AP (The Netherlands) - Boete voor tennisbond vanwege verkoop van persoonsgegevens (Fine for tennis association for selling personal data)
AP - Boete voor tennisbond vanwege verkoop van persoonsgegevens | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 5(1)(a) GDPR; Article 5(1)(b) GDPR; Article 6(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 20.12.2019 |
Fine: | 525000 EUR |
Parties: | Koninklijke Nederlandse Lawn Tennisbond (KNLTB) |
National Case Number/Name: | Boete voor tennisbond vanwege verkoop van persoonsgegevens |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Dutch |
Original Source: | Dutch DPA (in NL) |
Initial Contributor: | CBMPN |
The Royal Dutch Lawn Tennis Association (KNLTB) was fined €525,000 for providing personal data of its members to two sponsors for direct marketing purposes without a lawful basis or proper consent.
English Summary
Facts
According to the KNLTB estimates, there are 1,782 tennis clubs in the Netherlands, of which 1,657 (or 97%) are affiliated with the KNLTB. According to the KNLTB website, almost 570,000 tennis players are affiliated with the KNLTB (via these tennis clubs), making the KNLTB the second largest sports association in the Netherlands.
From March 2018 to October 2018, the KNLTB initiated actions with two sponsors in which personal data such as name, address and place of residence and telephone numbers of KNLTB members were used. One sponsor sent two discount flyers by post to a selection of KNLTB members and the other sponsor called a selection of KNLTB members in a telemarketing campaign to sell products.
On 22 October 2018, the Dutch DPA launched an investigation into the provision by the KNLTB of personal data of its members to sponsors with the aim of approaching the members with ‘tennis-related and other offers’ after receiving tips and complaints from a number of members. On 7 May 2019, the DPA adopted its investigation report.
For one specific marketing campaign, the information of 314,846 members was sent to one of the sponsors.
Holding
The Dutch DPA found that the KNLTB had violated the GDPR by unlawfully sharing members' personal data with sponsors for commercial purposes. Additionally, the KNLTB provided email addresses to a sponsor when they were unnecessary for a telemarketing campaign, thereby increasing the risk of spam and phishing.
Since 2007, the KNLTB has informed its members that their personal data would be shared with sponsors to generate additional income. As a result, the DPA concluded that for members who joined before 2007, their data was originally collected solely for the purpose of executing the membership agreement. The subsequent use of their personal data for commercial purposes was deemed incompatible further processing under Article 5(1)(b) GDPR, as the original purpose (membership administration) did not include sharing data with sponsors for marketing. The KNLTB’s statutes from 2005 did not specify the categories of third parties to whom personal data could be provided or the purposes for which these third parties would use the data. The DPA determined that these objectives were not sufficiently well-defined or explicitly described, as KNLTB members could not reasonably infer that their personal data would be used to generate income through direct marketing by sponsors. Therefore, the KNLTB should not have collected personal data for this purpose.
Further processing of personal data is lawful only if:
- The data subject has given valid consent;
- A provision of Union or Member State law justifies the processing under Article 23(1) GDPR; or
- The new purpose is compatible with the original purpose of collection.
As membership in the KNLTB is mandatory for individuals who wish to join an affiliated tennis club, members could reasonably expect that their personal data would be processed exclusively for membership-related purposes. The DPA considered the non-profit status of the KNLTB and found that members would not have expected their data to be shared with sponsors for commercial reasons.
For members who joined after 2007, the DPA found that the KNLTB lacked a valid legal basis for processing under Article 5(1)(a) and Article 6(1) GDPR, as members were neither adequately informed nor given the opportunity to consent to the data sharing.
The DPA rejected the KNLTB’s argument that the processing was based on legitimate interest, concluding that the commercial interest in generating revenue did not outweigh members' fundamental rights to data protection.
Furthermore, informing members after their personal data had already been collected was not sufficient to justify the processing. The investigation revealed that KNLTB members did not expect the telemarketing campaign, which led to numerous complaints and public controversy. The campaign was ultimately terminated early due to the backlash.
The DPA determined that the KNLTB’s actions constituted a serious GDPR violation, particularly because personal data was shared with third parties for commercial gain. When determining the fine, the DPA considered factors such as the large number of affected data subjects and the culpability of the KNLTB.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Confidential/By courier
KNLTB
[CONFIDENTIAL]
Displayweg 4
3821 BT AMERSFOORT

