Does ‘legitimate interest’ for direct marketing no longer work under the GDPR after Inteligo Media case?
- 20.01.2026
- Data Privacy, Top articles
The European Court’s decision in the Inteligo Media case was issued only on November 13, 2025 (just over a month ago), but privacy specialists are already making the necessary changes to their clients’ documents. And for good reason: “legitimate interest” can no longer serve as the legal basis under Article 6 GDPR for marketing emails! So what can be used instead? Let’s explore this in this article.
Table of Contents
Read (almost) for free: Inteligo Media’s business model
Inteligo Media owns the online platform avocatnet.ro, which publishes reviews of regulatory legal acts adopted daily in Romania, as well as expert analytical materials on legislative changes. The site operates on a Freemium model: any internet user, even without registering on the site, can read 6 articles per month for free. Complete free registration — and get 2 more articles. And, of course, you can always purchase a paid subscription — and read about legislative news without restrictions. Registration on the portal, in addition to 8 free articles per month, also included a daily newsletter called “Personal Update“: it contained brief summaries of the previous day’s articles with hyperlinks leading to the originals.
This newsletter became the cause of the dispute between Romanian data protection authority and Inteligo Media SA. However, the final word in this dispute was delivered by the European Court of Justice, which examined questions regarding the interpretation of Article 13 of the ePrivacy Directive (case C-654/23).
Brief history of the dispute between Inteligo Media and ANSPDCP
In September 2019, Romania’s supervisory authority — Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) — fined Inteligo for non-compliance with GDPR. The request from the Bucharest Court of Appeal to the CJEU was submitted in November 2023, and the decision was issued in November 2025.
In the supervisory authority’s opinion, the email addresses of “Personal Update” newsletter subscribers were initially obtained to fulfill a contract — the user agreement that users accepted when registering their free account — but were ultimately used for a purpose incompatible with the original one, namely: to send direct marketing emails. The company did not collect recipients’ consent for this. As a general rule established in Article 13(1) of the Directive, marketing newsletters can only be sent when the newsletter recipient has given consent for this. Inteligo challenged the decision: in the company’s opinion, the newsletter was purely informational (editorial) in nature and did not constitute “commercial communications“.
Accordingly, the requirement to collect mandatory consent for newsletters does not apply to informational newsletters.
Article 13 of the Directive, in addition to the general rule about consent, also provides for an exception (Article 13(2)). Thus, newsletters for direct marketing purposes can be sent without consent if the company simultaneously meets three conditions:
🔹 it is advertising its own similar products and services (to those the user has already purchased);
🔹 it is using an email address obtained in the context of a sale;
🔹 it has provided (at the time of collecting the email address) and provides (when sending each electronic message) the user with the opportunity to opt out of such newsletters.
Just in case, Inteligo nevertheless took the necessary measures to comply with Article 13 of the Directive. When registering on the avocatnet.ro site, users were offered the option to opt out of the newsletter by checking the box “I do not want to receive ‘Personal Update’“. Since there was no pre-checked box in this field, by default the user was subscribed to the newsletter. Nevertheless, Article 13(2) of the Directive does not require explicit consent, so Inteligo Media did not violate anything. In addition, each email included an unsubscribe link so that users could subsequently opt out of the newsletter. The GDPR legal basis for processing personal data for the newsletter was “legitimate interest” (Article 6(1)(f) GDPR).
After the decision was challenged in the Bucharest Court of Appeal, the case was reviewed again, but the second decision did not satisfy Inteligo either. The fine was reduced, but the qualification of the company’s actions remained unchanged — the company was still allegedly violating GDPR. The case returned to the Court of Appeal. It ruled that to make a final decision, it was necessary to clarify:
🔹 what is meant by messages for direct marketing purposes, which Article 13 of the Directive addresses
🔹 what does “email address was obtained in the context of the sale of a product or service” mean (one of the components of the exception under Article 13(2) of the Directive).
The corresponding questions were referred to the CJEU.
Direct marketing: purpose matters more than content
The text of the Directive does not contain a definition of the term “direct marketing“. Nevertheless, the European Court has defined this concept through case law.
Direct marketing refers to messages that have a commercial purpose (criterion 1) and are addressed directly and individually to a particular consumer (criterion 2). In the Court’s opinion, advertising messages that promote the company’s services (commercial purpose) and appear in the recipient’s email inbox (addressed to a specific consumer) constitute direct marketing.
