Why the KNLTB was imposed a privacy fine of €525,000

On December 20, 2019, the Personal Data Authority imposed a fine of €525,000 on the Royal Dutch Lawn Tennis Association (KNLTB). This fine was imposed because the KNLTB shared personal data with sponsors on two occasions in 2018 for a fee. The sponsors then used this data for direct marketing campaigns.

Following a number of complaints and tips, as well as attention to the issue in the media, the Personal Data Authority decided to launch an investigation. In this blog, I will discuss how the Personal Data Authority arrived at the fine decision.

What personal data was provided?

For the first direct marketing campaign, the KNLTB provided the name, gender and address of 50,000 adult members to a sponsor. This sponsor then used the data to send discount flyers.

 For the second direct marketing campaign, a file containing personal data of 314,846 adult members was provided to a sponsor. Of these members, the name, gender, address, date of birth, (mobile) phone number, e-mail address and the name of the tennis club where the member plays were provided. The sponsor then selected 39,478 members from this file, after, among other things, consulting the do-not-call register, to contact by telephone.

No minimal data processing

According to the Personal Data Authority, no personal data was allowed to be provided to the sponsors at all, but even if it had been allowed, less was allowed to be provided than the KNLTB did. Indeed, according to the Personal Data Authority, as far as the second action was concerned, the KNLTB went wrong simply by having the sponsor in question select the members to be approached. This while the KNLTB could have done that itself. After all, by making its own selection, far fewer personal data would have had to be provided to the sponsor. E-mail addresses were also provided to the sponsor, while these data were not necessary for the intended call campaign.

Target binding

Personal data may be collected for specified, explicit and legitimate purposes. Once collected, data may not subsequently be further processed in a manner incompatible with those purposes. There is the exception that further processing of personal data is always allowed, if permission has been granted, or a legal basis exists. Here too, according to the Personal Data Authority, the KNLTB made a mistake, because for both actions data of members who became members before 2007 were used. At the time these members became members -and the personal data were collected- the KNLTB only collected the data for the execution of the membership agreement. The data were not collected at that time with the purpose of generating (additional) income by providing the data to sponsors.

Also in view of the compulsory membership, the members should have expected that their personal data would only be used for the original collection purpose. In this respect, the Personal Data Authority takes into account that the KNLTB is a non-profit organization and that also for this reason the members could not expect that their personal data would be provided to sponsors with commercial motives. Since the data of the members who had become members before 2007 had only been collected for the execution of the membership agreement, the personal data in question could not be used at a later time in a manner incompatible with that purpose. Not even after the KNLTB had informed its members about this other purpose.

Just making a profit = no legitimate interest

In 2007, the member council of the KNLTB had given permission to generate income by providing member data to sponsors for their direct marketing activities. The Personal Data Authority assumes that the personal data of members who became members after 2007 were collected for that purpose and that the members were aware of that purpose. Nevertheless, according to the Personal Data Authority, it was not permitted to provide the personal data in question to sponsors.

The processing of personal data is allowed only on the basis of one of the six processing bases mentioned in the AVG. One of these bases is that the data subject has consented to the processing of their personal data for the intended purpose. However, the individual members had never given their consent. Another basis on which personal data may be processed is that it is necessary for the performance the performance of the contract with the data subject. This basis was not invoked by the KNLTB.

The KNLTB invoked the basis of the legitimate interest of the KNLTB and/or its sponsors before the Personal Data Authority. On this basis, it is first of all important to assess whether the interests of the KNLTB and/or the sponsors qualify as legitimate. According to the Authority for Personal Data, this means that those interests are named in (general) legislation or elsewhere in (unwritten) law as a legal interest. According to the Personal Data Authority, it must concern an interest that is also protected in law, that is considered worthy of protection and that, in principle, must be respected and can be 'enforced'. The mere interest of being able to monetize personal data or make a profit from it does not qualify as a legitimate interest in itself, according to the Authority. According to the Authority, one does not get to the follow-up question whether the processing by the KNLTB or the sponsors is necessary, nor does one get to a balancing of interests. After all, the first threshold of 'justification' is not met. In this regard, the Personal Data Authority points out that an appeal to the basis of legitimate interest is fundamentally about processing outside the will of the members and thus involves a clash with the fundamental rights of the members. For this reason, not every interest of the KNLTB and the sponsors can qualify as a legitimate interest. The KNLTB therefore acted in violation of the AVG also for that reason.

The amount of the fine

To substantiate the amount of the fine, the Personal Data Authority refers to the Fine Policy Rules 2019. According to the annex to these policy rules, a violation of Article 6 AVG is subject to a basic fine of €525,000 and can be reduced or increased taking into account various factors. The Personal Data Authority concludes that there are no circumstances that weigh so heavily that the fine should be reduced (or increased). The fact that the fine relates to personal data of the KNLTB's members and that the KNLTB is an association, as a result of which the members themselves ultimately bear the brunt of the fine, is no reason for mitigation. The Personal Data Authority also reiterates that for a fine to be imposed it is not required that someone intentionally violates the AVG.

Conclusion

If personal data is collected for a certain purpose, you are not allowed to use it for any other purpose. Even if personal data have been collected for the purpose for which they are to be used, this does not mean that you are actually allowed to collect and/or use the personal data. After all, this also requires that one of the processing grounds mentioned in the AVG is present. The decision of the Personal Data Authority to impose a fine on the KNLTB demonstrates that the Personal Data Authority is of the opinion that a processing purpose consisting solely of a financial motive is insufficient to qualify as a processing ground of legitimate interest.