Free Legitimate Interest Assessment Template

LEGITIMATE INTEREST ASSESSMENT

UK GDPR Article 6(1)(F)  ·  ICO Three-part Test

This Legitimate Interest Assessment ("LIA") has been prepared by Jane Williams on behalf of Acme Solutions Ltd in accordance with Article 6(1)(f) of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, Recitals 47 and 48 to the UK GDPR, and the guidance of the Information Commissioner's Office (ICO) on legitimate interests (including the ICO Controllers Checklist and the three-part test endorsed by the Court of Justice in Rigas Satiksme (C-13/16) [2017] CJEU and Fashion ID (C-40/17) [2019] CJEU). It documents the three-part test — purpose test, necessity test, and balancing test — for the processing activity described below. The controller relies on this document to demonstrate compliance with the accountability principle in Article 5(2) UK GDPR.

Organisation (Controller): Acme Solutions Ltd
Assessor: Jane Williams
Date of Assessment: 2026-03-01
Processing Activity: Sending marketing emails to existing customers about related products and services
Categories of Personal Data: Names, Contact details

This record identifies the controller and the specific processing operation assessed, in line with Article 30 UK GDPR (records of processing activities) and Article 5(2) UK GDPR (accountability). Where special category data within the scope of Article 9 UK GDPR is involved, Article 6(1)(f) alone is insufficient and a separate Article 9(2) condition (read together with the substantial public interest conditions in Schedule 1 Part 2 of the Data Protection Act 2018) must also be identified.

The purpose test asks whether a legitimate interest is in fact being pursued. The interest must be real, specific, and lawful, consistent with Article 6(1)(f) UK GDPR and Recital 47 (interests of the controller, a third party, or the wider public). Recital 48 expressly recognises legitimate interests within a group of undertakings for internal administrative purposes. Where the controller pursues a further purpose, Article 6(4) UK GDPR requires a compatibility assessment with the original purpose for which the data were collected.

Legitimate Interest Pursued: We have a legitimate interest in sending targeted marketing communications to existing customers to promote products and services that are closely related to those they have previously purchased.

Purpose Category: Direct Marketing

Is the processing necessary for that purpose? Yes — the processing is necessary
Without processing customer purchase history and contact details, we cannot identify which products are relevant to each customer.

Are there less intrusive alternatives? Yes — alternatives considered and rejected
We considered only sending generic newsletters but this would be less effective and could result in more unwanted communications overall.

Where the purpose category is direct marketing, the controller acknowledges Recital 47's express recognition that processing for direct marketing purposes may be regarded as carried out for a legitimate interest, subject to the absolute right to object under Article 21(2)–(3) UK GDPR, and to the electronic marketing rules in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

The necessity test examines whether the processing is reasonably necessary to achieve the identified interest and whether the same outcome could be achieved by a less intrusive means. Necessity in this sense is not an absolute requirement of indispensability, but requires a close and substantial connection between the processing and the interest pursued (Rigas Satiksme, C-13/16 [2017] CJEU). The test also reflects the principle of data minimisation in Article 5(1)(c) UK GDPR.

Is the processing proportionate to the aim? Yes — proportionate to the aim
We only process the minimum data required (name, email, purchase history) to identify relevant product recommendations.

Could the same result be achieved without the processing? No — result cannot be achieved without the processing
Without analysing purchase history we would have to send blanket marketing to all customers, which would be less targeted and more intrusive.

Data actually needed: Customer name, email address, purchase history (product categories and dates), marketing consent status

Effectiveness of processing: Targeted marketing based on purchase history achieves a 15% higher engagement rate than untargeted communications, demonstrating its effectiveness.

The balancing test weighs the controller's legitimate interest against the interests, fundamental rights, and freedoms of the data subject under Article 6(1)(f) UK GDPR. Particular weight is given, per Recital 47, to the reasonable expectations of the data subject at the time and in the context of the collection of the personal data. The assessment takes into account the nature of the data (including any special categories within Article 9), the relationship with the subject, the reasonably foreseeable impact, and the availability of mitigating safeguards such as pseudonymisation, data minimisation, transparency, and opt-out mechanisms.

Nature of the data: Not sensitive / special category data

Relationship with data subjects: Existing customer

Reasonable expectations of data subjects: Customers who have purchased from us would reasonably expect to receive recommendations for similar products. Our privacy notice at point of purchase explains this use.

Impact on individuals: Positive: Customers receive relevant product information saving time. Negative: Some customers may find marketing communications unwanted. Risk of data breach could expose purchase history.

Safeguards implemented: Opt-out mechanism, Data minimisation, Transparency notice

Vulnerable data subjects: No

The controller notes that the right to object in Article 21(1) UK GDPR applies to processing based on legitimate interests and is absolute where the purpose is direct marketing (Article 21(2)–(3)). Where the processing involves profiling that produces legal or similarly significant effects on the data subject, Article 22 UK GDPR imposes additional restrictions and safeguards that cannot be satisfied by legitimate interests alone. Joint-controllership arrangements within the meaning of Article 26 are to be assessed in line with Fashion ID (C-40/17 [2019] CJEU), which confirms that each controller's legitimate interest must be identified separately.

Overall balance conclusion: Legitimate interests override individual rights

Final Decision: Proceed with safeguards

Conditions and Safeguards Applied:
1. Clear opt-out link in every email.
2. Monthly review of unsubscribe rates.
3. Data retention limited to 24 months of inactivity.
4. Annual review of this LIA.

Review Date: 2027-03-01
Approved By: Sarah Thompson, DPO

The outcome must be disclosed in the controller's privacy information under Article 13(1)(d) UK GDPR (where data are collected from the subject) or Article 14(2)(b) UK GDPR (where data are obtained from a third party), identifying both the legitimate interests pursued by the controller or a third party. Where the exemptions in Schedule 2 Part 2 of the Data Protection Act 2018 apply, the controller documents the specific paragraph relied upon. The assessment must be revisited before any material change in purpose, scope, technology, data categories, or risk profile.

Under the accountability principle (Article 5(2) UK GDPR), Acme Solutions Ltd must be able to demonstrate that its processing complies with data protection principles. This Legitimate Interest Assessment forms part of that accountability documentation alongside the Article 30 record of processing activities and, where triggered, any Data Protection Impact Assessment required under Article 35 UK GDPR.

Where the controller has designated a Data Protection Officer under Articles 37 to 39 UK GDPR, the DPO has been consulted on this LIA and its conclusions. This LIA will be retained on file and reviewed at the date specified above or whenever the processing activity, its purpose, scope, risk profile, or safeguards materially change. The controller acknowledges that the ICO may request this document as part of a regulatory investigation under sections 142–143 of the Data Protection Act 2018 (information notices) and that failure to demonstrate a proper Article 6(1)(f) analysis may, in the ICO's view, render the processing unlawful.