I need to bring my Luxembourg organisation into compliance with recital 47 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

The classic trapRecital 47 is wrongly invoked by 80% of controllers who tick legitimate interest without ever conducting the balancing test (LIA, Legitimate Interest Assessment). The CNPD and the CNIL regularly sanction this ghost legal basis: no balancing document, no analysis of reasonable expectations, no consideration of the right to object. The EDPB recalls in its guidelines that legitimate interest is never a default basis, and is forbidden to public authorities in the performance of their tasks.The triple test imposed by Recital 47Recital 47 clarifies Article 6(1)(f) by implicitly imposing a three-step analysis grid. Any organisation relying on this basis must be able to demonstrate:Purpose test: is the interest pursued legitimate, real, current and clearly articulated (fraud prevention, B2B prospecting, IT security)?Necessity test: is the processing strictly necessary for that interest, or is there a less intrusive alternative (aggregated data, pseudonymisation, opt-in)?Balancing test: do the reasonable expectations of the data subject at the time of collection, the relationship with the controller (client, employee, cold prospect), and the safeguards in place (transparency, easy right to object) tip the balance in favour of the processing?Explicit exclusions: public authorities in their tasks (basis forbidden), minors, special category data, unforeseeable further processing.Favourable cases cited by the recital: fraud prevention, direct marketing (subject to the right to object under Article 21(2) and the ePrivacy Directive for email channels).The standard of proof before the CNPDIn case of an audit, the CNPD does not settle for a mere legitimate interest mention in the Article 30 register. It requires a dated LIA document, signed by the DPO, formalising the three tests, identifying compensating measures (enhanced information, one-click right to object, reduced retention period) and documenting re-testing when a purpose changes. Absence of an LIA equals absence of a legal basis: sanction under Article 6 and Article 5(2) accountability simultaneously.How Luxgap automates this riskOur Luxgap LIA Copilot turns the balancing test, dreaded by every DPO, into a guided 15-minute exercise that produces a file opposable to the CNPD. The tool embeds a specialised AI agent trained on EDPB guidelines, CJEU case law and published CNPD/CNIL decisions, which interrogates the business in natural language and automatically drafts the triple test at the standard expected by the authorities.Interrogates the controller via a conversational chat that reformulates each purpose in precise legal terms and detects blind spots (minors, Article 9 data, cold prospecting).Computes a balancing robustness score out of 100, based on 24 weighted criteria from EDPB 01/2025 guidelines on legitimate interest.Automatically detects purposes incompatible with legitimate interest (public authority, Article 9 data processing, systematic employee monitoring) and switches the ...

Recital 47 GDPR — Recital 47

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 47

General Data Protection Regulation · UE 2016/679

(47)

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Luxembourg specificity

loi du 1er aout 2018 portant organisation de la Commission nationale pour la protection des donnees

In Luxembourg, the law of 1 August 2018 organising the CNPD confirms that public authorities (municipal administrations, ministries, public establishments) cannot rely on legitimate interest for their sovereign processing: such processing must be based on Article 6(1)(c) or (e) with an identifiable Luxembourg legal basis. The CNPD systematically checks, during its thematic audits (notably on the financial sector supervised by the CSSF and on fintechs), the presence of a documented and dated LIA.

Luxgap practice: for CSSF-regulated players (banks, PFS, fintechs), we recommend cross-referencing the LIA with CSSF Circular 22/806 on outsourcing, since a legitimate interest invoked to share data with a non-EU cloud processor must be articulated with the outsourcing authorisation.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 47 is wrongly invoked by 80% of controllers who tick legitimate interest without ever conducting the balancing test (LIA, Legitimate Interest Assessment). The CNPD and the CNIL regularly sanction this ghost legal basis: no balancing document, no analysis of reasonable expectations, no consideration of the right to object. The EDPB recalls in its guidelines that legitimate interest is never a default basis, and is forbidden to public authorities in the performance of their tasks.

The triple test imposed by Recital 47

Recital 47 clarifies Article 6(1)(f) by implicitly imposing a three-step analysis grid. Any organisation relying on this basis must be able to demonstrate:

Purpose test: is the interest pursued legitimate, real, current and clearly articulated (fraud prevention, B2B prospecting, IT security)?
Necessity test: is the processing strictly necessary for that interest, or is there a less intrusive alternative (aggregated data, pseudonymisation, opt-in)?
Balancing test: do the reasonable expectations of the data subject at the time of collection, the relationship with the controller (client, employee, cold prospect), and the safeguards in place (transparency, easy right to object) tip the balance in favour of the processing?
Explicit exclusions: public authorities in their tasks (basis forbidden), minors, special category data, unforeseeable further processing.
Favourable cases cited by the recital: fraud prevention, direct marketing (subject to the right to object under Article 21(2) and the ePrivacy Directive for email channels).

The standard of proof before the CNPD

In case of an audit, the CNPD does not settle for a mere legitimate interest mention in the Article 30 register. It requires a dated LIA document, signed by the DPO, formalising the three tests, identifying compensating measures (enhanced information, one-click right to object, reduced retention period) and documenting re-testing when a purpose changes. Absence of an LIA equals absence of a legal basis: sanction under Article 6 and Article 5(2) accountability simultaneously.

How Luxgap automates this risk

Our Luxgap LIA Copilot turns the balancing test, dreaded by every DPO, into a guided 15-minute exercise that produces a file opposable to the CNPD. The tool embeds a specialised AI agent trained on EDPB guidelines, CJEU case law and published CNPD/CNIL decisions, which interrogates the business in natural language and automatically drafts the triple test at the standard expected by the authorities.

Interrogates the controller via a conversational chat that reformulates each purpose in precise legal terms and detects blind spots (minors, Article 9 data, cold prospecting).
Computes a balancing robustness score out of 100, based on 24 weighted criteria from EDPB 01/2025 guidelines on legitimate interest.
Automatically detects purposes incompatible with legitimate interest (public authority, Article 9 data processing, systematic employee monitoring) and switches the suggestion to the correct legal basis.
Generates the finalised LIA document as a cryptographically time-stamped PDF, ready to be filed in the Article 30 register and opposable during an audit.
Automatically re-assesses each LIA every 12 months or whenever a purpose change is detected in your register, and alerts the DPO by email or Teams.
Publishes in one click the corresponding Article 13/14 transparency notice on your website, including the one-click Article 21 objection mechanism aligned with Recital 70.

Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a demonstration and our teams will run a free 48-hour blank audit of your declared legal bases to identify your missing LIAs before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 47

They trust us

Before we chat