AP (The Netherlands) - z2023-00037
From GDPRhub
| AP - z2023-00037 | |
|---|---|
 | |
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(e) GDPR Article 14 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 30,000 EUR |
| Parties: | Municipality of Voorschoten |
| National Case Number/Name: | z2023-00037 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | AP (in NL) |
| Initial Contributor: | n/a |
The Dutch DPA fined the Municipality of Voorschoten € 30,000 for unlawfully tracking its residents’ waste consumption data through waste collection bins equipped with tracking chips.
English Summary
Facts
In 2019, the Municipality of Voorschoten (the controller) implemented a new waste collection policy aimed at reducing residential waste. As part of this policy, the Municipality replaced residential waste disposal bins with new bins which contained a chip with a unique number. This chip was linked to residents’ addresses, therefore, residents were directly identifiable. The Municipality fitted its waste collection trucks with a reader that identified the chip number. When the trucks collected waste, the truck identified the chip and collected data related to the chip number, its associated addresses, the date and time of waste collection, the location of waste collection and the type of waste collected. In 2019, the Municipality notified residents of the bin replacement via letter, but did not inform them of the chip or of the data collected. On 9 March 2019, a resident of the Municipality filed a complaint with the Dutch DPA against the updated collection system. As a result, the investigative department of the DPA opened an investigation against the Municipality. The findings of this investigation were sent to the Dutch DPA on 13 March 2023.
Holding
The Dutch DPA held that the Municipality had violated Articles 5(1)(a), 6 and 14 GDPR. Firstly, the DPA found a violation of the principles of lawfulness and transparency under Article 5(1)(a) GDPR, as the Municipality failed to inform its residents of the data processing and it used an invalid legal basis to do so. Secondly, the DPA held that the Municipality was in violation of Article 6 GDPR and Article 5(1)(a) GDPR (lawfulness) as it lacked a legal basis for processing. The Municipality sought to rely on Article 6(1)(e) GDPR (public necessity) for processing. However, the DPA held that the processing did not meet the necessity test established under Article 6(1)(e) GDPR, because less invasive means could be adopted to fulfil the objective of reducing residential waste, which did not include the tracking of each household’s waste consumption. Lastly, the DPA found a violation of Article 14 GDPR for not informing the residents of the Municipality’s data processing activities. The letter which the Municipality sent to residents regarding the replacement of the bins made no mention of the data processing generally, and more specifically made no mention of the categories of data processed, the purpose of processing, or the legal basis relied upon for processing. As a result of the violations, the DPA imposed a fine of € 30,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1
Personal Data Authority
P.O. Box 93374, 2509 AJ The Hague
Hoge Nieuwstraat 8, 2514 EL The Hague
T 070 8888 500 - F 070 8888 501
autoriteitpersoonsgegevens.nl
Municipality of Voorschoten
Attn: The Municipal Executive
P.O. Box 393
2250 AJ VOORSCHOTEN
Date
2 November 2023
Our reference
z2023-00037
Contact person
[CONFIDENTIAL]
Subject
Decision to impose an administrative fine
Dear College,
The Primary Investigation Department of the Authority for Personal Data (hereinafter: AP) has, following
of an enforcement request, investigated the processing of personal data by the
college of the mayor and aldermen of the municipality of Voorschoten (hereinafter: the college) in the context
the implementation of the waste collection policy in the municipality. The findings of the investigation are
recorded in an investigation report, which was sent to the college on 13 March 2023.
In the decision now before us, the AP finds that the college, without an adequate basis and therefore
unlawfully processed personal data relating to the so-called landfill history of
residents of the municipality of Voorschoten. The AP further finds that the college did not correctly inform the residents of the
municipality of Voorschoten did not correctly inform the personal data processed in this regard,
the purpose and basis of the processing. As a result, the college was in breach of Articles 5,
first paragraph, opening words and under a, read in conjunction with Article 6, first paragraph, opening words and under e and Article 14,
first paragraph, opening words and points c and d, of the General Data Protection Regulation (hereinafter: AVG).
