APD/GBA (Belgium) - 125/2021
From GDPRhub
| APD/GBA (Belgium) - 125/2021 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(b) GDPR Article 6(1)(f) GDPR Article 6(4) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 10.11.2021 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 125/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | gegevensbeschermingsautoriteit.be (in NL) |
| Initial Contributor: | Martijn Staal |
The Belgian DPA issued a reprimand against a fitness club for violating articles 5(1)(b) and 6 of the GDPR by sharing the personal data, among which the dates of the last visits to the fitness club, of one customer with another in a payment dispute.
English Summary
Facts
Complainant is a member of a fitness club (the defendant). Complainant got contacted by a third party (who is also a member of a fitness club) that they received personal data of the complainant by the fitness club. The personal data consisted of the name, mobile phone number, e-mail address, date of birth, and the dates of the last visits to the fitness club by the complainant. The third party received the personal data of the complainant because the third party wrongly paid the membership fee of the complainant. An employee of the fitness club advised the third party to report this incident as theft to the police.
Complainant argues that the fitness club breached the purpose limitation of collected personal data laid down in article 5(1)(b) GDPR. The personal data of complainant was provided in confidence that it would only be processed as necessary for the contractual relationship between complainant and the defendant.
Holding
The Litigation Chamber of the Belgian DPA consisders that the transfer of the personal data of complainant to the third party, the defendand handled in breach of the principles of data processing.
Furthermore, the Litigation Chamber sees no reason why the transfer of personal data should nevertheless be allowed under article 6(4) GDPR, the exception to process personal data for a different purpose than initially collected without a separate legal basis.
An appeal to legitimate interest as a legal basis to transfer the data to the third party (article 6(1)(f) GDPR) also fails. According to the Litigation Chamber, it was not necessary for the defendant to give all this information about the complainant in order to identify who the third party accidentally was paying membership fees for. Furthermore, the Litigation Chamber considers that the complainant could not expect that their personal data including information on their fitness club visits, would be shared with a third party. With reference to recital 47 of the GDPR and the judgement of the Court of Justice of the European Union C-708/18 TK v Asociaţia de Proprietari bloc M5A-ScaraA, the Litigation Chamber concludes that there was no balance of the fundamental rights of complainant and the interests of the third party and the defendant. Lacking necessity and a good consideration, an appeal to article 6(1)(f) GDPR fails.
Since it was only a single event, probably cause by human error, and in the mean time defendant has taken appropriate measures to prevent repetition, the Litigation Chamber decides that it is not necessary to impose a fine and a simple reprimand is sufficient.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/7
Dispute room
Decision on the merits 125/2021 of 10 November 2021
File number : DOS-2020-00292
Subject: transfer of personal data of a member of a sports club to a third party
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,
chairman and Messrs. Jelle Stassijns and Frank De Smet;
Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (General
Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives
on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision regarding:
The complainant: Mrs. X, hereinafter referred to as “the complainant”; .
.
The defendant: Sports Club Y, hereinafter referred to as “the defendant”. Decision on the merits 125/2021 - 2/7
I. Facts and procedure
1. On December 29, 2019, the complainant lodged a complaint with the Data Protection Authority against
defendant.
The object of the complaint concerns the transmission of the complainant's personal data, including
her name, address, date of birth, e-mail address and dates of her last visits to the
the defendant's fitness club, to a third party. The complainant is a member of the respondent's fitness club. on any
At the time, the complainant was contacted by a person who indicated that he was in possession of the
personal data of the complainant. This third party, who is also a member of the fitness club, gives
know that they have received personal data concerning the complainant from the defendant. After this
third party received a notice of default after which it was established that his wife was wrong
paid the complainant's subscription costs (instead of his own subscription costs), the
personal data of the complainant provided by the defendant to this third party
the complaint has been declared admissible by the Frontline Service on the basis of Articles 58 and 60 WOG
and the complaint pursuant to art. 62, §1 WOG transferred to the Disputes Chamber.
2. On August 12, 2020, the Disputes Chamber will decide on the basis of art. 95, §1, 1° and art. 98 WOG that it
file is ready for processing on the merits.
3. On August 12, 2020, the concerned parties will be notified by registered mail
of the provisions as stated in article 95, §2, as well as of those in art. 98 WOG. Also,
they pursuant to art. 99 WOG of the time limits to lodge their defenses
serve.
4. The final date for receipt of the defendant's statement of defense was thereby set
laid down on 9 September 2020, this for the complainant's reply on 23
September 2020 date] and this one for the defendant's statement of reply on October 7
2020.
