When processing personal data in your business or other activities, you have likely encountered one of the legal grounds for such processing: legitimate interest. In current practice, "legitimate interest" is sometimes relied upon as an universal basis for processing personal data, particularly in situations where explicit consent from the individual is not obtained.

A recent ruling by the Court of Justice of the European Union provided a more concrete interpretation of "legitimate interest," offering data controllers practical guidance on when this legal basis can and cannot be applied. For example, can a purely commercial need constitute a legitimate interest under the GDPR? The Court answered affirmatively. Legitimate interest can encompass a wide range of reasons, which do not necessarily have to be defined by law (though they must comply with it) and may include purely commercial interests. However, there are limits.

The Court reminded us of several key principles for the balanced use of legitimate interest. Data controllers may process only the minimum amount of personal data necessary, for limited purposes, and only for the duration required, while respecting the fundamental rights and freedoms of the individuals concerned. The primary goal of invoking commercial interest should not be profitability alone; the commercial interest should have broader significance and provide benefits to both individuals and society as a whole.

It is always necessary to balance the fundamental rights and freedoms of individuals with the proportionality of processing personal data based on legitimate interest.

Author: Vladěna Svobodová

‍