Recently, the latest fine under the AVG was announced. The Personal Data Authority (AP) imposed a fine of €525,000.00 on the Royal Dutch Lawn Tennis Association (KNLTB). The fine was imposed on December 20, 2019 for providing and using member data without a lawful basis (Article 5 paragraph 1 opening words and under a jo. Article 6 paragraph 1 AVG). The KNLTB filed an objection to the fine decision.
Reason
In early 2018, the KNLTB announced on its site and in newsletters its intention to provide members’ personal data to sponsors for a fee. This allowed the sponsors to approach members with offers (tennis-related or otherwise). Back in 2007, the KNLTB decided it wanted to use this source of income. Several members of the KNLTB filed complaints about this with the AP. The media also paid attention to this ‘sale of member data’. The AP therefore launched an investigation, in line with its policy up to and including 2023 on ‘data trading’.
Findings
The AP’s investigation revealed that the KNLTB twice provided a selection of member data to a sponsor. Promotional actions were then carried out with these. The KNLTB itself announced that these were:
- (twice) a discount flyer by mail from TennisDirect, for which 50,000 address details were provided.
- a call action by the Dutch Lottery for which over 300,000 contact and address details were provided. The call action was terminated early, so just under 40,000 data were actually used for the action.
In the investigation, the AP also looked at the decision-making process and provision of information to members about these data processing operations. In 2017, the KNLTB Member Council approved a board proposal to expand direct communication options to members. Based on this decision-making, the KNLTB said it could create added value for its members through great offers and generate additional revenue.
The KNLTB freely informs its members about the processing of their data. For example, in a welcome e-mail for new members. But also through newsletters, the privacy statement and its websites. The information provided therein in recent years was largely the same. The KNLTB indicated that on the basis of its ‘legitimate interest’ it could provide member data to partners so that they could make direct offers. In addition, members were always reminded of their right to object to such provision. What is noticeable, however, is that the KNLTB varies in indicating what is done with the telephone numbers and e-mail addresses of its members. Indeed, some messages indicate that the telephone number will be provided after prior consent, while others indicate that only the e-mail address will be provided after prior consent for the promotions.
In the December 2018 privacy statement, the KNLTB explains this processing of personal data. There it states the following (author’s italics): “When it comes to providing NAW data to our partners (making an offer especially for our members), you are of course entitled at all times to make your objection known via the appropriate form (right to object in direct marketing). Your data will then no longer be provided to our partners so that they can make an offer to you as a KNLTB member. The legal basis for this provision is legitimate interest (and therefore not consent). Telephone numbers will only be provided to our partners if a member has given explicit prior consent.”
AP assessment
In the fining decision, the AP outlines the manner in which it arrives at the judgment that there is processing in violation of the AVG. To do this, it takes a number of steps:
- The member data in question (NAW and contact details) are personal data (Article 4 under 1 AVG). Members can be directly identified through the data.
- Providing data for direct marketing activities qualifies as processing personal data (Article 4 under 2 AVG).
- The KNLTB qualifies as processing controller for the processing operations involved (Article 4 under 7 AVG). This is because the KNLTB (also) determines the purpose and means of the processing.
- The processing for sponsorship actions is only partially and varying over time in the various purposes formulated by the KNLTB. This means that for each period there is no question of well-defined and explicitly defined purposes from which members could infer that their personal data would be used for sponsorship actions by third parties. This violates the principle of purpose limitation (Article 5 paragraph 1 sub b AVG).
- For the collection of member data by the KNLTB itself there is a basis in accordance with Article 6 paragraph 1 under b AVG, namely membership of the KNLTB.
- The “new” purpose of the sponsorship actions is not compatible with the already existing purposes, namely the collection of membership data (Article 6 paragraph 4 AVG).
- Further processing of the originally collected data is lawful if there is 1) consent, 2) a legal duty or the new purpose is compatible with the original purpose. The AP considers this assessment relevant for members who became members before 2007. Indeed, it is only from 2007 onwards that a decision to collect data for a new purpose, namely for marketing with the membership data by sponsors, is made.
