Regardless of the purpose, processing of personal data must rest on a lawful basis. Article 6 GDPR sets out the different lawful bases for processing. Apart from consent or contract, the processing may also be justified by the ‘legitimate interests’ pursued by the controller (Article 6(1)(f) GDPR). Although the purpose of the provision was to afford controllers a certain degree of flexibility, experience has shown that ‘legitimate interests’ may be abused by controllers when no other legal basis is suitable to justify the processing. noyb undertook to clarify the exact meaning of ‘legitimate interests’ and the conditions that must be fulfilled in order to rely on them. noyb is preparing to turn this research into enforcement actions.