On November 7, 2025, through Resolution No. SPDP-SPD-2025-0041-R, the Data Protection Authority (hereinafter, “DPA”) issued Regulations for the Application of Legitimate Interest as a Lawful Basis for the Processing of Personal Data (hereinafter, the “Regulation”).

Compliance with the Regulation is mandatory whenever legitimate interest is relied upon as the lawful basis for processing personal data.

Below we highlight the most relevant aspects of the Regulation:

1. Characteristics of legitimate interest

The Regulation establishes that legitimate interest must be:

i. Lawful: the processing activity must not pursue a purpose that is prohibited by law.

ii. Certain and specific: it cannot be based on hypothetical circumstances and must be clearly identified, responding to concrete and verifiable needs.

iii. Proportionate: the processing must be adequate, necessary, timely, and not excessive.

iv. Within the data subject’s reasonable expectations: before carrying out the processing, the controller must provide the data subject with relevant information on the entire processing activity and must also include that information in the applicable privacy notice or policy.

2. Balancing Assessment

Any controller intending to rely on legitimate interest as a lawful basis must first carry out a balancing assessment with respect to the processing activity. This assessment, along with its outcome, must be available for review by the DPA and by data subjects.

The balancing assessment must determine whether the interest relied upon by the controller prevails over the rights and freedoms of the data subjects. Failure to carry out such an assessment constitutes a serious infringement under the Data Protection Law.

The balancing assessment must include the criteria set out in Annex 1 of the Regulation, which, among other aspects, requires:

i. Identification and justification of the legitimate interest.

ii. Justification of the necessity, demonstrating that the processing is indispensable to achieve the intended purpose and that no less intrusive means are available.

iii. A balance between the purpose pursued and the potential impact on the data subject’s rights.

iv. Implementation of technical, organizational, and mitigation measures, as well as documentation of the outcome of the assessment.

Controllers must maintain an up-to-date record of the balancing assessments they have performed. This record must be reviewed at least once a year, or whenever the purpose, the type of data, or the level of risk associated with the processing changes.

3. Permissible Scenarios

The DPA has limited the use of legitimate interest to the following purposes:

i. Direct marketing, provided that no special categories of data or children’s data are used and that a free and immediate mechanism to object to the processing is in place.

ii. Prevention, detection, and reporting of fraud, money laundering, terrorism financing, and related crimes.

iii. Internal data sharing within a corporate group, limited to legitimate purposes and subject to transparency towards data subjects.

iv. Security of networks and IT systems, through the implementation of appropriate technical and organizational measures.

v. Video surveillance for the security of individuals, property, or facilities. The capture or recording of audio is not permitted in systems relying on legitimate interest.

In all cases, each processing activity must pass the balancing assessment required under the Regulation. Data subjects may exercise their rights under the Data Protection Law at any time, in particular the rights to object and of access.

4. Prohibitions

Legitimate interest may not be relied upon in the following cases:

i. Processing of special categories of personal data, unless the processing is strictly indispensable and reinforced security measures are in place.

ii. Processing involving automated profiling that produces legal effects concerning the data subject or similarly significantly affects them, except in cases expressly provided for in the financial or insurance sectors, with additional safeguards.

iii. Processing of personal data of children or adolescents, unless it can be justified on the basis of the best interests of the child.

iv. Large-scale processing, or further use of personal data for purposes that are different from, or incompatible with, the original purpose.

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTE: The above text has been prepared for informational purposes. CorralRosales is not responsible for any loss or damage arising from action taken, or not taken, on the basis of the information contained in this document. Any specific additional situation requires the firm’s specific opinion and advice.