Once again the Netherlands is leading the discussions on GDPR Legitimate Interest and businesses’ reliance on this legal basis for their commercial activity. Following the recent VoetballTV case, which weakened the Dutch DPA’s over-restrictive interpretation of Legitimate Interest for merely commercial purposes, the Dutch Highest Court referred preliminary questions to the CJEU about the scope of legitimate interest in the context of another case. The case started in 2018 when the Dutch DPA imposed a fine of EUR 525,000 on the Royal Dutch Tennis Association (KNLTB) for sharing the personal data of its members with two of its sponsors on the basis of its own commercial interests. After a lengthy legal procedure, the case has been brought in front of the CJEU, including the following key preliminary questions:
- How should the court interpret the term “legitimate interest”?
- Should the term “legitimate interest” be interpreted as the [Dutch DPA] interprets it, namely can legitimate interests only be interests that have a basis in the law?
- Or can any interest be a legitimate interest, provided that the interest is not in conflict with any provision in the law? More specifically: can a purely commercial interest be regarded as a legitimate interest under certain circumstances? And can the interest of the matter at hand, namely providing personal data to a third party in exchange for money without the consent of the person concerned, be regarded as a legitimate interest under certain circumstances? If the answer is yes, what circumstances determine whether a purely commercial interest can constitute a legitimate interest?
FEDMA has always advocated for a balanced interpretation and application of the GDPR which does not set a hierarchy among the different legal bases under Article 6(1). In line with Recital 47 GDPR and WP29’s Opinion, we believe that legitimate interest can constitute a valid legal basis for purely commercial purposes, including marketing activities.
Legitimate interest does not mean a blank check for data controllers to process individuals’ personal data without restrictions. A GDPR-compliant application of Legitimate Interest requires data controllers to carry out a balancing test, implement enhanced transparency measures and enable the data subject to object to the data processing at any moment. Hence, we see in the referral to the CJEU an opportunity to restore the reputation of Legitimate Interest, clearing any uncertainty which too often hurts marketers and consumers alike.