RGPD

GDPR and marketing targeting: can legitimate interest be invoked without consent?

In a context where the protection of personal data has become a major concern, the case BGH VI ZR 109/23 raises crucial questions about the implications of the GDPR and of consent. Indeed, the recent case law of the German Federal Court of Justice could redefine

Contents
Schedule a discussion

Reading time:

6 min

In a context where the protection of personal data has become a major concern, the case BGH VI ZR 109/23 raises crucial questions about the implications of the GDPR and of consent. Indeed, the recent case law of the German Federal Court of Justice could redefine our understanding of consumer rights in the face of practices such as unsolicited advertising. The stakes are all the higher as data subjects are often confronted with situations in which they feel they have lost control over their data. This ruling highlights the delicate balance between the legitimate interests of businesses and the fundamental rights of individuals. So, what is the scope of this ruling and how could it influence the future of data protection law? To understand the principles established by the judgment and its consequences, let us examine the details of the case.

If you would like to engage a lawyer specialised in personal data law, contact me!

What are the facts of the case BGH VI ZR 109/23?

This case, brought before the German Federal Court of Justice, focuses on the circumstances surrounding the unsolicited advertising sent to an individual by a company following a transaction in an online store. The claimant, regarded as a data subject, took offence at the processing of his personal data by the data controller, a commercial entity, which had used his information for marketing purposes without his explicit consent. This case raises legitimate questions about ethical business practices and the protection of consumer rights.

When the claimant received a promotional email, he exercised his rights by sending an email to the data controller to express his disagreement with the « processing or use » of his data. Worse still, the latter failed to respond to this objection, making the situation even more problematic for the claimant, who felt that his control over his personal data had been compromised.

Under Article 17(1)(d) of the GDPR, the claimant requested that the processing of his data be stopped, stating that it constituted unlawful conduct. The feeling of having lost control over his personal data was compounded by the receipt of unsolicited advertising messages, thereby giving rise to serious concern about the unauthorised disclosure of his data. He thus argued that this breach of business ethics had caused him significant stress.

The data controller, in its defence, replied that its actions were justified by a legitimate interest within the meaning of Article 6(1)(f) of the GDPR. However, this justification was called into question by the lower courts, which expressed reservations about whether this approach complied with the requirements of the GDPR. An internet lawyer can assist you in understanding and applying these regulations relating to online business practices.

To assess the implications of this case, it is crucial to understand the court's response concerning the control of personal data and consumer rights in the face of business practices.

Let's discuss your needs for 15 min!

What was the decision of the Federal Court of Justice?

In its ruling, the Federal Court of Justice (BGH) examined the arguments put forward by the parties, in particular those relating to the legitimate interest of the data controller in using data for advertising. The Court noted that Article 6(1)(f) of the GDPR allows processing based on legitimate interest, but only where that interest overrides the fundamental rights and freedoms of individuals.

Based on the facts of the case, the BGH concluded that the absence of the claimant's explicit consent to the use of his personal data could not be replaced by a legitimate interest. Indeed, the court held that:

  • The protection of personal data is a fundamental right.
  • Businesses must be transparent in their use of data.
  • Individuals must have effective control over their personal data.

This ruling also underlines the importance of consent, which cannot be implied or presumed in commercial transactions. The Court thus reinforced the need for clarity in communications between businesses and consumers, establishing important precedents for future case law.

The BGH's decision will be decisive for the processing of personal data in similar contexts and could lead to a tightening of the rules on unsolicited advertising. Indeed, this case law paves the way for further cases in which consumer rights will be at the heart of the legal debate.

It therefore becomes essential to examine the implications for the protection of personal data in the light of this landmark ruling.

I want reliable legal documents!

What are the implications for the protection of personal data?

The decision of the Federal Court of Justice in the case BGH VI ZR 109/23 carries with it numerous implications for the protection of personal data in Europe. First of all, the judgment reaffirms that the GDPR imposes a strict obligation of consent for the processing of personal data. This means that businesses must obtain the explicit consent of users before being able to use their data for marketing purposes, including unsolicited advertising.

In particular, the collection and use of personal data must be coupled with ethical and legal considerations. Thus, to be compliant, businesses should:

  • Assess the necessity of each instance of personal data processing in light of users' consent.
  • Provide clear and transparent information about the use of personal data.
  • Ensure that users have a simple means of objecting to the use of their data.

In addition, the ruling emphasises that consumers, or data subjects, must not merely fear a breach of the protection of their personal data, but must be able to prove actual harm in the event of a violation of their rights. This point is crucial because it places the burden of proof on the claimant, who must demonstrate that he has suffered non-material damage as a result of the unlawful processing of his personal data. A lawyer specialised in software and database law can assist you in managing and protecting your data in compliance with the GDPR.

