APD/GBA (Belgium) - 125/2021
| Field | Value |
|---|---|
| Relevant Law: | Article 5(1)(b) GDPR; Article 6(1)(f) GDPR; Article 6(4) GDPR |
| National Case Number/Name: | 125/2021 |
| European Case Law Identifier: | n/a |
| Original Source: | gegevensbeschermingsautoriteit.be (in NL) |
| Initial Contributor: | Martijn Staal |
The Belgian DPA issued a reprimand against a fitness club for violating Article 5(1)(b) and Article 6 GDPR by sharing the personal data of a member of the club with another member in the context of a payment dispute.
English Summary
Facts
A member of a fitness club (the Complainant) was contacted by another member of the same fitness club (the Third Party). The Third Party informed the Complainant that he had been paying the membership fee of the Complainant because of an error, and that in the context of this payment issue, the fitness club had shared with him personal data relating to the Complainant. These personal data included the name, mobile phone number, e-mail address and date of birth of the Complainant, as well as the dates of the Complainant's last visits to the fitness club.
The Complainant considered that the fitness club had breached the principle of purpose limitation set out in Article 5(1)(b) GDPR, because these personal data were initially collected for the performance of the contract between the Complainant and the fitness club. According to the Complainant, the fitness club should not have shared these data with another member of the club because of a payment issue. The Complainant therefore filed a complaint with the Belgian DPA against the fitness club.
The fitness club argued for its part that the disclosure of the Complainant's personal data to the Third Party was lawful because it was compatible with the purpose for which the data were initially collected (i.e. the performance of the contract), and/or based on the legitimate interests of the fitness club to inform the Third Party about a payment issue in order to solve it.
Holding
The Belgian DPA considered that the disclosure of the personal data of the Complainant to the Third Party was made in breach of the principles of data processing.
The Belgian DPA saw no reason why the disclosure of personal data should have been allowed under Article 6(4) GDPR, which provides that the processing of personal data for a purpose other than the one for which it was initially collected can be allowed if that other purpose is compatible with the initial purpose. In particular, the Belgian DPA found that disclosing the Complainant's name, date of birth, etc., to resolve a payment issue was neither compatible with nor necessary for the purpose of performing the contract between the fitness club and the Complainant.
The Belgian DPA also found that the fitness club could not have validly relied on its legitimate interest as a legal basis under Article 6(1)(f) GDPR to disclose the personal data of the Complainant to the Third Party. According to the Belgian DPA, it was indeed not necessary for the fitness club to reveal the identity and other details about the Complainant to the Third Party who was accidentally paying the Complainant's membership fees. Furthermore, the Belgian DPA stressed that the Complainant could not have expected that her personal data, including information about her last visits to the fitness club, would be shared with a Third Party to solve a payment issue. By referring to Recital 47 of the GDPR and to the CJEU judgment in case C-708/18 TK v Asociaţia de Proprietari bloc M5A-ScaraA, the Belgian DPA concluded that the fitness club had failed to properly balance the fundamental rights of the Complainant against the interests of the Third Party or of the fitness club, and that Article 6(1)(f) GDPR could thus not be invoked as a valid legal basis by the fitness club.
Since the unlawful disclosure of the Complainant's personal data was only a single event, most likely caused by a human error, and since in the meantime the fitness club had taken appropriate measures to avoid any further breaches of the GDPR, the Belgian DPA decided not to impose a fine and issued a simple reprimand instead.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Disputes Chamber. Decision on the merits 125/2021 of 10 November 2021. File number: DOS-2020-00292. Subject: transfer of personal data of a member of a sports club to a third party.

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Jelle Stassijns and Frank De Smet;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision regarding:
The complainant: Mrs. X, hereinafter referred to as “the complainant”;
The defendant: Sports Club Y, hereinafter referred to as “the defendant”.

I. Facts and procedure

1. On December 29, 2019, the complainant lodged a complaint with the Data Protection Authority against the defendant. The object of the complaint concerns the transmission of the complainant's personal data, including her name, address, date of birth, e-mail address and the dates of her last visits to the defendant's fitness club, to a third party. The complainant is a member of the defendant's fitness club. At a certain point, the complainant was contacted by a person who indicated that he was in possession of the complainant's personal data. This third party, who is also a member of the fitness club, stated that he had received personal data concerning the complainant from the defendant. After this third party had received a notice of default, following which it was established that his wife had erroneously paid the complainant's subscription costs (instead of his own subscription costs), the defendant provided the complainant's personal data to this third party. The complaint was declared admissible by the Frontline Service on the basis of Articles 58 and 60 WOG and transferred to the Disputes Chamber pursuant to Article 62, §1 WOG.

