AP (The Netherlands) - Boete voor gemeente Voorschoten
From GDPRhub
| AP - Boete voor gemeente Voorschoten | |
|---|---|
 | |
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(e) GDPR Article 14 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 02.11.2023 |
| Fine: | 30000 EUR |
| Parties: | Municipality of Voorschoten |
| National Case Number/Name: | Boete voor gemeente Voorschoten |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | Dutch DPA (in NL) |
| Initial Contributor: | CBMPN |
The Dutch DPA fined the municipality of Voorschoten €30,000 for unlawfully processing personal data in its waste collection system. The municipality stored records longer than necessary and failed to adequately inform residents about the processing.
English Summary
Facts
The municipality of Voorschoten implemented a waste collection system using chipped containers and tokens to regulate household waste disposal. The system collected personal data, including addresses, container/token numbers, and timestamps of waste disposal. The municipality stored this data for extended periods (up to five years for tokens and indefinitely for containers).
At the end of 2018, the above-ground shared containers were replaced by underground containers to serve residents of high-rise buildings. Undergroung containers can only be opened with a token, which contains a chip with a unique number. It can be determined for each underground container which tokens have access to the container. A container can be opened five times a day, after which access to the container is denied. After the container has been opened with a token, the municipality stores data in a municipal IT system. This concerns token number, address details, date and time of the dumping, location details and type of waste. This data was stored for five years.
In March 2019, all grey residual waste containers were replaced by new containers with a chip for low-rise buildings. Each household (residential address) now has only one container. The garbage truck is equipped with a reader that can read the number of the chip. If it is recognised, the container is emptied. The municipality then stores data in an IT system of the municipality's collection service. This concerns the chip number, the associated address, date and time of emptying, location data of emptying and type of waste. The container cannot then be emptied again for two weeks because the garbage truck will not accept the container. This data remained in the IT system as long as the container was in use and the data was deleted from the system when the container was replaced.
Holding
The Dutch Data Protection Authority (DPA) has determined that the municipality unlawfully processed personal data related to waste disposal. The data in question included the chip number of waste containers or tokens, associated address details, date and time of container emptying or underground container access, location data, and type of waste. As the chip number links this data to an address, it directly or indirectly identifies residents.
The DPA assessed whether the municipality could rely on Article 6(1)(e) GDPR—necessity for the performance of a task in the public interest—as a legal basis. The purpose of the processing was clearly defined as reducing residual waste by regulating disposal. Moreover, the stated purpose could be achieved by the processing of personal data. After all, the address information plays a key role in limiting the amount of residual waste that a household can offer. The purpose of the processing also fits within the public task.
The short-term processing of personal data via the chip reader on garbage trucks was deemed necessary for verifying whether a container was provided by the municipality and had not been emptied recently. Similarly, for underground containers, checking whether a token granted access and whether disposal limits were exceeded was considered necessary. However, storing detailed records of which token or container was used, when, where, and for which type of waste was not deemed essential unless part of a diftar (differentiated waste collection) system, which the municipality of Voorschoten does not operate. Since long-term storage of waste disposal data was unnecessary for fulfilling a public interest task, the processing lacked a valid legal basis and was deemed unlawful.
On 24 May 2023, the waste management board informed the DPA that it would reduce the retention period for container disposal data to 14 days. Previously, data was retained for as long as a container remained in use (for overground containers) or up to five years (for underground containers).
Additionally, the DPA found that the municipality failed to adequately inform residents about the processing of their personal data, as required under Article 14 GDPR. While some information was provided, it did not clearly specify which personal data was processed, for what purpose, or on what legal basis. For example, letters informing residents about new underground containers with tokens did not disclose how personal data would be processed. The DPA concluded that the municipality had failed to meet GDPR transparency requirements.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Subject
Our reference
z2023-00037
Contact person
[CONFIDENTIAL]
Decision to impose an administrative fine
Dear board,
The First Line Investigation department of the Dutch Data Protection Authority (hereinafter: AP) has conducted an investigation into the processing of personal data by the board of mayor and aldermen of the municipality of Voorschoten (hereinafter: the board) in the context of the implementation of the waste collection policy in the municipality, following an enforcement request. The findings of the investigation are recorded in an investigation report, which was sent to the board on 13 March 2023.