With this decision, the AP imposes an administrative fine of €30,000 on the college. The following is a discussion
(1) the procedure, (2) the college's views on the investigation findings, (3) the assessment and
(4) the decision to impose the administrative fine. Finally, it states what an interested party can
do if they do not agree with this decision.
Date
2 November 2023
Our reference
z2023-00037
2/14
1. Investigation and findings
On 9 March 2019, the AP received an enforcement request from a resident of the municipality of
Voorschoten. On 18 October 2020, it became clear that the resident was not only acting on his own behalf
but also on behalf of another resident of the municipality. The residents are referred to in this decision together and in
singularly referred to as "complainant". The complainant's request relates to the processing of
personal data in waste collection in the municipality of Voorschoten. In response, the
Primary Investigation Department of the AP conducted an investigation and recorded its findings in an
investigation report dated 22 December 2022. The report revealed the following facts.
On 29 March 2016, the municipal council of the municipality of Voorschoten adopted the Waste Policy Plan 2016-2020.
adopted. According to the Waste Policy Plan, the municipality aims to reduce the amount of
residual waste. In addition, better separation of waste streams should result in more raw materials
can be reused. The municipality does not apply a system of differentiated tariffs (diftar),
whereby each household is charged on the basis of the actual use of the waste facilities.
waste facilities. Nor are there any plans to introduce a diftar system.
The Waste Policy Plan distinguishes between single-family houses or ground-level
houses (hereafter: low-rise) and flats (hereafter: high-rise) on the other. Residents of low-rise buildings
use grey residual waste containers (wheelie bins) that are periodically emptied by a
rubbish truck. Residents of high-rise buildings use underground residual waste containers at the
street. To implement the Waste Policy Plan, the college has - as far as relevant here - taken the following
two measures:
1) Low-rise buildings
In March 2019, all grey residual waste containers (wheelie bins) in the municipality were replaced with new
containers with a chip. This chip contains a unique number. The number of containers in the municipality has been
reduced as each household (residential address) has only one container since then. The
new container has been provided with a barcode sticker with the container's
address, but this sticker has no further function and can be removed without consequences.
The rubbish truck is equipped with a reader that can read the chip number. If there is recognition
is present, the container is emptied. The municipality then stores data in an IT system of the
collection service of the municipality. This includes the chip number, associated address, date
and time of emptying, location data of emptying and type of waste. Subsequently, the container cannot be
weeks because the rubbish truck will not accept the container again.
The data was kept in the IT system as long as the container is in use and the data
were erased from the system when the container was replaced.
Low-rise residents were informed by letter about the container replacement, but
the letter did not specify what personal data would be processed by means of the chip in the new containers
would be processed, the purpose of such processing and its basis.
Date
2 November 2023
Our reference
z2023-00037
3/14
2) High-rise buildings
At the end of 2018, the above-ground shared containers were replaced by underground containers.
These containers can only be opened with a token, which like the residual waste containers
for low-rise buildings contain a chip with a unique number. For each underground container, it can be
which tokens have access to the container. A token can be used to open a container five times a day.
container can be opened five times a day, after which access to the container is denied.
After the container is opened with a token, the municipality stores data in an IT system of
the municipality. This includes token number, address details, date and time of deposit
location details and type of waste. This data was kept in the IT system for five years.
The residents of the high-rise buildings were informed by letter about the new containers with token,
but the letter did not state what personal data would be processed with the token, what
purpose of such processing and the basis for it.
The investigation report concluded that the college, as the data controller, was
processes personal data of residents for household waste collection. The
report addressed whether the college could rely on the basis it invoked
"necessity for the performance of a task in the public interest" (Article 6(1), introductory phrase and point e,
of the AVG).
In the context of low-rise buildings, the investigation report held that the brief processing of
personal data via the chip reader on the rubbish truck is necessary for the performance of the task of
the college. After all, it needs to be verified that it is a council-issued
container and that it has not been emptied recently. This only applies insofar and for as long as this is necessary to
empty and temporarily block the grey container. However, it is not necessary to store
record which container (chip number and address) was presented with waste and when (date and time).
presented. This would only be different if this so-called "tipping data" were used for a
diftar system, but the municipality of Voorschoten does not do that.
