APD/GBA (Belgium) - 125/2021

From GDPRhub
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 6(1)(f) GDPR
Article 6(4) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 10.11.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 125/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: gegevensbeschermingsautoriteit.be (in NL)
Initial Contributor: Martijn Staal

The Belgian DPA issued a reprimand against a fitness club for violating Article 5(1)(b) and Article 6 GDPR by sharing the personal data of a member of the club with another member in the context of a payment dispute.

English Summary

Facts

A member of a fitness club (the Complainant) was contacted by another member of the same fitness club (the Third Party). The Third Party informed the Complainant that he had been paying the membership fee of the Complainant because of an error, and that in the context of this payment issue, the fitness club had shared with him personal data relating to the Complainant. These personal data included the name, mobile phone number, e-mail address and date of birth of the Complainant, as well as the dates of the Complainant's last visits to the fitness club.

The Complainant considered that the fitness club had breached the principle of purpose limitation set out in Article 5(1)(b) GDPR because these personal data were initially collected for the performance of the contract between the Complainant and the fitness club. According to the Complainant, the fitness club should not have shared these data with another member of the club because of a payment issue. The Complainant therefore filed a complaint with the Belgian DPA against the fitness club.

The fitness club argued for its part that the disclosure of the Complainant's personal data to the Third Party was lawful because it was compatible with the purpose for which the data were initially collected (i.e. the performance of the contract), and/or based on the legitimate interests of the fitness club to inform the Third Party about a payment issue in order to solve it.

Holding

The Belgian DPA considered that the disclosure of the personal data of the Complainant to the Third Party was made in breach of the principles of data processing.

The Belgian DPA saw no reason why the disclosure of personal data should have been allowed under Article 6(4) GDPR, which provides that the processing of personal data for a purpose other than the one for which it was initially collected can be allowed if that other purpose is compatible with the initial purpose. In particular, the Belgian DPA found that disclosing the Complainant's name, date of birth, etc., to resolve a payment issue was neither compatible with nor necessary for the purpose of performing the contract between the fitness club and the Complainant.

The Belgian DPA also found that the fitness club could not have validly relied on its legitimate interest as a legal basis under Article 6(1)(f) GDPR to disclose the personal data of the Complainant to the Third Party. According to the Belgian DPA, it was indeed not necessary for the fitness club to reveal the identity and other details about the Complainant to the Third Party who was accidentally paying the Complainant's membership fees. Furthermore, the Belgian DPA stressed that the Complainant could not have expected that their personal data, including information about their last visits to the fitness club, would be shared with a Third Party to solve a payment issue. By referring to Recital 47 of the GDPR and to the CJEU judgment in case C-708/18 TK v Asociaţia de Proprietari bloc M5A-ScaraA, the Belgian DPA concluded that the fitness club had failed to properly balance the fundamental rights of the Complainant with the interests of the Third Party or of the fitness club, and that Article 6(1)(f) GDPR could thus not be invoked as a valid legal basis by the fitness club.

Since the unlawful disclosure of the Complainant's personal data was only a single event, most likely caused by a human error, and since in the meantime the fitness club had taken appropriate measures to avoid any further breaches of the GDPR, the Belgian DPA decided not to impose a fine and issued a simple reprimand instead.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Disputes Chamber

Decision on the merits 125/2021 of 10 November 2021






File number: DOS-2020-00292



Subject: transfer of personal data of a member of a sports club to a third party





The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Jelle Stassijns and Frank De Smet;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;


Having regard to the documents in the file;



has taken the following decision regarding:



The complainant: Mrs. X, hereinafter referred to as “the complainant”;

The defendant: Sports Club Y, hereinafter referred to as “the defendant”.




I. Facts and procedure



1. On December 29, 2019, the complainant lodged a complaint with the Data Protection Authority against the defendant.

The object of the complaint concerns the transmission of the complainant's personal data, including her name, address, date of birth, e-mail address and dates of her last visits to the defendant's fitness club, to a third party. The complainant is a member of the respondent's fitness club. At a certain point, the complainant was contacted by a person who indicated that he was in possession of the personal data of the complainant. This third party, who is also a member of the fitness club, stated that he had received personal data concerning the complainant from the defendant. After this third party received a notice of default, following which it was established that his wife had mistakenly paid the complainant's subscription costs (instead of his own subscription costs), the personal data of the complainant were provided by the defendant to this third party. The complaint has been declared admissible by the Frontline Service on the basis of Articles 58 and 60 WOG and transferred to the Disputes Chamber pursuant to art. 62, §1 WOG.