In the decision now before us, the AP establishes that the board has processed personal data without adequate grounds and therefore unlawfully with regard to the so-called dumping history of residents of the municipality of Voorschoten. The AP further establishes that the board has not correctly informed the residents of the municipality of Voorschoten about the personal data processed in this context, the purpose and the basis of the processing. As a result, the board was in violation of Articles 5, first paragraph, opening sentence and under a, read in conjunction with Article 6, first paragraph, opening sentence and under e and Article 14, first paragraph, opening sentence and under c and d, of the General Data Protection Regulation (hereinafter: GDPR).
With this decision, the AP imposes an administrative fine of € 30,000 on the board. The following discusses (1) the procedure, (2) the board's view on the investigation findings, (3) the assessment and (4) the decision to impose the administrative fine. Finally, it states what an interested party can do if they do not agree with this decision. Dutch Data Protection Authority
Postbus 93374, 2509 AJ Den Haag Hoge Nieuwstraat 8, 2514 EL Den Haag T0708888500-F0708888501 autoriteitpersoonsgegevens.nl
1
Date Our reference
November 2, 2023 z2023-00037
1. Investigation and findings
On March 9, 2019, the AP received an enforcement request from a resident of the municipality of Voorschoten. On October 18, 2020, it became clear that the resident is not only standing up for himself, but also on behalf of another resident of the municipality. The residents are collectively and singularly referred to in this decision as "complainant". The complainant's request relates to the processing of personal data during waste collection in the municipality of Voorschoten. Following this, the AP's Primary Investigation department conducted an investigation and recorded its findings in an investigation report dated December 22, 2022. The following facts emerge from the report. On 29 March 2016, the municipal council of the municipality of Voorschoten adopted the Waste Policy Plan 2016-2020. According to the Waste Policy Plan, the municipality aims to reduce the amount of residual waste. In addition, better separation of waste flows should lead to more raw materials being reused. The municipality does not use a system of differentiated tariffs (diftar), in which, in short, each household is charged based on the actual use of the waste facilities. Nor are there any plans to introduce a diftar system. The Waste Policy Plan distinguishes between, on the one hand, single-family homes or ground-level homes (hereinafter: low-rise buildings) and, on the other hand, apartments (hereinafter: high-rise buildings). Residents of low-rise buildings use grey residual waste containers (kliko's) that are periodically emptied by a garbage truck. Residents of high-rise buildings use underground residual waste containers on the street. In order to implement the Waste Policy Plan, the board has taken the following two measures – insofar as relevant here:
1) Low-rise buildings
In March 2019, all grey residual waste containers (kliko's) in the municipality were replaced by new containers with a chip. This chip contains a unique number. The number of containers in the municipality has been reduced because each household (residential address) now has only one container. The new container is provided with a barcode sticker with an address for the purpose of issuing the container, but this sticker has no further function and can be removed without consequences.
The garbage truck is equipped with a reader that can read the number of the chip. If it is recognised, the container is emptied. The municipality then stores data in an IT system of the municipality's collection service. This concerns the chip number, the associated address, date and time of emptying, location data of emptying and type of waste. The container cannot then be emptied again for two weeks because the garbage truck will not accept the container. The data remained in the IT system as long as the container was in use and the data was deleted from the system when the container was replaced.
The residents of the low-rise buildings were informed by letter about the replacement of the containers, but the letter did not state which personal data would be processed by means of the chip in the new containers, what the purpose of this processing is and what the basis for this is.
2/14
Date Our reference
2 November 2023 z2023-00037
2) High-rise buildings
At the end of 2018, the above-ground shared containers were replaced by underground containers. These containers can only be opened with a token, which, like the residual waste containers for the low-rise buildings, contains a chip with a unique number. It can be determined for each underground container which tokens have access to the container. A container can be opened five times a day with a token, after which access to the container is denied.
