Lawful grounds

Legitimate interests: POPIA’s workhorse ground

Section 11(1)(f) exists so ordinary, sensible business activity doesn’t need consent — but the interest must be earned, not assumed.

Published Last reviewed 8 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
Section 11(1)(f) makes processing lawful where it is necessary to pursue the legitimate interests of the responsible party — or of a third party receiving the information. It carries fraud prevention, security, debt recovery, internal administration, IT security and employee references without consent. The trade-off: it requires a balancing exercise (your interest must not be overridden by the impact on the data subject), and the data subject may object.

On this page

What does section 11(1)(f) say?

Source — the actual words

“(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”

Protection of Personal Information Act 4 of 2013, s 11(1)(f)Read it on Dept of JusticePDF

Two features deserve attention. First, “necessary” — the ground covers what the interest genuinely requires, not everything vaguely useful. Second, “or of a third party to whom the information is supplied” — the subsection expressly contemplates disclosure to others with legitimate interests, which is why it anchors so much lawful sharing.

What legitimate interests carries in practice

This is the ground that exists precisely so that ordinary, sensible business activity does not need consent: fraud prevention, physical and IT security, CCTV at premises, debt recovery and handing over defaulters, internal administration and reporting, giving a reference to a prospective employer, vetting counterparties, and sharing within a group of companies. In each case the question is the same: is this processing necessary for a real, lawful interest — and does that interest survive the balance against the data subject’s privacy?

The three-part assessment: purpose, necessity, balancing

Legitimate interest must be earned, not assumed. The Information Regulator’s Guidance Note on Direct Marketing (3 December 2024) says so directly — and although it speaks in the marketing context, its three-part assessment is the right discipline for any section 11(1)(f) reliance:

Source — the actual words

“The reliance on legitimate interest as a legal justification is not automatic. The onus is on the responsible party to justify the use of legitimate interests as the relevant basis for the processing of personal information.”

Guidance Note on Direct Marketing in terms of POPIA (3 December 2024), on legitimate interestRead it on Information RegulatorPDF

The assessment it prescribes: purpose — is there a real, lawful interest behind the processing? Necessity — is the processing actually needed to pursue it, or is there a less intrusive way? Balancing — does the interest outweigh the impact on the data subject, judged by their reasonable expectations and the sensitivity of the information? Write the three answers down. A one-page record is the difference between relying on the ground and merely hoping.

The limits: objection — and the section 69 carve-out

Legitimate interests is balanced by the data subject’s right to object on reasonable grounds — and if a valid objection lands, section 11(4) is blunt: the processing stops. And one whole territory is carved out entirely: electronic direct marketing. However legitimate your interest in selling, section 69 imposes its own consent-or-customer regime for email, SMS and (in the Regulator’s view) phone calls — legitimate interests cannot substitute for it. The split is mapped on the direct-marketing page.

Frequently asked questions

Do I need to document a legitimate-interest assessment?

The Act does not prescribe a form, but the Regulator’s guidance places the onus on you to justify the reliance — a short written assessment of purpose, necessity and balancing is how you discharge that onus when challenged.

Can marketing rest on legitimate interests?

Non-electronic marketing (post, in person) can — with an unconditional right to object. Electronic marketing cannot: section 69 imposes its own consent-or-customer regime regardless of your interests.

Whose interests count — only mine?

No. Section 11(1)(f) expressly covers the legitimate interests of "a third party to whom the information is supplied" — which is why giving a reference to a prospective employer, or vetting information to a counterparty, fits the ground.

What defeats a legitimate-interest claim?

Necessity and balance. If the processing is not actually necessary for the interest, or the impact on the data subject outweighs it, the ground fails. And a valid objection under section 11(3) stops the processing.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Lawful grounds

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub