• Home
  • Imprint
  • Privacy policy
  • Terms
  • Agile and lean law firm
  • Ideal partner
  • Contact
  • Videos
ITMediaLaw - Rechtsanwalt Marian Härtel
  • en English
  • de Deutsch
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
Kurzberatung
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
ITMediaLaw - Rechtsanwalt Marian Härtel
Home Data protection Law

ECJ: How is “legitimate interest” to be interpreted in the GDPR?

2. January 2023
in Data protection Law
Reading Time: 6 mins read
0 0
A A
0
privacy policy 3583612 1920
Key Facts
  • The ECJ decides on the term "legitimate interest" in the GDPR on the basis of a request for a preliminary ruling.
  • The plaintiff, a sports association, is suing for a fine of 525,000 euros for data protection violations.
  • The central question is whether a commercial interest can fulfill the legal basis of the GDPR.
  • The defendant argues that only legally defined interests are to be regarded as legitimate.
  • The plaintiff claims that any interest can be justified as long as it does not contradict the law.
  • The referring court sees ambiguities in the definition of the term "legitimate interest" in the GDPR.
  • The decision could have a significant impact on the processing of personal data.

The ECJ, on the basis of a reference for a preliminary ruling under Art. 98 para. 1 of the Rules of Procedure of the Court of Justice to rule on an interesting point of law of the GDPR.

Content Hide
1. Original proceedings in the Netherlands
2. Subject matter and legal basis of the reference for a preliminary ruling
3. Template questions
4. Brief description of the facts and the main proceedings
5. Main arguments of the parties to the main proceedings
6. Brief presentation of the rationale of the template

Original proceedings in the Netherlands

The main proceedings relate to an action brought by the plaintiff before the Rechtbank Amsterdam (District Court Amsterdam, the Netherlands) against the defendant’s decision of July 30, 2020. By that decision, the defendant dismissed as unfounded the plaintiff’s appeal against the decision of December 20, 2019, by which it had imposed a fine of EUR 525,000 on the plaintiff for a breach of the General Data Protection Regulation (“GDPR”).

Subject matter and legal basis of the reference for a preliminary ruling

The reference for a preliminary ruling pursuant to Article 267 TFEU concerns the question whether the term “legitimate interest” within the meaning of Article 6 para. 1(f) GDPR extends exclusively to interests defined by law (positive test) or any interest provided that it is not contrary to law (negative test) and, in particular, whether a purely commercial interest – such as the interest in making personal data available for consideration without the data subject’s consent – can be considered legitimate in certain circumstances and, if so, which circumstances are decisive for this.

Template questions

  1. How must the law bank interpret the term “legitimate interest”?
  2. Is this term to be interpreted as the defendant interprets it? Does it cover only interests that are part of the law, legal and set forth in a statute? Or:
  3. Can any interest be a legitimate interest provided it is not contrary to law? More specifically: Can a purely commercial interest and the interest at hand, namely the provision of personal data against payment without the consent of the data subject, be classified as a legitimate interest under certain circumstances? If so, what circumstances determine whether a purely commercial interest is a legitimate interest?

 

Brief description of the facts and the main proceedings

  • The plaintiff is a sports association. Its members are composed of the tennis clubs affiliated to it and their members. The plaintiff works with sponsors, including Nederlandse Loterij Organisatie BV and SportshopsDirect BV. In 2018, Plaintiff provided data on a portion of its members to these sponsors in exchange for a fee, which used the data for promotions via sales letters and telephone solicitation
  • Based on several advertisements alleging that the plaintiff had unlawfully disclosed personal data of its members to the aforementioned sponsors, the defendant initiated an investigation regarding the plaintiff’s compliance with the GDPR. According to the defendant, the plaintiff provided data of its members to the two sponsors in question without the members’ consent and without a lawful reason for sharing such data
  • By decision of December 20, 2019, the defendant imposed a fine of 525,000 euros on the plaintiff. The plaintiff appealed against this decision. By decision dated July 30, 2020, the defendant dismissed the complaint as unfounded. The plaintiff brought an action against the latter decision before the referring court.