In the context of high-rise buildings, it was similarly held that it is necessary for the duty of
the college to check whether a token provides access to the waste container and whether the maximum number of
deposits per day is not exceeded. Again, however, it is NOT necessary to
keep records of which token (token number and address), when (date and time), where
(container location data) which type of waste was offered. This would only be different if the
tipping data are used for a diftar system, but as mentioned, the municipality of Voorschoten does
does not.
As there is no need for the long-term processing of the landfill data, such processing cannot
be based on the basis of necessity for a task of public interest. The processing is therefore
Date
2 November 2023
Our reference
z2023-00037
4/14
unlawful to that extent (Article 5(1)(a) read in conjunction with Article 6,
first paragraph (e) of the AVG).
The investigation report also concluded that the college had not
correctly informed about the personal data processed via the chip in the container
respectively token for the underground container, the purpose and basis of such processing.
In doing so, the college violated its duty to inform (Article 5, first paragraph, opening words and under a,
read in conjunction with Article 14, first paragraph, opening words and points (c) and (d) of the AVG).
2. The college's views on the report
The AP sent the investigation report and its underlying documents to the college
sent. In doing so, the AP expressed its intention to take remedial action to end the excessive
storage of landfill data, to destroy the data already stored and to inform the residents correctly.
still be properly informed. In addition, the AP expressed its intention to impose an administrative fine.
The college took the opportunity to submit a view by letter dated 28 March 2023.
A meeting with representatives of the college took place on 24 May 2023. In the
view and during the interview, the following was expressed on behalf of the college with regard to the investigation report
following was put forward. Insofar as the view relates to the measures to be imposed,
these are discussed in section 4 of this decision.
2.1. Regarding processing responsibility, processing and facts
The College first of all endorsed that it is the controller for the processing
of personal data taking place in the context of the Waste Policy Plan, as defined in
the investigation report. The college further endorsed the facts as set out in the report.
2.2. Regarding the need for grey containers
The college has explained that the primary objective of the Waste Policy Plan is to initiate a transition
in which waste is increasingly converted into a raw material. By increasing the percentage of separated
waste, the aim is that by 2030 only raw materials will be collected and therefore no
residual waste. To achieve this, waste separation must be encouraged.
Stricter management with regard to aboveground containers (wheelie bins) and underground containers is
one of the means to that end. By linking the grey containers to an address, it is possible to prevent
prevent residents from mistakenly reporting their grey container as missing and after receiving a
new container can offer two containers from now on. If a container with a chip is reported missing
is reported missing and not found within two weeks, linking it to the address will allow
the old chip number can be blocked. The old container can then no longer be emptied and
be replaced by a container with a different chip number. It was stated on behalf of the college that in
Date
2 November 2023
Our reference
z2023-00037
5/14
the past, 300 containers had to be replaced in one year. In February 2023, 30
containers reported missing, and 29 returned to the municipality because the missing
containers were not emptied and were abandoned. It follows that the deployment of the chip is effective.
In addition, thanks to the chip, a container can only be emptied once every fortnight. After emptying,
the chip blocked for a fortnight. In the conversation on 24 May 2023, the college explained that the
rubbish truck drives daily and that the collection day varies per neighbourhood. Without a chip and blocking of the
container, residents of the border areas of a neighbourhood, in particular, might offer their residual waste more frequently
offer their residual waste more often than once every fortnight.
These two points (limiting the number of containers and the collection frequency) lead to a maximum
amount of residual waste collected from residents. This aims to provide a positive incentive
to separate more waste so that it does not have to be offered as residual waste. It is
necessary to keep landfill records, the college said.
The college further points out that a resident can complain to the college because the grey
container is no longer functioning properly, it has not been emptied or has gone missing. In doing so, it may
relevant to investigate when waste was last presented. Around
2,000 containers emptied, resulting in several dozen reports per week.
On 24 May 2023, the college promised the AP to set the retention period of landfill data for the grey
containers to 14 days, instead of keeping them as long as the container is in use.
