In a long-awaited ruling on 4 October 2024, the Court of Justice of the European Union (CJEU) confirmed that Legitimate Interests can include purely commercial interests under the General Data Protection Regulation (GDPR).
In 2019, the Dutch Data Protection Authority (AP) fined the Royal Lawn Tennis Federation (KNLT) €525,000 for unlawfully relying on Legitimate Interests as a legal basis for sharing its members’ data with sponsors for promotional use. AP argued that KNLT’s commercial interest didn’t qualify under the GDPR. KNLT appealed and the Amsterdam District Court referred the case to the CJEU.
This significant decision is expected to provide more flexibility for businesses in processing personal data for commercial purposes.
However, the CJEU emphasised that Controllers must also:
Ben Seretny, Head of DPOs at The DPO Centre, said ‘The ruling of the CJEU has affirmed that purely commercial interests can qualify as Legitimate Interests for processing in their own right and do not need to be grounded in legislation. This might bring some relief to businesses commonly relying on this lawful basis in their processing activities. However, the CJEU was crystal clear in its reminder and clarification that such reliance should not be used indiscriminately without considering the requirements for balancing tests, necessity assessments, and the usual notification and rights provisions applicable under the GDPR.’