2. On August 12, 2020, the Disputes Chamber decided, on the basis of Article 95, §1, 1° and Article 98 WOG, that the file was ready for processing on the merits.

3. On August 12, 2020, the parties concerned were notified by registered mail of the provisions set out in Article 95, §2, as well as of those in Article 98 WOG. They were also informed, pursuant to Article 99 WOG, of the time limits for submitting their defenses.

4. The final date for receipt of the defendant's statement of defense was thereby set at 9 September 2020, that for the complainant's reply at 23 September 2020, and that for the defendant's statement of reply at 7 October 2020.

5. The parties have not requested to be heard at a hearing.

6. On September 8, 2020, the Disputes Chamber received the statement of defense from the defendant. The defendant acknowledges that personal data of the complainant was passed on to a third party by one of its employees in the fitness club Ledberg. This employee could not be questioned by the defendant because he is currently not working due to personal circumstances.

7. The defendant indicates that it regrets the course of events and points out that, according to its internal guidelines, employees are under no circumstances allowed to provide personal data to third parties. In addition, the defendant argues that the role of club employees is decreasing, as members are urged to use the principle of “self service”, whereby members can always check certain data themselves and change them if necessary. In addition, the following measures have been taken: members can, if desired, get support from customer service; the regional managers and team leaders have been informed about this incident and have been requested to discuss it with all employees; new flyers are being handed out to the employees with the obligations from the GDPR that they must adhere to; these flyers will continue to be updated and redistributed in order to raise awareness for maintaining privacy; the club employee who provided the personal data will be addressed the moment he returns; the internal procedure is being improved to avoid similar situations in case of incorrect account numbers.

8. On 17 December 2020, the Disputes Chamber received the statement of reply from the complainant. She indicates therein that she views the proposed measures to prevent the recurrence of such events positively. However, she emphasizes that in December 2019 the processing of personal data was apparently in violation of the GDPR. The complainant requests the Disputes Chamber to impose an appropriate sanction on the defendant.

II. Justification

9. Any processing of personal data must be based on a legal basis. The complainant was a member of the defendant's fitness club and therefore, in the context of the performance of the contract, provided her personal data to the defendant, who was allowed to process the data in the context of the same agreement (Article 6(1)(b) GDPR).

10. An employee of the defendant has, as already described above, provided the complainant's personal data, including her name, address, date of birth, mobile phone number, e-mail address and the dates of her last visits to the fitness club, to a third party, because the latter had paid, admittedly incorrectly, the costs of the complainant's subscription. From the submitted e-mails between an employee of the defendant and the third party, it appears that the employee advised the third party to report a theft to the police against the complainant and to provide evidence of that report to the defendant. That advice was followed by the third party, who filed a complaint against the complainant.

11. Article 5(1)(b) GDPR provides for the purpose limitation principle, which requires that personal data be collected for specified, explicit and legitimate purposes and not be further processed in a manner incompatible with those purposes.[1] The complainant provided her personal data in the context of a contractual relationship, in the confidence that the data would only be processed as necessary within that relationship. The Disputes Chamber is of the opinion that the defendant, by passing on the complainant's personal data to a third party, has acted contrary to the principles of data processing. After all, it has passed on the personal data to a third party without a valid legal basis. That the third party erroneously paid the subscription fees for the complainant in no way justifies the transfer of the personal data regarding the complainant to that third party. After all, the complainant provided her personal data for the implementation of the agreement between herself and the fitness club, with the sole purpose of using the sports facilities. It would have been open to the defendant to remedy the administrative error by first contacting the complainant itself, and not by passing on her personal data to the third party.

[1] Article 5(1)(b) GDPR: Personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) ('purpose limitation').

