Legitimate Interests (LI) is the most flexible lawful basis for processing personal data under GDPR. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
However, if you choose to rely on legitimate interests, you are taking on extra responsibility and obligations for considering and balancing people’s rights and interests using a Legitimate Interest Assessment. The Information Commissioners Office (ICO) states clearly in their guidance that: the legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
Defining Legitimate Interest sits at organisational level. For processing personal data for direct marketing it is the instigator of that marketing that must complete the Legitimate Interest Assessment (LIA) and associated balancing test to document their LI.
It could be the legitimate interest of a charity to increase its donor base.
It could be the legitimate interest of a new business to obtain new customers via a marketing campaign.