HmbBfDI Publishes GDPR Legitimate Interest Questionnaire to Strengthen Compliance

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has published a structured questions catalog to help organizations perform a defensible “legitimate interests” assessment under the EU General Data Protection Regulation (GDPR). The resource is designed to guide controllers through the practical and documentation-heavy steps required when relying on GDPR Article 6(1)(f) as a legal basis for processing personal data.

Legitimate interest can be a powerful alternative to consent, but it is also one of the most commonly misunderstood GDPR legal bases. Regulators have repeatedly emphasized that it is not a “shortcut” and requires a disciplined evaluation of necessity, proportionality, and the impact on individuals’ rights. The HmbBfDI’s questionnaire is intended to make that evaluation more consistent, transparent, and audit-ready.

What “Legitimate Interests” Means Under the GDPR

Under GDPR Article 6(1)(f), a controller may process personal data when:

  • The controller (or a third party) has a legitimate interest that is specific and lawful,
  • The processing is necessary to achieve that interest, and
  • The controller’s interest is not overridden by the data subject’s interests, fundamental rights, or freedoms, with particular weight given to cases where the data subject is a child.

This framework is typically operationalized through a Legitimate Interests Assessment (LIA). An LIA is not a single checkbox. It is a documented analysis that shows the controller thought critically about why the processing is justified, what risks it creates, and what safeguards reduce those risks.

Why the HmbBfDI Questionnaire Is Important

Many organizations struggle with the same recurring problems when attempting an LIA:

  • Interests are described vaguely (e.g., “business purposes”) instead of being specific,
  • Necessity is assumed rather than tested against less intrusive options,
  • The balancing test is performed superficially, and
  • Documentation is too thin to withstand scrutiny from a regulator, auditor, or opposing counsel.

The HmbBfDI’s questions catalog directly addresses these gaps by forcing clarity. It functions like a structured checklist that encourages teams to identify the real purpose of the processing, confirm that the processing is proportionate, and demonstrate they evaluated the impact on individuals in a methodical way.

Who Should Use This Guidance

The questionnaire is relevant for any controller relying on legitimate interest, including:

  • Companies operating marketing, analytics, customer engagement, fraud prevention, and security workflows,
  • Employers handling workforce-related processing where consent may not be “freely given,”
  • Platforms and service providers processing data for service reliability, abuse prevention, and account security,
  • Nonprofits balancing outreach needs with privacy expectations, and
  • Public-sector entities that need consistent internal governance and documentation practices, bearing in mind that Article 6(1)(f) does not apply to processing carried out by public authorities in the performance of their tasks, so for that core activity another legal basis is required.

Even organizations that do not operate in Hamburg can use this as a strong reference point, because the requirements of Article 6(1)(f) are harmonized across the EU and are interpreted through supervisory authority guidance (including the EDPB’s Guidelines 1/2024 on processing based on Article 6(1)(f)), CJEU case law, and case-by-case enforcement.

How a Strong Legitimate Interests Assessment Typically Works

While organizations may structure LIAs differently, most defensible assessments align to three core steps. The HmbBfDI’s questionnaire is designed to support each of them.

1) Purpose Test: Identify the Legitimate Interest

This step clarifies what interest is being pursued and why it is legitimate. High-quality LIAs typically describe:

  • The concrete business or operational objective (not a generic goal),
  • Why that objective is lawful and reasonable, and
  • Whether a third party is involved and what interest they have.

Organizations often improve defensibility by being explicit about the processing context (for example, “account security and fraud detection in response to suspicious logins” rather than “security”).

2) Necessity Test: Is the Processing Proportionate?

Legitimate interest requires that the processing be necessary to achieve the interest. “Necessary” does not mean “helpful.” It means the controller should be able to explain why the objective cannot reasonably be achieved with less intrusive processing.

Common necessity questions include:

  • What specific data elements are processed, and are all of them required?
  • Could the same objective be achieved with less data, lower retention, or reduced granularity?
  • Are privacy-enhancing techniques possible (data minimization, pseudonymization, aggregation)?
  • Are there alternative legal bases that fit better for this purpose?

This is where many LIAs fail in practice, because teams treat necessity as self-evident rather than tested.

3) Balancing Test: Do Individuals’ Rights Override the Interest?

The balancing test is the heart of GDPR Article 6(1)(f). It requires an objective evaluation of the impact on people, including their reasonable expectations and the risk of harm. A defensible balancing test typically considers:

  • The nature of the data (basic identifiers versus special category data),
  • The relationship with the individual (customer, employee, prospect, minor),
  • Whether the processing would surprise the person in that context,
  • Whether profiling, tracking, or automated decisions are involved,
  • Potential consequences (exposure, discrimination, financial harm, intrusion), and
  • Safeguards that reduce risk (opt-outs, transparency, access controls, retention limits).

If the risks to individuals are substantial, legitimate interest may be inappropriate unless strong safeguards are in place, or the processing design is narrowed.

What Organizations Should Do Next

Organizations that rely on legitimate interest should treat the HmbBfDI’s questionnaire as an opportunity to standardize internal governance. Practical next steps include:

  • Map processing activities that currently rely on legitimate interest,
  • Run an LIA for each activity using a consistent internal template,
  • Document the purpose, necessity rationale, balancing factors, and safeguards,
  • Ensure privacy notices clearly explain the processing and name the legitimate interest relied upon, as Articles 13(1)(d) and 14(2)(b) require,
  • Implement an operational mechanism for the Article 21 right to object, which applies to all legitimate-interest processing and must be honored unconditionally where the processing is for direct marketing, and
  • Schedule periodic re-reviews, especially after product, vendor, or purpose changes.

Why This Matters for GDPR Audits and Enforcement Risk

Regulators increasingly expect organizations to demonstrate accountability with tangible evidence, not just policy statements. A structured LIA can serve as proof that the organization:

  • Selected a lawful basis thoughtfully,
  • Considered less intrusive alternatives,
  • Evaluated risks to individuals, and
  • Implemented controls to reduce privacy impact.

The HmbBfDI questionnaire reinforces a core GDPR reality: legitimate interest is viable, but only when organizations can show their analysis is rigorous, specific to the processing activity, and supported by meaningful safeguards.

The HmbBfDI’s release of a legitimate interest questions catalog is a practical compliance development for organizations that rely on GDPR Article 6(1)(f). By providing a structured pathway through the purpose test, necessity test, and balancing test, the questionnaire helps organizations reduce ambiguity, improve documentation quality, and strengthen defensibility in the event of complaints, audits, or regulatory inquiries.