After the container has been opened with a token, the municipality stores data in a municipal IT system. This concerns token number, address details, date and time of the dumping, location details and type of waste. This data was stored in the IT system for five years.
The residents of the high-rise buildings were informed by letter about the new containers with token, but the letter did not state which personal data would be processed with the token, what the purpose of this processing is and what the basis for this is.
The research report concluded that the board, as the controller, processes personal data of residents for the collection of household waste. The report then addressed the question of whether the board can rely on the basis it invoked of “necessity for the performance of a task of general interest” (Article 6, first paragraph, opening sentence and under e, of the GDPR).
In the context of the low-rise buildings, the research report concluded that the short-term processing of personal data via the chip reader on the garbage truck is necessary for the performance of the board's task. After all, it must be verified that it concerns a container provided by the municipality and that it has not been emptied recently. This only applies to the extent and for as long as this is necessary to be able to empty the grey container and temporarily block it. However, it is not necessary to store for a longer period of time which container (chip number and address) was offered with waste when (date and time). This would only be different if this so-called "dumping data" were used for a diftar system, but the municipality of Voorschoten does not do this.
In the context of high-rise buildings, it has been judged in a similar way that it is necessary for the task of the board to check whether a token provides access to the waste container and whether the maximum number of dumps per day is not exceeded. However, here too it is not necessary to keep track of which token (token number and address) was offered when (date and time) where (location data of the container) which type of waste was offered. This would only be different if the dumping data were used for a diftar system, but as mentioned, the municipality of Voorschoten does not do this.
Since there is no need for the long-term processing of the dumping data, this processing cannot be based on the basis of necessity for a task of general interest. The processing is therefore
3/14
Date Our reference
2 November 2023 z2023-00037
unlawful in this respect (Article 5, first paragraph, opening sentence and under a, read in conjunction with Article 6, first paragraph, opening sentence and under e, of the GDPR).
The investigation report also concluded that the board did not correctly inform residents of high-rise and low-rise buildings about the personal data processed via the chip in the container or token for the underground container, the purpose and basis of this processing. In doing so, the board has violated its duty to provide information (Article 5, first paragraph, opening sentence and under a, read in conjunction with Article 14, first paragraph, opening sentence and under c and d, of the GDPR).
2. The board's view on the report
The AP sent the investigation report and the underlying documents to the board. In doing so, the AP expressed its intention to take a remedial measure to end the excessive storage of dumping data, to destroy the data already stored and to properly inform residents. In addition, the AP expressed its intention to impose an administrative fine.
The board took advantage of the opportunity to provide its view by letter dated 28 March 2023. A meeting with representatives of the board took place on 24 May 2023. In the view and during the meeting, the following was put forward on behalf of the board with regard to the investigation report. To the extent that the view relates to the measures to be imposed, this is discussed in paragraph 4 of this decision.
2.1. Regarding the processing responsibility, processing and facts
The board has first of all endorsed that it is the controller for the processing of personal data that takes place within the framework of the Waste Policy Plan, as described in the research report. The board further endorses the facts as set out in the report.
2.2. Regarding the necessity of grey containers
The board explained that the primary objective of the Waste Policy Plan is to initiate a transition in which waste is increasingly converted into a raw material. By increasing the percentage of separated waste, the aim is that only raw materials will be collected in 2030 and therefore no residual waste. To achieve this, the separation of waste must be stimulated.
Stricter management of above-ground containers (kliko's) and underground containers is one of the means to achieve this. By linking the grey containers to an address, it can be prevented that residents wrongly report their grey container as missing and can now offer two containers after receiving a new container. If a container with a chip is reported as missing and is not found within two weeks, the old chip number can be blocked by linking it to the address. The old container can then no longer be emptied and is replaced by a container with a different chip number. On behalf of the board, it was stated that in
4/14
Date Our reference
2 November 2023 z2023-00037
the past, 300 containers had to be replaced in one year. In February 2023, 30 containers were reported missing, and 29 were returned to the municipality because the missing containers were not emptied and were left behind. This shows that the use of the chip is effective.
