
THE COURT OF JUSTICE OF THE EUROPEAN UNION RULES ON “LEGITIMATE INTERESTS” UNDER THE GENERAL DATA PROTECTION REGULATION (GDPR)

 

On 4 October 2024, the Court of Justice of the European Union (CJEU), in Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (Case C-621/22), delivered important guidance on the scope of “legitimate interests” under Article 6(1)(f) of the GDPR, which has been in effect since 25 May 2018.

The case arose from proceedings before the Rechtbank Amsterdam, which asked whether a sports federation could rely on this provision to justify disclosing its members’ personal data to sponsors in return for payment.

The dispute dates back to 2018, when the Dutch Tennis Federation (KNLTB) (the Federation) transferred the names, addresses, dates of birth, telephone numbers and places of residence of its members to two commercial partners: a sports goods retailer and a gambling operator.

The CJEU confirmed that a commercial interest can, in principle, constitute a legitimate interest capable of justifying the processing of personal data. However, it stressed that such reliance is subject to stringent safeguards. Controllers must demonstrate that the interest is lawful and present; that the processing is necessary and proportionate; and that the rights and reasonable expectations of data subjects are respected.

This judgment reinforces that the notion of legitimate interests under the GDPR is not unlimited. Purely commercial motives must always be carefully balanced against fundamental rights and data protection principles.

The CJEU recalled the general principle, laid down in Article 5(1)(a) GDPR, that personal data must be processed lawfully, fairly and transparently. It emphasised that Article 6(1) GDPR provides an exhaustive and restrictive list of the legal bases on which processing may be regarded as lawful.

Consent, under Article 6(1)(a), is the primary ground. In the absence of such consent, processing may only be justified if it falls within one of the other grounds in Article 6(1)(b)–(f), each of which must be interpreted strictly, since they permit processing without the individual’s agreement.

Faced with the absence of consent from the members of the Federation, the CJEU examined whether Article 6(1)(f) GDPR could serve as a lawful basis for the disclosure of their personal data to sponsors. This provision allows processing where it is necessary for the purposes of the legitimate interests of the controller or a third party, provided that those interests are not overridden by the rights and freedoms of the individuals concerned. Whilst the notion of legitimate interest does not require a basis in law, it must always be lawful and subject to a rigorous balancing against data protection rights.

The CJEU reiterated that three cumulative conditions must be satisfied for Article 6(1)(f) to apply.

First, the processing must pursue a legitimate interest on the part of the controller or a third party.

Second, the processing must be genuinely necessary to achieve that interest, in the sense that it could not reasonably be attained by less intrusive means.

Third, a balancing exercise must show that the rights and freedoms of the data subjects do not outweigh the interest being pursued.

As to the first condition, the CJEU observed that the GDPR does not provide a strict definition of legitimate interest. Instead, it has previously recognised that the notion can cover a wide variety of interests, provided that they are lawful in nature. Commercial objectives, such as those advanced by the Federation, may, therefore, in principle fall within the concept.

Referring to recital 47 GDPR, the CJEU underlined that the notion is not limited to interests expressly recognised by law: direct marketing, for instance, can, in principle, qualify. What matters is that the interest must be lawful. Moreover, where processing is based on Article 6(1)(f), the controller must, under Article 13(1)(d) GDPR, inform the data subject of the legitimate interests being pursued at the time of collection.

The Court then turned to the second condition: the necessity test. This requires the national court to examine whether the legitimate aim in question could reasonably be achieved by less intrusive means. Such an assessment must also be read in light of the principle of data minimisation under Article 5(1)(c) GDPR, which requires the data to be adequate, relevant and limited to what is necessary. In other words, disclosure cannot be justified if equally effective but less restrictive alternatives are available.

Finally, the CJEU addressed the third condition: the balancing of interests. This balancing exercise depends upon the specific circumstances of each case and must weigh the competing rights and interests involved. Particular weight must be given to the reasonable expectations of the data subjects, as recital 47 GDPR makes clear: where individuals could not reasonably expect their data to be processed in a certain way, their interests and rights are likely to override those of the controller.

Although it is ultimately for the referring court to apply these three conditions to the facts before it, the CJEU stressed its role in providing clarifications to guide the national court in that assessment.

In the light of these considerations, the CJEU concluded that the disclosure of personal data to sponsors in return for remuneration may only be justified under Article 6(1)(f) GDPR if it is strictly necessary for the pursuit of a legitimate interest, and only if that interest is not overridden by the fundamental rights and freedoms of the members. As mentioned, whilst the notion of legitimate interest does not require a basis in law, it must always be lawful and subject to a rigorous balancing against data protection rights.

The judgment clarifies that commercial aims may fall within the scope of legitimate interests, but only under strict conditions. It underscores the high threshold imposed by the three-step test: the interest must be lawful and genuine; the processing must be strictly necessary, with no less intrusive alternative available; and the rights and expectations of the individuals concerned must not be overridden. In this respect, the ruling aligns with the draft European Data Protection Board (EDPB) Guidelines 1/2024, which stress that Article 6(1)(f) is not a default ground for processing but a narrowly circumscribed exception, to be applied with caution and accountability on a case-by-case basis.

Against this background, the practical implications of the CJEU judgment become clear.

What, then, are the broader consequences of this judgment, and why does it matter for sports federations?

The judgment makes clear that reliance on Article 6(1)(f) GDPR is never automatic. Controllers must be prepared to demonstrate, through a rigorous three-step assessment, that their reliance on “legitimate interests” is lawful, necessary and proportionate in light of the rights and expectations of data subjects. This inevitably sets a high bar for organisations seeking to justify commercial uses of personal data.

For sports federations, the case is a reminder that the trust of members is paramount. Disclosing membership data to sponsors, without prior consent, will rarely align with what members reasonably expect, and carries reputational as well as legal risks. Partnerships with sensitive sectors, such as gambling, only increase the likelihood that such practices will be found unlawful.

More broadly, the judgment resonates with the objectives of good governance in sport as highlighted in the 2007 White Paper on Sport, which identified transparency, accountability and the protection of stakeholders as key principles. Safeguarding members’ personal data is not only a legal duty under the GDPR but also an ethical obligation directly linked to the legitimacy and credibility of sports governance.

Taken together with the updated EDPB Guidelines 2/2024, the judgment underscores that legitimate interests remain a narrow and carefully circumscribed ground for processing. For federations and associations, the safest path lies in transparency, robust governance and, wherever possible, the explicit consent of their members.

Data protection is, therefore, not only a matter of compliance, but a cornerstone of good governance in sport, reinforcing transparency, accountability and the trust of all stakeholders — from federations to athletes and members. Our firm is committed to supporting all of them in this process.

We advise sports federations and sportspersons on privacy and data protection issues and further information is available from Dr Estelle Ivanova by emailing her at ivanova@valloni.ch.