The case law arising from this ruling could also encourage data protection authorities to be more proactive in enforcing the GDPR. With more and more complaints relating to unsolicited advertising, businesses will need to anticipate rigorous audits of their compliance with regulations on the protection of data.

Ultimately, the case BGH VI ZR 109/23 is far more than an isolated case: it marks a significant turning point in case law on the protection of personal data in Germany and in Europe as a whole. Businesses must become aware of the importance of compliance with the GDPR in order to maintain consumer trust and avoid potentially severe penalties.

To learn more

What does the case BGH VI ZR 109/23 raise?

The case BGH VI ZR 109/23, brought before the German Federal Court of Justice, raises crucial questions about the GDPR and consent. It examines the balance between the legitimate interests of businesses, particularly in marketing targeting, and the fundamental rights of individuals.

Can legitimate interest be invoked without consent for marketing?

The case BGH VI ZR 109/23 specifically questions the possibility of basing marketing targeting practices on legitimate interest rather than on consent. It illustrates the delicate balance between the interests of businesses and the protection of data subjects' personal data.

What role does consent play in marketing targeting?

Consent is one of the legal bases under the GDPR for processing data for marketing purposes. The case BGH VI ZR 109/23 highlights the importance of this basis and the limits of relying on legitimate interest in the face of consumer rights.

Does this German ruling influence data protection law?

The case law of the German Federal Court of Justice could redefine the understanding of consumer rights in the face of practices such as unsolicited advertising. Although handed down in Germany, it forms part of the application of the GDPR and may inform debates beyond national borders.

What is unsolicited advertising under the GDPR?

Unsolicited advertising refers to solicitations sent without the prior agreement of the individual. The case BGH VI ZR 109/23 examines the conditions for the lawfulness of these practices under the GDPR, in particular the possible requirement of consent.

How can the interests of businesses and the rights of individuals be reconciled?

The ruling highlights the delicate balance between the legitimate interests of businesses and the fundamental rights of individuals. The GDPR requires each processing operation to be justified by an appropriate legal basis and the rights of individuals to be respected, which limits intrusive marketing practices.

What precautions ensure GDPR-compliant marketing targeting?

Compliant marketing targeting requires identifying the correct legal basis, informing individuals, obtaining their consent where required and respecting their right to object. The case BGH VI ZR 109/23 is a reminder of the caution needed when relying on legitimate interest.

Is a lawyer useful for securing one's marketing practices?

A lawyer specialised in personal data law helps to determine the legal basis for marketing targeting, to secure the collection of consent and to respect the rights of individuals. This support limits the risks associated with advertising practices under the GDPR.

Still have questions?

Our team is available!

Have a question?

Vos informations restent strictement confidentielles.
Thank you! We will get back to you shortly. If you'd like to speed things up, schedule a time with me directly here:
Schedule a 15-minute call
Oops! Something went wrong while submitting the form.
Homme en costume bleu foncé avec cravate et pochette blanche, bras croisés, regardant vers l'avant.

Ressources

Aller plus loin

00
article(s) affiché(s) sur
00

6 min

Drafting and posting your legal notices on Shopify
Mandatory in France, notably on e-commerce sites built on Shopify, a website's legal notices are information that allows internet users to know who they are dealing with and how they can get in contact with the website's owners. These

6 min

Connected vehicles and mobility: what the CNIL plans in terms of compliance in 2025
As automotive technology evolves at a breakneck pace, the question of personal data protection within connected vehicles is becoming crucial. The French Data Protection Authority (CNIL) is actively engaging in this area through its "compliance club"

6 min

Healthcare authorization requests: the CNIL's 2024 review
In 2024, the handling of healthcare authorization requests reached a significant turning point, with a growing number of applications recorded by the Commission Nationale de l'Informatique et des Libertés (CNIL). This trend, with 619 files submitted, highlights not only the growing importance

7 min

GDPR compliance at work: how to inform employees of the data processing in place?
In an increasingly digitalised world, the protection of personal data has become a major concern for companies and employees alike. The application of the General Data Protection Regulation (GDPR) imposes on employers, and more particularly on Directors

4 min

Context and challenges of generative AI in intellectual property matters
How should intellectual property, traditionally intended to protect works, be approached in relation to generative AI?

8 min

GDPR Compliance: What Changed in 2025
GDPR compliance in 2025: Since it came into force in 2018, the GDPR has continued to evolve. How can you ensure compliance in 2025?
Prendre rendez-vous
Book an appointment