Following criticism from the European Commission of the Dutch Data Protection Authority’s interpretation of what constitutes a legitimate interest in 2020, and a court ruling against the Dutch DPA in 2022, on 4 October 2024, the Court of Justice of the European Union (CJEU) confirmed that the Dutch DPA has been too strict in its interpretation of what constitutes a legitimate interest and that a commercial interest can serve as a legitimate interest within the meaning of Article 6(1)(f) GDPR.
Background
In 2018, the Royal Dutch Lawn Tennis Association (KNLTB) disclosed its members' personal data to sponsors in exchange for remuneration. These sponsors, TennisDirect (a sports store) and Nederlandse Loterij Organisatie (NLO) (a provider of games of chance and casino games), used the personal data for promotional purposes. Complaints from KNLTB members led to an investigation by the Dutch DPA, which found that the association had violated GDPR requirements and imposed a €525,000 fine. The KNLTB brought an action against that decision before the district court of Amsterdam, which asked the CJEU to clarify whether the KNLTB’s disclosure of personal data, driven by a commercial interest, could be justified under the lawful basis of legitimate interests.
CJEU Decision
The CJEU confirmed that a commercial interest can serve as a legitimate interest, and clarified the three cumulative conditions for processing personal data based on a legitimate interest:
- Legitimate interest: a wide range of interests can qualify as legitimate, including commercial interests. The GDPR does not require that the interest be enshrined in law in order to be legitimate. For example, direct marketing is explicitly mentioned as a potential legitimate interest in recital 47 of the GDPR. However, the interest must still be lawful and clearly communicated to data subjects.
- Necessity: the processing must be necessary to achieve the legitimate interests of the controller. Controllers must demonstrate that the legitimate data processing interests pursued cannot reasonably be achieved through less intrusive means. This requirement is closely linked to the principle of data minimisation, ensuring that only the data strictly needed for the purpose is processed.
- Balancing test: the interests or fundamental rights and freedoms of data subjects must not override the controller’s legitimate interests. Factors such as the reasonable expectations of data subjects and the context of data collection play a crucial role in this balancing exercise.
Key takeaway for organisations
This decision enhances legal certainty with regard to what constitutes a legitimate interest as a lawful basis for data processing. It acknowledges that commercial interests, when lawful and proportionate, can justify the processing of personal data. While this ruling broadens the interpretation of legitimate interests, it does not diminish the importance of a thorough case-by-case assessment. Organisations must ensure transparency, necessity, and a fair balancing of interests to comply with GDPR requirements effectively.