The CJEU considered: (a) whether a legitimate interest of the controller or third party must be determined by law, and (b) whether provision of personal data of the members of a sports federation to third parties in return for remuneration, to satisfy a commercial interest of the controller, may be regarded as necessary for the purposes of the legitimate interests pursued by that controller or by a third party.
Background of the case
In December 2019, the Dutch supervisory authority (Dutch DPA) imposed a fine of EUR 525,000 on the Dutch tennis association De Koninklijke Nederlandse Lawn Tennisbond (KNLTB) for selling the personal data of KNLTB members to two organisations: a company that sells sports products and a company providing games of chance and casino games. The personal data provided to these organisations included the name, gender and address of 300,000 and 50,000 members respectively (link to the Dutch DPA decision). These organisations intended to approach the KNLTB members by phone or by post with tennis-related and other offers. The KNLTB claimed it had a legitimate interest in sharing the data. However, the Dutch DPA found that selling the personal data of individuals cannot be based on the legitimate interest ground and would always require consent, and therefore imposed a fine. The KNLTB appealed the decision in court, which then referred the questions regarding the legitimate interest to the CJEU in September 2022.
CJEU decision
The CJEU narrowed down the questions asked by the referring court and concluded that Article 6(1)(f) GDPR means that:
- The processing of personal data which consists in the disclosure, for consideration, of personal data of the members of a sports federation, in order to satisfy a commercial interest of the controller, may be regarded as necessary for the purposes of the legitimate interests pursued by that controller;
- This is only possible if that processing is strictly necessary for the purposes of the legitimate interest in question and if the interests or fundamental rights and freedoms of the members do not override that legitimate interest; and
- While Art. 6(1)(f) GDPR does not require that such an interest be determined by law, it requires that the alleged legitimate interest be lawful.
In reaching this conclusion, the CJEU reaffirmed its previous position that ‘a wide range of interests is, in principle, capable of being regarded as legitimate’. It stated that the GDPR does not require that ‘the interest pursued by a controller be provided for by law in order for the processing of personal data carried out by that controller to be legitimate within the meaning’ of Art. 6(1)(f) GDPR, in particular because ‘direct marketing purposes in general as legitimate interests that may be pursued by a controller’ are named expressly by recital 47 of the GDPR.
Conditions for relying on the legitimate interest legal basis
The CJEU recapped its previous case law on the three cumulative conditions for relying on the legitimate interest basis and analysed each of those in relation to the KNLTB case. The key takeaways include:
1) The pursuit of a legitimate interest by the data controller or by a third party
The CJEU emphasised that the alleged interest does not have to be enshrined in and determined by law but must be lawful. It also reminded the controller of its obligation, under Art. 13(1)(d) GDPR, to inform the data subjects of the legitimate interests pursued when relying on Art. 6(1)(f) GDPR, at the time of collecting their personal data.
In applying this criterion to the current case, the CJEU noted that a commercial interest of the controller (such as the sports federation) in disclosure, for consideration, of the members’ personal data to third parties for advertising or marketing purposes (including sending advertisements and special offers), could constitute a legitimate interest, provided that it is not contrary to the law. This should be assessed by the referring court, taking into account the applicable legal framework and all the circumstances of the case. In this context, the CJEU also recalled its earlier decision in Google Spain and Google (C-131/12), where it already concluded that a commercial interest of the controller consisting of the promotion and sale of advertising space for marketing purposes may be regarded as a legitimate interest within the meaning of Art. 6(1)(f) GDPR.
The CJEU also stressed that, for the pursuit of the ‘legitimate’ interest to allow the processing of personal data on the basis of Art. 6(1)(f) GDPR, the controller must comply with all its other obligations under the GDPR.
2) The necessity to process personal data for the purposes of the legitimate interests pursued
The CJEU reiterated that the referring court should verify that the legitimate interests pursued by the controller cannot reasonably be achieved just as effectively by other means that are less restrictive to the fundamental rights and freedoms of data subjects (and in particular their rights to privacy and to data protection). Moreover, the necessity for processing must also be examined in conjunction with the data minimisation principle of Art. 5(1)(c) GDPR, meaning that personal data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’.
The CJEU confirmed that the referring court should ascertain whether this second condition is complied with in the case at hand. However, the CJEU pointed out that it would, in particular, be possible for a sports federation such as the KNLTB, wishing to disclose its members’ personal data to third parties for remuneration, to inform its members and ask them whether they want their data to be transmitted to those third parties for advertising or marketing purposes. This would allow the members to control the disclosure of their personal data and limit it (in accordance with the data minimisation principle) to what is necessary and relevant in relation to the purpose of the data processing.
3) The rights and interests of the data subject do not outweigh the legitimate interest of the controller or of a third party
The CJEU confirmed that the balancing exercise should be performed by the referring court and reiterated that if personal data are processed in circumstances where data subjects do not reasonably expect such processing, the interests of the data subject may override the controller’s interest. Therefore, while performing the balancing test, the referring court must take into account the reasonable expectations of the data subject, the scale of the processing at hand and its impact on the data subject. Particular importance should be given to the reasonable expectations of the members of a tennis association, at the time when their personal data were collected for joining the association, i.e., that their data would be disclosed for advertising and marketing purposes (in the present case – to the sponsors of the KNLTB).
Implications of the decision
The decision provides important insights to any organisation that relies on legitimate interests as a legal basis for processing personal data under Art. 6(1)(f) GDPR.
By confirming that any lawful legitimate interest, including a purely commercial one, can be relied upon under Art. 6(1)(f) GDPR, the CJEU clarified this issue for the Dutch DPA and businesses operating in the Netherlands. Since November 2019, when the Dutch DPA issued its guidance on legitimate interest (Normuitleg grondslag ‘gerechtvaardigd belang’), the Dutch DPA had adopted a stricter interpretation than other data protection authorities in the EU, rejecting purely commercial interests of data controllers as legitimate interests within the meaning of Art. 6(1)(f) GDPR (available here in Dutch). This position was rejected by Dutch courts in at least one case (we summarised it in our blog here). The Dutch DPA has not yet reacted to the CJEU decision at the time of publishing this blog.
The European Data Protection Board (EDPB) is working on updating the guidance on the notion of legitimate interest, which is expected to harmonise the positions of EU data protection authorities on this topic. The updated guidance is scheduled for adoption during the EDPB plenary session on 7-9 October 2024 (view agenda).
The decision is available here.