2.3. Regarding necessity in the case of underground containers
By regulating access to underground containers with a token, first of all, the amount of
residual waste for residents of high-rise buildings is reduced. It also prevents residents who have a grey
container can also deposit waste in the underground containers. This would reduce the effect of
of the stricter management of grey containers. Furthermore, regulating access
prevents residents of other municipalities from improperly using the underground
containers. The college further points to the management of tokens. There is a strict policy that per household
only one token is issued per household. In addition, the token can open a container for
residual waste can be opened. This requires the deposit data to be kept for at least 24 hours.
Also with regard to the tokens, a resident can file a complaint. This is because it sometimes
that an underground container or token does not function properly. Also to deal with these complaints
complaints, it is necessary to consult the deposit history. This may show whether the token has
has been presented recently and has therefore broken down (in which case the token will be replaced free of charge) or
has not been presented for some time (which is an indication that the token has been lost, in which case the resident
should pay for replacement).
Date
2 November 2023
Our reference
z2023-00037
6/14
On 24 May 2023, the college promised the AP to set the retention period of landfill records for
underground waste containers to 14 days, instead of five years.
2.4. Regarding the provision of information
The college agrees with the finding in the investigation report that the provision of information to the
residents does not meet the requirements of the AVG. Nevertheless, according to the college, it should be
noted that the college has tried to inform residents appropriately. In letters
dated 5 and 22 March 2019, the college tried to clarify the purpose for which the containers were
replaced. For instance, it was mentioned that the containers will be fitted with chips for the purpose of managing the
containers so as to be in line with the objective of increased waste separation as described in
the Waste Policy Plan. It was then explained that the chips will be linked to the residential address, after which
even the specific method by which the chip is used to achieve better management of
waste collection. For instance, it is explained that the collection vehicle scans the chip and then
stores that the container has been emptied. According to the college, it at least partially explains for what
purpose the personal data is being processed.
On the other hand, the college recognises that the provision of information about the containers for the
high-rise buildings has fallen short. The letter dated 30 November 2018 was also not sufficiently
clear to give residents a proper picture of the processing of personal data under
of the waste policy.
3. Assessment
3.1. Controller and processing of personal data
As established in sections 3.1, 3.2 and 3.3 of the investigation report, and endorsed by the college
endorsed, the Municipal Executive, as data controller for the collection of residual waste, processes
personal data of residents of Voorschoten municipality. These include the chip number of
the container or token, the associated address details, date and time of emptying the container or opening the underground container.
container or opening the underground container, location details and type of waste. This data
are linked to an address via the chip number and make the residents concerned directly or indirectly identifiable.
identifiable.
3.2. Violation 1: processing personal data without a basis
Under the AVG, personal data must be processed in a way that, in relation to the
data subject is lawful, inter alia (Article 5(1), introductory sentence and (a)). The processing is only
lawful if and to the extent that at least one of the conditions ("foundations") is met
listed in Article 6, first paragraph.
Date
2 November 2023
Our reference
z2023-00037
7/14
For the processing operations at issue, the College has taken the view that they are based
on the basis that the processing operations are necessary for the performance of a task carried out in the public interest
interest (Article 6(1)(e) of the AVG). Therefore, successively
address the existence of a public task and the need to process personal data for that purpose.
processing.
3.2.1. Public task
As mentioned in the investigation report, it follows from Article 10.21 and onwards of the Environmental Management Act that on
the municipal council and the municipal executive have a public duty to ensure the collection of household waste at least once a
weekly collection of household waste. The municipal council has the power to adopt a
waste ordinance, which the council of the municipality of Voorschoten has done. In doing so
the municipal council has scope to adopt an environmental policy plan pursuant to section 10.23,
second paragraph, read in conjunction with Section 4.6 of the Environmental Management Act. In
the waste ordinance entrusted the college with the collection of household waste. From this
follows that the college has a public interest task with regard to the collection of
household waste.
As the Administrative Law Division of the Council of State (hereinafter: the Division) ruled in
its ruling of 30 June 2021 (ECLI:NL:RVS:2021:1420), the municipal government is allowed a certain amount of leeway in fulfilling
of that task a certain amount of leeway. The council is implementing the policy laid down in the Waste Policy Plan
2016-2020. Part of this is that the council is committed to reducing facilities for residual waste
to encourage waste separation.
