Legal bases for processing data in direct marketing under European legislation

The General Data Protection Regulation (GDPR) represents a cornerstone in the edifice of data protection laws in Europe, mandating rigorous standards for the handling of personal data. Within the sphere of marketing, GDPR introduces a paradigm shift, compelling marketers to revisit their strategies for engaging with customers and prospects. This comprehensive analysis delves into the legal underpinnings of processing personal data for direct marketing under GDPR, with a particular emphasis on the doctrine of legitimate interests pursuant to Article 6(1)(f).

The GDPR stipulates that personal data must be processed lawfully, fairly, and transparently, setting forth specific legal bases for processing activities. Among these, consent and legitimate interests emerge as pivotal for direct marketing initiatives. While consent has traditionally been the cornerstone of data processing in marketing, the introduction of GDPR has spotlighted the equally critical, albeit more nuanced, basis of legitimate interests.

Consent, as defined under Article 6(1)(a) of GDPR, demands an active, informed, and voluntary expression of the data subject’s wishes. It sets a high bar for legality, transparency, and accountability in data processing. However, the binary nature of consent – either wholly present or absent – can impose constraints on the dynamic and ongoing nature of direct marketing activities. This recognition has propelled the legitimate interests basis to the forefront of legal considerations for marketing professionals.

Legitimate interests – Article 6(1)(f) introduces a more flexible yet responsible framework for processing personal data without obtaining explicit consent. It allows organizations to pursue direct marketing under the premise of legitimate interests, provided they can demonstrate that the processing is necessary for these interests and does not disproportionately infringe upon the rights and freedoms of the individuals concerned. The concept of legitimate interests is deliberately broad, encompassing a wide array of potential scenarios where data processing is deemed necessary for the data controller’s or a third party’s activities. Importantly, Recital 47 of GDPR explicitly acknowledges direct marketing as a possible legitimate interest. However, this is not an unchecked license to process data; rather, it necessitates a meticulous evaluation process to justify such activities.

Central to relying on the legitimate interests basis is the execution of a Legitimate Interests Assessment (LIA). This process involves three core components: identifying a legitimate interest, demonstrating the necessity of data processing for achieving this interest, and conducting a balancing test against the data subject’s interests, rights, and freedoms. The LIA ensures that the processing does not override the fundamental rights of the individuals whose data is being processed. Moreover, it serves as documented evidence of due diligence, reinforcing the accountability principle of GDPR.

The balancing test is the crux of the LIA, demanding a careful analysis of whether the data controller’s interests are overridden by the interests or rights of the data subject. Factors such as the nature of the data, the context of processing, and the potential impact on data subjects are taken into account. This analysis must be thorough and documented, providing a rationale for proceeding with processing under the banner of legitimate interests.

Example 1: B2C Marketing Misstep – “GlamifyMe Cosmetics”

Scenario: GlamifyMe Cosmetics, a fictional beauty and skincare company, launches a new product line and decides to employ an aggressive email marketing campaign. Without seeking explicit consent, they purchase a mailing list from a third-party vendor, which includes detailed personal information such as names, personal email addresses, and purchase histories. GlamifyMe proceeds to send out mass emails showcasing their new products, relying on the assumption that an interest in beauty products implies consent.

Violation: This practice is a clear violation of the GDPR principles, specifically the requirement for consent under Article 6(1)(a). The use of personal data without explicit consent from the individuals for direct marketing purposes is unlawful. The GDPR mandates that consent must be freely given, specific, informed, and unambiguous. GlamifyMe’s assumption of implied consent does not satisfy these conditions, making their direct marketing efforts illegal.

Example 2: B2B Marketing Success – “TechSolutions Ltd”

Scenario: TechSolutions Ltd, a fictional company providing IT infrastructure services, decides to target other businesses (B2B) to promote their new cloud storage solutions. They compile a list of potential business clients using publicly available information, such as store names and general contact information taken from business websites and industry publications. Before initiating their email campaign, they ensure the content is tailored to the business needs, highlighting benefits relevant to each sector and providing clear mechanisms for recipients to opt out.

Compliance: In this B2B context, TechSolutions Ltd navigates GDPR compliance adeptly by utilizing general contact information that is not classified as personal data under GDPR because it pertains to roles or positions within companies rather than to an individual (for instance, a personal email address). This approach respects the GDPR’s delineation between personal and non-personal data in a business context. By focusing on publicly available business contacts and providing an easy opt-out mechanism, TechSolutions respects both the spirit and the letter of GDPR, ensuring their marketing is legal and ethical.

Example 3: Best Practice in Data Handling – “GreenEarth Organics”

Scenario: GreenEarth Organics, a fictional sustainable goods retailer, seeks to enhance its marketing strategy by leveraging customer data for personalized promotions. Understanding the importance of GDPR compliance, they initiate their campaign by first updating their privacy policy to be transparent about data usage. They then seek explicit consent from their existing customers through a clear and straightforward opt-in process for receiving marketing emails that explain the benefits of opting in, such as exclusive discounts and early access to new products.

Adherence to GDPR: GreenEarth Organics exemplifies best practices in GDPR compliance by ensuring that all personal data used for marketing purposes is processed with lawful consent. They make it easy for customers to understand what they are consenting to and provide simple options to withdraw consent at any time. This approach not only adheres to GDPR requirements but also fosters trust and loyalty among their customers. By demonstrating respect for their customers’ personal data and privacy, GreenEarth Organics sets a high standard for ethical marketing in the digital age.

These fictional examples illustrate the importance of understanding and adhering to GDPR regulations in marketing activities. While the first scenario demonstrates a clear breach of GDPR, leading to potentially severe penalties, the latter two examples provide insights into compliant and ethical marketing practices that respect individual privacy rights and promote trust between businesses and their clients.

Even when processing data under legitimate interests, GDPR mandates a high degree of transparency. Data subjects must be informed about the use of their data for direct marketing purposes, the basis of legitimate interests being relied upon, and their right to object to such processing. The right to object, enshrined in Article 21(2) of GDPR, is absolute in the context of direct marketing. Upon objection, the processing of personal data for these purposes must cease immediately.

The legal basis of legitimate interests offers a viable and flexible pathway for conducting direct marketing under GDPR, balancing the needs of organisations with the rights of individuals. It demands a rigorous assessment process, underpinned by the principles of necessity, proportionality, and transparency. By adhering to these guidelines, marketers can navigate the complexities of GDPR, ensuring that their direct marketing efforts are both effective and compliant. This focus on legitimate interests not only underscores the importance of ethical data processing practices but also highlights the evolving landscape of privacy and data protection in the digital age.


EUR-Lex: This is the official website for European Union law, where you can access the full text of the GDPR (Regulation (EU) 2016/679). It provides a detailed overview of the regulation’s provisions, recitals, and legal interpretations.

European Commission – Data Protection: The European Commission’s website offers extensive resources on data protection and privacy in the EU, including guidance on GDPR, data protection rules for businesses and organizations, and rights for citizens.

European Data Protection Board (EDPB): The EDPB is an independent European body that contributes to the consistent application of data protection rules throughout the European Union. Its website provides guidelines, recommendations, and best practice advice on GDPR compliance.

National Data Protection Authorities: Each EU member state has its own data protection authority (DPA) responsible for enforcing GDPR compliance within its jurisdiction. The European Data Protection Board’s website offers a list of these national authorities, with links to their respective websites for localized guidance and resources.

The Official Journal of the European Union (OJEU): The OJEU publishes EU legislation, including directives, regulations, and decisions. The GDPR was published here, making it a primary source for the regulation’s official text and related legal documents.
