When conducting a legitimate interests assessment (LIA), consider these three questions to determine which processing activities might fit under this legal basis:

  1. What are the legitimate interests you are pursuing with this processing of personal information? Examples of processing that may be necessary for your legitimate interests include direct marketing, preventing fraud, and ensuring network and information security, including preventing unauthorized access. This is not a blanket rule; you still must conduct an LIA in the specific instance.
  2. How is this processing of personal information necessary to achieve those interests? 
  3. Do your users’ rights and interests override the legitimate interests you identified? Consider whether your users would reasonably expect how you are processing their personal information, and whether the processing of their personal information would cause your users unjustified harm. If your users would not reasonably expect the processing, or if it would cause them unjustified harm, their rights and interests might override your legitimate interests.

You should keep a record of your LIA as a means to demonstrate your compliance if needed. Your privacy policy must include details about your legitimate interests when applicable.