5. The parties have not requested to be heard at a hearing.
6. On September 8, 2020, the Disputes Chamber will receive the statement of defense from the
defendant. The defendant acknowledges that there has been
personal data of the complainant to a third party by one of its employees in the fitness club
Ledberg. This employee could not be questioned by the defendant because he is currently
is not working due to personal circumstances.
7. Defendant indicates that it regrets the course of events and points out that according to the
internal guidelines is under no circumstances allowed that employees provide personal data
To third parties. In addition to this, the defendant argues that the role of club employees is decreasing
as members are urged to use the principle of “self
service” whereby members can always check certain data themselves and change them if necessary. Decision on the merits 125/2021 - 3/7
In addition, the following measures have been taken: Members can provide support if desired
get from customer service; the regional managers and team leaders have been informed about this incident
and they have been requested to discuss this with all employees; new flyers are being handed out to
the employees with the obligations from the GDPR that they must adhere to; this
flyers will continue to be updated and redistributed in order to raise awareness for
maintain privacy; the club employee who will be providing the personal data
addressed the moment he returns; the internal procedure is being improved to
avoid similar situations in case of incorrect account numbers.
8. On 17 December 2020, the Disputes Chamber will receive the statement of reply from the complainant. She
indicates therein that the proposed measures to prevent the recurrence of
such events make her feel positive. However, she emphasizes that the processing of
personal data was apparently acted in violation of the GDPR in December 2019. complainant
requests the Disputes Chamber to impose an appropriate sanction on the defendant.
II. Justification
9. Any processing of personal data must be based on a
legal basis. The complainant was a member of the defendant's fitness club and therefore, in the context of the
performance of the contract provides its personal data to the defendant, who
was allowed to process data in the context of the same agreement (Article 6.1 under b GDPR).
10. An employee of the defendant has - as already described above - the
personal data of the complainant, including her name, address, date of birth, mobile phone number, email
email address and the dates of the last visits to the fitness club provided to a third party, because
the latter paid the complainant - admittedly incorrectly - the costs of the subscription. From the
submitted e-mails between an employee of the respondent and it appears that the employee
the third party advised to report the theft to the police against the complainant and
provide evidence of the declaration to the defendant. That advice was followed by the third and he
filed a complaint against the complainant.
11. Article 5(1)(b) of the GDPR provides for the purpose limitation principle, which requires that
personal data for specified, explicit and legitimate purposes
must be collected and then not further processed in any manner incompatible with those purposes
1
way to be processed. The complainant has provided her personal data in the context of
Article 5(1)(b) GDPR: Personal data must: for specified, explicit and legitimate purposes
collected and may not be further processed in a manner incompatible with those purposes; the further
processing for archiving purposes in the public interest, scientific or historical research or statistical purposes
shall not be considered incompatible with the original purposes in accordance with Article 89(1) ('purpose limitation'); interest,
scientific or historical research or statistical purposes shall not be regarded as incompatible in accordance with Article 89(1)
considered with the original purposes ("purpose limitation"); Decision on the merits 125/2021 - 4/7
a contractual relationship, in the confidence that the data will only be processed if
necessary part of that relationship. The Disputes Chamber is of the opinion that the defendant
passing on the complainant's personal data to a third party has acted contrary to
the principles of data processing . After all, it has, without a valid legal basis,
have passed on the personal data to a third party. That the third erroneously de
paid subscription fees for the complainant in no way justifies the transfer of the
personal data regarding the complainant to that third party. After all, the complainant has her personal data
provided for the implementation of the agreement between itself and the fitness club, with the sole purpose of
to use the sports facilities. It would have been in the way of the defendant
to remedy the administrative error by first contacting the complainant yourself and not
by passing on its personal data to the third party.
12. By acting in the manner described above, the defendant has obtained the personal data that
it has obtained in the context of the execution of the agreement, passed on and therefore
processed for purposes contrary to the original purpose in obtaining that
personal data, namely for the execution of the agreement. It is according to article 6 paragraph 4
GDPR is allowed in certain cases to process personal data that was initially
collected to process for one purpose, to process for other compatible
purposes (without requiring a separate legal basis). When determining
the foregoing takes into account: a relationship between the purposes for which the
personal data has been collected, and the purposes of the intended further processing; the
framework in which the personal data are collected and relationships between the data subjects and the
controller; the nature of the personal data; the consequences of the further
processing for the data subject; and the existence of appropriate safeguards. The Dispute Chamber is
is of the opinion that the assessment of the above elements does not give rise to
to assume that there was a further and compatible processing in accordance with Article 6
paragraph 4 GDPR. Nor can any relationship be established between the purposes for which the
data was collected and the purposes for further processing, nor can any other
lead can be found that could justify further processing.