The “Personal Update” newsletter was sent to a specific registered user (it doesn’t matter whether such a message was individualized or whether identical messages were sent to all recipients), meaning the second criterion of direct marketing is met. But did these emails have a commercial purpose? They contained no information about promotions or discounts, no personal promo codes were offered. All these messages contained was an overview of legislative changes and articles published on the portal the previous day, with a brief summary of each article and a hyperlink leading to its full text on the portal. As Inteligo noted, such a newsletter was informational in nature, not commercial at all.
However, in the Court’s opinion, the informational nature of the newsletter does not mean at all that it cannot also have a commercial purpose. On the contrary, Advocate General Szpunar noted in his opinion: such a newsletter is aimed at encouraging the user to read a particular article — and thereby more quickly exhaust the limit of free articles on the platform and purchase a paid subscription. Through this original method, the company stimulates subscription sales — and that is already a commercial purpose.
“It is quite clear that the purpose of these electronic messages is not at all to provide free access to information about changes in Romanian legislation, which newsletter recipients could learn about without leaving the cozy space of their email inbox. On the contrary, by providing a hyperlink to an article on the platform’s website, Personal Update turns the article into bait to lure the user to the site and help them more quickly exhaust the limit of 8 free articles available to them monthly.
… Inteligo Media’s commercial purpose becomes even more evident when we analyze the target audience of the Personal Update newsletter. It is assumed that any user who provides their email address to the avocatnet.ru portal in order to view more than 6 free articles per month and receive an email newsletter has at least a basic interest in keeping their finger on the pulse of legislative changes in Romania. That is, thanks to Personal Update, such users are offered several hyperlinks daily leading to potentially interesting articles for them. It is highly likely that these users will read the 8 articles available to them for free within literally a few days or weeks. And if they want to read even one more article before the end of the month, the only choice they have left — is to purchase a paid subscription.” (Source: paragraphs 32 and 34 of the decision).
Data must be obtained in the context of a sale — but you can sell to someone else
To fall under the exception provided by Article 13(2) of the Directive, it is necessary that Inteligo company obtained email addresses in the context of a sale of a product or service. But the thing is, users registered in order to receive an additional 2 articles and a daily newsletter for free. Can such registration constitute a “context of sale” if it is specifically aimed at avoiding a sale (purchasing a paid subscription)?
In answering this question, the Court again quotes Advocate General Szpunar, who notes: a sale relates to a contract that by its very nature involves payment in exchange for a good or service. However, it is not at all necessary that the service be paid for by the person to whom it will be provided. This, in the Court’s opinion, also applies to cases where a service or good is provided free of charge for advertising purposes. Moreover, the price of such free samples is already built into the price of the product or service. That is, these supposedly free services are still paid for: either by the user themselves in the future if they purchase a subscription, or by other customers of the company who have already purchased a subscription.
The Court’s position was supported by factual evidence: registering an account on avocatnet.ro involved the user accepting the terms of the contract for the provision of premium services (paid subscription). In other words, the user accepted these terms but could choose to use only the eight free articles without paying for unlimited access. But, no matter how you look at it, this was in fact merely a deferred payment under the concluded contract for the provision of premium services.
This is undoubtedly good news for companies. It means that a user who has registered on the platform but only uses free functionality can be sent mailings for direct marketing purposes — without obtaining their consent. In such a case, free functionality is only conditionally free, since resources (human, technical, time) are still needed to provide it, it’s just that these resources are paid for by someone else. Thus, the company provides a person with services for a fee, even if it receives the fee from someone else — and the email address obtained during account registration can be safely used for advertising mailings.
But why doesn’t ‘legitimate interest’ legal basis under GDPR work?
As we noted at the very beginning, legitimate interest cannot be used as a legal basis for such mailings. But why?
By sending the Personal Update mailing to registered users, Inteligo Media:
a) complied with all conditions for applying the exception from Article 13(2) of the Directive,
b) relied on Article 6(1)(f) GDPR (“legitimate interest”) as the legal basis for processing personal data.
However, the Court noted that Article 6(1) GDPR establishes a closed list of conditions under which the processing of personal data is lawful. At the same time, there is Article 95 GDPR, which regulates the relationship between the norms established by GDPR and the norms of the Directive. According to it, GDPR must not impose on natural and legal persons any additional obligations on matters for which the Directive has already established specific obligations. Sending marketing mailings is still processing of personal data. But the conditions and purposes of processing personal data for such processing, as well as the rights of data subjects related to this processing, are already defined by the Directive. GDPR cannot add anything “of its own” (including establishing additional conditions for the lawfulness of such processing in the form of the need to select a legal basis for it from Article 6(1) GDPR).
