The AP’s second GDPR fine hits Dutch tennis association with €525,000 penalty

Written on 27 Mar 2020

The Netherlands' data protection authority takes a firm stance on the implementation of GDPR rules on the sharing of personal data without the subject's consent.

Earlier this month, the Dutch Data Protection Authority (AP) announced that it had imposed an administrative fine of €525,000 on the Royal Dutch Lawn Tennis Association (KNLTB) for unlawfully selling personal data of approximately 350,000 of its members to two sponsors.
The AP concluded that KNLTB breached the General Data Protection Regulation's (GDPR's) purpose limitation principle and had no valid legal basis for sharing personal data of its members with the sponsors.

This is the second published GDPR fine in the Netherlands. In 2019 the AP imposed an administrative fine of €460,000 on a Dutch hospital for failing to implement adequate technical and organisational security measures.

What happened?

In 2018, KNLTB sold – without consent – personal data of approximately 350,000 of its members to two sponsors in order to "create added value for its members, and to generate extra income that will make a structural and substantial contribution to the KNLTB and the sport of tennis". One sponsor received data of 50,000 members, while the other received data of 314,846 members.

The data provided to the first sponsor included name, address and gender, while the second sponsor also received date of birth, contact data (including phone number and email address) and club membership.

Prior to sharing the data with the sponsors, KNLTB announced its intention to do this via a newsletter and its website. Following these announcements – and after various members were approached by the sponsors – the AP received numerous complaints, which led to the investigation by the AP.

AP's assessment

In its decision, the AP distinguishes between the processing of personal data of members who joined the KNLTB before 2007 and from 2007 onwards.

According to the AP, membership data collected by KNLTB before 2007 was not originally collected for the purpose of "generating income by sharing the data with sponsors for their marketing activities". Consequently, the further use of membership data for this new purpose is only permitted if it is based on consent or a legal provision, or meets the strict "compatibility" requirements for "further processing" under Article 6(4) GDPR.

KNLTB did not obtain the consent of its members, nor was the sharing of data based on a legal provision.

According to the AP, the further use of the data by KNLTB does not meet the compatibility requirements: there is no link between the purposes, the members would not reasonably expect their data to be sold to and used by the sponsors for marketing purposes, and more data was shared than necessary. Consequently, the AP concludes that KNLTB breached the GDPR’s purpose limitation principle with respect to membership data obtained prior to 2007.

With respect to membership data collected as of 2007, the AP is of the opinion that it was clear that this data was also collected for the purpose of generating additional income (as the members’ council in 2007 approved KNLTB’s proposal to expand the communication possibilities of KNLTB’s sponsors).

However, the AP is of the opinion that KNLTB does not have a legal basis for this processing, as it has not obtained consent and cannot rely on the legitimate interest ground.

The AP holds a strict interpretation of what could be considered a legitimate interest. In the past, the AP has indicated that a legitimate interest must follow from a fundamental right or a principle of law, and that processing personal data for purely commercial interests, profit maximisation, monitoring employee conduct without legitimate interest or tracking the (purchasing) behaviour of (potential) customers does not qualify as a legitimate interest.

In view of this strict interpretation, the AP unsurprisingly concludes that KNLTB does not have a legitimate interest for the sale of its members’ personal data and that KNLTB breached the GDPR principle of lawfulness, fairness and transparency.

Administrative fine

The fine is calculated in accordance with the AP's fining policy under the GDPR, in which the AP created a four-category structure for the fines it will administer based on the seriousness of the breach. According to this policy, a breach of the purpose limitation principle in conjunction with the absence of a lawful basis for processing results in the "base fine" of €525,000.

Although the AP considers the breach by KNLTB severe due to the large number of data subjects and the amount of data, the base fine is not increased because no special categories of data and no data of minors were involved and KNLTB had taken several measures to limit the impact for the data subjects.

Strict interpretation

In its decision, the AP emphasises the importance of the principle of purpose limitation and reiterates its strict interpretation of the legitimate interest ground. Moreover, the AP shows it is taking a firm stance on data brokerage without the data subject’s consent, which is one of its focus areas for 2020-2023.

KNLTB announced that it objected to the decision.