2. On August 12, 2020, the Disputes Chamber decided, on the basis of art. 95, §1, 1° and art. 98 WOG, that the file was ready for processing on the merits.

3. On August 12, 2020, the parties concerned were notified by registered mail of the provisions as stated in article 95, §2, as well as of those in art. 98 WOG. They were also informed, pursuant to art. 99 WOG, of the time limits for submitting their defenses.

4. The final date for receipt of the defendant's statement of defense was thereby set at 9 September 2020, that for the complainant's reply at 23 September 2020, and that for the defendant's statement of reply at October 7, 2020.

5. The parties have not requested to be heard at a hearing.


6. On September 8, 2020, the Disputes Chamber received the statement of defense from the defendant. The defendant acknowledges that personal data of the complainant were passed on to a third party by one of its employees in the fitness club Ledberg. This employee could not be questioned by the defendant because he is currently not working due to personal circumstances.

7. Defendant indicates that it regrets the course of events and points out that, according to the internal guidelines, employees are under no circumstances allowed to provide personal data to third parties. In addition to this, the defendant argues that the role of club employees is decreasing as members are urged to use the principle of “self service”, whereby members can always check certain data themselves and change them if necessary.

In addition, the following measures have been taken: members can get support from customer service if desired; the regional managers and team leaders have been informed about this incident and have been requested to discuss it with all employees; new flyers are being handed out to the employees setting out the obligations from the GDPR that they must adhere to; these flyers will continue to be updated and redistributed in order to maintain awareness of privacy; the club employee who provided the personal data will be addressed the moment he returns; the internal procedure is being improved to avoid similar situations in case of incorrect account numbers.


8. On 17 December 2020, the Disputes Chamber received the statement of reply from the complainant. She indicates therein that she views the proposed measures to prevent the recurrence of such events positively. However, she emphasizes that the processing of personal data in December 2019 was apparently carried out in violation of the GDPR. The complainant requests the Disputes Chamber to impose an appropriate sanction on the defendant.




II. Justification



9. Any processing of personal data must be based on a legal basis. The complainant was a member of the defendant's fitness club and therefore, in the context of the performance of the contract, provided her personal data to the defendant, who was allowed to process the data in the context of that same agreement (Article 6.1 under b GDPR).

10. An employee of the defendant has - as already described above - provided the personal data of the complainant, including her name, address, date of birth, mobile phone number, email address and the dates of the last visits to the fitness club, to a third party, because the latter had paid - admittedly incorrectly - the costs of the complainant's subscription. From the submitted e-mails between an employee of the respondent and it appears that the employee advised the third party to report the theft to the police against the complainant and to provide evidence of that report to the defendant. That advice was followed by the third party and he filed a complaint against the complainant.

11. Article 5(1)(b) of the GDPR provides for the purpose limitation principle, which requires that personal data be collected for specified, explicit and legitimate purposes and then not further processed in a manner incompatible with those purposes.1 The complainant has provided her personal data in the context of a contractual relationship, in the confidence that the data will only be processed where this is a necessary part of that relationship. The Disputes Chamber is of the opinion that the defendant, by passing on the complainant's personal data to a third party, has acted contrary to the principles of data processing. After all, it has, without a valid legal basis, passed on the personal data to a third party. That the third party erroneously paid the subscription fees for the complainant in no way justifies the transfer of the personal data regarding the complainant to that third party. After all, the complainant has provided her personal data for the implementation of the agreement between herself and the fitness club, with the sole purpose of using the sports facilities. It would have been up to the defendant to remedy the administrative error by first contacting the complainant itself and not by passing on her personal data to the third party.

1 Article 5(1)(b) GDPR: Personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) ('purpose limitation').

12. By acting in the manner described above, the defendant has passed on the personal data that it obtained in the context of the execution of the agreement, and has therefore processed them for purposes contrary to the original purpose for which those personal data were obtained, namely the execution of the agreement. According to Article 6, paragraph 4 GDPR, it is allowed in certain cases to process personal data that were initially collected for one purpose for other, compatible purposes (without requiring a separate legal basis). In determining this, the following are taken into account: any relationship between the purposes for which the personal data have been collected and the purposes of the intended further processing; the framework in which the personal data were collected and the relationship between the data subjects and the controller; the nature of the personal data; the consequences of the further processing for the data subject; and the existence of appropriate safeguards. The Disputes Chamber is of the opinion that the assessment of the above elements gives no reason to assume that there was a further and compatible processing in accordance with Article 6, paragraph 4 GDPR. No relationship can be established between the purposes for which the data were collected and the purposes of the further processing, nor can any other lead be found that could justify further processing.

