Legitimate Interest: Definition, Meaning & Examples in Direct Marketing
Legitimate Interest under Art. 6(1)(f) GDPR is a legal basis that allows companies to process personal data without consent -- for example, for direct mail advertising. Recital 47 of the GDPR explicitly mentions direct marketing as a legitimate interest. A prerequisite is a three-stage balancing test in which the rights of data subjects must not prevail.
At a Glance
What is Legitimate Interest? -- Definition and Legal Framework
Legitimate Interest under Art. 6(1)(f) GDPR is one of six legal bases that companies can rely on when processing personal data. The legal text permits data processing when it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party" -- provided that the interests or fundamental rights and freedoms of the data subject do not override those interests. For direct marketing, this legal basis is of central importance, as Recital 47 of the GDPR explicitly states: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
In practice, this means that companies may process personal data such as names and addresses for advertising purposes without obtaining prior consent -- provided they carry out a documented balancing of interests and the rights of the data subject do not prevail. This regulation is the legal foundation for direct mail being permitted in Germany without opt-in -- both to existing customers and to new customers.
The distinction from other legal bases is important: Art. 6(1)(a) (consent) requires active agreement from the recipient and is primarily relevant for email marketing. Art. 6(1)(b) (contract performance) only covers the actual performance of a contract, not advertising. For physical direct mail, Art. 6(1)(f) is the authoritative legal basis and has been confirmed by courts on numerous occasions.
The Three-Stage Balancing Test -- How to Assess Correctly
Using legitimate interest as a legal basis is subject to a three-stage test, which the ECJ has confirmed in several rulings as cumulative requirements (including C-252/21 of 04.07.2023). Each stage must be satisfied for the data processing to be lawful.
Stage 1 -- Existence of a Legitimate Interest: There must be a legally recognized, specific interest. Economic interests such as customer acquisition, existing customer retention, and revenue generation through direct marketing are recognized. The ECJ expressly confirmed in C-621/22 (04.10.2024) that purely commercial interest can also constitute a legitimate interest -- including the transfer of data for advertising purposes for a fee.
Stage 2 -- Necessity of Data Processing: The processing must be necessary to achieve the interest. The ECJ clarified in C-394/23 (09.01.2025): Processing is only permissible if the objective cannot "reasonably be achieved as effectively by other means". For direct mail, this means: name and address are the minimum data required to deliver a letter -- no less is possible.
Stage 3 -- Balancing with Data Subject Interests: The interests, fundamental rights, and fundamental freedoms of the data subject must not prevail. Here, the "reasonable expectation" of the recipient is decisive (Recital 47): existing customers can expect advertising; for new customers, the bar is higher but not insurmountable. What is crucial is that the advertising nature is immediately recognizable and the burden on the recipient remains low -- both of which apply to direct mail advertising.
The entire assessment must be documented in writing according to Art. 5(2) GDPR (accountability principle) and updated regularly. In addition, the legitimate interest pursued must be communicated to data subjects in advance (Art. 13(1)(d) GDPR) -- if this information is missing, according to ECJ C-394/23, the processing is not lawful.
Direct Mail as a Privileged Channel -- Why Letters Enjoy Special Rights
Under German law, direct mail occupies a special position compared to other advertising channels. The German Unfair Competition Act (UWG) clearly distinguishes between physical mail and electronic communication:
Email advertising is generally only permitted with prior express consent (double opt-in) under Section 7(2) No. 3 UWG. The only exception: Section 7(3) UWG allows email advertising to existing customers for similar products if the address was collected during a purchase and the customer is informed of their right to object with each use.
Direct mail advertising, on the other hand, is permitted without consent under Section 7(1) UWG. It is only considered impermissible harassment if the recipient has clearly expressed their opposing will -- for example, through an advertising objection or a "No Advertising" sticker. Case law supports this privilege: The German Federal Court of Justice (BGH) has repeatedly ruled that direct mail advertising is permissible as immediately recognizable advertising because the recipient can dispose of it without significant effort.
This distinction has far-reaching practical consequences: while email marketers can only reach a fraction of their target audience (those with opt-in), direct mail marketers have access to the entire address base -- existing customers as well as new customers, purchased addresses as well as self-collected ones. This makes legitimate interest the most important legal basis in direct mail marketing.
Legal Bases Compared: Mail vs. Email vs. Telephone
Key Court Rulings on Legitimate Interest for Direct Mail
Case law has comprehensively confirmed legitimate interest for direct mail in recent years. An overview of the most important decisions:
The Stuttgart Regional Court (LG Stuttgart) ruled on 25.02.2022 (Ref. 17 O 807/21) that addressed direct mail advertising based on Art. 6(1)(f) GDPR is also permissible to new customers -- an existing customer relationship is not required. A claim for damages by the recipient was rejected because the mere interest in not receiving advertising does not prevail. The court also confirmed that a suppression list for advertising objections is permissible (legal basis: Art. 6(1)(c) GDPR).