In addition, thanks to the chip, a container can only be emptied once every two weeks. After emptying, the chip is blocked for two weeks. In the conversation on 24 May 2023, the board explained that the garbage truck drives daily and that the collection day differs per district. Without a chip and blocking of the container, residents of the border areas of a district in particular would be able to offer their residual waste more often than once every two weeks.
These two points (limiting the number of containers and the collection frequency) lead to a maximum amount of residual waste that is collected from residents. This is intended to provide a positive incentive to separate more waste, so that it does not have to be offered as residual waste. According to the board, it is necessary to retain the dumping data for this purpose.
Furthermore, the board points out that a resident can file a complaint with the board because the grey container is no longer functioning properly, has not been emptied or has been lost. It may be relevant to investigate when waste was last offered. Approximately 2,000 containers are emptied every day, resulting in several dozen reports per week.
On 24 May 2023, the board promised the AP to set the retention period of the dumping data for the grey containers at fourteen days, instead of retaining it as long as the container is in use.
2.3. With regard to the necessity for underground containers
By regulating access to the underground containers with a token, the amount of residual waste for residents of high-rise buildings is first of all limited. In addition, it prevents residents who have a grey container from also being able to dump waste in the underground containers. This would negate the effect of the stricter management of grey containers. Furthermore, regulating access prevents residents of other municipalities from making improper use of the underground containers. The board also points out the management of the tokens. There is a strict policy that only one token is issued per household. In addition, the token can open a residual waste container a maximum of five times per day. For this, it is necessary to keep the dumping data for at least 24 hours.
A resident can also file a complaint with regard to the tokens. It sometimes happens that an underground container or token does not function properly. In order to handle these complaints, it is also necessary to consult the dumping history. This can show whether the token was recently offered and has therefore become defective (in which case the token will be replaced free of charge) or has not been offered for a long time (which is an indication that the token has been lost, in which case the resident must pay for a replacement). 5/14
Date Our reference
November 2, 2023 z2023-00037
On May 24, 2023, the board promised the AP to set the retention period of the dumping data for underground waste containers at fourteen days, instead of five years.
2.4. With regard to the provision of information
The board endorses the finding in the research report that the provision of information to residents does not meet the requirements of the GDPR. Nevertheless, according to the board, it should be noted that the board has tried to inform residents in the right way. In letters dated March 5 and 22, 2019, the board attempted to clarify the purpose for which the containers were replaced. For example, it is stated that the containers are provided with chips for the purpose of managing the containers, so that the objective of more waste separation as described in the Waste Policy Plan can be met. It was then explained that the chips are linked to the residential address, after which the specific method by which the chip is used to achieve better management of waste collection was explained. For example, it was explained that the collection vehicle scans the chip and then stores that the container has been emptied. According to the board, it is at least partially explained for what purpose the personal data are processed.
On the other hand, the board realises that the information provision about the containers for high-rise buildings has been inadequate. According to the board, the letter of 30 November 2018 was also not sufficiently clear to give residents a good picture of the processing of personal data in the context of waste policy.
3. Assessment
3.1. Controller and processing of personal data
As established in paragraphs 3.1, 3.2 and 3.3 of the research report, and endorsed by the board, the board, as controller for the collection of residual waste, processes personal data of residents of the municipality of Voorschoten. This concerns the chip number of the container or token, the associated address data, date and time of emptying the container or opening the underground container, location data and type of waste. This data is linked to an address via the chip number and makes the residents in question directly or indirectly identifiable.
3.2. Violation 1: processing of personal data without a basis
Based on the GDPR, personal data must be processed in a manner that is, among other things, lawful with respect to the data subject (Article 5, first paragraph, opening sentence and under a). The processing is only lawful if and to the extent that at least one of the conditions ("basis") stated in Article 6, first paragraph has been met. 6/14
Date Our reference
November 2, 2023 z2023-00037
The board has taken the position that the processing in question is based on the basis that the processing is necessary for the fulfillment of a task of general interest (Article 6, first paragraph, opening sentence and under e, of the GDPR). Therefore, the existence of a public task and the need to process personal data for this purpose will be discussed in turn.
