Last week, the Dutch Data Protection Authority (the DDPA) issued a €525,000 fine to the Royal Dutch Lawn Tennis Association (Dutch Tennis Association) for the unjustifiable sale of member personal data to third party sponsors. The DDPA's investigative activities against the Dutch Tennis Association were already announced back in December 2018 and we have been waiting for the ball to drop. According to recent press releases, the Dutch Tennis Association is surprised it has been fined and has announced it has taken another shot at convincing the DDPA of its position in the objection procedure. In this article we discuss the DDPA's decision to fine the Dutch Tennis Association and how this decision impacts other types of organizations selling personal data.
Background of the case
During the summer of 2018, the Dutch Tennis Association sold personal data of its members to two third party sponsors for their direct marketing activities, in order to create value for members and generate revenue for the benefit of the sport of tennis in general.
The Dutch Tennis Association did not request its members' consent, but did request the approval of its Council of Members and offered members the possibility to object to the sale of their personal data (opt-out).
The Dutch Tennis Association shared the information of 50,000 members, including full name, gender, campaign ID and home address, with the first sponsor, which distributed promotional flyers. With the second sponsor, the Dutch Tennis Association shared the information of 314,846 households ̶ including full name, gender, campaign ID, home address, date of birth, telephone numbers (landline and mobile number), e-mail address and tennis club membership details ̶ for telemarketing purposes.
DDPA's legal assessment
In its decision, the DDPA makes a distinction between the processing of personal data of data subjects who became members of the Dutch Tennis Association before 2007 and from 2007 onwards. The DDPA is of the position that as of 2007 it was clear that the Dutch Tennis Association was not only collecting information for the purposes of the membership agreement (as it had been before 2007), but also for the sale of the information to third party sponsors for promotional purposes.
For the sale of personal data of data subjects who became members before 2007, it should be assessed if this processing activity is compatible with the purpose for which the personal data was collected (the legal concept of further processing of personal data (article 6(4) GDPR)).
For the sale of personal data of data subjects who became members from 2007, it should be assessed if the Dutch Tennis Association justifiably relied on the legal basis of legitimate interests (article 6(1)(f) GDPR).
The sale of personal data to third party sponsors for direct marketing purposes is allowed if:
- the data subject gave his/her prior consent to the envisaged further processing;
- his processing activity finds its basis in EU or EU member state law; or
- this further processing purpose is compatible with the purpose for which the personal data was collected.
Numbers i) and ii) do not apply in the given case.
In regard to whether the sale of member data is compatible with the collection purpose, the controller (i.e. the Dutch Tennis Association) must inter alia assess the factors set out in article 6(4) GDPR. The DDPA assessed the factors as well and concluded that the further processing of personal data is not compatible with the collection purpose. Instead, the Dutch Tennis Association should have obtained prior consent. In the table below, we set out the DDPA's in concreto analysis of the article 6(4) factors.
|Factor||In concreto analysis of DDPA|
|any link between the purposes for which the personal data have been collected and the purposes of the intended further processing||The DDPA does not see any link between the purpose of collection (i.e. the performance under the membership agreement) and the further processing (i.e. the generation of additional revenue for the Dutch Tennis Association by selling personal data to sponsors), though its motivation at this point is marginal.|
|the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller||The DDPA sets out that members did not expect and should not
have expected the sale of their personal data to third parties, in
particular as (i) data subjects are not given a choice as to
whether they become a member of the Dutch Tennis Association and
(ii) the Dutch Tennis Association is a non-profit organization (in
principle not having commercial motives).
While the Dutch Tennis Association informed the members of the envisaged provision of their data to sponsors, the DDPA rightly states that this information provision did not take place upon collection (and therefore does not influence the data subjects' expectations in the context of collection).
|the nature of the personal data, in particular whether special category data or criminal data are processed||The Dutch Tennis Association did not sell any special category
data, criminal data or data of minors.