The Stuttgart Higher Regional Court (OLG Stuttgart) confirmed this ruling on 02.02.2024 (Ref. 2 U 63/22) on appeal: personalized direct mail is GDPR-compliant without consent. Recital 47 explicitly mentions direct marketing as a legitimate interest. Advertising letters are a necessary means of customer acquisition. Only after an objection under Art. 21(2) GDPR does future direct mail become impermissible.
The Hamburg Higher Regional Court (OLG Hamburg) affirmed on 27.02.2025 (Ref. 5 U 30/24) the scope of legitimate interest for direct marketing and spoke of a "return to legislative intent". At the EU level, the ECJ confirmed in C-621/22 (04.10.2024) that purely commercial interest can also constitute a legitimate interest -- including the transfer of data for direct mail advertising for a fee.
Best Practices: Implementing Legitimate Interest Correctly
Legally compliant use of legitimate interest requires adherence to specific organizational and technical measures. The following checklist summarizes the most important requirements.
Every advertising campaign based on Art. 6(1)(f) requires a documented balancing of interests: description of the pursued interest, assessment of necessity, evaluation of risks for data subjects, and presentation of protective measures. This documentation must be retained as part of the record of processing activities.
The right to object under Art. 21(2) GDPR must be consistently implemented: every advertising letter must include a reference to the possibility of objection -- "explicitly" and "separately from other information" (Art. 21(4) GDPR). Incoming objections must be accepted without justification and immediately transferred to a suppression list. Checking against the Robinson List of the DDV (German Direct Marketing Association -- approx. 1.1 million entries, as of 2021) is standard practice for new customer mailings -- according to the DDV, it is used for over 90 percent of the total volume of new customer mailings.
For data from third-party sources (e.g., purchased addresses), the information obligations under Art. 14 GDPR additionally apply: the recipient must be informed about the data source, the processing purpose, and their right to object. Since the ECJ ruling C-394/23 (09.01.2025), it is clear: if information about the pursued legitimate interest is missing, the entire processing is not lawful.
Without Opt-in: Direct Mail to Existing and New Customers
Direct mail is the only direct marketing channel that may be sent without consent to BOTH existing and new customers. Confirmed by Stuttgart Regional Court, Stuttgart Higher Regional Court, and Hamburg Higher Regional Court. The legal basis: Art. 6(1)(f) GDPR, supported by Recital 47.
Documented Balancing of Interests as Mandatory
The three-stage test (interest, necessity, balancing) must be documented in writing and updated regularly. Without documentation, companies risk fines -- AOK Baden-Württemberg paid 1.24 million EUR for insufficient protective measures in the advertising use of sweepstakes data.
Right to Object: Immediate and Without Justification
Under Art. 21(2) GDPR, every recipient can object to direct marketing at any time and without justification. Processing must then be stopped immediately -- no renewed balancing of interests is possible.
Robinson List and Suppression Lists: Mandatory for New Customer Mailings
DDV Robinson List checking is standard for over 90% of new customer mailings. Internal suppression lists for advertising objections are not only permissible but legally required (Art. 6(1)(c) GDPR).
Fines and Risks: What Violations Can Mean
Correct application of legitimate interest is not just a formality -- violations can result in significant fines. The fine framework under Art. 83(5)(a) GDPR ranges up to 20 million euros or 4 percent of global annual turnover.
In practice, specific cases show which errors become expensive: AOK Baden-Württemberg was fined 1.24 million euros by the Baden-Württemberg State Data Protection Authority in 2020 because their technical-organizational measures (Art. 32 GDPR) to ensure advertising consent for sweepstakes data were insufficient. Hannoversche Volksbank received a fine of 900,000 euros in 2022 because they used customer data -- including credit information -- for targeted advertising profiles without conducting the required balancing of interests.
According to the GDPR Enforcement Tracker, "insufficient legal basis for data processing" is the most common fine reason in the EU with 669 fines and an average value of 2.9 million euros. The message is clear: legitimate interest creates great freedom for direct mail -- but only if the documented balancing of interests, information obligations, and objection management are implemented without gaps.
GDPR-Compliant Direct Mail with AutoLetter
Use legitimate interest for automated direct mail: AutoLetter handles the mailing -- you retain full control over your recipient lists, suppression lists, and objections. Without opt-in, without minimum quantities, GDPR-compliant.