3.2.1. Public task
As stated in the research report, it follows from Article 10.21 et seq. of the Environmental Management Act that the municipal council and the board have the public task of ensuring that household waste is collected at least once a week. The municipal council has the authority to adopt a waste regulation for this purpose, which the council of the municipality of Voorschoten has done. In addition, the municipal council has room to establish an environmental policy plan on the basis of Article 10.23,
second paragraph, read in conjunction with paragraph 4.6 of the Environmental Management Act. In the waste bylaw, the municipal council has charged the board with the collection of household waste. It follows from this that the board has a task of general interest with regard to the collection of household waste.
As the Administrative Law Division of the Council of State (hereinafter: the Division) ruled in its judgment of 30 June 2021 (ECLI:NL:RVS:2021:1420), the municipal council is entitled to a certain amount of room to fulfil that task. The board implements the policy laid down in the Waste Policy Plan 2016-2020. Part of this is that the board focuses on limiting facilities for residual waste in order to stimulate waste separation.
3.2.2. Necessity to process personal data
The necessity requirement entails that the processing of personal data must be proportionate and subsidiary. In its ruling of 30 June 2021 (as stated), the Division considered that in order to assess the necessity, it must first be determined whether the purpose for which the personal data are processed is well-defined and explicitly described. It must also be determined whether that purpose can be achieved by the processing. In this respect, the purpose must fit within the task of general interest. It must then be determined whether the infringement of privacy is proportionate to the interests served by the processing. In particular, it must be assessed whether the purpose cannot be achieved in another way that is less detrimental to the persons concerned. The more detailed a potential data subject describes an alternative, the more intrusive the AP's investigation must be. The Division further considered that the risk of misuse of the system relates to the security of the processing and is not relevant to determining its lawfulness.
Section 3.2.1 of this decision addresses the task of general interest and the scope of the board to implement policy in this regard. In view of the provisions of the Environmental Management Act and the adopted Waste Policy Plan, the AP is of the opinion that the purpose for which the personal data are processed – reducing the amount of residual waste by regulating the size of that waste stream – is in this case
7/14
Date Our reference
2 November 2023 z2023-00037
specifically and explicitly described. The AP also establishes that the purpose can be achieved by processing personal data. After all, the address-related numbers in the chip in the grey containers and tokens play a key role in limiting the amount of residual waste that a household can offer. The purpose of the processing also fits within the public task, described in section 3.2.1.
It must then be examined whether the infringement of privacy is proportionate to the interests served, in particular by investigating whether the purpose can be achieved in a less detrimental manner. In the request for enforcement, the complainant raised the possibility of anonymous chips. However, the link to an address is necessary to be able to manage the chips (issue and block them) and thus achieve the objective. Without this link, it cannot be prevented that a household has multiple containers and/or tokens, or that these end up with a company or resident of another municipality. This would undermine their use and purpose. The fact that the green GFT container and blue paper container are not equipped with a chip is not an indication of the absence of the need to process personal data in order to achieve the objective with regard to residual waste. After all, these containers – and the so-called environmental parks in the municipality – are intended for separated waste flows and not for residual waste.
As stated in the investigation report, the AP is of the opinion that the processing of personal data is proportionate to the objective to be served. The use of a chip and the storage of data in order to be able to check whether a container has been emptied in the past two weeks is necessary for that purpose. It is also necessary for this purpose to record data for the management of the containers, such as the address to which a container (chip number) belongs and whether it is missing. Processing the dumping data for longer than the stated period of two weeks does not contribute further to the stated objective and is therefore not proportionate.
The same applies to the token for underground waste containers. The use of a chip and the storage of data is necessary to be able to check whether the daily maximum number of dumps is not exceeded. It is also necessary for the management of the token to be able to look back for some time, so that the functioning of a token can be checked if a resident reports a malfunction. It can be assumed that every household offers residual waste at least once every two weeks, so that it is not necessary to look back further than that to see whether the token was working recently. Here too, processing for longer than these fourteen days does not contribute further to the stated objective and is therefore not proportionate.
