What is a legitimate interest under the GDPR?
Some thoughts on a recent CJEU case on this legal basis for data processing
TL;DR
This newsletter is about a decision by the Court of Justice of the European Union (CJEU) on legitimate interests under the GDPR. It looks at the conditions under which a commercial interest can justify the processing of personal data.
Here are the key takeaways:
In Koninklijke Nederlandse Lawn Tennisbond, the CJEU sought to answer the following question: for an interest to qualify as a 'legitimate interest' under the GDPR as a legal basis for the use of personal data, does it need to be derived from a law or be a legal norm?
The short answer to this was in the negative. In other words, legitimate interests do not need to be derived from a law or be a legal norm.
However, the Court emphasised that whilst this means that a commercial interest can be a legitimate interest under the GDPR, such an interest still needs to satisfy a three-part test:
It needs to be shown that the controller or a third party is pursuing a legitimate interest.
The processing of personal data must be necessary to pursue that legitimate interest.
The legitimate interest being pursued, and the data processing it entails, must not take precedence over the interests or fundamental freedoms and rights of the data subjects.
Only if the controller can demonstrate that this three-part test has been satisfied may it rely on a commercial interest to process personal data.
A judgement from the Court of Justice of the European Union (CJEU) handed down in October 2024 answers this simple question:
For an interest to qualify as a 'legitimate interest' under the GDPR as a legal basis for the use of personal data, does it need to be derived from a law or be a legal norm?
In short, the CJEU's answer in Koninklijke Nederlandse Lawn Tennisbond to this was no: legitimate interests do not need to be derived from a law or be a legal norm. However, that still does not mean that any interest can be a legitimate interest and form a legal basis for personal data processing.
Facts of the case
The Royal Dutch Lawn Tennis Association (Koninklijke Nederlandse Lawn Tennisbond, or KNLTB) is a sport federation in the Netherlands. When a person becomes a member of a tennis association affiliated with the KNLTB, they automatically become a member of the KNLTB.
In 2018, the KNLTB disclosed the personal data of its members to two of its sponsors. Those sponsors included a sporting retailer and a gambling company. The KNLTB received payment in exchange for this data, which included names, addresses, dates of birth, phone numbers and email addresses.
Some members of the KNLTB lodged a complaint with the Dutch data protection authority (DPA) regarding the sharing of their personal data. They contended that the KNLTB had shared their data with the sponsors without their consent and without any legitimate basis, as required by the GDPR. The Dutch DPA subsequently fined the KNLTB for these infringements of the GDPR.
The KNLTB challenged the DPA's decision before the District Court of Amsterdam. That court then referred the following questions of law to the CJEU:
How should the term 'legitimate interest' be interpreted under the GDPR?
Should the term be interpreted as referring to interests that are enshrined in and determined by law (which was the view of the Dutch DPA)?
Can any interest be a legitimate interest, provided that the interest is not in breach of the law (e.g., commercial interests)?
CJEU verdict
Under Article 6(1)(f) of the GDPR, the processing of personal data may take place if:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The CJEU essentially sought to answer this simple question:
Does the selling of personal data to satisfy a commercial interest of the data controller constitute a legitimate interest under the GDPR?
In answering this question, the Court made the following stipulations:
The objective of the GDPR is to ensure a "high level of protection of the fundamental rights and freedoms of [individuals], in particular their right to privacy with respect to the processing of personal data."1 Accordingly, any processing of personal data should conform with the data protection principles set out in Article 5.2
One of these principles states that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.3 For personal data to be processed lawfully, one of the legal bases under Article 6(1) must apply.4
Under Article 6(1)(a), processing is lawful if the data subject has given their consent to the processing of their data.5 In the absence of consent, processing can only be lawful if it is necessary for some other reason, as set out in Article 6(1)(b)-(f).6
The burden is on the data controller to demonstrate that the processing of personal data complies with one of the legal bases under Article 6(1). Additionally, as per Article 13(1)(c), it is also the responsibility of the controller to inform the data subject of the processing purposes and the applicable legal basis for processing.7
With these interpretations set out, the Court went on to analyse the facts of the case and answer the central question of what may constitute a legitimate interest under the GDPR.
The Court first acknowledged that the members of the KNLTB had not given their consent to the sharing of their data. It therefore had to be determined whether one of the other legal bases could justify the sharing of the data by the KNLTB, in particular the pursuit of a legitimate interest.
The Court reiterated the three-part test that must be met to rely on legitimate interest as a legal basis for the processing of personal data.8 Cf. my post on the CJEU's Bundeskartellamt case:
It needs to be shown that the controller or a third party is pursuing a legitimate interest. This means that the controller must inform data subjects of the legitimate interests being pursued at the time that their data are collected.
The processing of personal data must be necessary to pursue that legitimate interest. This requires proof that "the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects."
