Does your legitimate interest hold up?

Run the three-part GDPR test — purpose, necessity, and balancing — and get an AI-powered analysis of your Art. 6(1)(f) lawful basis with documentation guidance.

15 questions
~4 minutes
AI-powered analysis
GDPR Art. 6(1)(f)

Based on: Regulation (EU) 2016/679 — GDPR, Art. 6(1)(f) ↗

Legitimate Interest Assessment

Run the three-part GDPR test — purpose, necessity, and balancing — and get an AI-powered analysis of your Art. 6(1)(f) lawful basis with a structured LIA record ready for your DPA.

Step 1 of 6 — Processing Activity

Tell us about the processing activity

Describe the processing for which you want to rely on legitimate interests as a lawful basis under GDPR Art. 6(1)(f).

Step 2 of 6 — Purpose Test

Is the purpose legitimate?

The GDPR requires a legitimate interest that is lawful and clearly defined. Under Recitals 47–49 and Art. 6(1)(f), the interest must be genuine, and the purpose must not override the fundamental rights of data subjects.

Is the purpose of the processing clearly and specifically defined before processing begins?
Art. 5(1)(b) — purpose limitation. Vague purposes such as "business improvement" are insufficient.
Is the interest a genuine business or organisational interest — not purely hypothetical?
Recital 47: examples include direct marketing, fraud prevention, IT security, and intra-group transfers. Courts and DPAs require a real, existing interest.
Is a public authority relying on legitimate interests to perform its public tasks?
Art. 6(1)(f): public authorities cannot rely on legitimate interests for tasks carried out in performance of their public duties. Answer Yes if this applies — it is a disqualifying factor.
Is the purpose compatible with the original purpose for which the data was collected (if applicable)?
Art. 6(4) + Recital 50: secondary use must be compatible. Consider: the link between purposes, the context of collection, the nature of the data, the consequences for data subjects, and the safeguards in place.

Step 3 of 6 — Necessity Test

Is the processing necessary and proportionate?

Under Art. 6(1)(f) and Recital 47, processing must be necessary to achieve the purpose. A less privacy-intrusive alternative that achieves the same result makes legitimate interests unavailable.

Is the processing actually necessary to achieve the purpose — not merely useful or convenient?
The EDPB guidance (WP217, Opinion 6/2014) requires a direct and reasonably necessary link. Ask: could the purpose be achieved without this processing?
Is the minimum amount of personal data used — no more than what is needed for the purpose?
Art. 5(1)(c) — data minimisation. Collecting full profiles when only email addresses are needed would undermine the necessity test.
Have you considered and rejected less intrusive alternatives that could achieve the same purpose?
EDPB guidance requires a consideration of alternatives. Document why they were rejected — e.g. consent was impractical, anonymisation insufficient.
Is data retained only for as long as necessary to fulfil the stated purpose?
Art. 5(1)(e) — storage limitation. Indefinite retention is incompatible with the necessity test and undermines the balancing test.

Step 4 of 6 — Balancing Test

Do data subjects' interests override yours?

Art. 6(1)(f) requires that your interests do not override the interests, rights, and freedoms of data subjects — particularly where they have no reasonable expectation of processing.

Would data subjects reasonably expect this type of processing given the context of collection?
Recital 47: reasonable expectations are key. Customers buying a product may expect direct marketing; cold prospecting from scraped data is far less expected.
Does the processing involve vulnerable individuals (e.g. children, patients, financially distressed)?
Vulnerability significantly increases the weight given to individuals' interests in the balance; children are always considered vulnerable (Recital 38).
Could the processing cause material harm, distress, or discrimination to data subjects?
Art. 6(1)(f) + EDPB: the nature and seriousness of potential impact matters. Financial loss, physical harm, or reputational damage weigh heavily against the controller.
Is the processing large-scale, does it involve profiling, or does it use automated decision-making?
Scale, profiling, and automation amplify the impact on individuals and tip the balance away from the controller. Art. 22 applies to solely automated decisions that produce legal or similarly significant effects.

Step 5 of 6 — Safeguards & Rights

What safeguards are in place?

Safeguards can tip the balance in your favour. The presence of an opt-out mechanism, clear privacy notice, and documented LIA significantly strengthen the lawful basis.

Is data subjects' right to object (opt-out) clearly communicated and easy to exercise?
Art. 21(1): data subjects must be informed of the right to object. For direct marketing, the right to object is absolute and an opt-out must be presented at the first communication (Art. 21(2)–(3)).
Is the processing activity and its lawful basis disclosed in your privacy notice (Art. 13/14)?
Art. 13(1)(c) / 14(1)(c): you must disclose the legitimate interest pursued in the privacy notice. Generic statements do not meet this requirement.
Is this LIA (or equivalent assessment) documented and kept on record for accountability purposes?
Art. 5(2) accountability principle: controllers must be able to demonstrate compliance. A documented LIA is your key evidence if challenged by a DPA or data subject.

Step 6 of 6 — Get your results

Our AI assesses all three tests against GDPR requirements and generates your report.
Sample LIA Result

Overall LIA Score: 72
Your legitimate interest basis shows reasonable foundations but requires strengthening in several areas before relying on Art. 6(1)(f).

Purpose Test: 70
- Purpose definition needs to be more specific
- Genuine business interest identified

Necessity Test: 68
- Alternatives analysis not yet documented
- Data minimisation appears adequate

Balancing Test: 74
- Reasonable expectations analysis incomplete
- Low harm potential strengthens the balance

Top recommendations

1. Document a specific purpose statement that links the processing activity to a concrete legitimate interest — avoid generic language.
2. Complete a written alternatives analysis explaining why less intrusive options (e.g. consent, anonymisation) were not feasible.
3. Ensure your privacy notice identifies the specific legitimate interest pursued and clearly communicates the right to object.

Key GDPR references

Art. 6(1)(f) + Recital 47
Legitimate interests processing requires a three-part test: legitimate purpose, necessity, and a balancing exercise.

Art. 13(1)(c) / 14(1)(c)
The specific legitimate interest pursued must be disclosed in the privacy notice — generic statements are non-compliant.

Art. 21(1) — Right to object
Data subjects must be clearly informed of their right to object, and it must be easy to exercise at any time.

This assessment is generated using AI (Claude by Anthropic) and is for informational purposes only. It does not constitute legal advice or a formal LIA document. Always involve qualified legal counsel before relying on Art. 6(1)(f). See our Privacy Policy for details on data handling.

Need a full GDPR compliance review?

Our GDPR Gap Assessment covers your entire processing register — ROPAs, lawful bases, DPIAs, data subject rights, and third-party transfers — with a personalised roadmap.
Informational use only. This tool is provided for awareness purposes to help businesses understand their current situation regarding EU regulations. It does not constitute legal, regulatory, or professional advice. Results are indicative only and should not be relied upon as a substitute for qualified legal counsel. Verdaio accepts no liability for decisions made based on this tool’s output. Your inputs are processed ephemerally and are not stored or used for model training.