Legitimate interest remains one of the most frequently used legal bases under the GDPR; however, supervisory authorities are scrutinising its applicability with increasing rigour. Drawing on the lessons of dozens of cross-border cases, the new OSS Case Digest published by the European Data Protection Board (EDPB) sets out the criteria by which European data protection authorities assess whether a legitimate interest exists and whether the balancing test is adequate. In many respects, the decisions are consistent with the practice of the Hungarian National Authority for Data Protection and Freedom of Information (NAIH), and they also provide important guidance for Hungarian data controllers as to when reliance on legitimate interest as a legal basis for processing may be regarded as sufficiently substantiated. Our article presents the most important European trends and their practical implications for Hungarian businesses.
The European Data Protection Board (EDPB) has published the first edition of its One-Stop-Shop (OSS) Case Digest specifically addressing the application of legitimate interest as a legal basis under Article 6(1)(f) GDPR. The document illustrates how European data protection authorities interpret and apply legitimate interest as a legal basis for processing through the analysis of supervisory authority decisions adopted in 62 cross-border cases, as well as 5 EDPB decisions.
Although the publication is based on decisions adopted within the GDPR’s so-called One-Stop-Shop mechanism – meaning that it only includes cases with cross-border relevance – the principles reflected therein are also of particular importance for Hungarian data controllers. Indeed, the trends identified by the EDPB are, in many respects, aligned with the practice developed by NAIH in recent years.
Legitimate interest remains flexible, but it is not a catch-all “safety net”
One of the key messages of the analysis is that legitimate interest remains one of the most flexible legal bases for processing, but it cannot be applied automatically in situations where no other legal basis is available.
The publication emphasises that the application of Article 6(1)(f) GDPR requires the cumulative fulfilment of three conditions:
- the controller or a third party must pursue a genuine and lawful interest;
- the processing must be necessary for the purposes of pursuing that interest; and
- the interests, fundamental rights and freedoms of the data subjects must not override the interest pursued by the controller (or the third party).
The decisions clearly demonstrate that supervisory authorities are examining the fulfilment of all three elements in increasing detail.
A general reference to legitimate interest is not sufficient
One recurring issue identified in the examined cases was that controllers were unable to properly define the precise legitimate interest on which the processing was based. In several cases, supervisory authorities found that interests formulated in overly general terms not only failed to satisfy the requirements applicable to the balancing test but also infringed the transparency requirements imposed by the GDPR.
A business interest may also qualify as a legitimate interest
The analysis specifically refers to the recent preliminary ruling of the Court of Justice of the European Union in Case C-621/22 (Koninklijke Nederlandse Lawn Tennisbond), which addressed the question of whether a national sports federation could rely on legitimate interest in connection with processing operations involving the sale of its members’ personal data to sponsors. In its judgment, the Court confirmed that even a purely commercial interest may qualify as a legitimate interest. However, this does not mean that the controller will automatically succeed in the balancing test. In several cases, supervisory authorities emphasised that a purely economic interest will often carry less weight than the protection of the data subjects’ fundamental rights and freedoms.
Stricter expectations regarding the assessment of necessity
One of the most important lessons emerging from the decisions is that authorities are assessing with growing rigour whether the given processing activity is genuinely necessary for achieving the specified purpose. In several cases, reliance on legitimate interest was rejected because the controller was unable to demonstrate that no less data-intensive alternative existed that would interfere to a lesser extent with the data subjects’ right to privacy. The decisions send a clear message to controllers that, where they intend to rely on legitimate interest as a legal basis, they must be able to demonstrate, even before commencing the processing, that no alternative solution is available that would have a less intrusive impact on the data subjects’ private sphere. Accordingly, the assessment and documentation of alternatives are expected to receive even greater attention in future supervisory investigations.
Great – or at least reasonable – expectations…
Based on the decisions analysed in the publication, it can be established that the assessment of data subjects’ reasonable expectations is playing an increasingly prominent role in the balancing test. Authorities examine whether, considering the relationship between the data subject and the controller, the data subject could reasonably expect the processing in question.
In practice, situations may be particularly problematic where:
- data are used for purposes other than those for which they were originally collected;
- data are disclosed to third parties without adequate information being provided; or
- processing is carried out in a hidden or misleading manner.
One of the most interesting topics addressed in the analysis concerns the practice of so-called “shadow banning”, where an online platform restricts the visibility of users’ content without informing them thereof. From a data protection perspective, such practices do not correspond to the reasonable expectations of data subjects and infringe the requirement of transparency; therefore, in most cases, they are likely to be considered unlawful.
The primary case examined in this context concerned the processing activities of an online marketplace operator that reduced the visibility of certain users’ advertisements without informing the affected users thereof. The purpose of the platform was to curb abusive conduct and increase the security of the service. The supervisory authority acknowledged that maintaining platform security and filtering abusive user behaviour could constitute a lawful interest. Accordingly, the authority did not dispute the existence of a legitimate interest; rather, it found that the processing failed to satisfy the requirements of necessity and proportionality, since users were not informed that the platform was algorithmically restricting the visibility of their content. As a result, the data subjects could not understand the essence of the processing concerning them, challenge its lawfulness, or exercise their rights under the GDPR.
Legitimate interest as “Plan B” – a risky strategy
The analysis also addresses the question of whether a controller may subsequently rely on legitimate interest where the legal basis originally applied proves to be inappropriate. In most of the cases examined, supervisory authorities did not accept such an approach. According to their position, the rights of data subjects are infringed where the controller subsequently changes the legal basis for the processing, particularly where the data subjects were not properly informed and were unable to exercise their right to object. Nevertheless, it should also be noted that, in one case, the authority – in light of exceptional circumstances – did accept the subsequent modification of the legal basis. Therefore, although this cannot be regarded as general practice, it may still be worth considering as a last-resort solution in disputed cases where no other option remains viable.
Practical takeaways
One of the key messages of the analysis is that authorities are becoming increasingly reluctant to accept generic and/or entirely template-based justifications regarding necessity. In addition, where processing is based on legitimate interest, particular emphasis must be placed on:
- the precise and properly documented identification of the legitimate interest;
- the prior preparation of an adequate balancing test;
- the identification and assessment of alternative solutions; and
- considering the reasonable expectations of data subjects.
Although legitimate interest will continue to remain a widely applicable legal basis, the decisions demonstrate that authorities are placing increasing emphasis on the thorough documentation of the three-step test and the effective protection of data subjects’ rights. The analysis clearly conveys that legitimate interest cannot be regarded as a “default” legal basis. Controllers must, in every case, be able to demonstrate that the interest invoked is genuinely legitimate, that the processing is necessary, and that the rights of the data subjects do not take precedence under the given circumstances.
This approach is fully consistent with the practice of NAIH, which has repeatedly emphasised that the applicability of legitimate interest as a legal basis must be substantiated by the controller in a documented manner in advance, and that the mere existence of a balancing test is not sufficient – its substantive content is at least equally important. This is particularly evident in relation to CCTV surveillance, where NAIH expects detailed reasoning regarding the necessity of the processing in respect of each individual camera, considering its precise field of view and other functionalities. The balancing test is therefore not merely a box-ticking administrative formality or a paperwork exercise to be completed on the basis of pre-prepared templates. In every case, the controller must carry out a genuine assessment tailored to the specific characteristics of the processing operation concerned, one that is capable of substantiating all three elements of the test for that particular operation.
Attention should be paid to processing operations involving customer profiling, marketing activities, fraud prevention, employee monitoring, or CCTV surveillance, as these areas are attracting heightened scrutiny from supervisory authorities both at the European and domestic level.