Commercial Interest Can Be Lawful Basis for Data Processing: EU Court Overrules Dutch DPA
On 4 October 2024, the Court of Justice of the European Union (CJEU) ruled that, under certain conditions, a purely commercial interest can be considered a legitimate interest and serve as a lawful basis for processing personal data under the General Data Protection Regulation (GDPR). This decision provides much-needed clarity and has significant implications for organisations in the Netherlands that rely on legitimate interests as a basis for processing personal data for commercial purposes. Read on to learn what this ruling means for your organisation.
The KNLTB/AP case
The CJEU judgment was issued in a case brought by the Dutch Data Protection Authority (AP) against the Royal Dutch Lawn Tennis Association (KNLTB). The KNLTB had sold member data to third-party sponsors for marketing purposes without consent, leading the AP to impose a substantial fine. The AP argued that the GDPR’s legitimate interest provision (Article 6(1)(f) GDPR) requires an interest explicitly protected by law, and that commercial interests could not satisfy this requirement. In contrast, the KNLTB contended that its data-sharing activities – aimed at generating revenue to support its broader organisational mission – were based on a valid legitimate interest.
The case attracted widespread attention because it highlights the tension within the GDPR between protecting the data privacy of individuals and allowing organisations the flexibility to pursue legitimate commercial interests. For years, the AP adopted a restrictive interpretation of legitimate interest, leaving businesses uncertain about their compliance obligations. The CJEU’s ruling overturns this approach, signalling a shift toward a more balanced interpretation and offering greater flexibility for data controllers.
CJEU's ruling: a broader interpretation of legitimate interests
Data processors, especially those operating in the online domain, often avoid relying on consent as the legal basis for processing personal data. This is mainly because consent under Article 7 of the GDPR entails stringent conditions: it must be voluntary, specific to the purpose, informed, and given by a clear affirmative action. Additionally, securing valid consent requires users to take active steps, such as ticking a box or clicking a button. However, many users tend to ignore or bypass these actions, leading to significantly low participation rates and making consent a less practical choice for data controllers. That is where the legitimate interest legal basis comes into play.
The CJEU clarified in its answer to the preliminary questions in the KNLTB case that almost any interest can qualify as a legitimate interest, as long as that interest is found lawful following the legitimate interest balancing test provided for by the GDPR. This includes purely commercial interests, which could therefore serve as a valid basis for data processing.
The three-step test for legitimate interest
To assess the lawfulness of processing based on legitimate interest, the Court reiterated the importance of the GDPR’s three-step framework:
- Legitimacy: the pursued interest must be real, lawful, and concrete. For example, generating revenue through targeted marketing may be a legitimate interest if it aligns with the controller's overall business strategy. The interest, however, must be clearly defined and cannot be vague or speculative.
- Necessity: processing must be necessary to achieve the stated interest. If less intrusive means can be used to accomplish the same goal, those alternatives should be applied. The controller should be able to explain why the chosen method is the least intrusive option.
- Balancing rights: the rights and freedoms of the data subject must not override the legitimate interest. This balancing test requires controllers to consider factors such as the sensitivity of the data, the reasonable expectations of the data subjects, and the safeguards in place (e.g. pseudonymisation, data minimisation, or opt-out mechanisms). The balancing exercise must be documented, and the data subject’s interests, rights, and freedoms must be carefully weighed.
Limitations and considerations
While the ruling confirms that purely commercial interests can be legitimate, it does not provide unrestricted permission for all processing activities. Each case must be assessed individually, with careful attention to the specific circumstances and the safeguards in place. Organisations must:
- Document their assessments: comprehensive records of the necessity and balancing tests are critical to demonstrating compliance with GDPR principles.
- Maintain transparency: controllers should inform data subjects clearly and comprehensively about the purposes of processing and their reliance on purely commercial legitimate interests.
- Implement safeguards: measures such as data minimisation, encryption, and opt-out options can help ensure that the data subject’s rights are adequately protected.
Conclusion
For now, the case between the AP and the KNLTB will be reviewed by the Amsterdam District Court in light of the CJEU judgment. This judgment forces a significant shift in the perspective of the AP, offering businesses in the Netherlands the opportunity to process personal data on the basis of a purely commercial interest, provided that they meet all conditions for the use of the legitimate interest legal basis. Organisations, however, must be mindful of the need for careful documentation, transparency, and robust safeguards to protect data subjects’ rights.