What is legitimate interest and why is it important?
Legitimate interest is one of the six legal bases for processing personal data stipulated by the General Data Protection Regulation (“GDPR”), as well as by the Serbian Law on Personal Data Protection (Official Gazette of the RS no. 87/2018) (“LPDP”). This basis allows personal data processing on the grounds of the data controller’s legitimate interest, provided that this interest does not override the fundamental rights and freedoms of individuals.
The significance of legitimate interest lies in its flexibility, as it allows data controllers to process personal data in situations where there is no explicitly prescribed legal basis or individual consent. However, in practice, questions often arise as to which data controller interests can truly be deemed legitimate, and when processing may constitute unlawful processing that controllers “justify” under legitimate interest in cases where no other basis for processing exists. This creates a risk that the rights of data subjects may be overlooked or inadequately protected, while data controllers may feel uncertain about when they can apply this basis due to inconsistent practices.
A turning point in the application of legitimate interest: What does the KNLTB case judgment bring?
In the Netherlands, debate has long centered on whether legitimate interest can cover solely commercial interests. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) had consistently held that a commercial interest alone is insufficient to justify legitimate interest as a legal basis for processing. This strict interpretation made it more difficult for companies to rely on legitimate interest as a lawful basis for personal data processing, creating uncertainty regarding the legality of such practices.
In its ruling of October 4, 2024, the CJEU brought an end to the AP’s previous stance. The Royal Dutch Tennis Association (“KNLTB”) had been fined by the AP for sharing its members' personal data with commercial partners, with the AP arguing that KNLTB could not rely on legitimate interests since these were exclusively commercial in nature. This interpretation was also confirmed by Dutch courts. However, the CJEU ruled in this case that commercial interests can indeed constitute legitimate interests without needing any additional legal basis, thereby indicating that a broad spectrum of interests may qualify as legitimate.
Impact of the judgment on the practice of other EU member states and Serbia
This judgment will significantly impact practice in the Netherlands, as well as interpretations of legitimate interest in other EU countries, which may now reconsider their views on processing data based solely on commercial interests. The CJEU’s judgment provides clear guidance that will facilitate many data controllers' reliance on legitimate interest as a legal basis for processing data.
As for Serbia, although it is not yet an EU member, domestic regulations in the field of personal data protection follow European standards, and it is likely that this ruling will influence future interpretations of legitimate interest in the local context.
Whether the CJEU’s ruling will achieve the expected effect in data protection practice and truly harmonize the interpretation of legitimate interest across Europe remains to be seen.
Sonja Stojčić
Senior Associate