UK: A company claims 'legitimate interest' to process my data. Can I challenge this?
Yes, you can challenge a company's 'legitimate interest' claim under UK GDPR. You have the right to object at any time, and the company must stop processing unless it demonstrates compelling legitimate grounds that override your rights.
What the Law Says
The UK General Data Protection Regulation (UK GDPR) sets strict conditions for when an organisation may rely on 'legitimate interests' as a lawful basis for processing personal data — and gives individuals strong rights to challenge that reliance.
A company may only use 'legitimate interest' if it has conducted a Legitimate Interests Assessment (LIA) that balances its interests against your fundamental rights and freedoms. It must also inform you — typically in its privacy notice — that it is relying on this basis.
Under Article 21 of the UK GDPR, you have an absolute right to object to processing based on legitimate interests at any time. Once you object, the controller must stop processing unless it can demonstrate 'compelling legitimate grounds' that override your rights — a high bar.
The controller must respond to your objection without undue delay and within one month. This deadline can be extended by two further months where necessary, but the controller must inform you of the extension and the reasons for it within one month of receiving your objection.
Statutory Text: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling...
— UK GDPR, Art. 21(1) — Right to object
Statutory Text: Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
— UK GDPR, Art. 21(2) — Direct marketing exception
Statutory Text: The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject...
— UK GDPR, Art. 21(1) — Controller's burden
What to Do
Check the company’s privacy notice to confirm they cite 'legitimate interest' and identify the purpose (e.g., fraud prevention, direct marketing, IT security).
Send a clear written objection — email is acceptable — stating you are exercising your right to object under Article 21 UK GDPR and specifying the processing you object to.
If the company refuses or fails to respond within one month, complain to the Information Commissioner’s Office (ICO) using its online form.
You do not need to give a reason for your objection — it is your right, and the burden shifts to the company to justify continued processing.
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.