Digital marketing as a legitimate interest? Dutch DPA clarifies.

On the first of November the Dutch DPA (Autoriteit Persoonsgegevens) has tried to shed some more light on the subject of the legitimate interest as a lawful ground of processing. Besides reconfirming the common understanding and best practices, the Dutch DPA clarifies the legal basis for direct marketing if and to the extent, that the data subject is not yet a customer.

The existence of a legitimate interest must be carefully assessed in each specific case. The GDPR formulates three cumulative requirements in order to fulfill this ground of processing, legitimacy, necessity and the balancing of interests. A legitimate interest has to be real, concrete and immediate. Examples that the Dutch DPA give that qualify as a legitimate interest are protection and security of computer systems, protection against fraud and also communication with existing customers.

The interest has to be real, concrete and immediate. Therefore, it cannot be speculative, prospective or derivative. The DPA states that pure commercial interests such as maximalization of profit or the monitoring and the behavior of employees or customers cannot be seen as a legitimate interest.

The Dutch DPA clarifies that a legitimate interest can be used for direct communication to existing costumers provided they are offered an opt-out for e-mails. This means that the data subject must have bought a product or acquired a service from the controller.

The Dutch DPA stresses that if there is no legitimate interest, consent will be the basis for direct marketing. Direct marketing to new customers is seen as a pure commercial interest and cannot be deemed a legitimate interest. Communication with new customers may only be done on the basis of consent, which is also in line with the ePrivacy Directive which has been implemented in the Dutch Telecommunication Law. The Dutch DPA furthermore states in the Q&A-section on their website that when working with personal data acquired via list brokers companies always have to make sure that consent has been given by the data subjects that are on these contact lists.

Direct marketing has the attention of DPA’s in the whole of Europe. In June 2019 the British DPA (ICO) has given a fine of 100.000 pounds for unsolicited marketing text messages and 40.0000 pounds for sending direct marketing emails without consent.