European Union

A company says they need my data for 'legitimate interests'. Can I challenge this?

GDPR lawful basis: Art. 6(1)(f)
Right to object: Art. 21(1)
Response deadline: 72 hours
Objection cost: Free of charge

The Short Answer

Yes, you can challenge a company's 'legitimate interests' claim under EU data protection law — they must conduct and disclose a balancing test, and you have the right to object at any time.

What the Law Says

The General Data Protection Regulation (GDPR) permits processing personal data based on 'legitimate interests' — but only if those interests are not overridden by your rights and freedoms. Companies must justify this basis transparently and allow you to object.

Under Article 6(1)(f) of the GDPR, processing is lawful if it is 'necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.'

Crucially, the controller must carry out a 'balancing test' — weighing their interests against your rights — and document it. This assessment must be available upon request.

Article 21(1) gives you an absolute right to object 'at any time to processing of personal data which is based on point (e) or (f) of Article 6(1)' — including legitimate interests. Once you object, the controller must stop processing unless they demonstrate 'compelling legitimate grounds' that override your rights.

Controllers must inform you about legitimate interests processing at the time of data collection (Article 13(1)(d) and 14(1)(d)) and respond to objections without undue delay — and in any case within one month (Article 12(3)).

Statutory Text

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data

Regulation (EU) 2016/679, Art. 6(1)(f) — Lawfulness of processing

Statutory Text

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1)

Regulation (EU) 2016/679, Art. 21(1) — Right to object

Statutory Text

The controller shall provide information on action taken on a request under Articles 15 to 22 without undue delay and in any event within one month of receipt of the request

Regulation (EU) 2016/679, Art. 12(3) — Information and communication

What to Do

1. Check the company's privacy notice for their stated legitimate interests and balancing test summary.

2. Submit a clear written objection (email is sufficient), citing Article 21(1) GDPR.

3. If they refuse, ask for their 'compelling legitimate grounds' and supporting reasoning.

4. Lodge a complaint with your national data protection authority (e.g., CNIL in France, or the ICO in the UK; the UK is no longer in the EU, but similar rules apply post-Brexit). EU residents should use their local DPA.

5. You do not need to give a reason for your objection — it is unconditional under GDPR.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.