interest cannot be used as a legal basis for processing carried out by public authorities in the performance of their tasks.
The challenge, therefore, lies in correctly identifying the legal basis for the processing and properly understanding the notion of legitimate interest.
1.2 Criteria for Assessing Legitimate Interest
To rely on the controller’s legitimate interest as a legal basis, three conditions must be met:
a) The processing must pursue a “legitimate” interest. What constitutes a legitimate interest is not defined as such; it must be assessed on a case-by-case basis, with examples provided by case law (see below) helping to illustrate its nuances.
An interest may be presumed legitimate if it is clearly lawful, sufficiently specific and well-defined, and real and present (i.e., not hypothetical) for the organization.
Legitimate interest may be considered justified in the following examples: processing customer data for commercial management purposes (order processing); processing necessary for commercial prospecting operations (informing an existing customer base about the launch of new or similar products or services); processing to ensure network security or to prevent fraud; processing employee data for internal administrative or HR management purposes.
b) Legitimate interest is justified only if the processing is necessary.
c) The controller’s interest must not be overridden by the interests, fundamental rights, and freedoms of the individuals whose data are processed, taking into account their “reasonable” expectations. (2)
The rights of individuals, namely their fundamental rights and freedoms, must be weighed against the controller’s legitimate interest. In particular, individuals whose data are processed should not be surprised by the conditions under which the processing takes place. This criterion must be assessed in context. For example, an employee would not be surprised to receive communications from his company’s works council.
Where this balancing shows that individuals’ fundamental rights and freedoms outweigh the legitimate interest pursued, the individuals’ rights prevail and legitimate interest cannot serve as the legal basis.
Specific care must be taken when assessing the lawfulness of this legal basis where personal data relate to children or vulnerable individuals.
2. The CNIL’s Methodology for Defining Legitimate Interest
The CNIL provides a methodology for assessing the validity of legitimate interest as a legal basis for processing. This methodology must be applied in all situations, even when the legitimate interest appears obvious.
This methodology is based on the three conditions outlined above, namely:
- Identifying the “legitimate” nature of the interest pursued by the controller and verifying the necessity of the processing in light of that objective;
- Assessing the impact on individuals’ interests, rights, and freedoms, and taking into account their reasonable expectations regarding the processing of their personal data;
- Weighing these factors and, where necessary, implementing additional measures (for example, an unconditional right to object or a limited retention period).
The CNIL recommends documenting this assessment to facilitate demonstrating the validity of the processing’s legal basis in the event of an audit.
3. Legitimate Interest in AI-Based Data Processing
On June 19, 2025, the CNIL published a new recommendation on the use of legitimate interest as a legal basis for developing an AI system involving the collection of personal data. (3)
The use of legitimate interest for AI systems is subject to the same conditions: the legitimacy of the interest, the necessity of the processing, and ensuring that the objective pursued does not jeopardize individuals’ rights and freedoms.
a) Legitimacy of the interest may be presumed in cases where the development of an AI system aims to:
- conduct scientific research;
- facilitate public access to certain information;
- develop new systems and features for users of a service;
- offer a conversational agent service to assist users;
- improve a product or service to enhance its performance;
- detect fraudulent content or behavior.
A commercial interest may constitute a legitimate interest, provided it is lawful and the processing is necessary and proportionate.
The interest pursued must be defined with sufficient precision and communicated to individuals as part of the controller’s transparency obligations.
For general-purpose AI (GPAI) systems whose precise use is not known in advance, the CNIL recommends referring to the objective underlying the model’s development (for example, commercial, public, scientific research, etc.).
b) The necessity of the processing requires ensuring that the intended processing actually allows the interest pursued to be achieved, and that no means less intrusive for individuals’ privacy would achieve the same result.
The controller must also take into account the principle of data minimization, to the extent possible and considering the state of the technology.
c) Finally, the organization must ensure that the objective pursued does not threaten individuals’ interests, rights, and freedoms. To do so, the controller must balance its own interests against those of the individuals concerned by assessing both the anticipated benefits of the processing and its potential impact on individuals.
