The Court of Justice of the European Union (CJEU) has confirmed today that processing of personal data of members of a sports associate in return for payment for the purposes of the pursuit of a commercial interest of the controller can be considered necessary for the purposes of a legitimate interest for the purposes of Article 6(1)(f) General Data Protection Regulation (GDPR). The CJEU explicitly referred to recital 47 GDPR to substantiate that a legitimate interest does not have to have an explicit statutory basis. The processing must be necessary for the legitimate interest and the interests or fundamental rights and freedoms of the data subject must not outweigh the legitimate interest. The interest does not need to be based on a statutory right, such as freedom of speech, but must be legitimate. 

The case originated following some controversial guidance published by the Dutch data protection authority (DPA) in 2019 on the interpretation of legitimate interests. In its guidance, the Dutch DPA states that purely commercial interests cannot qualify as legitimate interests. In 2020, the European Commission sent the Dutch DPA a letter setting out why its interpretation of legitimate interests was not supported by the GDPR, CJEU case law, and the EU Charter of Fundamental Rights. Despite this, the DPA started to enforce its guidance and issues various fines as a result of it. One of these was imposed on the Royal Dutch Lawn Tennis Association. The District Court of Amsterdam heard the appeal against the fine and referred the questions to the CJEU on whether legitimate interests are only those which are enshrined in law, and on whether and in what circumstances a purely commercial interest can be regarded as legitimate. 

Our take

Legitimate interests may be the only lawful basis available for some commercial activities, so a narrow interpretation from the CJEU could have had a dramatic impact on processing of personal data for commercial purposes. The GDPR sets a high bar for consent, and for many activities, gaining valid consent will not be practicable or possible, while the contractual necessity lawful basis requires a contract or contractual negotiations with the data subject themself. 

This will be a welcome judgment for controllers, who rely on legitimate interests as a lawful basis for a range of processing, from innovative uses like training AI models, to routine processing of customer data where they have no contract with the data subject. However, it is important to note that although the CJEU recognised that commercial interest can qualify as legitimate, controllers should assess on a case-by-case basis whether the purpose of the envisaged processing could also be achieved in a way that would be less intrusive for the affected individuals. In the case at hand, according to the CJEU, this implied notifying the members of the Royal Dutch Lawn Tennis Association upfront and providing them the option to opt-out.