Main arguments of the parties to the main proceedings

  • According to the GDPR, personal data may only be processed if this processing is based on a legal basis. Art. 1 GDPR lists these legal bases exhaustively. It is undisputed between the parties that Plaintiff did not have the consent of its members for the disclosure of those members’ data to the Sponsors. However, the plaintiff claims that he had a “legitimate interest” in this within the meaning of Art. 6 1 lit. f DSGVO, which the defendant denies. The parties thus disagree on the interpretation of the term “legitimate interest” and its scope.
  • According to the defendant, there must be a legitimate and thus concrete interest “belonging to the law, statutory and established in a law” (positive test).

In this regard, the defendant argues, inter alia, the following:

  • It follows from the 47th recital of the GDPR that the processing of personal data of persons who should not reasonably expect such processing cannot be based on a legitimate interest. It must be an interest of the controller that is recognizable in advance and that the data subject can expect. An interest that is not sufficiently identifiable in advance cannot be a legitimate interest. This interpretation also finds support in the position of the European Council in the context of the first reading of the GDPR.
  • According to Art. 52 of the Charter, restrictions with regard to Art. 8 of the Charter (right to protection of personal data) would have to be provided for by law and respect the essence of this right. It follows from the fourth recital of the GDPR that the GDPR in fact implements Article 52 of the Charter. In this light, an interest within the meaning of Art. 6 para. 1(f) of the GDPR, which is essentially a restriction of the right to the protection of personal data, must therefore at least affect public interest objectives recognized by the Union or be necessary to protect the rights and freedoms of others.
  • The collection and processing of personal data for the purpose of resale without the consent of the data subjects violates Article 8 ECHR. If the plaintiff has a legitimate interest, the limitation of Art. 8 ECHR is provided for by law, namely in the GDPR. Prior to the introduction of the GDPR, this restriction had not been provided for by law, so that the GDPR eliminates the previous contradiction with Art. 8 ECHR. The applicant’s position basically means that the protection now provided by the Charter and the GDPR is less than that guaranteed during the period when only the ECHR applied, which is incompatible with Article 53 of the Charter.
  • According to the plaintiff, there is a legitimate interest unless this interest runs counter to the law (negative test).
  • A “legitimate interest” need not be based on a fundamental right or a legal principle. It follows from the GDPR that other interests could also constitute a legitimate interest. Thus, the recital of the GDPR classifies “direct marketing” as a legitimate interest. Advocate General M. Bobek had stated in his opinion in the Fashion ID case (C-40/17) that no interest per se was excluded. In this sense, there was a decision of the Court of Justice that recognized a legitimate interest that did not correspond to a fundamental right or a principle of law (C-131/12, Google Spain). In addition, the Rechtbank Midden-Nederland (District Court of Midden- Nederland, the Netherlands) stated in a decision dated November 23, 2020, that a legitimate interest is established via a negative test.

Brief presentation of the rationale of the template

  • According to the referring court, the question of whether the plaintiff has a legitimate interest in processing the personal data of its members cannot be answered beyond reasonable doubt. Neither does the settled case law of the Court of Justice provide an answer to this question (there is no “acte éclairé”) nor does Art. 6 para. 1(f) GDPR clarifies the definition and scope of the term “legitimate interest” (there is no “acte clair”). Moreover, this provision is not formulated so clearly that there can be no doubt as to its interpretation and scope.
  • On the one hand, the referring court refers to the above-mentioned decision of the Rechtbank Midden-Nederland, in which reference is made to the opinion of Advocate General M. Bobek in the Fashion ID case. In that letter, he states that Directive 95/46 also contains neither a definition of the precise content of the concept of “legitimate interest” nor an enumeration thereof. In his opinion, this term is apparently quite elastic and open, no interest is excluded per se, provided that it is not illegal in itself, this term can encompass a wide variety of interests and therefore not only legal interests, but also quite a few factual, economic and ideal interests can constitute a legitimate interest. This seems to speak in favor of the plaintiff’s point of view, according to which any interest, consequently also a purely commercial interest, can be a legitimate interest. Furthermore, the referring court considers that the applicant’s view is also justifiable because the GDPR clearly prescribes when a processing operation must have a provision of law as its legal basis. On the other hand, according to the referring court, it seems difficult to reconcile the protection offered by the GDPR with the fact that the desire to make money from the personal data of data subjects without their consent is classified as a legitimate interest. In the view of the referring court, therefore, in the case of a fundamental right such as the right to protection of personal data, the defendant’s view is also justifiable. However, the referring court points out that even before the entry into force of the GDPR, the limitation of Article 8 ECHR was provided for by law. Indeed, the “legitimate interest” ground for processing was at that time provided for in Article 8(f) of the Wet bescherming persoonsgegevens (Personal Data Protection Act)
Tags: Case lawGeneral Data Protection RegulationGoogleLawsLawsuitLegal questionPersonal dataPrivacyRegulationSponsor

