Rb. Gelderland - AWB - 20 68

From GDPRhub
Court: Rb. Gelderland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 4 GDPR; Article 5 GDPR; Article 6 GDPR; Article 11.7a Telecommunicatiewet
Decided: 16.05.2022
Published: 17.05.2022
Parties: Autoriteit Persoonsgegevens
National Case Number/Name: AWB - 20 _ 68
European Case Law Identifier: ECLI:NL:RBGEL:2022:2431
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: de Rechtspraak (in Dutch)
Initial Contributor: Eva Lu

Cinema only accepts debit card and iDeal payments for tickets and consumption. For this, personal data is processed. Claimant argues the GDPR is breached as there is no necessity for the cinema to do so. Court held that the appeal is unfounded.

English Summary

Facts

On 17 August 2018, the claimant submitted a request to the defendant to take enforcement action against the cinema (third party) on the basis of the GDPR, because the cinema no longer accepts cash payments. As a result, a cinema ticket can only be bought by debit card payment at the box office or through the cinema's website. Consumption can also no longer be paid for in cash. Personal data are processed both for these debit card payments and when visiting the cinema's website. The claimant believes that he should be able to attend arthouse films anonymously, so as to participate in society while maintaining his private life. According to the claimant, there is no necessity for the processing of personal data for debit card payments or for a visit to the website, and he believes this constitutes a violation of the GDPR.

On 16 April 2019, the Dutch DPA (hereinafter: the defendant) denied claimant’s request to take enforcement action (primary decision). The defendant also dismissed the claimant’s objection on 27 November 2019 (contested decision) as they believed that the GDPR had not been violated. The processing of personal data when purchasing a cinema ticket, both when paying with debit card at the box office and website, and when purchasing consumption, is necessary for the performance of a contract (Article 6 (1)(b) GDPR). The processing of personal data as a result of visiting the website is necessary for the care and improvement of the website (Article 6(1)(f) GDPR). According to the defendant, there is no reason for enforcement action.

Holding

The court assesses whether the defendant was able to conclude that the GDPR had not been violated by the cinema. If that is the case, the defendant would indeed not have the authority to take enforcement action. First, the court considers the appeal insofar as it is directed against the processing of personal data when paying by debit card for a cinema ticket or consumption, and by iDeal when purchasing a cinema ticket through the website. Secondly, the court assesses the appeal insofar as it is directed against the processing of personal data when visiting the cinema's website.

1. Debit card and iDeal transactions

i. Data processed

First of all, the court considered what data are processed in the case of a purchase. The processed data include the bank account number, the amount and the payment date. The cinema uses a Payment Service Provider (PSP) to process the financial transactions for debit card payments. The so-called PAN Masking technique is applied to the bank account number of the visitor. This technique is an international standard drawn up by the Payment Card Industry Security Standards Council (PCI SSC) to make financial transactions secure. With this, only the last four digits of the masked bank account numbers, together with the amounts and the dates on which payments were made, are visible to the cinema. When purchasing a cinema ticket through the website, payments can be made with iDeal. The cinema uses the payment processor Buckaroo, which applies PAN Masking as well. When purchasing via the website, the visitor's name, email address, telephone number, transaction data and IP address are processed.

ii. Contract

Secondly, the court finds that there is a contract. When purchasing a cinema ticket or consumption, a contract is established between the cinema and the visitor. The fact that the cinema is, as the claimant argues, a government-subsidised institution does not mean that no contract is formed for that reason.

iii. Assessment

The processing of personal data may be lawful if it is necessary for the performance of the contract. In this case, the question is whether the processing of personal data is necessary for the performance of a contract as referred to in Article 6(1)(b) GDPR to which the cinema visitor, or the visitor of the cinema's catering establishment, is a party. The court points out that this ground must be interpreted strictly and requires a well-defined purpose. The mere fact that the processing of data is covered by or related to a contract does not mean that such processing is necessary for the performance of the contract.

iv. Purpose

The court finds that the purpose of processing personal data when purchasing a ticket through the website, namely the correct delivery of the ticket, is legitimate. Moreover, the defendant was entitled to consider the safety of the cinema employees a legitimate purpose for the introduction of mandatory debit card payment. The court also finds that the absence of cash increases the safety of the employees on the cinema premises, so the mandatory debit card payment achieves the purpose for which it was introduced. Furthermore, the defendant was justified in treating the correct delivery of the ticket as a legitimate purpose for the processing of personal data when purchasing a cinema ticket through the website.

v. Necessity

The court finds the purpose of processing personal data clear and justified. The processing of personal data with a debit card payment is an inherent consequence of a debit card payment and is therefore necessary to achieve the specific purpose. With that, the debit card payment is part of the agreement. Moreover, with regard to a cinema ticket purchased via the website, the processing of personal data is necessary for a correct delivery. As a result, the court finds the defendant was right to base the processing of personal data on the performance of the contract that the cinema has with the visitor.

vi. Proportionality

The defendant could conclude that the purpose for which the personal data are processed by the cinema could not be achieved in another way that is less detrimental to the person involved. After all, allowing payment in cash for a ticket or consumption would interfere with the cinema's objective of ensuring the safety of its employees. In doing so, the defendant rightly considered it important that the processing of personal data when making a debit card payment at the cinema is limited to the data necessary for the purposes for which they are processed. Therefore, the minimum data processing requirement has been met. The cinema uses a PSP for debit card payments and applies the PAN Masking technique. Thus, the processing of personal data is limited.

The court is of opinion that the defendant was able to conclude that the processing of personal data when purchasing a cinema ticket via the website is limited to what is necessary for the purposes for which they are processed and that the requirement of minimum data processing has also been met. With this, the defendant rightly considered it important that the cinema uses payment processor Buckaroo, which applies PAN Masking to the bank account numbers. The defendant also took into account that the personal data is necessary for the delivery of the ticket. Personal data collected during purchasing via the website is deleted after the screening date, unless it concerns an account created by the visitor. Finally, the defendant also pointed out the possibility for the claimant to purchase a cinema ticket with a voucher purchased elsewhere with cash (which is thus anonymous). Based on the foregoing, the court finds the processing of personal data proportionate to the interests served.

2. Website visiting

When visiting the cinema website, the visitor's IP address is processed and functional and analytical cookies are placed. An IP address contains information regarding an identified or identifiable natural person, because with the IP address a computer can be identified, which makes it possible to identify a natural person. This makes the IP address personal data. The cinema is a data controller within the meaning of Article 4(7) GDPR.

Pursuant to Article 6(1)(f) GDPR, the processing of personal data is lawful only if and insofar as the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require protection of personal data override those interests. The court is of the opinion that the defendant was able to conclude that the cinema pursues a legitimate interest by processing the IP address of the website visitor.

The defendant points out that the processing of an IP address is inherent in visiting a website and that the cinema has taken measures to minimize undesirable consequences for the claimant as a website visitor. The cinema does not associate user IDs with IP addresses and has not allowed its sub-processors to use the masked IP addresses for their own services. Furthermore, the cinema informs users in its privacy statement that it uses Google Analytics (with privacy-friendly settings according to the DPA’s manual). Additionally, visitors are alerted to the use of functional and analytical cookies with their first visit. The use of other cookies (marketing and tracking) requires explicit permission from the visitor, which website visitors can grant or refuse by means of a pop-up.

The court finds that the defendant was able to conclude that the processing of personal data when visiting the website is necessary for the promotion of the interest of maintaining and improving the website. In doing so, the defendant rightly weighed the extent of the breach of the claimant's privacy against the interest of the cinema in processing personal data. The defendant was able to assume the position that the breach of the claimant's privacy is limited and that the purpose of maintaining and improving the website cannot be achieved in any other less detrimental way.

To conclude, for the above reasons the court finds that the claimant's appeal is unfounded.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

GELDERLAND COURT

Arnhem seat

Administrative law

case number: AWB 20/68

ruling of the single chamber of

in the case between

[claimant], at [place of residence], claimant,

and

the Dutch Data Protection Authority in The Hague, defendant.

(Agents: W. van Steenbergen and T.G.H. Spruyt)

The following took part in the proceedings as third parties: [Third Party 1] and [interested party] (hereinafter: [Third Party 1]), at [place of residence].

Process sequence

By decision of 16 April 2019 (the primary decision), the defendant rejected the claimant's request to take enforcement action against [Third Party 1].

By decision of 27 November 2019 (the contested decision), the defendant dismissed the claimant's objection.

The applicant appealed against the contested decision.

Defendant has filed a statement of defence.

The hearing took place on 8 February 2022. The claimant and the defendant's representatives participated via video link. The third parties were represented there by [Third Party 1].

Considerations

Introduction

1. On 17 August 2018, the claimant submitted a request to the defendant to take enforcement action against [Third Party 1] pursuant to the General Data Protection Regulation (EU) 2016/679 (hereinafter: the GDPR), because [Third Party 1] no longer accepts cash payments. As a result, the purchase of a cinema ticket is only possible by means of a debit card payment at the cash register or via the website of [Third Party 1]. Consumptions can no longer be paid for in cash. Personal data are processed for these debit card payments. Personal data are also processed when visiting the website of [Third Party 1]. The claimant believes that he should be able to visit the arthouse films that [Third Party 1] offers anonymously, in order to be able to participate in society while preserving his private life. According to the claimant, there is no need for the processing of personal data as a result of the debit card payments or a visit to the website, and according to him this is a violation of the GDPR.

1.1.

In the contested decision, the defendant - in summary - took the position that there was no violation of the GDPR by [Third Party 1]. The processing of personal data when purchasing a cinema ticket, both for debit card payments at the cash register and via the website, and when purchasing a drink in the catering facility, is necessary for the performance of an agreement (Article 6(1)(b) of the GDPR). The processing of personal data as a result of a visit to the website of [Third Party 1] is necessary for the provision and improvement of the website (Article 6(1)(f) of the GDPR). According to the defendant, there is no reason for enforcement action.

2. The court will assess whether the defendant was able to conclude that the GDPR is not being violated by [Third Party 1]. If that is the case, the defendant is not authorized to take enforcement action.

For the relevant legal provisions, the court refers to the appendix to this judgment.

The court will first of all assess the appeal insofar as it is directed against the processing of personal data for debit card payments for the purchase of a cinema ticket at the box office or for consumption in the catering facility, and for iDeal payments when purchasing a cinema ticket via the website of [Third Party 1] (debit card and iDeal payments). Thereafter, the court will assess the appeal insofar as it is directed against the processing of personal data when visiting the website of [Third Party 1] (visiting the website).

Judgment by the court

3. Debit card and iDeal payments

What data is processed?

3.1.

With a debit card payment for a cinema ticket at the cash register or a drink in the catering establishment, the bank account number of the visitor, the amount and the payment date are processed. Because [Third Party 1] uses a Payment Service Provider (PSP) to handle the financial transactions for debit card payments, the so-called PAN Masking technique is applied to the bank account number of the visitor. This technique is an international standard established by the Payment Card Industry Security Standards Council (PCI SSC) to securely conduct financial transactions. By applying this technique, only the last four digits of the masked bank account numbers, together with the amounts and the dates on which payment was made, are visible to [Third Party 1].

3.2.

When purchasing a cinema ticket via the website of [Third Party 1], payment can be made with iDeal. [Third party 1] uses payment processor Buckaroo, which applies PAN Masking to the bank account numbers. When purchasing via the website, the name, e-mail address, telephone number, transaction data and IP address of the visitor are processed.

Is there an agreement?

3.3.

The court is of the opinion that there is an agreement. When purchasing a cinema ticket at the box office or via the website and purchasing a drink in the catering establishment, an agreement is concluded between [Third Party 1] and the visitor. The fact that, as the claimant argues, [Third Party 1] is an institution subsidized by the government, does not mean that no agreement would therefore be concluded.

What is the assessment framework?

3.4.

The processing of personal data can be lawful if it is necessary for the performance of the agreement. For this assessment, the court uses the following assessment framework.[1]

It must first be assessed whether the purpose for which the personal data are processed is well-defined and explicitly described. It must also be assessed whether that purpose is actually achieved by the processing of the personal data at issue. If the processing of the personal data is necessary for achieving the specific purpose in this sense, it must then be assessed whether the invasion of privacy is proportionate to the interests served by the processing of the personal data. As the Administrative Jurisdiction Division of the Council of State ruled in its decision of 20 September 2017, ECLI:NL:RVS:2017:2555, it must be assessed in the light of the EU Charter whether the invasion of privacy is limited to what is strictly necessary to achieve the objective. In particular, it must be assessed whether the purpose for which the personal data are processed cannot reasonably be achieved in another way that is less detrimental to the persons involved in the processing of personal data. The intensity with which this must be done is partly determined by the specificity of the proposed alternatives. In other words, the more detailed the person concerned describes the alternative, the more searching the defendant's investigation must be.

With this assessment of the interests in the specific case, the GDPR is in accordance with Article 8 of the European Convention on Human Rights and Fundamental Freedoms (hereinafter: ECHR). A separate assessment against this article can therefore be omitted.

3.5.

In this case, the question is whether the processing of personal data is necessary for the performance of an agreement as referred to in Article 6(1), opening words and under (b), of the GDPR, to which the cinema visitor or the visitor to the catering establishment of [Third Party 1] is a party. As stated in Opinion 06/2014 of the former Article 29 Working Party and in Guidelines 2/2019 of the European Data Protection Board, Article 7(b) of the Privacy Directive, the predecessor of this provision of the GDPR, must be interpreted strictly. The mere fact that the processing of data falls under or is related to an agreement does not mean that this processing is necessary for the performance of the agreement. Article 7(b) of the Privacy Directive is virtually identical to Article 6(1)(b) of the GDPR. What is stated in the Opinion and the Guidelines is therefore also relevant to the interpretation of the GDPR.

What is the purpose of the processing?

3.6.

The purpose of the processing of personal data is to increase the safety of the employees, mainly volunteers, of [Third Party 1]. Since the move to the new location in 2018, [Third Party 1] no longer accepts cash payments. [Third Party 1] wants, out of its duty of care for its employees, to protect their safety as well as possible and has therefore opted to work exclusively with debit card payments. [Third Party 1] assumes that the absence of cash will make it less attractive to potential robbers. It is stated on the website and at the entrance of [Third Party 1] that only debit card payments are accepted. At the hearing, it was explained on behalf of [Third Party 1] that money was stolen from the cash register twice in its former premises and that [Third Party 1] wants to protect its employees as much as possible and not expose them to the risk of a robbery.

The purpose of the processing of personal data when purchasing a cinema ticket via the website is the correct delivery of the cinema ticket.

Is the purpose justified and can the purpose be achieved with the processing in question?

3.7.

The court is of the opinion that the defendant was entitled to consider the safety of the employees of [Third Party 1] a legitimate aim for the introduction of the mandatory debit card payment and the abolition of the option to pay with cash.

The court is also of the opinion that the absence of cash increases the safety of the employees in the premises of [Third Party 1]. With the mandatory debit card payment, the goal, for which the obligation to pay by debit card applies, is thus achieved.

The defendant could also consider the correct delivery of the cinema ticket a legitimate purpose for the processing of personal data when purchasing a cinema ticket via the website of [Third Party 1].

Is the processing necessary for the execution of the agreement?

3.8.

As noted above, the purpose of the processing of personal data is clear and justified. The processing of personal data for a debit card payment is an inherent consequence of a debit card payment and is therefore necessary for achieving the specific purpose. The debit card payment is therefore part of the agreement. Also with regard to a cinema ticket purchased via the website, the processing of personal data is necessary for the correct delivery of the ticket.

The court is therefore of the opinion that the defendant has rightly based the legal basis for the processing of personal data (when purchasing a cinema ticket at the box office or via the website, and drinks in the catering facility) on the performance of the (purchase) agreement that [Third Party 1] has with the visitor.

Is the processing proportionate?

3.9.

Respondent was able to take the position that the purpose for which the personal data are processed by [Third Party 1] cannot reasonably be achieved in a different way that is less detrimental to the person involved in the processing of the personal data. After all, allowing payment of a cinema ticket or consumption in cash would be detrimental to the objective of [Third Party 1] to guarantee the safety of its employees as much as possible.

The defendant rightly considered it important that the processing of personal data with a debit card payment at [Third Party 1] is limited to what is necessary for the purposes for which they are processed and that the requirement of minimum data processing is met. [Third party 1] uses a PSP for debit card payments and by applying the PAN Masking technique, only the last four digits of the masked bank account numbers, together with the amounts and the dates on which the payment was made, are visible. This limits the processing of personal data.

In the opinion of the court, the defendant was also able to take the position that the processing of personal data when purchasing a cinema ticket via the website is limited to what is necessary for the purposes for which they are processed and that the requirement of minimum data processing is also met. The defendant rightly considered it important that [Third Party 1] uses the payment processor Buckaroo, which applies PAN Masking to the bank account numbers. The defendant was also able to take into account that the personal data are necessary for the correct delivery of the cinema ticket and that the personal data collected when purchasing a ticket via the website will be deleted after the screening date, unless an account has been created by the visitor.

Finally, the defendant was able to point to the possibility for the claimant to buy a cinema ticket with a cinema voucher purchased elsewhere with cash. This means that it remains possible to buy a ticket for [Third Party 1] without personal data being processed.

On the basis of the foregoing, the court is of the opinion that the processing of personal data is proportionate to the interests served by the processing of the personal data.

4. Visiting the website

4.1.

When visiting the website of [Third Party 1], the IP address of the visitor is processed and functional and analytical cookies are placed. An IP address contains information relating to an identified or identifiable natural person, because the IP address can be used to identify a computer, on the basis of which it is possible to identify a natural person. The IP address is therefore personal data. [Third party 1] is the controller within the meaning of Article 4(7) of the GDPR.

4.2.

Pursuant to Article 6(1)(f) of the GDPR, the processing of personal data is only lawful if and to the extent that the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except when the interests or the fundamental rights and freedoms of the data subject which require the protection of personal data override those interests, in particular where the data subject is a child.

4.3.

In the opinion of the court, the respondent was able to take the position that [Third Party 1] pursues a legitimate interest in processing the IP address of the visitor to the website (and the placement of functional and analytical cookies). This interest concerns the maintenance and improvement of the website.

4.4.

The defendant points out that processing an IP address is inherent to visiting a website (the IP address tells a web server where the requested information should be sent) and that [Third Party 1] has taken precautions to minimise undesired consequences for the claimant as a visitor to the website. [Third Party 1] has applied steps 1 to 4 of the defendant's manual, on the basis of which Google Analytics can be set up in a privacy-friendly manner. For example, [Third Party 1] has concluded a processing agreement with its sub-processor Google via Eagerly, which provides that the last octet of the IP address is masked. [Third Party 1] does not associate user IDs with IP addresses and has not allowed its sub-processors to use the masked IP addresses for their own services. [Third Party 1] also informs users in its privacy statement that it uses Google Analytics and has applied steps 1 to 4. In addition, visitors are made aware of the use of functional and analytical cookies on their first visit. The use of other cookies (marketing and tracking) requires explicit permission from the visitor, which visitors to the website can grant or refuse by means of a so-called pop-up.
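The two data-minimisation measures the court relies on, PAN Masking at the payment processor (paragraphs 3.1 and 3.9, where only the last four digits, amount and date reach the cinema) and masking of the last octet of the visitor's IP address (paragraph 4.4), are illustrated below in an added example. This is not code from the court, the DPA, the cinema or any of the processors named in the judgment. It assumes that the "bank account number" in the judgment is the card's Primary Account Number (PAN), that the IP masking follows the common analytics convention of zeroing the last IPv4 octet (and the last 80 bits of an IPv6 address), and it uses a constructed sample transaction with the well-known test card number 4111 1111 1111 1111. The Luhn-based scan at the end is a defender's check that an unmasked PAN has not leaked into a merchant-side record.

```python
import ipaddress
import re

# Constructed sample transaction as the PSP would see it before masking
# (test card number, not a real account; amount and date are made up).
SAMPLE_TRANSACTION = {
    "pan": "4111 1111 1111 1111",
    "amount_eur": "9.50",
    "paid_on": "2022-02-08",
}


def mask_pan(pan: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Replace all but the last `keep_last` digits of a PAN.

    Spaces and dashes are stripped first so only digits count; the result
    carries no formatting, just the masked digit string.
    """
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or len(digits) <= keep_last:
        raise ValueError("not a PAN of sufficient length")
    return mask_char * (len(digits) - keep_last) + digits[-keep_last:]


def mask_ip(ip: str) -> str:
    """Zero the host part of an IP address.

    IPv4: last octet set to zero (the "last octet masked" setting in the
    judgment). IPv6: last 80 bits set to zero, the usual analytics
    convention (assumption, see lead-in).
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def psp_to_merchant(transaction: dict) -> dict:
    """Return only what the merchant (cinema) may see after PAN Masking:
    the masked number, the amount and the payment date."""
    return {
        "pan_masked": mask_pan(transaction["pan"]),
        "amount_eur": transaction["amount_eur"],
        "paid_on": transaction["paid_on"],
    }


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(text: str) -> list:
    """Detection check: digit runs of card-number length that pass Luhn.

    Run this over merchant-side logs or exports; a hit means a full PAN
    reached the merchant, i.e. the masking step was bypassed.
    """
    candidates = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [c for c in candidates if luhn_valid(c)]


if __name__ == "__main__":
    record = psp_to_merchant(SAMPLE_TRANSACTION)
    print("merchant record:", record)
    print("masked IPv4:", mask_ip("203.0.113.77"))
    print("masked IPv6:", mask_ip("2001:db8:abcd:1234:5678:9abc:def0:1"))
    print("PAN leak in record:", find_unmasked_pans(str(record)))
```

Note that `mask_pan` is deliberately one-way: the merchant record keeps no key, token or reference from which the full number could be recovered, which is what lets the cinema argue (paragraph 3.9) that its processing is limited to the last four digits, the amount and the date.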

4.5.

In the opinion of the court, the respondent was able to take the position that the processing of personal data when visiting the website is necessary for the protection of the interests of maintaining and improving the website. In doing so, the defendant rightly weighed the scope of the infringement of the plaintiff's privacy against the interest of [Third Party 1] in the processing of the personal data. Defendant has been able to take the position that the infringement of the plaintiff's privacy is limited and that the purpose of maintaining and improving the website cannot be achieved in a less disadvantageous way.

Conclusion

5. It follows from the above that the grounds of appeal of the applicant against the defendant's position in the contested decision are ineffective. The appeal is unfounded. There is no reason for an order to pay costs.

Decision

The court:

declares the appeal unfounded.

This judgment was given by mr. G.H.W. Bodt, presiding judge, mr. S.A. van Hoof and mr. M. Ichoh, judges, in the presence of R. van Diest, registrar.

The decision was pronounced in public on: .

clerk

chair

Copy sent to parties on:

Remedy

An appeal can be lodged against this decision with the Administrative Jurisdiction Division of the Council of State within six weeks of the date on which it was sent. If an appeal has been lodged, a request can be made to the preliminary relief judge of the appeal court to make a provisional injunction or to cancel or amend a provisional injunction made by this decision.

Appendix.

Legal framework.

General Data Protection Regulation.

Recital, recital 39

(...) Personal data may only be processed if the purpose of the processing cannot reasonably be achieved in any other way. (...)

Article 4 Definitions.

For the purposes of this Regulation:

1) 'personal data' means any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more elements specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;

2) "processing" means any operation or set of operations performed on personal data or on a set of personal data, whether or not by automated means, such as collecting, recording, organising, structuring, storing, updating or modifying, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying data;

(...)

5) "pseudonymisation" means the processing of personal data in such a way that the personal data can no longer be linked to a specific data subject without the use of additional data, provided that such additional data are kept separately and technical and organisational measures are taken to ensure that the personal data are not linked to an identified or identifiable natural person;

(...)

7) "controller" means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller, or the criteria according to which it is designated, may be provided for by that law;

(...)

Article 5, Principles regarding the processing of personal data:

1. Personal data must:

a) processed in a manner that is lawful, fair and transparent towards the data subject ("lawfulness, fairness and transparency");

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) ("purpose limitation");

(c) adequate, relevant and limited to what is necessary for the purposes for which they are processed ('minimum data processing');

d) […].

2. The controller is responsible for and can demonstrate compliance with paragraph 1 ("accountability").

Article 6, Lawfulness of processing

1. Processing is only lawful if and insofar as at least one of the following conditions is met:

a) the data subject has consented to the processing of his/her personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;

c) the processing is necessary for compliance with a legal obligation to which the controller is subject;

d) the processing is necessary to protect the vital interests of the data subject or of another natural person;

e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the controller;

f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular when the person concerned is a child. Point f of the first subparagraph shall not apply to processing by public authorities in the performance of their duties.

2. […].

Telecommunications Act.

Article 11.7a

1. Without prejudice to the General Data Protection Regulation, storing information in, or gaining access to information stored in, a user's terminal equipment via an electronic communications network is only permitted on the condition that the user concerned:

a. is provided with clear and complete information in accordance with the General Data Protection Regulation, in any case about the purposes for which this information is used, and

b. has given permission for this.

(...)

3. The provisions of the first paragraph do not apply if it concerns storage or access:

(...)

b. which is strictly necessary to provide the information society service requested by the subscriber or user or – provided this has no or minor consequences for the privacy of the subscriber or user concerned – to obtain information about the quality or effectiveness of a delivered service of the information society.

[1] See, inter alia, the decision of the Administrative Jurisdiction Division of the Council of State of 10 November 2021, ECLI:NL:RVS:2021:2511.