GDPR Compliance
Legitimate Interests Assessment
Article 6(1)(f) UK GDPR — Three-Part Test Documentation
ICO Registered Data Controller — ZB812547
This Legitimate Interests Assessment (LIA) documents CourtCraft Advocate Ltd's three-part test for each processing activity relying on Article 6(1)(f) UK GDPR as its legal basis. This document was prepared in May 2026 and must be reviewed annually or when processing activities change.
What is a Legitimate Interests Assessment?
Under Article 6(1)(f) UK GDPR, processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The ICO requires controllers relying on legitimate interests to conduct a three-part test:
Purpose Test
Is there a legitimate interest? The interest must be real, present, and not trivial.
Necessity Test
Is the processing necessary? Could the same purpose be achieved with less privacy impact?
Balancing Test
Do the individual's interests override the legitimate interest? Consider impact, expectations, and safeguards.
⚠️ Important Note on Special Category Data
Legitimate interests cannot be used as the legal basis for processing special category data under Article 9 UK GDPR. All processing of special category data (health, domestic abuse, etc.) relies on Article 9(2)(a) explicit consent, Article 9(2)(f) legal claims, and/or Article 9(2)(g) substantial public interest. This LIA covers only Article 6 processing activities.
LIA 01
Platform Security & Fraud Prevention
Purpose
Protecting the platform and its users from unauthorised access, scraping, abuse, and fraud
1. Purpose Test
CourtCraft has a legitimate interest in maintaining the security and integrity of its platform. This protects both the business and the data subjects who use the service. Security monitoring is a recognised legitimate interest under Recital 47 UK GDPR.
2. Necessity Test
Processing IP addresses, session fingerprints, access timestamps, and usage patterns is necessary to detect and prevent security threats. No less privacy-intrusive alternative would achieve the same security outcome. Data is processed at the minimum level required for threat detection.
3. Balancing Test
Data subjects have a reasonable expectation that a platform handling their sensitive legal data will implement security monitoring. The processing is limited to security purposes only and is not used for profiling or marketing. The benefit to data subjects (protection of their sensitive data) outweighs the minimal privacy intrusion of security logging.
Safeguards in Place
LIA 02
Platform Improvement via Anonymised Analytics
Purpose
Improving platform features and user experience through analysis of anonymised usage patterns
1. Purpose Test
CourtCraft has a legitimate interest in improving its service. Better features directly benefit data subjects who rely on the platform for legal case preparation. This is a standard and widely recognised legitimate interest.
2. Necessity Test
Anonymised usage data (feature usage counts, navigation patterns, error rates) is the minimum necessary to identify improvement opportunities. Individual user data is not required for this purpose — aggregate anonymised data is sufficient.
3. Balancing Test
Data subjects benefit directly from platform improvements. Analytics data is anonymised before analysis. Data subjects can opt out of analytics via GDPR settings. The processing does not involve special category data and does not create individual profiles.
Safeguards in Place
LIA 03
Transactional Email Communications
Purpose
Sending account verification, court date reminders, booking confirmations, and service notifications
1. Purpose Test
CourtCraft has a legitimate interest in communicating with users about their account and service. Court date reminders in particular serve a direct benefit to data subjects who may miss critical court deadlines without them.
2. Necessity Test
Email is the minimum necessary channel for transactional communications. Users cannot receive court date reminders or booking confirmations without providing an email address. No less intrusive alternative achieves the same outcome.
3. Balancing Test
Data subjects have a reasonable expectation of receiving transactional communications when they create an account and book services. These communications are directly requested by or directly benefit the data subject. Marketing emails require separate consent and are not covered by this LIA.
Safeguards in Place
LIA 04
Session Fingerprinting for Account Security
Purpose
Detecting account takeover and session hijacking by comparing session characteristics
1. Purpose Test
CourtCraft has a legitimate interest in protecting user accounts from takeover. Given the sensitive nature of family law data (including domestic abuse disclosures), account security is particularly important.
2. Necessity Test
Session fingerprinting (browser characteristics, IP, device type) is necessary to detect anomalous access patterns that may indicate account compromise. Standard authentication alone is insufficient to detect session hijacking.
3. Balancing Test
The processing involves technical session data only — not content data. Data subjects benefit directly from account protection. The sensitivity of the data processed by CourtCraft (special category data) means the security benefit is proportionate to the privacy intrusion. Data subjects are informed in the Privacy Policy.
Safeguards in Place
LIA 05
Abuse Prevention & Rate Limiting
Purpose
Preventing automated abuse, scraping, and API misuse that could harm the platform and other users
1. Purpose Test
CourtCraft has a legitimate interest in preventing abuse of its AI systems and API. Automated abuse could degrade service quality for legitimate users and expose the platform to financial and reputational harm.
2. Necessity Test
Rate limiting and abuse detection require processing request metadata (IP, request frequency, patterns). This is the minimum necessary to identify and block abusive behaviour.
3. Balancing Test
Legitimate users are not affected by abuse prevention measures in normal use. The processing is limited to technical metadata and does not involve content data. The benefit to all users (maintained service quality) outweighs the minimal privacy intrusion.
Safeguards in Place
LIA 06
AI Conversation History Retention (30 days)
Purpose
Retaining AI conversation context to provide continuity of legal guidance across sessions
1. Purpose Test
CourtCraft has a legitimate interest in providing a coherent, contextual AI experience. Without conversation history, users must re-explain their case at every session, reducing the quality of legal guidance.
2. Necessity Test
Short-term retention (30 days) of conversation history is necessary to provide contextual AI responses. Longer retention is not necessary for this purpose. Users can delete their conversation history at any time.
3. Balancing Test
This is a borderline case because conversation history may contain special category data. The 30-day retention limit and user control (deletion on demand) mitigate the privacy risk. However, CourtCraft also relies on Article 9(2)(a) explicit consent for special category data in conversations, which provides an additional legal basis.
Safeguards in Place
Review Schedule
This LIA must be reviewed:
- Annually (next review: May 2027)
- When a new processing activity relying on legitimate interests is introduced
- When the nature of an existing processing activity changes significantly
- Following a data breach or ICO investigation
- When relevant ICO guidance or case law changes