FEDMA_LogoFinal-01FEDMA_LogoFinal-01FEDMA_LogoFinal-01FEDMA_LogoFinal-01
  • Home
  • About us
    • Our Principles
    • National Association Members
    • Corporate Members
    • Governance & team
  • Latest News
  • Policy Area
    • Position Papers
    • Consumer Protection
    • Data Transfers
    • Digital Economy
    • Privacy & Data Protection
  • FASt
  • Projects
    • Ethical AI-Powered Marketing Charter
    • AI Policy
    • Education – PEEAC
    • Educational Hub
    • Sustainability Best Practices Guide
    • Legal Fact pack
    • Code of Practice for the Use of Personal Data
  • Contact
Subscribe
✕

CJEU: Commercial interests can qualify as legitimate interests under the GDPR

4 October 2024

In today’s ruling in Case C‑621/22 (KNLT v. AP), the Court of Justice of the European Union (CJEU) has finally clarified that a commercial interest of a controller may be regarded as necessary for the purposes of the legitimate interests pursued by that controller.

Dr. Sachiko Scheuing, FEDMA Co-Chair: “The ruling brings significant relief to the industry, especially for small and medium-sized enterprises (SMEs) that face challenges in collecting consent at scale. After five years of uncertainty, we now have the long-awaited legal certainty that companies can continue using Legitimate Interest as a legal basis, as they have for decades.”

History of the case: In 2019, the Dutch Data Protection Authority (AP) fined the Royal Lawn Tennis Federation (KNLT) €525,000 for unlawfully relying on ‘legitimate interest’ (Art. 6(1)f of the GDPR) as a legal basis for sharing members’ data with sponsors for promotional use. In line with its 2019 publication on legitimate interest, the Dutch DPA argued that the KNLT’s solely commercial interest could not quality as a legitimate interest under the GDPR. The KNLT appealed to the Amsterdam District Court, claiming that a legitimate interest exists unless that interest is contrary to law. The Dutch DPA disagreed, arguing that for the purposes of the GDPR a legitimate interest must be a concrete interest pertaining to the law, constituting law, and enshrined in a law. The Amsterdam court referred the matter to the Court of Justice of the European Union (CJEU) on the following three questions:

  1. How should the District Court interpret the term ‘legitimate interest’?
  2. Should the term be interpreted as the [Dutch DPA] interprets it? Are these interests which exclusively pertain to the law, constitute law, are enshrined in a law? Or;
  3. Can any interest be a legitimate interest, provided that interest is not in breach of the law? More specifically: should a purely commercial interest, such as the interest at issue here, the provision of personal data in return for payment without the consent of the data subject concerned, be regarded as a legitimate interest under certain circumstances? If so, what circumstances determine whether a purely commercial interest is a legitimate interest?

Answering these questions altogether, the CJEU recalled that the EU legislature did not require that the interest pursued by a controller be provided for by law in order for the processing of personal data carried out by that controller to be legitimate within the meaning of Article 6(1)(f) of the GDPR. Instead, according to the Court, the EU legislature required that the alleged interest be lawful.

This does not mean that any organisation can rely on legitimate interest by simply claiming the lawfulness of their commercial purpose. As reminded by the CJEU, a controller must also ascertain that :

  • The processing is necessary, namely that the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects, and
  • The rights and freedoms of data subjects do not override the controller’s interest, taking into account:
    • The reasonable expectations of the data subjects
    • The scale of the processing at issue
    • The impact of the processing on the data subjects

FEDMA welcomes the CJEU ruling which re-asserts the status of ‘legitimate interest’ as a valid legal basis, correctly referencing Recital 47 of the GDPR with direct marketing purposes as legitimate interests for data controllers. The Court also rightfully stresses that legitimate interest does not provide a blank check for controllers to process personal data without restrictions. To comply with the GDPR, controllers must conduct a balancing test, implement appropriate transparency measures, and ensure that data subjects have the right to object to data processing at any time.

Share

RECENT NEWS

  • GDPR record-keeping simplification: what difference will it really make?21 May 2025
  • Marketing, AI, and Ethics: BAM’s Perspective with Karine Ysebrant12 May 2025
  • FEDMA calls for a balanced and future-proof approach to pseudonymization in response to the EDPB’s consultation25 March 2025
  • Embedding Sustainability in Marketing: From Strategy to Impact19 March 2025

© Fedma 2024

Made with ❤️ by MFM Digital

Contact us

rue de la Loi, 155
BE-1040 Brussels, Belgium

+32 2 779 4268

info@fedma.org

Follow us

Support

Privacy Policy

Terms and Conditions

Intranet

Subscribe
Subscribe Become a member Intranet

Follow us

Support

Terms and conditionsPrivacy PolicyIntranet –

Become a member now

To discuss FEDMA Membership, please contact rdewouters@fedma.org or book an introductory call via Microsoft Bookings.

SEND EMAIL INTRODUCTORY CALL

Never see this message again.

DO NOT MISS OUR NEWS

Subscribe to our Newsletter