The Cyber Solicitor

🛡️ Data Rights

What is a legitimate interest under the GDPR?

Some thoughts on a recent CJEU case on this legal basis for data processing

Mahdi Assan
Aug 08, 2025

TL;DR

This newsletter is about a decision by the Court of Justice of the European Union (CJEU) on legitimate interests under the GDPR. It looks at the conditions under which a commercial interest can justify the processing of personal data.

Here are the key takeaways:

  • In Koninklijke Nederlandse Lawn Tennisbond, the CJEU sought to answer the following question: for an interest to qualify as a 'legitimate interest' under the GDPR as a legal basis for the use of personal data, does it need to be derived from a law or be a legal norm?

  • The short answer to this was in the negative. In other words, legitimate interests do not need to be derived from a law or be a legal norm.

  • However, the Court emphasised that whilst this means that a commercial interest can be a legitimate interest under the GDPR, such an interest still needs to satisfy a three-part test:

    1. It needs to be shown that the controller or a third party is pursuing a legitimate interest.

    2. The processing of personal data must be necessary to pursue that legitimate interest.

    3. The legitimate interest being pursued, and the data processing it entails, must not take precedence over the interests or fundamental freedoms and rights of the data subjects.

  • Only if the controller can demonstrate that this three-part test has been satisfied may it rely on a commercial interest to process personal data.

A judgement from the Court of Justice of the European Union (CJEU) handed down in October 2024 answers this simple question:

For an interest to qualify as a 'legitimate interest' under the GDPR as a legal basis for the use of personal data, does it need to be derived from a law or be a legal norm?

In short, the CJEU's answer to this in Koninklijke Nederlandse Lawn Tennisbond was no: legitimate interests do not need to be derived from a law or be a legal norm. However, that still does not mean that any interest can be a legitimate interest and form a legal basis for personal data processing.

© 2025 Mahdi Assan