Three-step test under GDPR: Evaluating legitimate interest in data processing

The three-step test is a GDPR assessment that helps data controllers determine whether they can lawfully process personal data under the legitimate interest legal basis. It ensures that a controller’s interests do not override the fundamental rights and freedoms of data subjects.

If the three-step test is passed, the controller can proceed with processing under the legitimate interest legal ground.

What are the three steps of the test?

The three-step test consists of:

1. Purpose test – Is there a legitimate purpose for processing?

  • The controller must define a specific, lawful, and clearly justified purpose for processing the data.
  • The purpose must align with the organization’s objectives and not be misleading or unlawful.

2. Necessity test – Is processing necessary to achieve the purpose?

  • The controller must determine if the data processing is essential for achieving its goal.
  • If a less intrusive method can achieve the same result, the processing may not be justified.

3. Balancing test – Do data subject rights outweigh the controller’s interest?

  • The controller must assess whether the processing impacts the data subject’s rights, privacy, or freedoms.
  • If the individual’s rights outweigh the controller’s interests, processing cannot continue without a different legal basis.

If all three tests are passed, processing under legitimate interest is considered GDPR-compliant.

How to apply the three-step test in GDPR compliance

1. Clearly define the purpose of processing

  • Identify why the data is being processed and whether it serves a legitimate business interest.
  • Ensure the purpose is specific, explicit, and lawful.

2. Assess the necessity of data processing

  • Determine whether the data processing is essential or if there’s a less intrusive alternative.
  • Minimize data collection to only what is strictly necessary.

3. Evaluate the impact on data subjects

  • Weigh the controller’s interest against the individual’s privacy rights.
  • If processing poses a high risk, consider obtaining consent or using another legal basis.

Why the three-step test is essential for GDPR compliance

Applying the three-step test helps organizations:

  • Ensure lawful data processing under the legitimate interest legal basis.
  • Reduce legal risks by evaluating potential privacy concerns.
  • Improve transparency by documenting processing justifications.
  • Strengthen accountability by aligning with GDPR’s fairness principle.

By conducting a thorough three-step test, businesses can ensure compliance, protect data subject rights, and justify legitimate interest processing.