The Dutch Data Protection Authority (“DPA”) imposed a EUR 525,000 fine on the Dutch Lawn Tennis Federation (“KNLTB”). The Dutch DPA found the Federation guilty of wrongfully providing - for payment - two of its sponsors with the personal data of a few hundred thousand KNLTB members, who subsequently received promotional offers from the sponsors.
Selling personal data
In 2007, the KNLTB resolved to provide members’ personal data to a sponsor, which would use the data to send out direct mail advertising. In 2017, the KNLTB adopted a similar resolution, this time to allow telemarketing. More on this later. The decision to sell the personal data was taken in 2018. The idea behind the decision was to create added value for members and to generate additional income to cushion falling income from membership fees. The federation sold a database containing the address data of 50,000 members to Sponsor A and a database containing personal data (including telephone numbers, email addresses, home addresses and dates of birth) of 314,846 members to Sponsor B.
The data received by Sponsor A were passed on to a company that printed the addresses on discount coupons and then sent these to the relevant members. Sponsor B intended to use part of the personal data it received for telephone marketing purposes (Sponsor A and Sponsor B hereinafter jointly referred to as the “Sponsors”).
The Dutch DPA's findings
The Dutch DPA published a report with three main findings. First, the Dutch DPA found that the KNLTB's collecting personal data of members was lawful, as these personal data were necessary for the purposes of executing its obligations under the membership agreement. Second, the Dutch DPA found that members did not consent to their personal data being transmitted to the Sponsors, whereas consent turned out to be required for the further processing of the data. Third, the Dutch DPA found that at least for a part of the personal data collected the purpose of collecting them was incompatible with the purpose of providing them to the Sponsors.
The GDPR requires a lawful ground for the processing of personal data. A further stipulation of the GDPR is that personal data may not be processed for purposes other than those for which they were initially collected and may not be further processed in a manner that is incompatible with those purposes. To review the compatibility of the processing, the Dutch DPA examined a number of factors, such as the purpose for which the personal data were collected. It found that part of the personal data collected was not processed in a manner that is compatible with the purpose of providing the data to the Sponsors. As for the remainder of the personal data provided, the DPA found that the “legitimate interest” ground used to justify the sale to the Sponsors was not a lawful ground.
The KNLTB contends that processing personal data to generate additional income was necessary for the purpose of furthering its legitimate interests as membership - and consequently income from fees - had dropped considerably over the past few years. Additionally, the KNLTB argues that the Dutch DPA disregarded the fact that the KNLTB's interest traces back to the GDPR. After all, Recital 47 to the GDPR provides that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
The Dutch DPA on the “legitimate interest” ground
For reliance on the “legitimate interest” ground to be successful, three conditions need to be satisfied: (A) the interest of the controller must be a legitimate interest; (B) the processing must be necessary for the purposes of the legitimate interests pursued by the controller; and (C) a test balancing the interests of the data subject against those of the controller. In our view, it is remarkable that the Dutch DPA did not even balance the various interests, arguing that the interests of the KNLTB are not legitimate. The DPA takes the position that the mere interest in monetising personal data or profiting from them does not constitute a legitimate interest as such (“in a way, everybody everywhere has an interest in having more money”, according to the Dutch DPA). Although commercial opportunities for processing personal data are restricted by the matter of consent and the terms of the membership agreement, the processing of personal data for the purposes of a legitimate interest is essentially an instance of processing that goes beyond the control of the data subjects. According to the Dutch DPA, the notion that it is allowed, in principle, to generate income from infringing the rights of others on one's own authority is squarely at odds with the premise that data subjects should be in control of their personal data.
The Dutch DPA went on to consider that legitimate interests are more or less urgent and specific in nature and ensue from a rule or principle of law - meaning that the processing must not only be necessary for the purposes of the legitimate interests pursued, but to a certain extent inevitable. Thus, purely commercial interests and profit maximisation are insufficiently specific and lack an urgent basis in law to be considered legitimate interests.
The Dutch DPA also held that the more or less urgent nature ensuing from an (unwritten) rule or principle of law is absent from the legitimate interests claimed by the KNLTB, and that the KNLTB's interest in providing the personal data to the Sponsors cannot be considered a legitimate interest within the meaning of the GDPR.
The Dutch DPA's concluding argument was that the transfer of the personal data had no basis in any other lawful ground from Article 6(1) GDPR and that for this reason the transfer was unlawful.
Comment on the Dutch DPA's assessment of the “legitimate interest” ground
Although this point of view of the Dutch DPA aligns with its earlier interpretation of the “legitimate interests” ground, one cannot but wonder whether this interpretation might be too narrow. After all, it follows clearly from the final sentence of Recital 47 to the GDPR that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. This narrow interpretation may also be contrary to the fundamental right of freedom to conduct a business as included in the Charter of Fundamental Rights of the European Union. Pursuing economic gain is an inevitable consequence of exercising the right of freedom of enterprise and is - fortunately - considered a legitimate interest. The Dutch DPA's interpretation makes it virtually impossible to avoid the conclusion that in commercial settings the “consent” ground will be left as the only ground to justify the processing of personal data for (purely) commercial purposes. Consent can always be revoked. While that does appear to afford data subjects the maximum control possible, it also does away with the plasticity of the system. We believe that allowing a purely commercial interest to constitute a legitimate interest would be the most desirable outcome, provided that the processing (and further processing) of personal data is lawful. This depends on the question whether the necessity criterion is satisfied and the result of the act of balancing the commercial interest of a company against the privacy interest of a data subject (see our earlier blog: “Autoriteit Persoonsgegevens geeft normuitleg over grondslag ‘gerechtvaardigd belang’”). It should be noted that direct marketing is not just subject to the general GDPR rules but also to the limitations imposed by the e-Privacy Directive as implemented in Section 11.7 of the Dutch Telecommunications Act.
Anyone found guilty of violating Article 6 GDPR is liable to a fine ranging between EUR 300,000 and EUR 750,000, with a basic fine of EUR 525,000. The latter fine is considered a default position. Acting in line with the 2019 Fining Policy Rules, the Dutch DPA has discretion to adjust the fine up or down. Having applied the factors of Article 7 of the 2019 Fining Policy Rules to the case in hand, the Dutch DPA concluded that the data subjects suffered only limited damage. However, the damage was not so limited as to warrant a downwards adjustment of the basic fine. Thus, the Dutch DPA imposed the default fine of EUR 525,000.
The KNLTB will appeal the Dutch DPA's decision. To quote their statement: “it is with astonishment that the KNLTB has learned of the EUR 525,000 fine imposed by the Dutch Data Protection Authority (DPA) on the ground of alleged privacy infringements. The conduct for which the federation has been fined fell within the ambit of the law applicable to associations and was in line with the Sport & Privacy guidelines of the NOC*NSF. The KNLTB is concerned that this ruling will push up sport membership fees and endanger the social support role of sports associations. The NOC*NSF shares our concerns, which strengthens our resolve to appeal the DPA's decision.”
The full decision can be read here.