Beliebte Beträge

Data leak in startup practice: GDPR reporting and damage limitation

dsgvo
29. April 2025

Young start-ups and solopreneurs often focus on agile development and rapid growth - but a data leak can put an...

Read moreDetails

Data protection, anonymity and third-party chatter: GDPR risks and solutions for OnlyFans Creator

Data protection, anonymity and third-party chatter: GDPR risks and solutions for OnlyFans Creator
12. May 2025

OnlyFans has revolutionized the income opportunities for adult content creators - but with success comes legal challenges. In particular, data...

Read moreDetails

Data protection and anonymity for OnlyFans creators, agencies, brokers and chatter agencies

Data protection and anonymity for OnlyFans creators, agencies, brokers and chatter agencies
10. May 2025

OnlyFans and similar platforms for erotic content are booming - but as their popularity grows, so do the data protection...

Read moreDetails

Legally compliant archiving of emails: legal requirements and practical implementation

Legally compliant archiving of emails: legal requirements and practical implementation
14. March 2025

It is impossible to imagine modern corporate communication without e-mail. It is not only used for the rapid exchange of...

Read moreDetails

Risks when hosting personal data on US cloud servers

Risks when hosting personal data on US cloud servers
18. February 2025

Hosting personal data on cloud servers from US providers poses significant risks for European companies, particularly with regard to compliance...

Read moreDetails

SaaS contract for marketing tools

da785cff1bca5b6897d0d4cacf7359ff
15. November 2024

When I helped set up CPMStar, one of the first major gaming marketing agencies in Germany, a few years ago,...

Read moreDetails

BGH ruling on damages for data protection breaches

BGH: Women also gamble on first-person shooters
8. December 2024

The ruling by the German Federal Court of Justice (BGH) on November 18, 2024 has put an abrupt end to...

Read moreDetails

New cookie regulation: a step towards simplifying digital consent?

Esport: Sports Committee of the BT meets Wednesday
8. December 2024

On September 4, 2024, the Federal Government adopted the Consent Management Ordinance (EinwV). This new ordinance is based on Section...

Read moreDetails

Multi-tenant architectures in the SaaS sector: data separation and compliance requirements

6e405ef66c83bf9de2066fb73a1deafc
9. November 2024

Multi-tenant architectures are the backbone of modern SaaS solutions, as they enable efficient use of resources and scalability. However, they...

Read moreDetails
  • Home
  • Imprint
  • Privacy policy
  • Terms
  • Agile and lean law firm
  • Ideal partner
  • Contact
  • Videos
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Contact
  • Leistungen
    • Support with the foundation
    • Focus areas of attorney Marian Härtel
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Games law consulting
    • Support and advice of agencies
    • Legal advice in corporate law: from incorporation to structuring
    • Cryptocurrencies, Blockchain and Games
    • Investment advice
    • Booking as speaker
    • Legal compliance and expert opinions
    • Legal advice in corporate law: from incorporation to structuring
    • Contract review and preparation
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
    • Agile and lean law firm
    • Focus on start-ups
    • Principles as a lawyer
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Why a lawyer and business consultant?
    • Focus on start-ups
    • How can I help clients?
    • Team: Saskia Härtel – WHO AM I?
    • Testimonials
    • Imprint
  • Videos
    • Video series – about me
    • Information videos – about Marian Härtel
    • Videos on services
    • Blogpost – individual videos
    • Shorts
    • Third-party videos
    • Podcast format
    • Other videos
  • Knowledge base
  • Podcast
  • Blogposts
    • Lange Artikel / Ausführungen
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Labour law
    • EU law
    • Corporate
    • Competition law
    • Copyright
    • Tax
    • Internally
    • Other
  • en English
  • de Deutsch
Kostenlose Kurzberatung