Fine for Dutch tennis association for unlawfully selling personal data
The Royal Dutch Lawn Tennis Association (KNLTB) provided the sponsors with personal data such as names, gender and addresses, so that they could approach a selection of KNLTB members with tennis related and other offers. One sponsor received personal data from 50,000, the other from more than 300,000 members. These sponsors approached some of those KNLTB members by post or by telephone. In the opinion of the DPA, the KNLTB had no legitimate interest to sell these personal data. The KNLTB argued it did have a legitimate interest to sell personal data of its members. However, the DPA concluded the purely financial interest of the KNLTB was no lawful basis for infringing the basic rights of its members. The members had not given their permission either. The KNLTB lodged an objection to the fine imposed. The objection was decided on by the DPA itself.
In the Netherlands, this is the third time that the Dutch DPA imposes a fine under the GDPR. In 2018 the Dutch UWV ( Employee Insurance Agency) had to improve its logging security level and was to have two factor authentication in place before October 2019 – in the meantime, this date has been postponed until October 2020 – risking a fine of 150,000 euros per month with a maximum of 900,000 euros. The second fine amounting to 460,000 euros was imposed on the Dutch Haga Hospital, in July 2019, for not having sufficient internal security for patient records in place. About 200 employees had unauthorized access to the medical records of a Dutch celebrity and, moreover, personal information concerning this celebrity was leaked to the press.
So far, the fines have been relatively low in comparison to the fine imposed on Google, on 21 January 2019, by the French DPA CNIL under the GDPR amounting to 50 millions euros. The fine amounting to 204 million euros imposed on British Airways by the British DPA ICO in July 2019 is much higher as well.
Where the Dutch cases are concerned, it should be noted that de DPA imposes fines on semi-governmental bodies such as the Dutch UWV, The Haga hospital and recently the Dutch national tennis federation. No major Dutch companies have been fined under the GDPR as yet. In the past, however, under the previous Dutch privacy legislation, Facebook changed its personal data policy in response to an investigation by the Dutch DPA. Amongst other things, Facebook failed to adequately inform its users at the time that their data were used for targeted advertising, sometimes even based on their sexual orientation. However, no fine was imposed in that case.
The Dutch DPA has its own policy for determining the level of administrative fines. This to achieve a consistent approach when fines are imposed. The type of GDPR infringement is related to a specific GDPR article and these infringements are divided in categories I, II, III, IV (category I: €0 to €200,000, basic fine €100,000; category II: €120,000-€500,000, basic fine €250,000; category III: €300,000-€750,000, basic fine €525,000; category IV: €450,000-€1,000,000, basic fine €725,000). These are relatively low fines, considering the maximum fines listed in article 83 of the GDPR. The basic fines can be increased or reduced, depending on the relevant factors referred to in article 7 of this policy. These relevant factors are:
- The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of persons affected and the extent of the damage suffered by them.
- The deliberate or careless nature of the infringement.
- The measures taken by the controller or the processor to limit the damage to the data subjects involved.
- The extent to which the controller or the processor is responsible, considering the technical and organizational measures that had to be taken under articles 25 and 32 of the GDPR. • Previous infringements, where relevant, by the controller or the processor.
- The level of cooperation with the Dutch DPA to remedy the infringement and reduce the possible, negative consequences of it.
- The categories of personal data affected by the infringement.
- The manner in which the Dutch DPA has been notified of the infringement and whether the controller or the processor has reported the infringement.
- In how far the controller or the processor has complied with any previous measures imposed by the Dutch DPA, as referred to in article 58 (2) of the GDPR.
- Compliance with approved codes of conduct in accordance with article 40 of the GDPR or with approved certification mechanisms referred to in article 42 of the GDPR.
- Any other circumstances that may be regarded as aggravating or mitigating factors, such as financial gains realised, or losses avoided, whether or not directly arising from the infringement.
If the specific infringement category in a specific case does not result in what is considered an appropriate fine, the Dutch DPA may either opt for a fine in a specific range or in a higher or lower category or increase the fine by 50%.
In very special circumstances, either the maximum fine of €10 million or € 20 million under article 83 of the GDPR may be imposed or a fine amounting to 2% or 4% of the company’s annual turnover in the relevant financial year. In these situations, the Dutch DPA acts outside the limits of the specific ranges referred to in its own policy.
The financial situation of an offender may lead to reduced fines. In case of accumulated infringements, the maximum fine for the most severe infringement will be applicable.
The Dutch DPA is the first DPA who has defined its own policy and perhaps it will inspire the DPAs in other EU countries. In the case of the tennis association KNTLB, the DPA determined that the infringement was a category 3 infringement (article 6 GDPR) and imposed the basic fine amounting to €525,000.
In the Netherlands the DPA seems to prefer warnings and relatively low fines which, in our opinion, is a positive thing. So: no blind fear for huge fines and a more or less predictable DPA where the levels of GDPR fines are concerned.
Article provided by: Bob Cordemeyer (Cordemeyer & Slager Advocaten, The Netherlands)
Dr. Tobias Höllwarth (Managing Director INPLP)