The legitimate interest of the controller, referred to in Article 6(1)(f) of the GDPR, is one of the most frequently used bases for processing personal data in marketing activities. Its attractiveness stems from its relative flexibility and from the fact that no prior consent from the data subject is needed. However, the application of this basis is not unlimited and in many cases proves insufficient or even unacceptable.
Failure to meet the balance of interests test
The condition for the lawfulness of data processing based on a legitimate interest is to conduct a so-called balancing test, which consists of comparing the controller's interest with the rights and freedoms of the data subject.
Marketing cannot be based on this legal basis if:
- the interference with an individual's privacy is excessive,
- the data subject cannot reasonably expect such processing,
- processing leads to disproportionate effects (e.g. highly intrusive profiling).
In practice, this means that the more intense and automated the form of marketing, the more difficult it is to justify it in the interests of the controller.
Objection by the data subject
Pursuant to Article 21(2) of the GDPR, the data subject has the right to object at any time to the processing of his or her data for direct marketing purposes.
The effect of the objection is absolute – the controller loses the legal basis for further processing of the data for this purpose. In such a situation, invoking a legitimate interest becomes irrelevant.
Electronic marketing requiring consent
In many cases, specific regulations exclude the possibility of using legitimate interest as a basis for marketing. This applies in particular to:
- sending commercial information electronically (e-mail, SMS),
- use of end-user devices (e.g. telemarketing, marketing cookies).
In such situations, it is necessary to obtain prior consent under sector-specific regulations (e.g., Telecommunications Law or the Act on the Provision of Electronic Services). Even if data processing itself could be justified by the controller's interests, the absence of consent for a specific communication channel renders the action illegal.
Profiling with significant consequences for the person
Where marketing activities involve profiling that leads to decisions which have significant consequences for an individual or similarly affect that individual, the application of legitimate interest may not be sufficient.
In particular, this applies to:
- segmenting customers in a way that leads to discrimination,
- dynamic pricing (price discrimination),
- automatically rejecting offers or access to services.
In such cases, additional legal bases and specific information obligations are required.
Processing of sensitive data
Special categories of data (e.g. relating to health, political opinions or sexual orientation) cannot, in principle, be processed for marketing purposes based on legitimate interests.
Their processing requires compliance with Article 9(2) of the GDPR, most often in the form of the data subject's express consent. Attempting to base marketing on the controller's interests in this regard should be considered unacceptable.
Lack of transparency and information obligations
The controller cannot effectively rely on a legitimate interest if it has not fulfilled its information obligations towards the data subject.
In particular, this applies to:
- failure to inform about the marketing purpose,
- lack of indication of the legal basis,
- failure to indicate the right to object.
The lack of transparency leads to a violation of the principle of fairness and transparency of processing, which undermines the legality of the entire process.
Obtaining data in violation of the law
If personal data were obtained in a manner contrary to the law (e.g. purchase of an illegal database), the controller cannot "cure" the processing by invoking a legitimate interest.
The legality of the basis for processing does not eliminate the defectiveness of the data source.
Legitimate interest is a useful tool in marketing activities, but its use requires careful consideration on a case-by-case basis. It is not a universal or default basis.
In particular, it will not apply in the case of:
- an objection by the data subject,
- violation of specific provisions,
- excessive interference with privacy,
- processing of sensitive data,
- lack of transparency or of a lawful source of data.
Consequently, controllers should treat this basis as an exception requiring justification, and not as a basic tool for legalizing marketing activities.
This article is for informational purposes only and does not constitute legal advice.
Legal status as of April 15, 2026.
