Case name: C-621/22 (Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens)
A new dawn for legitimate interests
According to the General Data Protection Regulation (GDPR), companies can process personal data on the legal basis of ‘legitimate interests’ if certain conditions are met. However, what legitimate interests actually include is still unclear, 6 years after the GDPR came into effect.
Many data protection authorities, in this specific case the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), generally adopt a narrow view of legitimate interests, emphasising that they must be lawful and not just economic. This approach has caused significant confusion for organisations trying to apply Article 6(1)(f) GDPR as the legal basis for processing personal data.
For example, an organisation could use CCTV footage to maintain the security of its premises and prevent theft or damage. The footage is processed for legitimate security purposes and balances the rights of others by placing appropriate signage informing people CCTV is in operation and limiting data retention.
But a recent decision by the Court of Justice of the European Union (CJEU) has made that vague term a bit clearer. The CJEU's ruling identified that commercial interests are valid as long as they are lawful. This landmark ruling is anticipated to have a significant impact on how organisations approach data processing under GDPR.
The Case that Shaped the Ruling
The CJEU’s ruling stems from a specific case involving the Royal Dutch Tennis Association (KNLTB). The KNLTB had shared personal data of its members with sponsors for marketing purposes in exchange for payment. The AP had fined the organisation for this practice, arguing that its commercial interests did not constitute a legitimate interest under the GDPR.
The Dutch Tennis Association appealed the decision, and the case eventually reached the CJEU. The court’s ruling in favour of the organisation clarified that commercial interests can indeed be legitimate, as long as they are lawful and meet specific safeguards.
Key Takeaways from the CJEU's ruling
Commercial Interest is a Valid LI: A legitimate interest legal basis for the processing of personal data under the General Data Protection Regulation (GDPR) can include a commercial interest, such as payment for data, so long as it does not violate any laws.
Necessity Test: The CJEU stresses the importance of performing a necessity test to ascertain whether the processing of personal data is actually required to attain the legitimate interest. Checking if the desired outcome may be attained using less invasive methods is part of this process.
Balancing of Interests: The ruling stresses the significance of balancing data subjects' rights and interests against the data controller's legitimate interests. Important considerations in this balancing act include processing scale, possible influence on data subjects, and reasonable expectations of data subjects.
Key Considerations for Data Controllers:
Legal Basis: Data controllers must assess their specific circumstances to determine if other legal bases, such as consent or contract, are more suitable and appropriate than legitimate interest.
Necessity and Proportionality: Less intrusive alternatives should be considered before processing personal data, and processing must be both necessary and proportionate to achieve the legitimate interest.
Data Subject Rights: A data controller's compliance with all other General Data Protection Regulation (GDPR) requirements, particularly those pertaining to data subjects' rights, is of the greatest priority.
Transparency and Accountability: Data controllers are required to be open and honest about the data they collect and use, and they must keep proper records to prove they are in compliance with the General Data Protection Regulation (GDPR).