The legitimate interest being pursued, and the data processing it entails, must not take precedence over the interests or fundamental freedoms and rights of the data subjects. This means that the rights of the data subjects and the interests of the controller must be balanced, taking into account the relevant context of the processing. (Emphasis added)
The crux of this case was the first condition. On this, the Court stated that a wide range of interests are capable of being regarded as 'legitimate'.9 Accordingly, it is not required that such an interest "be provided for by law".10 This is why Recital 47 of the GDPR provides examples of legitimate interests like direct marketing.11 However, whilst an interest does not need to be derived from a law, the interest itself must still be lawful.12
In this case, the Court identified the interest being pursued as the following:
...[a] commercial interest of the controller, that is to say a sports federation such as the KNLTB, which consists in the disclosure, for consideration, of the personal data of its members to third parties, namely, in this case, a company that sells sports products and a provider of games of chance and casino games in the Netherlands, for advertising or marketing purposes, in particular so that that company and provider may send advertising messages and special offers to those members.13
The CJEU stated that a commercial interest can be a legitimate interest under the GDPR.14 However, the other requirements for legitimate interests (the three-part test set out above) still need to be satisfied. Applying this test, the Court noted the following:
On the necessity test, the Court pointed out that the KNLTB could have informed its members of the sharing of their personal data with third parties for advertising or marketing purposes before doing so, and asked whether they would like their data to be shared in that way.15 This would have enabled the KNLTB to abide by the data minimisation principle and ensure that it only shared the data of members who were happy for their data to be shared.16
On the balancing test, an important factor to consider is whether the sharing of the members' personal data for advertising and marketing purposes was within their reasonable expectations after becoming members of the KNLTB.17 Additionally, consideration should be given to the consequences of sharing data with a gambling company, in particular the "harmful effects on the members...since those activities may expose those members to the risks associated with the development of gambling addiction."18
With this, the Court reached the following conclusion:
...the processing of personal data which consists in the disclosure, for consideration, of personal data of the members of a sports federation, in order to satisfy a commercial interest of the controller, may be regarded as necessary for the purposes of the legitimate interests pursued by that controller, within the meaning of that provision, only on condition that that processing is strictly necessary for the purposes of the legitimate interest in question and that, in the light of all the relevant circumstances, the interests or fundamental rights and freedoms of those members do not override that legitimate interest. While that provision does not require that such an interest be determined by law, it requires that the alleged legitimate interest be lawful.19
In other words, commercial interests can be legitimate interests so long as such interests also satisfy the other parts of the three-part test. This means that the processing of the personal data must be necessary to pursue the interest and that interest must be balanced with the rights and interests of the data subjects.
Thoughts on the case
The CJEU's judgment is consistent with previous verdicts regarding commercial interests as legitimate interests for which personal data can be processed.
This includes the CJEU's decision in the Google Spain case, known as the right to be forgotten case. In this case, a Spanish national resident in Spain made a request to Google to remove links on its search engine to a newspaper article concerning his involvement in proceedings for the recovery of social security debts. Google initially refused the request on the grounds of freedom of expression and the public interest in access to information. The Spanish resident then made a complaint to the Spanish data protection authority, which also requested Google to remove the links. Google challenged the request and the case eventually went up to the CJEU.
The Court held that a search engine must comply with the right to be forgotten by removing links on its website to the personal data in question. In certain circumstances, however, other rights or interests can override a data subject's right to be forgotten. To expand further:
Under EU law, data subjects may exercise their right to be forgotten against a search engine operator. Where they do exercise such a right, the operator is obliged to remove links to webpages containing personal data published by third parties even where that data has been published lawfully by that third party.
In certain circumstances, a data subject's right to be forgotten can override the economic interest of the controller and the public interest in having access to the information in question. This is unless a case can be made that the public interest would actually prevail and therefore justify an interference with the data subject's right to be forgotten.
So overall, in Google Spain, the CJEU found that the fundamental right to privacy is greater than the economic interest of commercial firms and can, in some circumstances, also be greater than the public interest of access to information.
The CJEU's judgments in both Koninklijke Nederlandse Lawn Tennisbond and Google Spain confirm that while commercial interests can be valid legitimate interests for processing personal data, such interests are still subject to the other elements of the three-part test. The commercial interest has to be balanced against the interests of the data subject, including the risks that may arise from the processing. This illustrates the importance of carrying out a legitimate interest assessment before relying on this basis, and of documenting it, since the burden of demonstrating that each part of the test is satisfied rests on the controller.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 26.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 27.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 28.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 29.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 30.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 32.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 33.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 37.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 38.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 39.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 39.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 40.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 47.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 48.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 51.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 52.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 55.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 56.
Case C‑621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (4 October 2024), para. 57.