The greater the expected benefits of the processing, the more likely it is that the controller’s legitimate interest will outweigh individuals’ rights and freedoms.
4. How the Courts Interpret Legitimate Interest
Legitimate interest is often invoked by organizations when the lawfulness of their processing activities is challenged in litigation.
Several CNIL decisions and court rulings have been issued, helping to clarify the concept. Below are examples of recent decisions that illustrate situations in which the legitimate interest relied upon for processing was contested.
In a decision from December 2020, the French Council of State (Conseil d’État) held that the processing carried out by CDiscount, namely, retaining customers’ bank card numbers after an online purchase to facilitate future purchases (“one-click payment”), could not be justified on the basis of legitimate interest, confirming the CNIL’s deliberation of September 6, 2018.
According to the judges, legitimate interest “cannot prevail over the customers’ interest in protecting this data, given the sensitivity of banking information and the potential harm resulting from its interception or misuse, and considering that many customers who use e-commerce websites for occasional purchases cannot reasonably expect companies to retain such data without their consent.” (4)
The retention of customers’ bank card numbers is not unlawful per se, provided that it is based on the customers’ consent.
In a decision dated February 2, 2024, the French Council of State upheld the legitimate interest of the Catholic Church in maintaining its baptism register, including storing data on baptized individuals even after their death. In this case, the Church’s legitimate interest in retaining data on baptized persons prevailed over the data subjects’ right to erasure. However, a baptized person may still exercise their right to object by requesting that the register include a note stating their decision to sever any religious affiliation. (5)
On May 22, 2025, the Chambéry Court of Appeals ordered Google to delete a Google My Business (GMB) listing, rejecting legitimate interest as the legal basis for the processing. In this case, a dentist sued Google for unlawful data processing by the GMB service. To respond to user reviews left on a GMB listing, professionals must create a Google account. Google argued that this processing was based on legitimate interest, specifically the right of search-engine users to information. The court found, however, that requiring a professional to create an account, even a free one, in order to respond to reviews served Google’s commercial development. The legitimate interest invoked was therefore not justified, rendering the data processing unlawful. (6)
Finally, in a decision issued on July 31, 2025, the French Council of State invalidated the legitimate interest relied upon for processing customers’ courtesy titles (“Monsieur” / “Madame”) by SNCF Connect. When travelers purchased train tickets online through the SNCF website, they were required to provide their courtesy title.
According to the judges, “while it is true that processing the data ‘Monsieur’ or ‘Madame’ enables the company to address the individual in a customary manner, (…) the same result could have been achieved (…) by allowing customers to provide their courtesy title on an optional rather than mandatory basis. (…) The interest linked to the performance of certain specific services offered by SNCF Connect could not justify the entire processing at issue. Consequently, this processing could not be considered strictly necessary to achieve a legitimate interest.” (7)
Legitimate interest is often selected as a legal basis by data controllers, sometimes by default or out of convenience. However, legitimate interest must be justified through an analysis based on the three conditions outlined by the CNIL, and that analysis should be documented. If the legitimate interest cannot be demonstrated, the controller must rely on another legal basis, such as the data subject’s consent or the performance of a contract.
(1) Article 6(1) of the General Data Protection Regulation (GDPR) (“Lawfulness of processing”) sets out the six legal bases for processing personal data: consent, performance of a contract, compliance with a legal obligation, protection of the vital interests of the data subject, performance of a task carried out in the public interest, and legitimate interest.
(2) According to Recital 47 of the General Data Protection Regulation (GDPR), the data subject must reasonably expect, at the time and in the context of the collection of their data, that such data may be processed.
(3) CNIL recommendation (in French): “IA : Mobiliser la base légale de l’intérêt légitime pour développer un système d’IA” (AI: relying on the legal basis of legitimate interest to develop an AI system)
(4) CE, December 10, 2020, No. 429571
(5) CE, February 2, 2024, No. 461093
(6) CA Chambéry, May 22, 2025, No. 22/01814
(7) CE, July 31, 2025, No. 452850
Bénédicte DELEPORTE
Avocat
Deleporte Wentz Avocat
www.dwavocat.com
November 2025