DPO Radio

Free Website Privacy Check: Ensure Your Site's Compliant Now!
Logo Image
Sign Up

GDPR Update: Landmark Case Limits Legitimate Interest for Personal Data Sharing

Sep 13, 202406 minute read

GDPR Update: Landmark Case Limits Legitimate Interest for Personal Data Sharing

blogdetail image
News and Articles
AesirX
GDPR Update: Landmark Case Limits Legitimate Interest for Personal Data Sharing

In a groundbreaking ruling, the Court of Justice of the European Union (CJEU) has placed tighter restrictions on how businesses can process personal data without consent, tightening the rules around "legitimate interest". 

This decision in Joined Cases C-17/22 and C-18/22, dated 12 September 2024, highlights stricter boundaries for data sharing, particularly in sensitive cases like contact details. The Court examined the application of Article 6(1) and the circumstances under which personal data processing may be lawful, particularly when consent is absent.

Here’s a breakdown of the key findings and what they mean for GDPR compliance.

Key Points and Analysis

1. Context of the Case

The case concerns an investment fund set up as a limited partnership offering shares to the public. The plaintiffs, who are partners in the fund, requested access to the contact details of other partners with indirect shareholdings through a trust company. The trust companies refused, arguing that the request was economically driven and could harm other partners. The referring court asked for guidance on applying Article 6(1) of the GDPR, focusing on the legitimacy of processing personal data in such a scenario.

2. Article 6(1) GDPR: Lawfulness of Processing Personal Data

Article 6(1) of the GDPR outlines six conditions under which the processing of personal data can be lawful. These include:

  • Consent of the data subject (point (a))
  • Processing necessary for the performance of a contract (point (b))
  • Compliance with a legal obligation (point (c))
  • Legitimate interest pursued by the data controller or a third party (point (f))

The Court examined how points (b), (c), and (f) applied to this case.

3. Point (b): Processing Necessary for Contract Performance

The plaintiffs argued that accessing the contact details of other partners was necessary for exercising their rights under the partnership contract, such as negotiating the purchase of shares or coordinating partner resolutions.

  • Court’s Response: The Court clarified that for processing under point (b) to be justified, it must be "objectively indispensable" for fulfilling the contract. Processing that is merely helpful or convenient is not enough. In this case, the investment and trust agreements explicitly prohibited sharing personal data with other partners, so the requested data processing was not necessary for the contract's performance.
  • Conclusion on Point (b): The Court ruled that disclosing the contact details of other partners does not meet the necessity threshold for contract performance, especially if the contract explicitly forbids such disclosure.

4. Point (f): Legitimate Interests of the Data Controller or Third Party

The plaintiffs also argued that their request was justified by legitimate interests, such as the economic interest of entering into share purchase negotiations or coordinating resolutions with other partners.

  • Court’s Response: The Court applied the three-part test for legitimate interest under Article 6(1)(f):
    • Legitimate interest: The Court acknowledged that a wide range of interests can be considered legitimate, and the plaintiffs' interest in contacting other partners for business purposes could be legitimate.
    • Necessity: The Court emphasized that processing must be "strictly necessary" to achieve the legitimate interest. Here, the Court suggested alternative methods, such as the plaintiffs requesting the trust company to pass on their contact details to other partners, leaving it up to the partners to decide whether to engage. This alternative would be less intrusive and still serve the legitimate interests of the plaintiffs.
    • Balancing of interests: The Court ruled that even if a legitimate interest exists, it must not override the fundamental rights and freedoms of the data subjects (the other partners). The Court noted that the partners with indirect shareholdings had a reasonable expectation of confidentiality, and this expectation likely outweighed the plaintiffs' interests.
  • Conclusion on Point (f): The Court held that while the plaintiffs may have a legitimate interest, the processing of personal data in this case was not strictly necessary, and the interests or fundamental rights of the data subjects (partners) took precedence.

5. Point (c): Compliance with a Legal Obligation

The referring court also raised the possibility of a legal obligation under national law that might require the disclosure of partners’ contact details. In some national case law, there may be an obligation to disclose such information, particularly within the context of transparency in partnerships.

