The Dutch Data Protection Authority (‘DPA’) imposed an administrative fine of € 525,000 on the Dutch Tennis Union for selling the personal data of its members to two sponsors. These sponsors approached some of these members with (tennis-related) offers. Below we will discuss several interesting points from the DPA’s decision.
The Tennis Union is qualified as a controller. A controller is the party who determines the purposes and means of the processing alone or jointly with other controllers.
Not surprisingly, the DPA is of the opinion that the Tennis Union has determined the purposes of the processing, i.e. the use of the personal data of its members to generate (additional) income by providing such data to sponsors for their direct marketing activities.
According to the DPA the means of processing, i.e. the manner in which the data is processed, have also been determined (in part) by the Tennis Union. After all, the Tennis Union has attached conditions to the way in which the personal data are supplied to its sponsors and the use of those data by those sponsors for their direct marketing activities. Thus, although the Tennis Union itself does not use the personal data for marketing activities, the Tennis Union is regarded as a co-controller for these activities.
Incompatible with initial purposes
The DPA distinguishes between the personal data of people who became members of the Tennis Union before 2007 and after 2007. In 2007, the Members’ Council of the Tennis Union agreed to the provision of name and address details to sponsors for marketing activities. From that moment on, therefore, a new situation arose.
Before 2007, the Tennis Union collected data from its members according to the articles of association (i) for the execution of the membership agreement, (ii) for the promotion and practice of the tennis game and the development of the tennis sport in the Netherlands and (iii) for the purpose of providing these to third parties.
The DPA held that these last two purposes were not specifically and explicitly defined, because members could not deduce from this that their personal data would also be used to generate income by providing them to sponsors for their direct marketing activities.
The sale of personal data to sponsors is therefore a different purpose than the purpose for which the personal data were initially collected and therefore qualifies as further processing of personal data. Such further processing is only lawful if (i) members have given their consent, or (ii) such processing is based on a legal basis, or (iii) the purpose is compatible with the purpose for which the personal data were initially collected.
In light of the above, the DPA concludes that the Tennis Union has not obtained the consent of its members for the provision of their personal data to sponsors. After all, obtaining permission from the Members’ Council is not sufficient for this purpose. Also, the provision is not based on any statutory provision and the purposes are not compatible with each other. After all, there is no connection between the implementation of the membership agreement and the generation of extra income by providing personal data to sponsors. Nor was the latter in line with the reasonable expectations of the members on the basis of their relationship with the Tennis Union. Also, unnecessarily large amounts of data were provided and, according to the DPA, the Tennis Union did not take appropriate measures that could serve as ‘compensation’ for the fact that personal data were processed for a purpose other than the initial purpose of data processing.
In conclusion, the Tennis Union infringed the GDPR by selling the member data from before 2007 to the sponsors without the consent of those members.
According to the Tennis Union, the provision of member data after 2007 was based on its legitimate interests. When the legitimate interest is used as a legal basis, three cumulative conditions must be met: (i) the interest must be legitimate, (ii) the processing must be necessary to protect that interest and (iii) that interest must prevail over the fundamental rights and freedoms of the members.
According to the DPA, the first criterion is not met because the interests of the Tennis Union do not qualify as legitimate. The DPA states that a legitimate interest must be based on a fundamental right or principle of law. In this regard, the Tennis Union indicated that the provision of membership data is necessary to generate additional income now that the number of members (and therefore its income) has fallen sharply over the past ten years. It has also invoked the freedom to conduct a business (Article 16 of the Charter of Fundamental Rights of the European Union).
The DPA considers that these interests are not sufficiently concrete and direct to qualify as legitimate interests. The mere interest of making money with personal data, or being able to make a profit from it, does not qualify as a legitimate interest in itself. This opinion of the DPA is striking because recital 47 of the GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
In addition, according to the DPA, the Tennis Union does not implement any concrete or general legal standards relating to its duty of care as an ‘entrepreneur’ with the sale of personal data of its members. Pure commercial interests and the interests of profit maximization lack sufficient specificity and lack an urgent ‘legal’ character, so that they cannot qualify as legitimate interests.
Since the sale of data could not be based on any other legal basis either, the DPA concludes that the provision of the personal data of its members was unlawful after 2007 as well.
The DPA started an investigation after receiving a number of tips and complaints from members of the Tennis Union. As a result of that investigation, the DPA immediately imposed a fine.
This is noteworthy, because many organizations assume that the DPA – at least the first time – will content itself with a warning, or at least that organizations will be given a period of time to end the violation (possibly under threat of a penalty payment). But that has not happened in this case.
Amount of the fine
Half a million is quite a lot. The question is how the DPA determined the amount of this fine. The DPA refers in this respect to its own penalty policy rules, which were adopted in 2019. It follows from these rules that an infringement of Article 6 of the GDPR falls within penalty category III. In principle, a fine range of € 300,000 to € 750,000, with a basic fine of € 525,000, applies to this category. Thus, the basic fine has been imposed on the Tennis Union.
The basic fine is always taken as a starting point, but can be adjusted upwards or downwards. Factors that play a role are the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, any relevant previous infringements, the categories of personal data affected by the infringement, any action taken to mitigate the damage suffered by data subjects, etcetera (see Article 83 GDPR).
The DPA saw no reason to increase or decrease the fine in this case. It took into account, among other things, that a very large number of data subjects were affected by the unlawful sale of personal data. After all, one sponsor was provided with a file containing the personal details of 50,000 members and another sponsor with a file containing the details of 314,846 members, 39,478 of whom (less than 13%) were ultimately selected to be approached as part of a telemarketing campaign. The DPA blames the Tennis Union for not having carried out this selection itself and thus having provided unnecessary data.
The DPA also took account of the fact that the Tennis Union provided the personal data deliberately and thus acted culpably. This culpability does not detract from the fact that the Tennis Union sought advice from a law firm in order to test the policy with regard to the sharing of personal data with sponsors.
Furthermore, the DPA notes that the Tennis Union has taken various measures to limit the damage suffered by the data subjects. For example, the Members’ Council’s consent was obtained for the provision of the data and the members were informed of the intended provisions in various ways (including via newsletters and the tennis union’s website) prior to the provision of the personal data.
Finally, the DPA did not see any reason in the financial position of the Tennis Union to moderate the fine. In its opinion, the Tennis Union has sufficient resources to pay the fine.
If the reasoning of the DPA is followed, direct marketing purposes will hardly ever qualify as a legitimate interest. It would therefore appear from the DPA’s decision that consent from the data subjects must always be sought before their personal data can be used for direct marketing purposes. We – and many others – wonder whether the DPA has not interpreted the GDPR too strictly on this point.
The Tennis Union has announced that it will challenge the DPA’s decision. In conclusion, this discussion is certainly not over yet.