June 29, 2026

ICO Issues Guidance on Recognized Legitimate Interest


On 23 March 2026, the UK Information Commissioner's Office (the "ICO") published its final guidance on the new "recognised legitimate interest" lawful basis for processing personal data under the UK General Data Protection Regulation (the "UK GDPR"). This new lawful basis was introduced by the Data (Use and Access) Act 2025 (the "DUA Act"), which received Royal Assent on 19 June 2025, with the relevant provisions coming into force on 5 February 2026.

Background and Scope of the Guidance

The DUA Act introduces a seventh lawful basis for processing personal data: "recognised legitimate interest" under Article 6(1)(ea) of the UK GDPR. This is distinct from the existing "legitimate interests" basis under Article 6(1)(f), which remains available and is broader in scope, permitting organisations to define their own processing purposes subject to a three-part test incorporating a balancing exercise.

The recognised legitimate interest basis provides a set of pre-approved processing purposes deemed to be in the public interest.

The Five Recognised Legitimate Interest Conditions

The recognised purposes are set out in five conditions contained in Annex 1 of the UK GDPR. Organisations may rely on the recognised legitimate interest basis where their processing is necessary for one of the following purposes:

  1. Public task disclosure response: This condition applies where an organisation voluntarily shares personal data in response to a request from another organisation that needs the data for its public tasks or official functions. The requesting organisation must state in its request that it needs the data for these purposes. For example, this may arise where a business receives a request from a regulatory authority (such as the Competition and Markets Authority, the Financial Conduct Authority, or HMRC) seeking customer or transaction data to support an ongoing investigation or enforcement action.

    The ICO recommends that requests be made in writing and that the disclosing organisation maintain an effective audit trail. Importantly, if an organisation is legally required to share data, the appropriate lawful basis is legal obligation, not recognised legitimate interest.

  2. National security, public security, and defence: This condition covers the processing of personal data where necessary for safeguarding national security, protecting public security, or for defence purposes. Many organisations processing data for these purposes may already rely on a different lawful basis (such as legal obligation or public task) or be subject to different parts of data protection law.

    A common instance of this is when a telecommunications provider shares network infrastructure data with GCHQ to support cybersecurity threat detection and national security monitoring.

  3. Emergencies: This condition permits the processing of personal data where necessary to respond to emergency events or situations as defined by Part 2 of the Civil Contingencies Act 2004, including events threatening serious damage to people's welfare or the environment, or war and acts of terrorism threatening serious damage to UK security. A gas pipeline rupture or a water contamination incident, for example, would constitute an emergency that threatens serious damage to individuals' welfare and so falls within the scope of Part 2 of the Civil Contingencies Act 2004; sharing customer data is necessary in such cases to respond to the emergency.

    The ICO encourages organisations to include data protection considerations in their contingency planning.

  4. Crime: This condition applies where an organisation needs to process personal data to prevent, detect or investigate crimes, including the apprehension and prosecution of offenders. If the data constitutes criminal offence data, the organisation must also identify a specific condition for processing under the Data Protection Act 2018 (the "DPA"), unless it has official authority to use such data. This condition is particularly relevant in fraud prevention contexts—for instance, an insurance company processing policyholder and claimant data to detect and investigate suspected insurance fraud, or a bank analysing transaction histories, IP addresses, device identifiers, and account holder details to identify foul play or cyber attacks.

    The ICO notes that where a purpose satisfies the crime condition, it is likely also to satisfy an appropriate condition under the DPA for processing criminal offence data.

  5. Safeguarding: This condition enables the processing of personal data to protect the physical, mental or emotional well-being of "vulnerable individuals" or to protect them from harm or neglect. A "vulnerable individual" is defined as a child (anyone under 18) or an "at risk" adult—being an adult whom the organisation has reasonable cause to suspect needs care or support and is experiencing, or is at risk of, harm and is unable to protect themselves. For example, an HR team may process personal data—including employment records, attendance patterns, occupational health notes, and internal incident reports—to assess whether an employee may be an "at risk" adult, if the employee has displayed behaviour warranting such suspicions.

    This assessment must be kept under review, as an individual's circumstances may change such that the definition is no longer met.

Practical Implications and Next Steps

  • Organisations should review existing processing activities to identify those for which the new recognised legitimate interest basis may be appropriate. Where organisations choose to rely on a new basis, they should update their records of processing activities and privacy notices to reflect this, including specifying the relevant condition.
  • Organisations should keep their assessments under regular review, recognising that circumstances can change in ways that affect the continued applicability of the basis—for example, in the context of the safeguarding condition, where an individual may no longer meet the definition of a "vulnerable individual."
  • Organisations with cross-border operations should take particular care to maintain distinct compliance frameworks for their UK and EU processing activities, given that the recognised legitimate interest basis is not available under the EU GDPR.