Nevertheless, the Dutch Tennis Association provided unnecessary and unrelated information to the second sponsor for telemarketing communications purposes (e.g. home addresses and e-mail addresses), thereby unnecessarily increasing the risk of e.g. spamming and phishing.
|the possible consequences of the intended further processing for data subjects||As a consequence of the sale of their personal data, data
subjects lost control over their personal data, affecting their
privacy. Whether or not the revenue benefits the members as a whole
or the sport of tennis in general is irrelevant.
In this context, the DDPA takes it very seriously that the Dutch Tennis Association provided the second sponsor with more information than strictly necessary. Especially since the second sponsor selected less than 13% of the households in the database for telemarketing. This is partly because some members were registered in the public Do-Not-Call Register (Bel-me-niet Register). The Do-Not-Call Register prevents companies from undertaking telecommunication activities towards registered individuals. Thus, over 87% of the data was unnecessarily transferred.
Further, data subjects may find marketing communications unpleasant or annoying.
|the existence of appropriate safeguards, which may include encryption or pseudonymization||Appropriate safeguards could serve as a compensation for change
of purpose, or for the fact that purposes have not been specified
as clearly in the beginning as they should have.
Providing a mere opt-out right in this context cannot be considered sufficient compensation.
Legal basis of legitimate interests
For data subjects who became members as of 2007, the DDPA deems that it should have been clear that one of the collection purposes was the provision of personal data to third party sponsors for the benefit of the Dutch Tennis Association.
The processing of personal data requires a legal ground. The Dutch Tennis Association is of the view that it has a legitimate interest in the sale of personal data because the amount of members decreased over the past 10 years, causing revenue to decrease as well.
The DDPA strictly interprets what could be considered a legitimate interest, thereby narrowing down the possibility for controllers to base processing activities on the basis of 6(1)(f) GDPR. Essentially, the DDPA says that a legitimate interest must follow from a fundamental right or a principle of law. Purely commercial interests and profit maximization do not constitute legitimate interests.
The DDPA further reasons that this does not interfere with the freedom to conduct business as laid down in the EU Charter, as this freedom is not unconditional: The freedom to conduct business does not imply a right to profit maximization as such, nor do barriers to profit maximization that help protect others' rights to privacy and data protection constitute an unacceptable infringement on this freedom.
The DDPA concluded that the Dutch Tennis Association did not and does not have a legitimate interest for the sale of its members' personal data. Consequently, the provision of information to the sponsors is unlawful.
We agree with the DDPA that article 6(1)(f) GDPR is not the right lawful basis in this situation, and that the sale of personal data to third parties generally requires the data subject's consent. However, in our view this is because of the balancing test: in balancing the legitimate interests of the Dutch Tennis Association against the interests, fundamental rights or freedoms of data subjects, the latter outweigh the former's legitimate interests.
Unlike the DDPA, we adopt the position that purely commercial interests and profit maximization could be considered legitimate interests within the meaning of article 6(1)(f) GDPR. (Other data protection authorities do not take such a strict position as the DDPA). We are curious to see how this match will play out in court or will be followed up by new EDPB guidance.
The DDPA concludes that the Dutch Tennis Association breached two of the GDPR's key principles, the purpose limitation and lawfulness, fairness and transparency. For this the Dutch Tennis Association is fined with the base category III fine of €525,000, in accordance with the DDPA's Administrative Fines Policy. The Dutch Tennis Association announced that it objected to the decision.
This case shows the DDPA's strict stance on the sale of personal data without data subjects' consent, in particular in situations where the data subject should not have expected the sale of his/her information, or where he/she is not given a real choice.
This decision has a significant impact beyond just sport associations and should be taken seriously by any organization that is in the business of buying and selling personal data. If the DDPA's position holds in the objection procedure, or ultimately in court, it means that without the data subjects' prior consent, the sale of personal data is generally not permitted.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.