Thus, in the Court’s opinion, the conditions for lawfulness of personal data processing provided for in Article 6(1) GDPR are not applicable to those processing operations already described in the Directive (and for which it is the Directive that determines the conditions of lawfulness).
Special attention should be paid to the statement by both the Court and Advocate General Szpunar that the Directive fully regulates not only the issue of conditions and purposes of personal data processing, but also the rights of data subjects. The Court specifically refers to Recital 173 GDPR. If GDPR cannot impose additional obligations where corresponding obligations are provided by the Directive, and, in the Court’s opinion, the Directive fully “closes” the issue of data subjects’ rights when sending them marketing mailings, then data subjects find themselves in a rather disadvantageous position. After all, Articles 15–22 GDPR provide a much broader list of rights than Article 13 of the Directive, which mentions only three:
🔹 the right to receive information about processing (including information about the company sending the mailing);
🔹 the right to refuse processing at the stage of providing contact details;
🔹 the right to refuse receiving marketing mailings subsequently.
From the perspective of the best interests of data subjects, such a position looks somewhat unexpected. Well, we’ll see what happens.
How to use legitimate interest for marketing after the Inteligo decision?
Master the nuances of applying GDPR and the ePrivacy rules for marketing mailings in the GDPR Data Privacy Professional course.
What does this mean in practice for GDPR compliance?
1) When selecting a legal basis for sending marketing communications, you should refer not to Article 6(1) GDPR, but to Article 13(1) (consent-based communications) or 13(2) (exception-based communications) of the Directive. And it is the Directive that should be cited when specifying the legal basis for personal data processing in the Register of Processing Activities and Privacy Policy.
2) When sending communications for direct marketing purposes in accordance with Article 13(2) of the Directive (exception), make sure you provide potential subscribers with the option to opt-out of communications at the stage of collecting their email address. This option must also be described in each subsequent message.
3) Although the Directive supposedly fully describes data subjects’ rights when sending marketing communications, you should still not deny subjects the exercise of their other rights provided specifically by GDPR (for example, the right to access or delete data). Both national supervisory authorities and the EDPB need time to digest this Court decision and determine whether data subjects’ rights under GDPR can truly not be exercised in relation to such processing. We recommend not taking risks: even if a company satisfies a data subject’s request that it was entitled not to satisfy, this will certainly not constitute a violation.
4) Privacy specialists should consider: what legal basis do they indicate in their personal data processing policy when using cookies (Cookie Policy)? After all, Article 95 GDPR applies to all processing operations governed by the Directive, and the use of cookies also falls within its scope (check Article 5(3) if you don’t believe it). Whether these are functional cookies (necessary for the functioning of the service), which are currently based on Article 6(1)(f) GDPR, or others for which Article 6(1)(a) GDPR applies, the legal basis for them will be the same — Article 5(3) of the Directive. However, in the case of functional cookies, Article 5(3) of the Directive will mean activating such cookies without user consent, while all other cookies will require consent in accordance with the same article.
5) Some communications will still be governed by GDPR. Remember: Article 13 of the Directive only governs communications in the context of direct marketing. But purely informational communications do exist. For example, a platform for sending electronic communications can track legislative changes in different countries and send relevant clients communications with useful tips and reminders. The legal basis for such communications can be either Article 6(1)(a) or Article 6(1)(f) GDPR. Naturally, the full range of data subjects’ rights provided by GDPR will apply to such processing.
Personal Data Protection Help and Support under GDPR and National Laws
We help establish systematic personal data protection practices through training and consulting services.
Consulting services on data privacy according to GDPR, ISO 27701 and other international standards.
EU Representative Services under GDPR is a pay-as-you-go service where representation is free during periods without data subject requests or communication with supervisory authorities. The service remains free if the company has not significantly altered its data processing practices since its onboarding process.
A fundamental course that covers all aspects of GDPR and teaches how to apply them in practice.
Privacy training programs for teams both in live online and e-learning formats with diverse level of depth. Customizable and interactive solution for fair price.
Reach Data Privacy & AI Compliance
Fill in the form and get a free consultation.
- Implementation of 7+ legal frameworks.
- Individual and corporate training on the GDPR, and international standards.
- Development of personal data protection systems within organizations.
- Custom services upon request.
