The Court of Justice of the European Union (CJEU) addressed how organisations can rely on the “legitimate interest” basis under the GDPR when processing personal data for commercial purposes, such as marketing, without user consent. The CJEU clarified that a controller’s commercial interest may be necessary for the legitimate interest pursued by that controller.
The dispute arose after the Royal Dutch Lawn Tennis Association (KNLTB) shared member data with sponsors for marketing without consent, resulting in a €525,000 fine from the Dutch Data Protection Authority (AP) for GDPR violations. KNLTB argued that its “legitimate interest” in engaging members with promotional offers justified the data use. Following an appeal, the Amsterdam District Court sought clarification from the CJEU on whether selling member data for direct marketing without consent aligns with the GDPR’s “legitimate interest” clause.
Article 6(1)(f) of the GDPR provides that processing of personal data is lawful if it is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of such personal data. The CJEU recalled the three-prong criteria it has set for determining whether processing can be justified under Article 6(1)(f) of the GDPR:
- Pursuit of a lawful, legitimate interest by the data controller or third party.
The CJEU stated that a wide range of interests can be regarded as legitimate, and the GDPR does not require that the interest pursued by a controller be provided for by law. It is particularly noted that Recital 47 cites direct marketing purposes as an example of legitimate interests that a controller may pursue.
- Necessity of data processing for this interest.
The CJEU held that this condition requires the referring court to ascertain that the legitimate interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of data subjects’ fundamental rights and freedoms.
- Ensuring the interest isn’t outweighed by data subjects’ rights.
The CJEU recalled that this condition entails balancing the opposing rights and interests of the data controller / third party and the data subject, and the referring court should carry out this exercise.
Recommendations of ECOVIS ProventusLaw
Based on the CJEU ruling regarding the application of “legitimate interest” for personal data processing under the GDPR, it is recommended that organisations processing data for commercial purposes based on legitimate interest take the following actions:
1. Conduct a balancing test for each processing purpose: Before processing personal data for a specific purpose based on “legitimate interest,” perform a thorough balancing test to determine if this interest is justified and to confirm that the data subject’s rights are not infringed. This test should be carried out for each specific processing purpose, as different purposes may pose different risks to the rights and freedoms of data subjects.
2. Regularly review the results of balancing tests, especially if there are changes in the data processing purposes or methods. This will ensure that the use of legitimate interest remains relevant and compliant with GDPR requirements.