3.2.3. Conclusion
The board kept the dumping data of grey containers for as long as the container was in use, and the dumping data of the tokens for five years. This far exceeds the two-week period. For the period that the period has been exceeded, there is no need to process personal data in the context of the task of general interest. The conclusion is therefore that this processing does not meet the requirements of Article 6, first paragraph, opening sentence and under e, of the GDPR and is therefore unlawful.
8/14
Date Our reference
2 November 2023 z2023-00037
The board has stated that the retention period has been adjusted and the stored dumping data was deleted in July 2023, insofar as it was older than two weeks. A supervisor of the AP had access to the systems on
2 October 2023 and found that there were no dumping data present that exceeded the retention period of fourteen days. In view of the foregoing, it has been established that the board was in violation of Article 5, paragraph 1, opening sentence and under a, read in conjunction with Article 6, paragraph 1, opening sentence and under e, of the GDPR in the period from the end of 2018 (high-rise buildings) and March 2019 (low-rise buildings) to July 2023.
3.3. Violation 2: failure to properly inform data subjects about the processing of personal data
Under the GDPR, personal data must be processed in a manner that is, among other things, transparent with regard to the data subject (Article 5, paragraph 1, opening sentence and under a). The information that the controller must provide to data subjects about personal data that has not been obtained from the data subjects is stated in Article 14 of the GDPR. This includes, among other things, the processing purpose and the legal basis for the processing (paragraph 1, opening sentence and under c) and the categories of personal data concerned (paragraph 1, opening sentence and under d). As stated in the investigation report, the board informed the residents of the municipality in writing about the replacement of the grey containers and the above-ground containers. To this end, the board sent letters on 30 November 2018 (high-rise buildings), 5 March 2019 and 22 March 2019 (low-rise buildings). However, these letters mainly concern the actual course of events surrounding the replacement of the grey containers and underground containers, and make no or insufficient mention of the processing of personal data of data subjects. As stated in the investigation report, the letters do not state which categories of personal data are processed via the chip in the container or the token for the underground container, the purpose and the basis of that processing. The board endorsed this observation in the opinion.
The board informed the residents again by letter dated 1 September 2023 (sent on 22 September 2023 according to the board) about the processing of personal data in the context of the collection of residual waste. This letter does contain all the required information. This means that the violation has ended.
In view of the foregoing, it has been established that the board violated the duty to provide information in the period from the end of 2018 (high-rise buildings) and March 2019 (low-rise buildings) to 22 September 2023. In doing so, the board was in violation of Article 5, first paragraph, opening sentence and under a, read in conjunction with Article 14, first paragraph, opening sentence and under c and d, of the GDPR.
9/14
Date Our reference
2 November 2023 z2023-00037
4. Administrative fine
4.1. Opinion of the board
As stated in paragraph 2 of this decision, the board also addressed the imposition of a remedial measure and/or administrative fine in the opinion. For example, the board argues that the imposition of a remedial measure is not necessary. The processing described in the investigation report will be discontinued by the board to the extent that it is not necessary for the implementation of the waste policy. As mentioned above, the retention period has now been set at fourteen days and the older data has been deleted. In addition, the board has informed the residents of the municipality again in the manner that should have been done according to the investigation report.
The board also states that it cannot agree with the imposition of an administrative fine. First of all, it concerns personal data with a fairly low risk level. After all, it concerns address data of residents, which can only be traced back to a specific person by enriching it with data from the Personal Records Database (hereinafter: BRP). In addition, both the chip in the container and the token only contain a number. The chip can only be read and linked to an address with the IT system of the waste service. Only two employees of the municipality have access to this information and moreover only when this is necessary for the implementation of the waste policy.
In addition, the board points out that the short-term processing of personal data when emptying the grey container or opening the underground container is necessary for the implementation of the waste policy, according to the report, and that the problem only lies in the longer than necessary storage of the dumping data.