Since this is therefore a processing incompatible with the original purposes, the Disputes Chamber will investigate in what follows whether there is possibly a separate legal basis under which further processing would have been permitted. The only legal basis that could still qualify for this in this case is a legitimate interest. After all, it is established that the data subject has not given consent.





13. Legitimate interest is laid down in Article 6 (1) f) GDPR. The Disputes Chamber will therefore check whether the further processing of the complainant's personal data in this case was lawful under the aforementioned provision.2 In order to be able to determine this, the controller must, in accordance with the case law of the Court of Justice, show that:

1) the interests it pursues with the processing can be recognized as legitimate (the “target test”)

2) the intended processing is necessary for the realization of those interests (the “necessity test”)

3) balancing those interests against the interests, fundamental freedoms and fundamental rights of data subjects weighs in favor of the controller or a third party (the “balancing test”).


14. First of all, the question is what interest and purpose the controller pursued with the further processing of the personal data (target test). By passing on the personal data of the complainant to a third party, the controller complied with the request of the third party, who wanted to know in whose place she had paid the subscription fees, in order to then ensure that that error could be corrected. The interest of the controller was to be able to implement the change in membership in the system so that from now on the payment would be made on behalf of the right person and the customer could be retained. Customer retention can be classified as a legitimate interest.


15. In order to comply with the second condition, it must be demonstrated that the processing was necessary for the achievement of the objectives pursued (necessity test). This means that the question must be asked whether the same result can be achieved by other means, without processing personal data or without processing that is unnecessarily drastic for those involved. The complainant's personal data that were passed on by the defendant to the third party are, as already indicated, among others the name, mobile phone number, e-mail address, date of birth as well as dates of the last visits to the defendant's premises. The purpose that was pursued was to identify the person on whose behalf the subscription fees were paid, instead of their own. The Disputes Chamber establishes that it was by no means necessary to pass on the personal data of the complainant (including the dates on which and the locations that the complainant visited) to the third party, since the defendant could have contacted the complainant. The second condition is therefore not met.




2 Article 6 (1) f GDPR: Processing is only lawful insofar as at least one of the following conditions is satisfied: the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject which require protection of personal data outweigh those interests, in particular where the data subject is a child.




16. The third condition concerns the “balancing test” between the interests of the controller on the one hand, and the fundamental freedoms and rights of the data subject on the other. In accordance with Recital 47 GDPR, when determining this, it must be verified whether the “data subject at the time and in the context of the collection of the personal data can reasonably expect that processing for that purpose can take place”.


17. The foregoing is emphasized by the Court in its judgment “TK v Asociaţia de Proprietari bloc M5A-ScaraA” dated December 11, 2019, in which it states:

“Also relevant to this consideration are the person's reasonable expectations that his or her personal data will not be processed when, in the given circumstances of the case, the data subject cannot reasonably expect further processing of the data”.


18. The Disputes Chamber establishes that the complainant could not have expected that her personal data, including data regarding her movements, would be passed on to a third party. The third condition is therefore not met. Given the above, the Disputes Chamber determines that a legitimate interest was not a valid legal basis for the further processing of the complainant's data. Therefore, the Disputes Chamber determines that there has been an infringement of Articles 5, paragraph 1, b and 6 GDPR.


19. In view of the fact that this concerns a one-off unlawful processing, which may even be attributable to human error, and given that measures have now been taken that seem appropriate to prevent a recurrence, the Disputes Chamber decides that it is not necessary in this case to impose a fine and that a simple reprimand is sufficient.


III. Publication of the decision


20. Given the importance of transparency in the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority. It is not necessary, however, that the identification data of the parties be made public directly.






FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

- reprimand the defendant pursuant to Article 100.1.5° of the WOG.

Pursuant to art. 108, §1 WOG, appeals against this decision must be lodged within a period of thirty days from the notification, with the Marktenhof, with the Data Protection Authority as defendant.











(signed) Hielke Hijmans


Chairman of the Disputes Chamber