As further detailed below, it was commonly acceptable that data controllers that are subject to the European General Data Protection Regulation ("GDPR") can rely on their legitimate interests for using personal information obtained from existing customers, for direct marketing purposes, without requiring a separate consent. However, a recent decision by the Dutch Data Protection Authority ("Dutch DPA") caused some uncertainty for controllers relying on legitimate interests as their legal basis for sharing personal data for commercial purposes.
Under Article 6 to the GDPR, the processing and sharing of personal data shall rely on a valid lawful basis. One of the lawful bases under the GDPR, which is also the most flexible one, is the "legitimate interest" basis. According to Article 6(f), processing of personal data shall be lawful if the "processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party...". Usually, before relying on such basis, controllers are required to perform a Legitimate Interests Assessment.
Recital 47 of the GDPR provides further elaboration on the legitimate interest ground, stating that legitimate interests could exist where there is a relevant relationship between the data subject and the controller, for example when the data subject is a client or is using services provided by the controller.1 Moreover, Recital 47 explicitly states that the processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interest.
However, the Dutch DPA took a different approach. In its recent decision, the Dutch DPA imposed a €525,000 fine on the Royal Dutch Tennis Association ("KNLTB") for the sharing of personal data of its members with two of its sponsors.
In the Netherlands, individuals must register with the relevant sports association, like the KNLTB, in order to play and train. In practice, once an individual registers with his local tennis association his personal information is shared with the KNLTB. When the KNLTB receives the personal data, it reaches out to the individuals via email to inform of the data sharing and allow them to opt-out. The KNLTB considered to have a legitimate interest for the sharing of personal data of its members with its sponsors. The KNLTB based its reliance on legitimate interests on a previous publication by the
Dutch DPA which stated that sports associations could share member data if their players' member council approved the sharing. In such circumstances, the individual consent of members would not be required, and the sharing could be based on the legitimate interests of the sports association. In this case, the sharing was approved by the council on behalf of all tennis players in 2017. However, in 2019 the Dutch DPA published a new guidance on the interpretation of legitimate interests. The new guidance excluded commercial interests from being considered a legitimate interest. As a result, in its recent decision, the Dutch DPA decided that the KNLTB could not rely on its legitimate interests for sharing data with its sponsors as its interest was solely of a commercial nature.
The Dutch DPA concluded that the KNLTB's data sharing does not pass the requirements of the LIA because the monetization of members' personal data is not an interest that has a basis in the law and does not follow a legal norm. According to the Dutch DPA, these requirements are necessary for an interest to be considered legitimate. The Dutch DPA also pointed out that the interest does not represent a pressing need to process the personal data. Finally, the Dutch DPA stated that any commercial purpose in itself could not qualify as a legitimate interest.
The Dutch DPA's interpretation of legitimate interests in the context of direct marketing raises questions when looked at in the context of the interpretation given by the GDPR's recitals and by other EU regulatory and judiciary bodies, such as the Article 29 Working Party, the European Court of Justice and the British Information Security Officer ("ICO"), who seem to recognize commercial interests, including digital marketing, as a legitimate interest under the GDPR. Such deviation by the Dutch DPA from the common may create a confusion for controllers who are subject to the Dutch DPA as their Lead Supervisory Authority.
In any event, the result of this case further emphasizes the need to perform an appropriate Legitimate Interest Assessment before relying on the "legitimate interest'' legal ground for any use, including for digital marketing. Feel free to contact us for any assistance with reviewing the lawfulness of your personal data processing activities.