3.2.2. Necessity to process personal data
The necessity requirement entails that the processing of personal data must be proportionate and
must be subsidiary. In its judgment of 30 June 2021 (as cited), the Division considered that
in order to assess necessity, it must first be ascertained whether the purpose for which the
personal data is processed is well-defined and explicitly defined. Furthermore, it must be
determine whether that purpose can be achieved with the processing. In doing so, the purpose must fit within the task
of public interest. Next, it must be assessed whether the invasion of privacy is proportionate to the
interests served by the processing. In particular, it must be assessed whether the purpose cannot be
achieved in another way less prejudicial to the individuals concerned. The more detailed a
possible data subject describes an alternative, the more intrusive the AP's investigation should be. The
Division further considered that the risk of abuse of the system relates to the security of the
processing and is not relevant to determining its lawfulness.
Section 3.2.1 of this decision discussed the public interest task and the college's scope
to make policy in doing so. In view of the provisions of the Environmental Management Act and the adopted
Waste Policy Plan, considers that the purpose for which the personal data are processed - the
reducing the amount of residual waste by regulating the volume of that waste stream - in this case
Date
2 November 2023
Our reference
z2023-00037
8/14
well-defined and explicitly defined. The AP also notes that the purpose can be achieved by
processing personal data. The address-related numbers in the chip in the grey containers and
tokens indeed play a key role in limiting the amount of residual waste a household can
offer. Furthermore, the purpose of the processing fits within the public task, described in section 3.2.1.
It must then be considered whether the invasion of privacy is proportionate to the interests served, notably
particular by considering whether the purpose can be achieved in a less detrimental way. In the application for
enforcement, the complainant raised the possibility of anonymous chips. The link to an address is
however, necessary to manage (issue and block) the chips and thus achieve the objective.
Indeed, without this link, it is not possible to prevent a household from having multiple
containers and/or tokens, or from ending up with a company or resident in another municipality. This
would actually undermine its use and purpose. The fact that the green GFT container and blue
paper container are not equipped with a chip, is not an indication of the lack of need to
to process personal data to achieve the purpose regarding residual waste. Those containers - and
the so-called environmental parks in the municipality - are after all intended precisely for separated waste streams
and not for residual waste.
As stated in the investigation report, the AP considers that the processing of personal data is in
proportionate to the purpose to be served. Using a chip and storing data to
be able to check whether a container has been emptied in the past two weeks is necessary for that purpose.
Likewise, it is necessary for that purpose to record data for container management,
such as which address a container belongs to (chip number) and whether it is missing. A longer processing
of landfill data beyond the stated period of two weeks does not further contribute to the above
stated purpose and is therefore disproportionate.
The same applies to the token for underground waste containers. The use of a chip and the storage
of data is necessary to monitor whether the daily maximum number of deposits is not
is exceeded. Also with the token, it is necessary for its management to have some time to
be able to look back, so that the operation of a token can be checked if a resident reports a
malfunction is reported. It can be assumed that every household offers residual waste at least once a fortnight
offers, so no further than that need be looked back to see if the token worked recently.
Again, longer processing than this fortnight does not further contribute to the stated
purpose, and is therefore not proportionate.
3.2.3. Conclusion
The college retained the deposit data of grey containers for as long as the container was in use, and the
deposit records of tokens for five years. This far exceeds the two-week time limit.
For the period exceeded, there is no need to process personal data
processing as part of the public interest task. It is therefore concluded that this processing in
so far does not meet the requirements of Article 6(1)(e) of the AVG and is therefore
unlawful.
Date
2 November 2023
Our reference
z2023-00037
9/14
The college stated that the retention period had been adjusted and the stored landfill data in July 2023
have been deleted to the extent that they were older than two weeks. A supervisor from the AP inspected on
2 October 2023 accessed the systems and found that no landfill data was present
that exceeded the 14-day retention period. In view of the above, it is established that the college
in the period from the end of 2018 (high-rise) and March 2019 (low-rise) respectively until July 2023 was in breach
was in breach of Article 5(1)(a), read in conjunction with Article 6(1)(a) and (e) of the AVG.