Finally, the board points out that the AP did not impose a fine on the municipality of Arnhem (decision of 1 August 2017), while that case is largely comparable to that of the municipality of Voorschoten. That case also involved the storage of personal data for too long in the context of the implementation of the waste policy. In that case, the AP imposed an order subject to penalty payments to end the violation.
4.2. Corrective sanction
The board has already ended the observed violations by deleting the unlawfully processed data, adjusting the processing and informing the residents of the municipality about the processing. As a result, there is no fear of a recurrence of the violation. A corrective sanction is therefore not appropriate.
4.3. Administrative fine
The AP does see reason to use its authority to impose an administrative fine. Of the arguments put forward in the board's opinion, one ground concerns the question of whether a fine should be imposed (namely the ground that the AP in an earlier case limited itself to
10/14
Date Our reference
2 November 2023 z2023-00037
a penalty payment order). This will now be addressed; the other grounds put forward will be dealt with in light of the amount of the fine to be imposed.
As stated in paragraph 4.1, the board refers to a decision of the AP of 1 August 2017 that was addressed to the board of mayor and aldermen of the municipality of Arnhem. That case shows similarities with the current case in that the Arnhem case also concerned the processing of personal data in the context of waste processing using chips (in that case in access passes for underground waste containers). There too, the purpose of the processing was to limit the volume of the residual waste stream. However, further comparison of the cases is hampered by the applicable legal regime.
At the time of the Arnhem case, the GDPR did not apply, but its predecessor, the Personal Data Protection Act (hereinafter: Wbp). The Wbp applied a different fine regime than the one that now applies under the GDPR.1 Under the old regime, no fine could be imposed for the provisions violated by the Arnhem council without first having been given a binding instruction. This principle was only an exception if the violation was committed intentionally or was the result of seriously culpable negligence. The Arnhem council had not previously been given a binding instruction, nor was there any intent or serious negligence. For that reason alone, no fine could be imposed in that case.
Due to the application of the GDPR on 25 May 2018, the violations noted in this decision can now be fined directly. In the sole circumstance that in the past no administrative fine could be imposed due to the fine regime that applied at the time, the AP sees no reason to refrain from doing so now.
4.4. Fine Policy Rules Dutch Data Protection Authority 2019
When exercising its authority to impose an administrative fine, the AP applies the Fine Policy Rules Dutch Data Protection Authority 2019 (hereinafter: Fine Policy Rules 2019) with regard to government bodies. The violations for which the AP can impose a fine are divided into three fine categories in the Fine Policy Rules 2019. These categories are ranked according to the severity of the violation of the aforementioned articles, with category I containing the least serious violations and category III the most serious violations. The categories are subject to increasing fines. This follows from Article 2, under 2.1 and 2.3 of the Fine Policy Rules 2019.
Category I Category II Category III
Fine range between €0 and €200,000 Fine range between €120,000 and €500,000 Fine range between €300,000 and €750,000
Basic fine: €100,000 Basic fine: €310,000 Basic fine: €525,000
1 The fine regime was laid down in Chapter 10, paragraph 2 (Article 66 et seq.) of the Wbp.
11/14
Date Our reference
November 2, 2023 z2023-00037
According to Article 6 of the Fine Policy Rules 2019, the AP determines the amount of the fine by adjusting the basic fine upwards or downwards, depending on the extent to which the factors mentioned in Article 7 give rise to this. Based on Article 8, it is possible to apply the next higher or lower category if the fine category determined for the violation does not allow for appropriate punishment in the specific case.
In the event of multiple violations relating to the same or related processing activities, the total fine is not higher than the statutory maximum fine for the most serious violation.
4.5. Fine categoriesbasic fine
The violation of Article 5, first paragraph, opening sentence and under a, read in conjunction with Article 6, first paragraph, opening sentence and under e, of the GDPR (processing personal data without a basis), according to Annex I to the Fine Policy Rules 2019, classified in category III. This also applies to the violation of Article 5, first paragraph, opening sentence and under a, read in conjunction with Article 14, first paragraph, opening sentence and under c and d, of the GDPR (failure to comply with the information obligation). The fine range and basic fine of this category (range between €300,000 and €750,000 with a basic fine of €525,000) cannot, in view of the following discussion of factors increasing and decreasing the fine, lead to an appropriate punishment for the violations found in this case. Therefore, fine category II will be applied, with a fine range of €120,000 to €500,000 and a basic fine of €310,000.