Since this is therefore a processing incompatible with the original purposes,
In what follows, the Disputes Chamber will investigate whether there is possibly a separate legal basis
under which further processing would have been permitted. The only legal basis that
could still qualify for this in this case is a legitimate interest. After all, it stands
establish that the data subject has not given consent.
13. Legitimate interest is laid down in Article 6 (1) f) GDPR. The Dispute Room
will therefore check whether the further processing of the complainant's personal data in this case is possible Decision on the merits 125/2021 - 5/7
was lawful under the aforementioned provision.2 In order to be able to determine this, the
controller in accordance with the case law of the Court of Justice
show that:
1) the interests they pursue with the processing can be justified as legitimate
recognized (the “target test”)
2) the intended processing is necessary for the realization of those interests
(the “necessity test”)
3) balancing those interests against the interests, fundamental freedoms and
fundamental rights of data subjects weighs in favor of the
controllers or a third party (the “balancing test”).
14. First of all, the question is what interest and purpose the controller with the further
processing of the personal data (target test). Due to the personal data of
to pass on the complainant to a third party, the controller has complied with
the request of the third party who wanted to know whose place she had paid the subscription fees to
then ensure that that error could be corrected. The importance of the
controller was to be able to implement the change in membership in
the system so that from now on the payment would be made on behalf of the right person and the
customer could be retained. Customer retention can be classified as a
legitimate interest.
15. In order to comply with the second condition, it must be demonstrated that the processing
was necessary for the achievement of the objectives pursued
(necessity test). This means that the question must be asked whether
means the same result can be achieved without processing personal data or
without an unnecessarily drastic processing for those involved. The complainant's personal data
that have been passed on by the defendant to the third party as already indicated under
others the name, mobile phone number, e-mail address, date of birth as well as dates
of the last visits to the defendant's premises. The purpose that was pursued
was to identify the person on whose behalf the subscription fees were paid, rather
of their own. The Disputes Chamber establishes that it was by no means necessary to
personal data of the complainant (including the dates on which and the locations that the complainant
visited) to the third party, since the defendant could have contacted the
complainant. The second condition is therefore not met.
2Article 6 (1) f GDPR: Processing is only lawful insofar as it meets at least one of the following conditions
is satisfied: the processing is necessary for the representation of the legitimate interests of the controller
or of a third party, except where the interests or fundamental rights and freedoms of the data subject
protection of personal data outweigh those interests, in particular where the data subject is a child. Decision on the merits 125/2021 - 6/7
16. The third condition concerns the “balancing test” between the interests of the
controller on the one hand, and the fundamental freedoms and rights of
concerned, on the other. In accordance with Recital 47 GDPR, when determining this,
verify whether the “data subject at the time and in the context of the collection of the
personal data can reasonably expect that processing for that purpose can take place”
17. The foregoing is emphasized by the Court in its judgment “TKt v Asociaţia de Proprietari bloc
M5A-ScaraA” dated December 11, 2019, in which it states:
“Also relevant to this consideration are the person's reasonable expectations that his or her
personal data will not be processed when, in the given circumstances of the
case, the data subject cannot reasonably expect further processing of the data”.
18. The Disputes Chamber establishes that the complainant could not have expected that her
personal data, including data regarding her movements, would be passed on
may be passed on to a third party. The third condition is therefore not met. Given the
above, the Disputes Chamber determines that a legitimate interest is not a valid legal basis
was for the further processing of the complainant's data. Therefore, according to the
The Disputes Chamber determines that there has been an infringement of Articles 5, paragraph 1, b and 6
GDPR.
19. In view of the fact that this concerns a one-off unlawful processing, which may even be
attributable to human error, and given that measures have now been taken
taken that seem appropriate to prevent a recurrence, the Disputes Chamber decides that it is not
it is necessary in this case to impose a fine and that a simple reprimand is sufficient.
III.Publication of the decision
20. Given the importance of transparency in the decision-making of the
Litigation Chamber, this decision will be published on the website of the
Data Protection Authority. It is not necessary, however, that the identification data
of the parties be made public directly. Decision on the merits 125/2021 - 7/7
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- To reprimand the defendant pursuant to Article 100.1.5° of the WOG.
Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a
period of thirty days, from the notification, to the Marktenhof, with the
Data Protection Authority as Defendant.
(get). Hielke Hijmans
Chairman of the Disputes Chamber
