🎾Tennis enthusiasts and GDPR lovers, this decision is bound to catch your attention!
In a case involving the Dutch tennis federation (Royal Dutch Tennis Association or "KNLTB") and the Dutch supervisory authority, the Court of Justice of the European Union ruled on October 4, 2024, on a crucial question for the business world. For some, this decision is seen as a relief, while for others it is seen as a weakening of individuals' rights.
Transfer of data to commercial partners
In 2018, the KNLTB, a Dutch sports federation, shared personal data of its members with two sponsors: TennisDirect, a sports retailer, and Nederlandse Loterij Organisatie (NLO), a gambling operator. This data transfer was intended for promotional purposes: TennisDirect used the names and addresses of the members to send advertising leaflets by mail, while NLO collected more extensive data, including phone numbers and email addresses, to conduct a calling campaign.
This data transfer led to complaints from members, which led the Dutch Data Protection Authority (AP) to impose a fine of €525,000 on the KNLTB. The AP considered that the KNLTB had violated the GDPR by sharing this information without the consent of the members and without legal basis, in violation of Articles 6 and 5 of the Regulation.
The KNLTB challenged this penalty before the Amsterdam court. It argued that the processing was based on its legitimate interest, which consisted, on the one hand, in creating a strong connection between the association and its members, and, on the other hand, in being able to offer added value to their membership in the form of discounts and offers from partners that allowed these members to practice tennis at an affordable and accessible price.
Can any interest be legitimate?
The first question is whether the notion of legitimate interest should be interpreted in a positive or negative way. According to the supervisory authority, interests can only be legitimate if expressly provided by law: this is the positive criterion. According to the opposing party, it is the opposite, any interest can be legitimate as long as it does not contradict the law: this is the negative criterion.
The Court rules by recalling the terms of the GDPR, in particular the conditions for the lawfulness of processing set out in Article 6, as well as the spirit of the GDPR as it emerges from its recitals (in particular, recitals 1 and 47). It therefore confirms that the GDPR does not exclude any type of interest from qualifying as legitimate—provided that three key conditions are met to make the processing lawful:
- Legitimate interests must exist
- They must be necessary for the realization of the processing and its objectives, i.e., there must be no less intrusive means to the fundamental rights and freedoms of individuals,
- These interests must not outweigh the fundamental rights and freedoms of the data subject.
Therefore, the negative criterion applies.
This question had already been raised before the Court in a judgment of July 4, 2023, Meta Platforms e.a. (Terms of use of a social network) and had been answered in a positive way.
To this first question, the Court responds that legitimate interests are therefore free!
And commercial interests?
The second issue concerns whether a purely commercial interest—specifically the promotion and sale of advertising space for marketing purposes—can qualify as a legitimate interest under the GDPR.
To streamline the proceedings, the Court provides its view: yes, a commercial interest may indeed be considered legitimate. This interpretation is supported by Recital 47 of the GDPR, which explicitly states that direct marketing activities can constitute a legitimate interest.
However, when it comes to the necessity requirement, the Court proposes a less intrusive alternative: informing members in advance and obtaining their consent before sharing their personal data with third parties for advertising or marketing purposes.
Regarding the third condition—whether the processing unduly infringes on individuals' rights and freedoms—the Court raises the question: could members of a tennis club reasonably expect, at the time their data was collected for membership purposes, that their information would later be shared for a fee with third-party advertisers, such as the club’s sponsors?
In this specific case, the Court underscores the importance of contextual analysis. It notes that sharing members’ data with entities such as a casino or gambling company lacks a clear and appropriate relationship with the original purpose for data collection. Furthermore, it highlights that such processing may expose individuals to risks like gambling addiction, thus raising serious concerns about the impact on their rights.
The final ruling on this point remains pending before the Dutch court.
Why is this decision important for DPOs?
The legal basis of legitimate interests is fundamental in the GDPR as it covers a large part of the processing carried out by economic operators. It is therefore essential to ensure that the conditions for the application of this legal basis are met.
This decision is interesting because it provides a clear position on the notion of purely commercial interest. Although the CJEU has ruled several times on the concept of legitimate interest, it has not had the opportunity to clearly express its opinion on this notion of pure commercial interest.
This clarification is significant because some supervisory authorities—such as the Dutch DPA—had adopted a strict position, categorically rejecting purely commercial interest as a valid legal basis, deeming it inherently illegitimate.
In this case, the Court corrects that stance by confirming that a commercial interest can, in principle, be legitimate. However, it does not validate the association's practices, emphasizing that for the legal basis to apply, the balance with fundamental rights and freedoms must still be respected.
In other words, organizations cannot rely on legitimate interest to freely communicate personal data without adhering to the GDPR's strict criteria—especially the need for transparency, proportionality, and purpose limitation.
DPOs should also remember that the obligation to inform data subjects includes clearly specifying the legitimate interest pursued. These interests must be both defined and understandable, ensuring individuals are fully aware of how their data is used.
In response to the ruling, the Dutch supervisory authority acknowledged the decision but reaffirmed its commitment to putting individuals and their rights at the center of its approach—a stance that remains entirely defensible.