Analysing transactional data to build a Model: Can a commercial interest constitute a legitimate interest? | Fieldfisher
Skip to main content

Analysing transactional data to build a Model: Can a commercial interest constitute a legitimate interest?

In a data-driven economy, the analysis of behavioural data, consumption data, transaction data, etc. has become crucial for businesses to get insights into the needs of their customers.

What is less clear, however, is whether such processing activities require consent, or whether businesses can rely on their legitimate interest.

In the Benelux region, certain stakeholders have long harboured concerns regarding whether legitimate interest constitutes the most suitable option for establishing processing activities and ensuring compliance. Notably, the Dutch Data Protection Authority ('AP') has repeatedly asserted that legitimate interest cannot solely be of a commercial nature, such as profit maximisation, but must be substantiated by legal grounds. 

Despite the guidance provided by the Article 29 Working Party ('A29WP'), rulings from the Court of Justice of the European Union ('CJEU') and a letter from the European Commission ('EC'), the AP has maintained its position, stating that compliance with legal obligations or duty of care may constitute a legitimate interest.

In this context, it is interesting to see that the Belgian Data Protection Authority ('Belgian DPA') does not follow the interpretation of the Dutch DPA on this matter. In a recent decision (n°46/2024), the Belgian DPA Litigation Chamber ('the Litigation Chamber') acknowledged that commercial interest can indeed be considered a legitimate interest under the GDPR.

Background of the Case


An individual ('complainant') lodged a complaint with the Belgian DPA against a bank who used their personal data, specifically 'payment transactions data', to develop models underpinning a 'personalised discount' service offering. The complainant contended that the bank should have obtained their consent for providing tailored content. Conversely, the bank argued that it had legitimately employed its legitimate interest to construct such models.


The Litigation Chamber considered the building of data models as a further processing activity, which was incompatible with the initial purpose of processing banking transaction data. Hence, the bank should rely upon an alternative legal basis to process personal data in order to build data models intended to offer third-party products or services.

The Litigation Chamber assessed whether the bank could rely on its legitimate interest to process the transaction data for this secondary purpose:

(i) Purpose Test:

According to the Litigation Chamber, the objective of gaining insights in the service provided to its customers, to personalise its services and to diversify its service offering constitutes a commercial objective which may be a legitimate interest of the bank.

(ii) Necessity Test:

The Litigation Chamber then took the view that the analysis of banking transaction data to train the data model is indeed a necessary step to achieve the intended purpose of offering digital applications to provide personalised discounts to customers (in fact, data models serve as an intermediary step between the raw transaction data and the offering of personalised discounts through digital means).

(iii) Balancing Test:

Finally, the Litigation Chamber considered that the training of data models with transaction data falls within data subjects' normal expectations and is not considered intrusive when the data minimisation principle is applied (i.e. removing as many identifiers as possible from the model, without applying it to any individuals, so that the models consist solely of algorithms devoid of personal data).

Therefore, the Litigation Chamber considered the bank did pass the legitimate interest test. Contrary to its Dutch counterpart, the Litigation Chamber did consider that the provision of new services to customers in line with societal evolution and to match market trends (i.e. a market positioning objective) was a valid legitimate interest allowing one to process customers' transaction data to build of data models.

In addition, the Litigation Chamber clarified that providing tailored information promoting products and services (i.e. advertising) based on the data model that has been created, constitutes a separate purpose, which requires consent.


The Litigation Chamber concluded that the bank complied with the Belgian Data Protection Act and the GDPR, without breaching any regulations concerning processing activities related to building data models. Consequently, the case was dismissed.

Our Analysis:

This decision is a welcome clarification of the fact that a commercial interest may constitute a legitimate interest.

In itself it is not a surprise. Both the GDPR, the Article 29 Working Party and the CJEU have – expressly or implicitly - acknowledged the economic interest of a data controller as a legitimate interest.

It is clear that not every commercial interest will be 'legitimate' and many are the instances where the balance will tilt towards the right to data protection of the data subject. The decision confirms this in that it recognises the bank could lawfully process transaction data to build its model, but that it could not rely on legitimate interest to use that data for direct marketing purposes afterwards.

However, as always, the final word will be for the CJEU. Following the debate in the Netherlands, a Dutch court has asked the CJEU whether a purely commercial interest may be regarded as a legitimate interest (C-621/22, Koninklijke Nederlandse Lawn Tennisbond).

At this moment, it is unclear when the CJEU will adopt its decision. One can only hope that it will put an end to this discussion and that it will confirm the point of view of probably everyone, except for the Dutch AP: a purely commercial interest may constitute a legitimate interest.

Finally, we welcome the fact that the Belgian DPA differentiated between, on the one hand, the building or training phase of the data model itself, and, on the other hand, the operational offering of personalised discounts through digital applications that rely on these models.

The fact that controllers who want to use personal data to train a model may be able to rely on legitimate interest as a ground for processing is crucial in the current AI-driven climate.