On March 2, 2020, the Dutch Data Protection Authority (DDPA) published its notice of a monetary penalty notice, issued under the General Data Protection Regulation against the Dutch National Tennis Association.
A fine in the amount of € 525,000 was imposed for the – allegedly – unauthorized sale of member data to the Association’s sponsors.
This decision is relevant as it is the first monetary fine issued by the DDPA which relates to (direct) marketing practices. Moreover, it provides an insight into the enforcement priorities of the Dutch regulator.
What happened?
The Association entered into data sharing agreements with two of its sponsors, and subsequently provided them with personal details such as name, gender and address, so as to enable these sponsors to approach a selection of members with tennis-related and other offers. The sponsors received personal data in respect of 50,000 and over 300,000 members, respectively and contacted a selection. Some of these members were then contacted by mail or telephone.
The DDPA engaged after it received queries from members who received a notice from the Association about the contemplated data sharing. At a later stage, other members lodged complaints about the fact that they were contacted by the sponsors without their consent. And to make things worse, the matter was picked up by the press. These factors caused the DDPA to start an investigation with a view of active enforcement.
The DDPA found that the Association had lawfully collected the member data as this data processing activity took place for membership administration, which can be viewed as necessary for the performance of the (membership) agreements. However, the subsequent sale of member data by the Association could not be based on this processing ground, nor did the Association have an alternative processing ground to rely upon.
What are the key lessons to be learned?
- Sale of personal data is one of the trickiest areas. The first observation is that this intervention is in line with the DDPA’s enforcement priorities. The areas that get specific attention from the DDPA are: (i) sale of personal data, (ii) digital government and (iii) artificial intelligence & algorithms. The fact that the personal data was solely shared for commercial purposes has played a clear role in the assessment of the case by the DDPA;
- Complaints and press coverage are important triggers for the DDPA to start investigation. The Association has complained that it was singled out by the DDPA and accused the DDPA of ‘gun jumping’. According to the Association, the DDPA should, as per its own enforcement policies, first have engaged in a dialogue with the Association to nudge them to compliance. In its response, the DDPA clearly mentions that it had reasons to shift gears and move to direct enforcement, as it not only received complaints, but the data sharing activities had also drawn media attention and caused public outcry.
- The legitimate interest condition as a processing ground is under pressure. The DDPA is getting more and more vocal in its stance that the “legitimate interest condition” of Art. 6(1)f GDPR cannot be relied upon by controllers whose personal data processing only takes place in order to generate income or profit. According to the DDPA, this interest is insufficiently specific. A controller should have a better, more specific story on why it really needs to process the personal data in question.
- “Further use” is clearly considered as an alternative to achieve lawfulness. The DDPA has assessed whether the data sharing could be based on the concept of “further use” as meant in Art. 6(4) GDPR. In doing so, it confirmed that this processing ground is indeed a “seventh processing ground”. In this case, the DDPA was not convinced that sufficient safeguards were put in place to ensure that the further processing is “compatible”, but for other use cases this decision could prove helpful.
- The DDPA’s penalty guidelines were followed mathematically. The DDPA applied its own policy guidelines in respect of administrative fines. Whereas the GDPR would leave room for a fine of € 20 Million, the guidelines suggested a fine in the category 300k – 750k. The DDPA imposed a fine in the amount of € 525k – which is the exact middle of this band.
What’s next?
The Association has announced it will appeal the fine decision. According to Dutch administrative law, the Association first has to make objections at the DDPA against the fine. If this will not lead to another (or more satisfactory) decision from the DDPA, the Association can apply for judicial review at the administrative court and afterwards even appeal to this judgement.
It is hence likely that this matter will drag along for quite some time. This decision may be the first one to be subject to a judicial review by the court, but even if this happens, a decision is not expected before 2021.
For an overview of all published enforcement decisions under the GDPR in Europe please visit the Baker McKenzie GDPR Enforcement Tracker.