  • Court’s Response: The Court stated that any legal obligation to process personal data must be based on clear, precise, and foreseeable national law, as required by Article 6(3) GDPR. Additionally, such a legal obligation must meet an objective of public interest and be proportionate. The referring court must verify whether such a legal obligation exists under national law and whether it meets these criteria.
  • Conclusion on Point (c): The Court deferred to the national court to determine whether a legal obligation exists under national law, but stressed that such an obligation must comply with the requirements of clarity, precision, and proportionality as set out in EU law.

Final Judgment and Conclusions

  • Point (b) (Performance of a Contract): The processing of personal data for disclosing partners' contact information is not justified under this provision, especially when the contract explicitly prohibits such disclosure.
  • Point (f) (Legitimate Interest): While the plaintiffs may have a legitimate interest in contacting other partners, the disclosure of their personal data is not strictly necessary, and the data subjects' (partners') right to confidentiality takes precedence.
  • Point (c) (Compliance with a Legal Obligation): The Court left it to the national court to determine whether such an obligation exists under national law, subject to the condition that the law is clear, precise, and proportionate.

The Role of Consent: Key Takeaways

This judgment reinforces that consent remains a cornerstone of lawful data processing under the GDPR. 

While alternative grounds like legitimate interest may sometimes justify processing, the lack of consent requires a high threshold for any other legal basis to apply. Consent, when freely given, specific, informed, and unambiguous, remains the gold standard for ensuring compliance, particularly in sensitive contexts where confidentiality is expected, as with financial partnerships.

This ruling underscores the importance of protecting personal data and suggests that when consent is not obtained, businesses must apply a very narrow and restrictive interpretation of other lawful bases. AesirX focuses on helping organizations navigate these complexities, emphasizing first-party consent solutions to ensure GDPR compliance.

Broader Implications

This judgment reinforces the strict interpretation of Article 6(1) of the GDPR, particularly in limiting the use of legitimate interest as a lawful basis for data processing. It stresses the need for carefully balancing the rights of data subjects against the interests of data controllers or third parties, especially where individuals have a reasonable expectation of privacy and confidentiality. Furthermore, the judgment underscores the necessity of well-defined and explicit legal obligations when processing personal data under national law.

The decision highlights the critical role of transparency in contractual agreements and the protection of personal data, especially in business structures involving multiple parties. It reaffirms the GDPR’s focus on prioritizing individual rights over economic interests, requiring businesses to be more vigilant in securing valid consent or adhering strictly to other lawful bases for processing.

In summary, the ruling elevates the protection of personal data above commercial objectives, aligning firmly with the GDPR's core principles. Businesses must take proactive steps to ensure that they are obtaining valid consent or rigorously applying alternative legal bases when consent is absent.

To learn more about how AesirX can help you stay compliant and avoid fines, contact us for a Privacy Review or try our free Privacy Scanner to evaluate your website’s current consent practices.

Ronni K. Gothard Christiansen // VikingTechGuy 

Creator, AesirX.io

Enjoyed this read? Share the blog!

TABLE OF CONTENTS

  1. Key Points and Analysis
  2. Final Judgment and Conclusions
  3. The Role of Consent: Key Takeaways
  4. Broader Implications

share icon

Share

Continue Reading

SSO and Analytics Integration: How Single Sign On Enhances Data-Driven Strategies

SSO

SSO and Analytics Integration: How Single Sign On Enhances Data-Driven Strategies

Sep 16, 2024

Continue reading
Understanding the Recent Ruling by the Belgian DPA on Cookie Consent

AesirX

Understanding the Recent Ruling by the Belgian DPA on Cookie Consent

Sep 11, 2024

Continue reading
The Importance of Consent Management for Personal Data in Web3 BI

BI

The Importance of Consent Management for Personal Data in Web3 BI

Sep 09, 2024

Continue reading
Symbol Image
Footer logo

The evolution of Aesir is Aesir + AesirX Icon (the Norse symbol for Necessity)"Needed in order to achieve a particular result"

Discover our weekly privacy insights on LinkedIn Newsletters.

Solutions

Resources

Support

Partnership Opportunities

Terms of ServicePrivacy PolicyRefund Policy

Copyright @ 2024 AesirX
Coin Gecko Logo
Join our Community