Date: December 20, 2019
Our reference: [CONFIDENTIAL]
Contact person: [CONFIDENTIAL] 070 8888 500
Subject: Decision to impose an administrative fine

Dear [CONFIDENTIAL],

The Dutch Data Protection Authority (AP) has decided to impose an administrative fine of €525,000 on the Royal Dutch Lawn Tennis Association (KNLTB), because in June and July 2018 the KNLTB provided a file with personal data of its members to two sponsors for the purpose of generating income for the purpose of direct marketing activities of these sponsors. As far as the provision and use of personal data of members who became members of the KNLTB before 2007 is concerned, this is an incompatible further processing. In doing so, the KNLTB violated Article 5, first paragraph, opening sentence and under b, of the GDPR. As far as the provision and use of personal data of members who became members of the KNLTB after 2007 is concerned, there was no legal basis for this. In doing so, the KNLTB violated Article 5, first paragraph, opening sentence and under a in conjunction with Article 6, first paragraph, of the GDPR.

The decision is explained in more detail below. Chapter 1 provides an introduction and Chapter 2 describes the legal framework. Chapter 3 lists the most important facts in this case. In Chapter 4, the AP assesses the facts on the basis of the legal framework and concludes that the KNLTB violated the GDPR. Chapter 5 provides reasons for the amount of the administrative fine. Finally, Chapter 6 contains the operative part and the legal remedies clause.

Dutch Data Protection Authority, Postbus 93374, 2509 AJ Den Haag; Bezuidenhoutseweg 30, 2594 AV Den Haag; T 070 8888 500 - F 070 8888 501; autoriteitpersoonsgegevens.nl

1. Introduction

1.1. Legal entity involved

1.
The KNLTB is an association with full legal capacity that is statutorily established at Displayweg 4 (3821 BT) in Amersfoort. The KNLTB was founded on June 5, 1899 and is registered in the trade register of the Chamber of Commerce under number 40516738. According to the articles of association, last amended on March 4, 2019, the purpose of the KNLTB is to promote the game of tennis in all its manifestations, including other forms of play in which a racket or similar playing equipment is used.

2. The KNLTB is the umbrella organization for tennis and tennis clubs in the Netherlands and is involved in, among other things, advising and supporting the boards of tennis clubs in the areas of club policy, accommodation and legal disputes.[1]

3. According to the KNLTB estimates, there are 1,782 tennis clubs in the Netherlands, of which 1,657 (or 97%) are affiliated with the KNLTB.[2] According to the KNLTB website, almost 570,000 tennis players are affiliated with the KNLTB (via these tennis clubs), making the KNLTB the second largest sports association in the Netherlands.[3]

1.2. Proceedings

4. On October 22, 2018, the AP launched an investigation into the provision by the KNLTB of personal data of its members to sponsors with the aim of approaching the members with ‘tennis-related and other offers’.

5. On May 7, 2019, the AP adopted its investigation report. On 13 May 2019, it sent this report to the KNLTB. The AP sent a copy of the investigation report to [CONFIDENTIAL] of the KNLTB.

6. By letter dated 29 May 2019, the AP sent the KNLTB an intention to enforce due to a violation of Article 5, first paragraph, opening sentence and under b, of the GDPR and Article 5, first paragraph, opening sentence and under a in conjunction with Article 6, first paragraph, of the GDPR. A copy of the intention was also sent to [CONFIDENTIAL] of the KNLTB.

7.
Having also been given the opportunity to do so in the letter of 29 May 2019, the KNLTB provided its written views on this intention and the underlying investigation report by letter dated 25 July 2019. [CONFIDENTIAL] of the KNLTB also has a point of view submitted by way of the document “[CONFIDENTIAL]-marginal notes on the AP investigation report”.

[1] https://www.knltb.nl/over-knltb/wat-doet-de-knltb/.
[2] File document 35 (appendix 6: status as of 13 November 2018).
[3] https://www.knltb.nl/over-knltb/wat-doet-de-knltb/historie.

8. On 1 August 2019, a point of view hearing took place at the offices of the AP, during which the KNLTB orally explained its point of view.