The factors mentioned in Article 7 of the Fine Policy Rules 2019 give rise to comments on the following points. The factors not discussed do not apply in this case.
a. Nature, seriousness and duration of the infringement
With regard to the seriousness of the infringement, the AP notes that the unlawful processing of personal data did not occur in isolation, but was the consequence of processing that was lawful. However, the board failed to recognise that the basis for the processing disappeared after some time because the necessity of the processing is limited in time.
In a similar sense, with regard to the infringement of the information obligation, the board did inform the residents of the municipality about the introduction of the chip in the container and the token, but that the board failed to recognise in a timely manner that the information provided was insufficient in the information about the processing of personal data. In view of these points, the basic amount should be adjusted downwards.
f. The extent to which cooperation with the supervisory authority was sought to remedy the breach and limit its possible negative consequences
12/14
Date Our reference
2 November 2023 z2023-00037
After receiving the investigation report, the board acknowledged all the findings therein. Shortly afterwards, the board entered into consultation with the software supplier and had the adjustments made that were necessary to bring the processing into permanent compliance with the GDPR. The board once again informed residents – and now correctly – about the processing of personal data. In addition, the negative consequences of the processing have been eliminated because all historical data has been removed from the municipality's systems.
For this reason too, the basic amount should be adjusted downwards.
g. Categories of personal data to which the breach relates
The AP furthermore takes into account that the personal data that have been processed can only lead to a limited breach of privacy by their nature. The processed data could only be traced back to address level. In addition, only two municipal employees were able to view the data and trace it back to the persons of the household in question using the BRP. Furthermore, the data only provide insight into the date on which residual waste was offered. The amount of waste was not registered and the location at the time of collection, in the case of the grey containers, is related to the designated offer location and is the same for all residents of the same area. In the case of the underground containers, the location is logically the location of the container.
This is also why the basic amount must be adjusted downwards.
Conclusion
In view of the above, the AP sees reason to reduce the basic fine to the minimum of the fine range, which is € 120,000.
4.6. Proportionality of fine amount
Finally, the AP will assess, on the basis of Article 49, paragraph 3, of the Charter of Fundamental Rights of the European Union and Articles 3:4 and 5:46 of the General Administrative Law Act (principle of proportionality), whether the application of its policy for determining the amount of the fine, given the circumstances of the specific case, does not lead to a disproportionate outcome.
The AP qualifies the seriousness of the violations as minor, in particular due to the nature of the data (discussed above under circumstance g) and the circumstance that the violation with regard to the basis was preceded by lawful processing (discussed above under circumstance a) and became unlawful due to the passage of time. Given the minor seriousness of the violations and the circumstances under which the violations were committed, the AP sees reason to set the fine lower than € 120,000. The AP considers a fine of € 30,000 appropriate and necessary. 13/14
Date Our reference
November 2, 2023 z2023-00037
5. Dictum
Administrative fine
The AP imposes an administrative fine of €30,000.00 (in words: thirty thousand euros) on the board of mayor and aldermen of the municipality of Voorschoten for violating Article 5, first paragraph, opening sentence and under a, read in conjunction with Article 6, first paragraph, opening sentence and under e and Article 14, first paragraph, opening sentence and under c and d, of the GDPR.2
Yours sincerely,
Dutch Data Protection Authority
mr. A. Wolfsen chairman
Remedies clause
If you do not agree with this decision, you can submit an objection to the Dutch Data Protection Authority digitally or on paper within six weeks after the date of dispatch of the decision. In accordance with Article 38 of the UAVG, submitting an objection suspends the effect of the decision to impose the administrative fine. To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Contact, item “Tip, complaint or objection”.3
The address for submitting on paper is:
Dutch Data Protection Authority PO Box 93374
2509 AJ The Hague.
