On 3 March 2020, NOS published an article about the mega fine of €525,000 imposed by the Personal Data Authority (AP) on the Royal Dutch Lawn Tennis Association (KNLTB). The AP's decision was also published on 3 March 2020.
In June and July 2018, for the purpose of generating revenue, the KNLTB provided a file containing personal data of its members to two sponsors for the purpose of these sponsors' direct marketing activities. The AP ruled that for the provision of the data by the KNLTB to the sponsors in respect of one part of the members, there was no lawful basis and that in respect of the other part of the members, there was incompatible further processing.
In this article, we will discuss the bases for processing and what is meant by further processing. There will be a brief look at the AP's ruling and, in particular, what went wrong at the KNLTB, after which things will be briefly summarised.
To process personal data, the purpose of the processing must always be clearly defined and justified. There must also always be a basis for the processing. One basis must then be chosen, whereby it should not be the case that if one basis is not justified (with hindsight) another one is then chosen. The AVG has six bases, three of which we briefly highlight in this piece.
The clearest and most unambiguous basis is consent of the data subject. Consent is the free, specific, informed and unambiguous expression of will by which the data subject accepts the processing of their personal data. Consent must be actively and freely given. The data subject may withdraw the consent given for any purpose and at any time. Personal data may then no longer be processed for that specific purpose. This makes it not the most secure basis for processing.
Another basis is, for example, if the processing is necessary to fulfil an agreement with the data subject. Processing the personal data is necessary only then, when the agreement cannot be properly fulfilled without its processing.
The (own) legitimate interest may also be a basis. Here, the balancing of interests involves setting the organisation's interest against the privacy interest of the data subject. For a successful reliance on the legitimate interest basis, three cumulative conditions must be met for a processing of personal data to be lawful. First: the pursuit of a legitimate interest of the controller or a third party. Secondly: the necessity of processing the personal data to satisfy the legitimate interest. And thirdly: the condition that the fundamental rights and freedoms of the data subject shall not prevail. However, all the circumstances of this specific situation and the outcome of the balancing of interests must be recorded in writing.
According to the AVG, personal data may therefore only be processed for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes. This is the so-called purpose limitation: processing may only take place for the purposes notified in advance, or for purposes that are compatible with those purposes. The purpose limitation applies not only to processing by third parties, but also to processing carried out by the controller itself.
Further processing, or processing for a purpose other than that for which the personal data are originally processed, must be justified separately. If such processing is not justified by the basis of consent or based on a legal provision, the controller must make an additional assessment whether this other purpose is compatible with the original purpose. Here, the following factors play a major role:
With regard to the one part of the members, the KNLTB argues that the processing of personal data is necessary to pursue its legitimate interests, namely to generate extra income now that its membership (and thus revenue) has fallen sharply over the past decade. Its own research has shown that the reason for this is that members see little added value in membership of the KNLTB.
However, the AP concluded that the mere interest consisting of the monetisation of personal data and/or being able to make a profit does not qualify as a legitimate interest in itself. According to the AP, the interests claimed by the KNLTB thus lack a more or less urgent character that outweighs the interests of the data subjects. However, the interest of entrepreneurial freedom, contractual freedom and the freedom to exercise an economic or commercial activity are not sufficiently concrete and direct to qualify as a legitimate interest under the AVG. The AP therefore concludes that the interests claimed by the KNLTB do not qualify as legitimate. In addition, the AP concludes that the processing of personal data could also not be based on any other legal basis as named in the AVG.
For the other part of the members, the processing of personal data for direct marketing activities to generate (extra) income for the KNLTB is further processing. This is lawful if consent has been given for the processing for this purpose or the processing is based on a legal provision or is compatible with the original purpose.
The KNLTB takes the position that permission for further processing was obtained via the members' council. After all, the members' council has consented to this processing. The AP considers that this consent does not meet the requirement of the AVG. After all, consent must be given by the (individual) data subject by means of a clear active act showing that the data subject freely, specifically, informed and unambiguously consents to the processing of their personal data. The Member Council's consent does not meet these requirements, as it does not obtain the consent of individual data subjects.
The AP also concluded that there was no processing according to a statutory provision, nor a compatible purpose. Indeed, with regard to the latter, there is no connection between the original purpose of processing and the purposes of further processing, because the KNLTB originally processed the personal data for the purpose of executing the membership agreement and not for the purpose of generating (additional) income by providing the data to sponsors. The AP also concludes that members should have expected that their personal data would only be used for the performance of the membership agreement and that, given that the KNLTB is a non-profit organisation, members could not expect that their personal data would also be provided to sponsors with commercial motives. Finally, the AP concludes that the processing of the personal data caused the KNLTB's members to lose control over their personal data, thus infringing on their privacy, and that the measures taken by the KNLTB would not sufficiently compensate for this.
In order to process personal data, there must be a basis for doing so. The AVG has six bases. One basis must then be chosen for the processing, whereby it should not be the case that if one basis does not succeed (with hindsight) another one is then chosen.
If, as the KNLTB did, the processing is based on its (own) legitimate interest, then for a successful reliance on this, the three aforementioned cumulative conditions must be met for a processing of personal data to be lawful. Moreover, the legitimate interest must be of a more or less urgent and specific nature arising from a ((un)written) rule of law or legal principle. Purely commercial interests and the interest of profit maximisation lack sufficient specificity and lack an urgent 'legal' character so that they cannot qualify as legitimate interests.
With regard to the purposes, the rule is therefore that they must be well-defined, explicitly described and justified, and personal data may not be further processed in a manner incompatible with those purposes.
If the purpose of the further processing is compatible with the original purpose of the processing, the further processing does not require a separate legal basis other than the one under which the original processing was authorised. If the further processing is done for a different purpose, but it is not authorised, not based on a legal provision and/or not compatible with the original purpose, the processing is unlawful due to the lack of a basis. Thus, the further processing cannot be considered as a new processing separate from the original processing. Therefore, no other legal basis under the AVG can be used to legitimise the further processing as yet.
If you have any questions on this topic or would like to exchange views, we would be happy to be your discussion partner.