9. On 2 August 2019, the AP asked a number of questions by email that the KNLTB could not yet answer during the consultation hearing. The KNLTB answered these questions by email of 22 August 2019 and 11 September 2019.

10. By email of 20 August 2019, the AP sent the report of the consultation hearing to the KNLTB. By email of 17 September 2019, the KNLTB sent its comments on the report to the AP. The AP sent an amended report on 2 October 2019.

11. On 18 October 2019, the KNLTB responded to the amended report by email.

12. By email of 28 October 2019, the KNLTB provided the KNLTB member database contact protocol to the AP.

1.3. Reason and background for the start of the investigation

13. Following the announcement by the KNLTB to provide personal data of its members to sponsors in order to approach members with tennis-related and other offers, the AP received tips and complaints from a number of members. As a result of the announcement, a member of the KNLTB decided to publicly ask whether this practice of the KNLTB was in line with the GDPR. The media reported that the KNLTB had suspended the provision of telephone numbers to a sponsor under pressure from summary proceedings initiated by one of its members.
This reporting was reason for the AP to invite the KNLTB for a meeting. Following this meeting, the complaints and tips received, and the media reporting, the AP started an investigation into the provision of member data to sponsors by the KNLTB.

2. Legal framework

2.1 Scope of the GDPR

14. Pursuant to the first paragraph of Article 2 of the GDPR, this Regulation applies to the processing of personal data wholly or partly by automated means and to the processing of personal data which form part of a filing system or are intended to form part of a filing system.

15. Pursuant to the first paragraph of Article 3, this Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.

16. Pursuant to Article 4, for the purposes of this Regulation, the following definitions shall apply, in so far as is relevant:
‘1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”) [...];
2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means [...];
[...]
7) “controller” means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data; [...];
[...]
9) “recipient” means a natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not.
[...];
10) “third party” means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
11) “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
[...].’

2.2 Principles: lawfulness, fairness and transparency & purpose limitation

17. Article 5, paragraph 1, introductory phrase (a) and (b) of the GDPR states:
‘Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes pursuant to Article 89(1) (“purpose limitation”);’

18.
Article 6(4) GDPR states:
‘Where processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in assessing whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular as regards the relationship between the data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data relating to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for the data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.’

2.3 Grounds for processing personal data

19. Article 6(1) of the GDPR, insofar as relevant, states:
‘Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(...)
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
(...)’

20. The previous article corresponds to article 8 of the Personal Data Protection Act (Wbp, withdrawn as of 25 May 2018), which stated:
‘Personal data may only be processed if:
a. the data subject has given his unambiguous consent for the processing;
b. the data processing is necessary for the performance of an agreement to which the data subject is a party, or for taking pre-contractual measures in response to a request from the data subject and which are necessary for concluding an agreement;
(...)
f. the data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party to whom the data are disclosed, unless the interests or fundamental rights and freedoms of the data subject, in particular the right to protection of privacy, prevail.’

2.4 Authority to impose an administrative fine

21. The authority to impose an administrative fine arises from Article 58, paragraph 2, opening sentence and under i, read in conjunction with Article 83, paragraph 5, opening sentence and under a, of the GDPR and Article 14, paragraph 3, of the UAVG.

22. Article 58(2)(i) of the GDPR provides that:
‘Each supervisory authority shall have all of the following powers to take corrective measures:
(...)
(i) impose, depending on the circumstances of each case, an administrative fine pursuant to Article 83 (...);’

23. Article 83(1), (2) and (5)(a) of the GDPR provides that:
‘1.
Each supervisory authority shall ensure that the administrative fines imposed pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article 58(2).
(...)
5. Infringements of the provisions below shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles of processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;’

24. Article 14, paragraph 3, of the GDPR states:
‘The Dutch Data Protection Authority may impose an administrative fine not exceeding the amounts specified in those paragraphs in the event of infringement of the provisions of Article 83, paragraphs 4, 5 or 6, of the Regulation.’

