Privacy & Information Security Law Blog

On March 3, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a €525,000 fine on the Royal Dutch Tennis Association (De Koninklijke Nederlandse Lawn Tennisbond, “KNLTB”) for an illegal sale of personal data.

Background

In early 2018, the KNLTB announced in a newsletter and on its website its intention to provide personal data of its members to sponsors for targeted marketing purposes (by phone and by post). Members of the KNLTB subsequently informed the media and the Dutch DPA, and several members filed complaints with the Dutch DPA.

The Dutch DPA’s Decision

The Dutch DPA’s investigation revealed that:

• The personal data of more than 350,000 KNLTB members were sold to sponsors for direct marketing purposes.
• Although the collection of personal data by KNLTB from members was legally justified because it was necessary to participate in the membership program, the sale of such data to KNLTB’s sponsors could not take place based on the same legal ground, and members’ consent should have been collected by KNLTB.
• The purpose for which personal data had been originally collected by KNLTB was not compatible with the subsequent sale of such data to KNLTB’s sponsors (i.e., the purpose limitation principle under the GDPR was not complied with). The Dutch DPA assessed this compatibility based on a number of factors, including the context in which the personal data was collected.

Ultimately, the Dutch DPA found that the sale of personal data by KNLTB to its sponsors was unlawful because it took place without a valid legal ground, therefore infringing Articles 5 and 6 of the EU General Data Protection Regulation. According to the Dutch DPA, this is a serious violation justifying the €525,000 fine. KNLTB has objected to the fine and such objection will be assessed by the Dutch DPA.

Read the press release, summary of the investigation and decision of the Dutch DPA (in Dutch).