Legitimate interest as a legal ground for data processing in a commercial context in Spain

The General Data Protection Regulation (GDPR) recognises legitimate interest as one of the legal bases for processing personal data. However, it does not define it exhaustively, leaving room for interpretation, which has been widely debated and analysed.

In essence, legitimate interest refers to a benefit or advantage that an organisation or a third party can obtain from the processing of personal data, as long as this benefit does not infringe the rights and freedoms of data subjects.

Common examples of legitimate interest include fraud prevention, protection against cyber-attacks, preservation of security on premises or optimisation of customer services. Although the concept of legitimate interest may seem flexible, its invocation is neither automatic nor straightforward as it must pass an analysis of the interests involved (on one side, the rights of the data processor and, on the other side, the rights of the data subjects). 

When is there a legitimate interest?

In order to determine whether an interest is legitimate, it must be lawful, real and present. In addition, the GDPR imposes an obligation to carry out a balancing of the interests at stake that demonstrates that the legitimate interest outweighs the rights and freedoms of the data subjects.

Furthermore, the data processing must be necessary to achieve the intended purpose: if this can be achieved by other means that are less intrusive to the privacy of the data subjects, the legitimate interest does not apply. Therefore, the data processed must be directly related and proportionate to the purpose pursued.

Commercial interest: a particular case

Commercial interest, understood as the pursuit of economic benefits or competitive advantage, can, in principle, be considered a legitimate interest under the GDPR if these requirements are met. However, both the Spanish Data Protection Agency (AEPD) and the Spanish Supreme Court have shown reservations regarding the precedence of commercial interests when these conflict with the fundamental rights of individuals. In particular, the AEPD has pointed out that, while obtaining an economic benefit through business activity may be considered a legitimate interest, it should never prevail over the fundamental right to data protection. Other data protection authorities have been even more restrictive, such as the Dutch Data Protection Authority.

However, other data protection authorities, such as the UK Information Commissioner's Office, have adopted a more flexible approach, allowing the processing of personal data for commercial purposes on the basis of legitimate interest under certain conditions.

This divergence of criteria has led to some legal uncertainty and has highlighted the need for a harmonised interpretation at European level. In this regard, the Court of Justice of the European Union (CJEU) issued a judgment on 4 October 2024 which has provided clarity on the interpretation of legitimate interest in the field of marketing.

Case C-621/22

The Royal Dutch Lawn Tennis Association (KNLTB) was sanctioned by the Dutch Data Protection Authority for communicating the personal data of its members to two of its sponsors, a sporting goods company and a provider of gambling and casino games, without having obtained the prior consent of the data subjects. This transfer of data was carried out for the purpose of conducting promotional activities and in exchange for financial remuneration.

In response to that sanction, the KNLTB brought an action claiming that the disclosure of the data was based on a legitimate interest in creating a close link between that association and its members and in providing added value to its members in the form of discounts and offers. The Amsterdam District Court decided to stay the proceedings and to refer a number of questions to the CJEU for a preliminary ruling in order to clarify whether the transfer of personal data for commercial purposes, in return for remuneration, can be justified by a legitimate interest.

Decision of the CJEU

In essence, the CJEU has clarified that the mere fact that the interest pursued has a commercial purpose does not exclude it from being considered a legitimate interest. However, for this to be the case, it is essential that this interest is lawful; that is, it does not contravene any law and all the other requirements set out in the GDPR are met. Furthermore, the judgment recalls that legitimate interest does not need to be expressly enshrined in a law and refers to the GDPR where direct marketing purposes are expressly contemplated as legitimate interests that may be pursued by a data controller.

With regard to the necessity of the data processing to satisfy the legitimate interest invoked, the CJEU underlines the importance of analysing this aspect in the light of the data minimisation principle. This principle requires that personal data be adequate, relevant and limited to what is necessary for the purposes pursued. In this case, the CJEU questions whether the association's legitimate interest could have been achieved equally effectively by other means less intrusive to the rights and freedoms of the data subjects. In particular, it points out that the association could have informed and consulted its members about this data processing, which would have resulted in less interference with the rights and freedoms of the data subjects.

As regards the balancing of interests, a key point of the judgment is the analysis of the reasonable expectations of the data subjects. It is difficult for this court to consider that, by joining a sports club, its members can expect their personal data to be marketed for advertising and marketing purposes, especially when it comes to sectors such as gambling. These activities, although a priori lawful, take place in a context that is not directly related to the purpose for which the data were collected (the practice of sport).

In conclusion, while the CJEU does not rule out the possibility of considering a commercial interest as a legitimate interest, it emphasises the need for a rigorous assessment of the necessity and proportionality of the processing of personal data, taking into account the specific circumstances of the particular case.

Osborne Clarke comment

This judgment, although not revolutionary, provides clarity and legal certainty in the business sphere. Its main relevance lies in the fact that the highest European court has explicitly confirmed that purely commercial interests can be considered legitimate and highlights that the interpretation of both the Dutch Data Protection Authority and the AEPD, as well as the Spanish Supreme Court, is excessively restrictive.

Businesses operating in the European Union will appreciate the legal certainty provided by this judgment, allowing them to conduct their activities with greater certainty about the limits and scope of data processing for commercial purposes on the basis of legitimate interest. However, it is essential to remember that this concept is not absolute and must be applied on a case-by-case basis. The balancing of interests remains key to determine whether the data processing is proportionate and necessary for the intended purpose.