3. Facts

25. This Chapter lists the facts relevant to the decision. Of importance are the facts regarding the provision of personal data by the KNLTB to two sponsors, namely [CONFIDENTIAL] (trading under the name [CONFIDENTIAL]; hereinafter [CONFIDENTIAL]) and the [CONFIDENTIAL] ([CONFIDENTIAL]). The purpose of this provision was for the KNLTB to generate (additional) income. The personal data were used by [CONFIDENTIAL] and [CONFIDENTIAL] for their direct marketing activities for which the KNLTB received compensation. [CONFIDENTIAL] and [CONFIDENTIAL] also provided the personal data to [CONFIDENTIAL] and various [CONFIDENTIAL] respectively, in the context of the execution of their direct marketing activities.
The AP has not investigated the lawfulness of the processing of personal data by [CONFIDENTIAL] and the [CONFIDENTIAL], and the processing of personal data by [CONFIDENTIAL] and the [CONFIDENTIAL]. This decision therefore does not assess the legality of the latter processing.

26. The facts relevant to this decision occurred before the last amendment of the articles of association of 4 March 2019. This means that for the description of the facts, insofar as relevant, reference will be made to the articles of association, which were amended on 19 January 2005 (articles of association 2005) or the articles of association as amended on 30 December 2015 (articles of association 2015).

3.1 KNLTB

Objective of the KNLTB

27. According to article 2, first paragraph, of the articles of association 2005 (and also the articles of association 2015), the KNLTB aims to promote the practice of tennis and the development of tennis as a sport. According to the second paragraph, the KNLTB attempts to achieve its objective by, among other things:
a. forming a bond between, if possible, all practitioners of tennis;
b. providing information about tennis and promoting tennis as a leisure activity;
c. disseminating the rules of tennis;
d. taking all measures that can lead to raising the standard of play;
e. announcing, arranging and supporting tennis matches;
f. providing information about and supporting the construction and improvement of tennis courts and facilities;
g. providing information and advice about the administrative organisation of tennis;
h. promoting or undertaking training courses aimed at association management, tennis instructors and referees;
i. representing Dutch tennis in organisations to which KNLTB is or will be affiliated;
j. representing the interests of its members and affiliates;
k. representing its members in and out of court;
l. all other permitted means that are at the disposal of the KNLTB.

KNLTB organisation

28.
According to article 3, paragraph 1, of the 2015 articles of association, the members' council and the association board are, insofar as relevant here, the KNLTB bodies. According to article 3, paragraph 2, of the 2015 articles of association, the members' council represents all members of the KNLTB. According to article 3, paragraph 3, of the 2015 articles of association, the KNLTB is led by the association board, which is accountable to the members' council.

29. According to article 4, paragraph 1, of the 2015 articles of association, the KNLTB has as members:
a. associations [...];
b. association members;
c. personal members.

30. In accordance with Article 4, paragraph 2, of the 2015 Articles of Association, association members are the members of an association as referred to in paragraph 1, sub a of this article, insofar as they have not been expelled from membership by the KNLTB.

31. According to Article 12, paragraph 1, of the 2015 Articles of Association, the association board is charged with, among other things:
a. taking all policy decisions [...]
b. the day-to-day running of affairs;
[...]
e. implementing the decisions taken by the members' council;

Register of members

32. Article 4, paragraph 9, of the 2005 Articles of Association (also the 2015 Articles of Association) stipulates that the association board maintains a register of members. Only the data that are necessary for the realisation of the KNLTB's objective are kept in this register. The association board may, after a prior decision by the members' council, provide registered data to third parties, except for the member who has objected to the provision of data in writing to the association board.

3.2 Decision-making and information provision on providing member data to sponsors

Decision-making on the use of member data for direct marketing purposes by sponsors

33.
In 2007, the members' council, on the proposal of the board of directors, approved the use of the name, address and place of residence of members for letter post campaigns by KNLTB sponsors. The minutes of the members' council meeting in 2007 show that the money resulting from the use of member data is spent on Toptennis, among other things.

