Since the entry into force of the GDPR, Data Protection Authorities (DPAs) have closely cooperated to adopt a growing number of one-stop-shop (OSS) decisions on the legal basis of "legitimate interest", as shown by the decisions on this matter available in the EDPB register.
The OSS decisions assess and present a wide range of factual contexts. This case digest provides useful examples of how DPAs analyse controllers’ reliance on the legal basis of “legitimate interest” in specific contexts, providing positive and negative compliance examples. The external expert who authored the digest explains and summarises how DPAs apply the three-step test to assess whether a controller can lawfully rely onlegitimate interests as a legal basis.. The case digest also takes into account the EDPB Guidelines 1/2024 on Processing of Personal Data Based on Article 6(1)(f) GDPR and illustrates how parts of these Guidelines apply in practice . Relevant cases before the Court of Justice of the EU are also mentioned. In addition, several DPA’s decisions and national court judgments are presented as examples of specific issues.
The EDPB commissioned the one-stop-shop case digest as part of the Support Pool of Experts programme, which aims to support cooperation among DPAs by providing expertise and tools related to enforcement.
Project conducted by external expert Dr. TJ McIntyre and completed in December 2025.
Objective
Thematic one-stop-shop case digests are drafted on the basis of one-stop-shop decisions taken from the EDPB’s public register (based on Art. 60 GDPR). Such case digests complement the EDPB's public register by selecting and presenting the most important decisions on a given theme and providing an overview and aggregated results of relevant decisions on this theme.