Can a purely commercial interest justify processing personal data under the GDPR's legitimate interest legal basis? The CJEU says yes - but only if businesses follow strict conditions.
The Court of Justice of the European Union (CJEU) confirmed in a key decision of 4 October 2024 that legitimate interests, as set out in Article 6(1)(f) of the GDPR, can include commercial interests, provided they are lawful and the processing meets the other conditions of that provision. Importantly, the CJEU emphasised that an interest does not need to be enshrined in law to qualify as legitimate; it must simply not be contrary to the law. This decision, while offering relief to businesses, leaves them with a demanding balancing act between business goals and data protection rights.
Background: The Dutch DPA’s strict stance on commercial interests
This ruling emerged from a dispute involving the Dutch Data Protection Authority (DPA, or the Autoriteit Persoonsgegevens), which had historically taken a hardline position against purely commercial interests as a basis for lawful data processing. In 2019 the Dutch DPA argued that using personal data solely for profit maximisation or commercial gain could never amount to a legitimate interest under the GDPR, and it maintained that position in subsequent correspondence with the European Commission. This interpretation was heavily criticised by businesses, especially those involved in data-driven operations such as marketing and customer profiling, where commercial interests play a significant role.
The case that triggered the ruling involved a tennis federation in the Netherlands that provided its members' personal data to two of its sponsors (a sports company and a casino provider) in exchange for payment. Following complaints from its members, the Dutch DPA fined the federation €525,000 for what it deemed to be unlawful processing. The federation challenged the decision before a Dutch district court, which sought a preliminary ruling from the CJEU.
Impact and reach of the CJEU’s decision
A. Commercial interests are valid – but with conditions
The CJEU's ruling affirmed that a purely commercial interest can indeed be a legitimate interest under the GDPR, as long as the interest is not contrary to the law. The court noted that, because the GDPR does not define "legitimate interest", a wide range of interests could qualify, including commercial goals. However, this does not grant businesses free rein to process personal data unchecked.
The ruling restated the three cumulative conditions that Article 6(1)(f) imposes, all of which must be satisfied:
- Legitimate interest: the controller (or a third party) must pursue an interest that is not contrary to the law. A commercial interest can meet this test.
- Necessity and data minimisation: the processing must be strictly necessary for that interest. The controller must assess whether the interest can be achieved by less intrusive means; if the goal can be met without processing personal data, or with less data, that route must be taken. The personal data collected and processed must be limited to what is strictly necessary for the intended purpose.
- Balancing test: even when a legitimate commercial interest exists and the processing is necessary, the fundamental rights and reasonable expectations of the data subject may override the controller's interest. Processing that individuals would not reasonably expect, or that is opaque to them, is likely to fail this test.
B. A balancing act between business and data protection
This decision marks a pivotal moment for businesses relying on commercial interests, such as marketing, customer profiling, or third-party data sharing, to justify data processing. It pushes back against the overly restrictive interpretation by the Dutch DPA, which could have stifled legitimate business operations across the EU. However, the court did not let businesses off the hook entirely.
The CJEU built on its earlier rulings, such as the Meta Platforms case, although that case did not specifically analyse commercial interests, and reiterated that data controllers must ensure:
- their legitimate interest is pursued transparently, with data subjects fully informed about how their data will be used;
- the processing adheres to the principle of data minimisation;
- data subjects’ rights take precedence if they would not reasonably expect their data to be processed in the way proposed.
The CJEU also pointed to the fact that the federation's members had not been informed that their data would be passed to sponsors for payment, and that they would not necessarily expect such disclosure, an observation that highlights the GDPR's emphasis on transparency.
Key takeaways for businesses
The CJEU's ruling opens the door for commercial interests to be relied on as a legitimate basis for data processing under Article 6(1)(f) GDPR. However, businesses must proceed with caution and take the following steps:
- Legitimate Interests Assessment (LIA): conduct a thorough balancing test to evaluate the legitimate interest against the rights of data subjects. Document this assessment for accountability.
- Privacy policies and transparency: ensure privacy policies clearly explain how personal data will be processed under legitimate interests, making it clear to individuals and providing them with easy access to information on their rights, including their right to object.
- Data minimisation and necessity: perform a data audit to ensure the processing is limited to what is strictly necessary for the commercial purpose. If a less intrusive method is available, the processing is not necessary and the less intrusive method must be used.
- Safeguards for data subjects: implement practical safeguards, such as opt-out mechanisms and clear procedures to allow individuals to exercise their right to object or access their data.
- Ongoing review: regularly review data processing activities to ensure continued compliance with GDPR, especially when business operations or data usage practices evolve.