Frequently Asked Questions About Legitimate Interest
5 questions answered
No. Direct mail advertising is permissible based on Art. 6(1)(f) GDPR (legitimate interest) without prior consent -- both to existing customers and to new customers. Recital 47 of the GDPR explicitly mentions direct marketing as a legitimate interest. Stuttgart Regional Court (25.02.2022, Ref. 17 O 807/21) and Stuttgart Higher Regional Court (02.02.2024, Ref. 2 U 63/22) have confirmed this for direct mail advertising. In contrast, email advertising requires double opt-in (German UWG § 7(2) No. 3).
The three-stage balancing of interests is the legal assessment that must be carried out before any data processing based on Art. 6(1)(f) GDPR. Stage 1 checks whether a legitimate interest exists (e.g., customer acquisition). Stage 2 checks the necessity of data processing (name and address are minimally necessary for direct mail). Stage 3 weighs whether the interests of the data subject prevail. The entire assessment must be documented in writing (Art. 5(2) GDPR). The ECJ has confirmed these three stages as cumulative requirements (C-252/21, 04.07.2023).
Under Art. 21(2) GDPR, every person has the right to object at any time and without justification to the processing of their data for direct marketing. The objection must be implemented immediately -- no renewed balancing of interests takes place (Art. 21(3) GDPR). The data must be transferred to an internal suppression list. Stuttgart Regional Court has confirmed that such suppression lists are legally permissible (legal basis: Art. 6(1)(c) GDPR). Every advertising letter must include a clear reference to the right to object.
In principle yes, based on Art. 6(1)(f) GDPR. The ECJ confirmed in C-621/22 (04.10.2024) that the transfer of personal data for advertising purposes for a fee can also be a legitimate interest. A prerequisite is a documented balancing of interests. In addition, the information obligations under Art. 14 GDPR apply for data from third-party sources: the recipient must be informed about the data source and their right to object. Robinson List checking is standard for new customer mailings.
The fine framework under Art. 83(5)(a) GDPR ranges up to 20 million euros or 4 percent of global annual turnover. Specific cases from Germany: AOK Baden-Württemberg paid a fine of 1.24 million euros in 2020 because their technical-organizational measures for using sweepstakes data for advertising were insufficient. Hannoversche Volksbank received a fine of 900,000 euros in 2022 for impermissible profiling for advertising purposes. According to the GDPR Enforcement Tracker, 'insufficient legal basis' is the most common fine reason with an average of 2.9 million euros.
Related Terms
Dialogpost
Deutsche Post's addressed advertising mail product with reduced postage rates for bulk mailing of print mailings from 500 items.
Print Mailing
Printed, postal advertising piece -- from classic advertising letters to maxi postcards. Print mailings achieve up to 4.1% conversion rate and 1,011% ROAS with existing customers, according to CMC studies.
Response Rate
Key metric in direct marketing that measures the percentage of recipients who respond to a marketing campaign.
Personalization
Data-driven adaptation of advertising messages to individual recipients — from personalized salutations to fully individualized content using Variable Data Printing.
Trigger Mailing
Automated mailing triggered by an individual event -- from cart abandonment to birthdays. Trigger mailings achieve up to 320% more revenue per send than batch campaigns and can be used via mail in a GDPR-compliant manner without opt-in.
Customer Acquisition
All measures for acquiring first-time buyers -- from lookalike modeling to direct mail and B2B sales letters. Direct mail achieves a ROAS of 250% at 40 EUR CPO according to the 2021 CMC study and is GDPR-compliant without opt-in requirements.
Cart Abandoner
Online shoppers who abandon checkout -- with an abandonment rate exceeding 70%, one of the biggest revenue opportunities in e-commerce. Print mailings achieve up to 113% of email conversion rates for cart abandonment recovery and are GDPR-compliant without requiring opt-in.
Further Reading
Direct Mail ROI Calculator + Analytics Guide 2025
67% of direct marketers don't know their true ROI. Learn the 3 ROI formulas, professional tracking setup, and continuous optimization for maximum profit.
New Customer Acquisition 2025: 8 Strategies with 11.3% Response (from 0.95€)
New customer acquisition with direct mail achieves 5.7-11.3% response rate – 12x higher than email. Discover 8 proven strategies with AutoLetter from 0.95€ per letter.
Direct Mail Costs 2025: All-Inclusive from 0.95 EUR - The Complete Price Comparison
Transparent direct mail costs with AutoLetter: from 0.95 EUR all-inclusive instead of 2.20 EUR+ with traditional providers. Cost calculator, sample calculations, and savings tips for maximum ROI.