(e) of the AVG.
3.3. Breach 2: failure to properly inform data subjects about the processing of personal data
Under the AVG, personal data must be processed in a way that is transparent towards the
data subject is, inter alia, transparent (Article 5(1), introductory phrase and (a)). The information the
controller must provide to data subjects about personal data not obtained from
obtained from the data subjects is named in Article 14 of the AVG. These include the
processing purpose and the legal basis of the processing (first paragraph, introductory phrase and point (c)) and the
categories of personal data (first paragraph, introductory sentence and point (d)).
As stated in the investigation report, the college has written to the residents of the municipality
informed about the replacement of grey containers and above-ground containers. To this end,
the college sent letters on 30 November 2018 (high-rise buildings), 5 March 2019 and 22 March 2019
(low-rise buildings). However, these letters are mainly about the actual course of action regarding the replacement
of the grey containers and underground containers, and make no or insufficient mention of any
of the processing of personal data of data subjects. As mentioned in the investigation report, the
the letters do not state which categories of personal data are processed via the chip in the
container and the token for the underground container respectively, the purpose and basis of such
processing. The college endorsed this observation in the view.
The college by letter dated September 1, 2023 (according to the college sent on
22 September 2023) again informed about the processing of personal data in connection with the
collection of residual waste. This letter does contain all the required information. This means that the breach has
ended.
In view of the above, it is established that in the period from the end of 2018 (high-rise buildings)
March 2019 (low-rise buildings) until 22 September 2023, respectively, the Municipal Executive violated the obligation to provide information.
Thereby, the college was in violation of Article 5, paragraph 1, opening words and under a, read in conjunction
with Article 14(1)(c) and (d) of the AVG.
Date
2 November 2023
Our reference
z2023-00037
10/14
4. Administrative fine
4.1. Views of the college
As mentioned in paragraph 2 of this decision, the College's view also addressed the imposition
of a remedial measure and/or administrative fine. Thus, the college argues that the imposition of a
remedial measure is not necessary. The processing described in the investigation report is discontinued by the college
ceased insofar as it is not necessary for the implementation of the waste policy. As mentioned above,
the retention period has since been set at 14 days and the older data has been deleted.
In addition, the college has re-notified the residents of the municipality in the manner as per the
investigation report should have been.
The college further argues that it cannot agree to impose an administrative fine.
First of all, it concerns personal data with a rather low risk level. After all, it concerns
address details of residents, which could only be obtained by enriching them with data from the Basic Registration of Persons (hereinafter: BRP).
(hereafter BRP) to a specific person. In addition, the chip in the container and the token only contain a number.
and the token only contain a number. The chip can only be read with the IT system of the waste service
be read and linked to an address. Only two employees of the municipality have access
to this information and furthermore only when necessary for the implementation of the waste policy.
In addition, the college points out that the short-term processing of personal data when emptying the
grey container or opening the underground container respectively, according to the report, is necessary
for the implementation of the waste policy, and that the problem lies only in the longer than necessary
storage of landfill data.
Finally, the college points out that the AP did not impose a fine on the municipality of Arnhem (decision of
1 August 2017), while that case is broadly similar to that of the municipality of Voorschoten.
That too involved the excessive retention of personal data in the context of implementing the
waste policy. In that case, the AP imposed an order for periodic penalty payments to end the breach.
4.2. Remedial sanction
The college has already ended the violations found by deleting the unlawfully processed
data, adjusting the processing and informing residents of the municipality about the processing.
informed. As a result, there is also no fear of the breaches recurring. A recovery sanction is
therefore not at issue.
4.3. Administrative fine
The AP does see reason to use its power to impose an administrative fine.
administrative penalty. Of the arguments put forward in the opinion of the Board of Appeal, one ground relates to the question of whether a fine should be imposed.
whether a fine should be imposed (i.e. the ground that the AP in a previous case had sufficed with
Date
2 November 2023
Our reference
z2023-00037
11/14
an order for a penalty payment). These will now be addressed; the other grounds raised will be
dealt with in the light of the amount of the fine to be imposed.