12. By acting in the manner described above, the defendant has passed on the personal data that it obtained in the context of the execution of the agreement, and has therefore processed it for purposes contrary to the original purpose for which that personal data was obtained, namely the execution of the agreement. Under Article 6(4) GDPR it is allowed, in certain cases, to process personal data that was initially collected for one purpose for other, compatible purposes (without requiring a separate legal basis). In determining this, the following are taken into account: any link between the purposes for which the personal data have been collected and the purposes of the intended further processing; the context in which the personal data have been collected and the relationship between the data subjects and the controller; the nature of the personal data; the consequences of the further processing for the data subject; and the existence of appropriate safeguards. The Disputes Chamber is of the opinion that the assessment of the above elements does not give rise to the assumption that there was a further and compatible processing in accordance with Article 6(4) GDPR. No relationship can be established between the purposes for which the data was collected and the purposes of the further processing, nor can any other indication be found that could justify the further processing. Since this is therefore a processing incompatible with the original purposes, the Disputes Chamber will investigate in what follows whether there is possibly a separate legal basis under which the further processing would have been permitted. The only legal basis that could still qualify in this case is legitimate interest. After all, it is established that the data subject has not given consent.

13. Legitimate interest is laid down in Article 6(1)(f) GDPR. The Disputes Chamber will therefore check whether the further processing of the complainant's personal data in this case was lawful under the aforementioned provision.[2] In order to be able to determine this, the controller must, in accordance with the case law of the Court of Justice, show that: 1) the interests pursued with the processing can be recognized as legitimate (the “purpose test”); 2) the intended processing is necessary for the realization of those interests (the “necessity test”); 3) the balancing of those interests against the interests, fundamental freedoms and fundamental rights of the data subjects weighs in favor of the controller or a third party (the “balancing test”).

14. First of all, the question is what interest and purpose the controller pursued with the further processing of the personal data (purpose test). By passing on the complainant's personal data to a third party, the controller complied with the request of the third party, who wanted to know on whose behalf she had paid the subscription fees, in order to then ensure that that error could be corrected. The interest of the controller was to be able to implement the change in membership in the system so that from then on the payment would be made on behalf of the right person and the customer could be retained. Customer retention can be classified as a legitimate interest.

15. In order to comply with the second condition, it must be demonstrated that the processing was necessary for the achievement of the objectives pursued (necessity test). This means that the question must be asked whether the same result can be achieved without processing personal data, or without a processing that is unnecessarily drastic for the data subjects. The complainant's personal data that were passed on by the defendant to the third party include, as already indicated, her name, mobile phone number, e-mail address, date of birth, as well as the dates of her last visits to the defendant's premises. The purpose that was pursued was to identify the person on whose behalf the subscription fees had been paid, rather than their own. The Disputes Chamber establishes that it was by no means necessary to pass on the complainant's personal data (including the dates on which, and the locations that, the complainant visited) to the third party, since the defendant could have contacted the complainant. The second condition is therefore not met.

[2] Article 6(1)(f) GDPR: Processing is only lawful insofar as at least one of the following conditions is satisfied: the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject which require protection of personal data outweigh those interests, in particular where the data subject is a child.

16. The third condition concerns the “balancing test” between the interests of the controller on the one hand, and the fundamental freedoms and rights of the data subject on the other. In accordance with Recital 47 GDPR, in determining this it must be verified whether the “data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.

17. The foregoing is emphasized by the Court in its judgment “TK v Asociaţia de Proprietari bloc M5A-ScaraA” of December 11, 2019, in which it states: “Also relevant to this consideration are the person's reasonable expectations that his or her personal data will not be processed when, in the given circumstances of the case, the data subject cannot reasonably expect further processing of the data”.

18. The Disputes Chamber establishes that the complainant could not have expected that her personal data, including data regarding her movements, would be passed on to a third party. The third condition is therefore not met. Given the above, the Disputes Chamber determines that legitimate interest was not a valid legal basis for the further processing of the complainant's data. Therefore, the Disputes Chamber determines that there has been an infringement of Articles 5(1)(b) and 6 GDPR.

19. In view of the fact that this concerns a one-off unlawful processing, which may even be attributable to human error, and given that measures have now been taken that seem appropriate to prevent a recurrence, the Disputes Chamber decides that it is not necessary in this case to impose a fine and that a simple reprimand is sufficient.

III. Publication of the decision

20. Given the importance of transparency in the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority. It is not necessary, however, that the identification data of the parties be made public directly.

FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- reprimand the defendant pursuant to Article 100.1.5° of the WOG.

Against this decision, pursuant to Article 108, §1 WOG, an appeal may be lodged within a period of thirty days from the notification with the Marktenhof, with the Data Protection Authority as defendant.

(signed) Hielke Hijmans, Chairman of the Disputes Chamber