In assessing the legal implications of the facts, IMY first determined that BN's processing activities did not fall within the scope of the ePrivacy directive and its mandatory rules on using consent as a legal basis for storing and collecting information from users' terminal equipment, since BN's processing activities began at a later stage. Therefore, BN was in principle free to rely on any adequate legal basis under the GDPR. In this case, BN relied on the legal basis of balance of interests under the GDPR article 6.1 f.
However, IMY also determined that BN and the ACs were joint controllers of the processing activities in the two joint databases, and that data subjects should not be granted less protection than if the profiling etc. was performed by the ACs (i.e., the joint controller who collected the information from the data subjects' terminal equipment). Since the ACs were required to rely on consent for the data collection under the ePrivacy directive, IMY reasoned that the data subjects' protection risked being undermined if BN then at a later stage could rely on a different legal basis, such as balance of interest under the GDPR article 6.1 f.
Taking this into account, IMY reasoned that although BN was not prohibited per se to rely on balance of interests for the processing activities under review, it had in principle very little room to do so in practice. In this particular case, IMY ultimately assessed that BN's legitimate commercial interest did not override the privacy interest of the data subjects' (the "Balance"), and so BN lacked legal basis for the processing activities in question.