The college points, as mentioned in section 4.1, to a decision of the AP dated 1 August 2017 that was directed
addressed to the College of Mayor and Aldermen of the Municipality of Arnhem. That case shows similarities in
similarities to the case now before us in that the Arnhem case also involved the
processing of personal data in the context of waste processing using chips (there in
access passes for underground waste containers). There, too, the purpose of the processing was to
reducing the size of the flow of residual waste. However, a further comparison of the cases comes up against
to the applicable legal regime.
At the time of the Arnhem case, it was not the AVG, but its predecessor, the Personal Data Protection Act
Personal Data Protection Act (hereinafter: Wbp). Under the Wbp, a different regime of fines applied than now applies under the AVG
1 Under the old regime, no fine could be imposed for the provisions breached by the Arnhem College
be imposed without first having been given a binding instruction. That principle only suffered
exception if the breach had been committed intentionally or was the result of seriously culpable
negligence. The Arnhem college had not previously been given a binding instruction, nor had there been any
intention or serious negligence. For that reason alone, no fine could be imposed in that case.
imposed.
With the AVG becoming applicable on 25 May 2018, the breaches identified in this decision can
violations can indeed be fined directly. In the mere circumstance that an administrative
fine could be imposed because of the fine regime in force at the time, the AP sees no reason to waive it now.
to waive it now.
4.4. Personal Data Authority fine policy 2019
When exercising the power to impose an administrative fine, the AP applies in respect of
public authorities, the Fines Policy Rules Authority Personal Data 2019 (hereinafter: Fines Policy Rules 2019).
The offences for which the AP can impose a fine are divided into
three penalty categories. These categories are ranked according to the severity of the violation of the
said articles, with category I containing the least serious offences and category III containing the most serious
offences. Associated with the categories are fines increasing in height. This follows from Article 2,
sections 2.1 and 2.3 of the Fine Policy 2019.
Category I Fine band between €0 and €200,000 Basic fine: €100,000
Category II Penalty band between €120,000 and €500,000 Basic fine: €310,000
Category III Fine band between €300,000 and €750,000 Basic fine: €525,000
1 The penalty regime was laid down in Chapter 10, Section 2 (Article 66 et seq.) of the Wbp.
Date
2 November 2023
Our reference
z2023-00037
12/14
According to Article 6 of the Fines Policy 2019, the AP determines the amount of the fine by adjusting the basic fine
upwards or downwards, depending on the extent to which the factors listed in Article 7
warrant it. Under Article 8, it is possible to apply the next higher or lower category
apply if the fine category determined for the offence does not allow an appropriate
punishment allows.
In case of multiple violations relating to the same or related
processing activities, the total fine shall not exceed the statutory maximum fine of the most serious
violation.
4.5. Penalty category and basic fine
The violation of Article 5, first paragraph opening words and under a, read in conjunction with Article 6, first paragraph,
opening words and (e) of the AVG (processing personal data without a basis), according to Annex I to
the Fine Policy 2019, classified in category III. This also applies to the violation of Article 5,
first paragraph, opening words and point (a), read in conjunction with Article 14, first paragraph, opening words and points (c) and (d) of the
AVG (failure to comply with the information obligation). The fine bandwidth and base fine of this
category (bandwidth between €300,000 and €750,000 with a basic fine of €525,000) may be appropriate given
the following discussion of fine increasing and decreasing factors, they do not result in an
appropriate punishment for the violations found. Therefore, fine category II will be
applied, whose fine band runs from €120,000 to €500,000 and the basic fine is €310,000
is.
The factors listed in Article 7 of the 2019 Fines Policy give rise to the following points
for comments. The factors not discussed are not applicable in this case.
a. Nature, gravity and duration of the infringement
Regarding the gravity of the breach, the AP notes that the unlawful processing of
personal data was not isolated, but was the continuation of a processing that was lawful.
However, the College failed to recognise that the basis for the processing ceased to exist after some time because the
necessity of the processing is time-limited.