- No legally valid consent was obtained for the ‘further processing’ prior to 2007. The member council’s consent does not qualify as consent within the meaning of the AVG (recital 32 AVG). This further processing does not follow from a legal duty. Nor is the further processing compatible with the original purpose. The AP does not see any connection between the execution of the membership agreement and the generation of additional income through sponsors.
- For post-2007 processing, the AP believes there is no legitimate basis for the processing. Indeed, the KNLTB may not use the ‘legitimate interest’ basis, which requires consent. Indeed, the KNLTB’s commercial interests can never constitute a legitimate interest within the meaning of Article 6(1)(f) AVG.
The AP’s conclusion is that the KNLTB has processed the members’ personal data without a basis and therefore unlawfully. By providing the member data, the KNLTB members have lost control over their personal data and thus their privacy has been infringed. This is because it involves large numbers of data and many potential data subjects (the KNLTB has over 570,000 members). In addition, the KNLTB provided more personal data than was necessary for the actions. For example, e-mail addresses for a call action. Especially when it was indicated that the e-mail address would not be provided without permission. The consequences also play a role. Receiving offers by mail or phone can be experienced as a nuisance. In addition, the personal data have now ended up with other parties, increasing the risk of a personal data breach. The safeguards from the KNLTB (in particular the right to object) are, in the AP’s view, insufficient to compensate for this.
Penalty
For this reason, the AP has decided to impose an administrative fine on the KNLTB This amounts to €525,000.00. According to the 2019 Fine Policy Rules, a violation of Article 6 AVG falls into penalty category III of Annex 2. The applicable fine band for this is between €300,000.00 and €750,000.00, where the basic fine is €525,000.00. The AP sees no circumstances in, for example, nature, scope or severity of the violation to deviate from this basic fine. Given the KNLTB’s annual turnover of over €6 million, the AP believes that the KNLTB can bear the fine financially.
KNLTB’s response
As mentioned in the introduction, the KNLTB completely disagrees with the fine. The objection to it is now pending. A follow-up in court is certainly expected. Legally, it is particularly interesting whether the AP’s explanation of the ‘legitimate interest’ will stand up in court. Namely, the AP excludes purely commercial interests as a possible legitimate interest. This is in line with the further explanation of the ‘legitimate interest’ basis published in November 2019. This publication has caused some professional controversy. Indeed, recital 47 of the AVG seems to offer more room for the designation of direct marketing as a legitimate interest. The KNLTB argued this in its opinion preceding the penalty decision. However, the AP does not honor that objection. A court ruling on this point might not only give the KNLTB, but also other sports associations and (Dutch) privacy lawyers more conclusive answers.
The KNLTB also regrets that the AP chose to proceed with enforcement. In its experience, the AP could also have opted for a normative discussion and information about the manner in which the KNLTB could lawfully process data. In itself, the AP does have the right to enforce directly in the event of a violation. The impression does remain that the KNLTB is being used somewhat as an example and test case. Whether that is so sporting remains to be seen.
In addition to the KNLTB, other sports clubs and associations are awaiting further developments with heightened interest. After all, data trading in this form occurs more often in the sports world. If the sanction is upheld, it may have significant consequences for other organizations as well. In addition, the sports world is afraid of losing a source of income. his in turn would lead to higher membership fees. The VVD has already submitted parliamentary questions to the minister about this. Furthermore, NOC*NSF also says it is surprised by the decision. The Handbook that the KNLTB has used for its privacy policy was developed by order of NOC*NSF and is used by a large number of sports clubs. That makes the outcome relevant to them as well.
Given the amount of the fine and the impact in the sports world, it can be expected that the fine will be (extensively) litigated. This not only provides more clarity for the sports world, but also the development of the ‘legitimate interest’ makes the issue even more interesting for lawyers. To be continued for sure.
This article was written by mr. Henk-Jan Ligtenberg and also appeared in SDU OpMaat Privacy Law.
