The Dutch Data Protection Authority (hereinafter: “DPA”) imposed a fine of EUR 525,000 on the KNLTB, the Royal Dutch Lawn Tennis Association (hereinafter: “KNLTB”), for selling data of its members. The personal data was sold to two sponsors, who then approached the members for promotional actions by mail or telephone. The KNLTB provided the sponsors with personal data such as name, gender and address and shared personal data of approximately 50,000 and 315,000 members.
The KNLTB is the umbrella body of the tennis sport and the tennis clubs in the Netherlands. According to the website of the KNLTB, almost 570,000 tennis players are affiliated with the association and about 97% of the tennis clubs are affiliated. Early 2018 the KNLTB announced to provide personal details of members to sponsors to enable them to approach members with tennis related and other offers. These announcements were made in newsletters and on the website of the KNLTB. As a result of these announcements and contacting members by telephone with promotional offers from the sponsors, the DPA received several complaints. The issue was also raised in the media. These complaints and the media attention to the issue prompted the DPA to launch an investigation into the KNLTB’s actions in October 2018.
The KNLTB processes personal data for multiple purposes, such as for the performance of the membership agreement with the members and the development of the tennis sport in the Netherlands. These goals were included in the articles of association of the KNLTB in 2005, but changed over time. For example, a new collection purpose was defined in 2007, namely to generate income by providing membership data to sponsors for direct marketing activities of the sponsors. This purpose was used for mail campaigns. In 2017, it was added that members may also be contacted by telephone for direct marketing purposes.
In the investigation, the DPA makes a distinction between two situations, members who became members before 2007 and members from 2007 onwards. According to the DPA, members who became members before 2007 are not informed of the transfer of their data to sponsors. Members from 2007 onwards have been informed of the new collective purpose by the KNLTB at the time of their registration.
Members prior to 2007
For these members, the provision of data to the sponsors qualifies as further processing, i.e. for a different purpose than the purpose for which the data were originally collected. This further processing would be lawful on the basis of the General Data Protection Regulation („GDPR“) if the further processing is compatible with the original purpose.
The KNLTB originally collected personal data for the performance of the membership agreement and not for the purpose of generating (additional) income by providing sponsors. The DPA considers that there is no compatible purpose. One of the reasons for this conclusion is that the distribution to the sponsors is not in line with the reasonable expectations of the members.
The fact that the KNLTB informed its members in various ways about the further processing of their personal data prior to the transfer and offered them the opportunity to object does not justify the transfer. After all, informing the members only took place after the collection of their personal data.
Members since 2007
For these members, the provision was known as a purpose. The DPA therefore does not investigate the lawfulness of the further processing, but focuses on the presence of a legal basis. The KNLTB invokes the legitimate interest as legal basis and refers to recital 47 of the GDPR in which direct marketing purposes are explicitly mentioned as legitimate interest and the freedom to conduct a business as set out in the Charter of Fundamental Rights of the European Union.
The DPA is of the opinion that the interest of the KNLTB is not legitimate. For a successful reliance on legitimate interest, three cumulative conditions must be met: (i) the interest of the KNLTB must be legitimate, (ii) the processing of the personal data must be necessary to promote the legitimate interest, and (iii) the legitimate interest of the KNLTB must take precedence over the fundamental rights and freedoms of its members.
The KNLTB does not meet this first threshold of legitimacy. According to the DPA, purely commercial interests, such as the interest in providing added value for membership and the interest in reducing the reduced income due to declining membership numbers, lack a more or less urgent character arising from a (written or unwritten) rule of law or principle of law. The same would apply to the freedom to conduct a business. The importance of this freedom is not sufficiently concrete and direct to qualify as a legitimate interest. Now that the KNLTB cannot invoke a legitimate interest as a legal basis, nor can it invoke any other legal basis, the transfers have been unlawful.
The DPA imposed a fine of EUR 525,000 which is the starting point for such infringements of the GDPR. The DPA sees no reason to increase or decrease the amount of the fine. Relevant factors for determining the level of the fine include the nature, seriousness and duration of the infringement, the degree of culpability and the measures taken to mitigate damages.
Outside the sports world, the DPA has previously imposed substantial fines for violating the protection of personal data. In July 2018, for example, the Dutch hospital HagaZiekenhuis was fined EUR 460,000 for the negligent handling of patient data.
The KNLTB objected to the decision and the DPA will assess this objection. Meanwhile, sports umbrella organization NOC*NSF has asked the DPA to reconsider the decision.
For many sports associations the cooperation with partners and sponsors is a crucial source of income and therefore they provide data to third parties for direct marketing purposes. The DPA stated that it may also investigate other sports associations in case they receive complaints from data subjects about the transfer of their data for commercial purposes.
Read the full decision here (in Dutch)
Dr. Martin Schirmbacher also keeps an updated list of all published fines relating to online marketing, including this one. Come have a look!