In a similar vein, regarding the breach of the duty to inform, the college did inform the
residents of the municipality did inform about the introduction of the chip in the container and the
token, but that the college failed to recognise in time that the information was deficient in informing
about the processing of personal data.
In view of these points, the basic amount should be adjusted downwards.
f. The degree of cooperation with the supervisory authority to remedy the breach and mitigate the potential negative
negative consequences thereof
Date
2 November 2023
Our reference
z2023-00037
13/14
After receiving the investigation report, the college acknowledged all the findings therein. The college has
shortly thereafter entered into discussions with the supplier of the software and had the adjustments made to it that were
made necessary to bring the processing permanently into compliance with the AVG. The
college has again - and now correctly - informed residents about the processing of
personal data. In addition, the negative consequences of the processing have been eliminated by removing all
historical data have been removed from the municipality's systems.
For this reason too, the base amount should be adjusted downwards.
g. Categories of personal data affected by the breach
The AP further takes into account that the personal data processed, by their nature, can only lead to
a limited invasion of privacy. The data processed was only traceable to
address level. In addition, only two employees of the municipality were able to view the data and use the
using the BRP to trace it back to the individuals of the household in question. Furthermore, the
data only provide insight into the date on which residual waste was presented. The quantity of waste was not recorded
recorded and the location at the time of collection depends, in the case of the grey containers, on the designated
with the designated point of presentation and is the same for all residents of the same area. In the case of the
underground containers, the location is logically the location of the container.
For this reason too, the base amount should be adjusted downwards.
Conclusion
In view of the above, the AP sees reason to reduce the basic fine to the minimum of the
penalty band, being €120,000.
4.6. Proportionality of fine level
Finally, pursuant to Article 49(3) of the Charter of Fundamental Rights of the
European Union and Articles 3:4 and 5:46 of the Awb (principle of proportionality), it will assess whether the
application of its policy for determining the amount of the fine, given the circumstances of
the specific case, does not lead to a disproportionate outcome.
The AP qualifies the gravity of the breaches as minor, in particular due to the nature of the data
(discussed above under circumstance g) and the circumstance that the offence in respect of
basis was preceded by lawful processing (discussed above under circumstance
a) and became unlawful due to the passage of time. Given the minor gravity of the offences and the
circumstances under which the breaches were committed, the AP sees reason to set the fine lower
set at €120,000. The AP considers a fine of €30,000 appropriate and necessary.
Date
2 November 2023
Our reference
z2023-00037
14/14
5. Dictum
Administrative fine
The AP imposes an administrative fine on the Municipal Executive of the Municipality of Voorschoten for the
violation of Article 5, first paragraph, opening words and under a, read in conjunction with Article 6, first paragraph
opening words and under e and Article 14, first paragraph, opening words and under c and d, of the AVG an administrative fine in the amount of
amounting to €30,000.00 (in words: thirty thousand euros).2
Sincerely,
Netherlands Personal Data Authority
Mr A. Wolfsen
chairman
Remedies clause
If you disagree with this decision, you may, within six weeks of the date of dispatch of the
decision digitally or on paper, submit a notice of objection to the Personal Data Authority. Pursuant to
Article 38 of the UAVG, filing a notice of objection suspends the effect of the decision imposing the
imposition of the administrative fine. For filing a digital objection, see
www.autoriteitpersoonsgegevens.nl, under the Contact heading, item "Tip, complaint or objection".3
The address for filing on paper is:
Personal Data Authority
PO Box 93374
2509 AJ The Hague.
Indicate 'Awb-bezwaar' on the envelope and put 'bezwaarschrift' in the title of your letter.
In your notice of objection, write at least:
- your name and address;
- The date of your objection;
- the reference (case number) mentioned in this letter, or attach a copy of this decision;
- the reason(s) why you disagree with this decision;
- your signature.
2 The AP will hand over the claim to the Central Judicial Collection Agency (CJIB).
3 The direct URL is <https://www.autoriteitpersoonsgegevens.nl/over-de-autoriteit-persoonsgegevens/bezwaar-maken>.