34. In 2017, the KNLTB board of directors discussed expanding direct marketing opportunities by providing personal data to partners (sponsors) for electronic and telephone direct marketing purposes. This policy change was subsequently discussed at the board of directors meeting in April 2017. The board of directors informed the members' council, among other things, by means of a memo dated 24 November 2017 about expanding direct marketing opportunities. The aim of this is to ‘create added value’ for the members, but also to generate ‘extra income that will make a structural and substantial contribution to the KNLTB and tennis in the long term’. The members’ council was asked to grant permission to expand the direct communication options towards the members of the KNLTB. This permission related to the provision of personal data of members of the KNLTB for marketing and commercial purposes to current and future structural and future partners with the purpose of approach by telephone/telemarketing. The members’ council agreed to the proposal of the association board in the members’ council meeting of December 16, 2017.

Provision of information by KNLTB

35. Since 2015, new members of the KNLTB have received a welcome email. Since 2018, the subject of privacy has been part of this welcome email.
The welcome email contains the following text regarding privacy aspects under the heading “How does the KNLTB handle your personal data?”:
“We may and can, under strict conditions, make your name and address details and telephone number available to our partners, so that they can approach you with relevant, promotional activities. If you do not wish to be approached by telephone or post with offers, you can exercise your right to object (AP: the text [right to object] is also a shortcut to the right to object form). Your e-mail address will therefore not be provided to our partners, unless you have given permission for this (opt-in). The KNLTB always complies with the applicable laws and regulations in this regard. Would you like more information about the processing of your personal data? Then view our Privacy Statement (AP: the text [Privacy Statement] is also a shortcut to the KNLTB privacy statement).”

36. In the newsletter of 7 February 2018, the KNLTB informed its members about sharing personal data with its partners. Under the heading “Sharing data: added value for members and long-term investment for tennis” the following text is stated:
“The KNLTB would like to create added value for your KNLTB membership by being able to offer you tennis-related and other great deals. In addition, the KNLTB wants to generate additional income with which we can keep tennis affordable for you and your club in the long term. That is why permission was obtained in the Members' Council meeting in December 2017 to provide your data to our partners. Of course, the KNLTB complies with all applicable laws and regulations in this context, and the KNLTB also strictly monitors the use of your data by its partners.
Do you have any questions or would you like to know more?”
The [Read more] button can be used to click through to a web page entitled ‘Fan Marketing & Data’, in which members are informed as follows:
“The KNLTB makes your name and address details and telephone number (if you have opted in) available to our partners under strict conditions, so that they can approach you with relevant promotional activities. Your e-mail address and telephone number will not be provided to our partners without your permission.”
Members are also informed of the possibility of invoking their right to object:
“If you do not wish to be approached by post with offers from KNLTB and/or its structural or incidental partners, you can exercise your right to object. You can report this to the KNLTB Membership Service via an online form.”

37. On 23 February 2018, a news item with a similar content was sent to all association boards and volunteers.

38. In the newsletter of 7 March 2018, the KNLTB informed its members about the change in the way the KNLTB handles the personal data of its members. Under the heading “Change in the way the KNLTB handles your personal data” the following text is stated:
“The KNLTB is continuously looking for ways to create added value for your KNLTB membership. For this purpose, it is necessary to have relevant data and to be allowed to use this data, so that we can approach you and other tennis fans with tennis-related and other relevant offers.
In December 2017, the Members' Council agreed to provide your data to our partners.”
The [Read more] button can be used to click through to a news item from 12 February 2018 on the KNLTB website entitled ‘Change in the way the KNLTB handles your personal data’ in which members are informed as follows:
“The KNLTB makes your name and address details and telephone number available to our partners under strict conditions, so that they can approach you with relevant, promotional activities. Your e-mail address will not be provided to our partners without your permission. We always monitor the actions of our partners and make strict agreements for each action about how they may handle your data. The KNLTB must and wants to always adhere to the applicable laws and regulations.”
This web page also points out to members the possibility of invoking their right to object:
“If you do not wish to be approached by telephone or post with offers from KNLTB and/or its structural or incidental partners, you can make use of your right to object. You can report this to the KNLTB Membership Service via an online form.”

39. Furthermore, the short message “How does the KNLTB handle members’ personal data?” of 23 April 2018 was on the KNLTB homepage for over a month.

40. In response to media attention about the provision of members’ personal data to its partners, the KNLTB posted various news items on its websites www.knltb.nl and www.centrecourt.nl[4] on 23 April 2018 and 13 June 2018, in which members are informed, in short, how the KNLTB handles members’ personal data and how the KNLTB uses its members’ data under strict conditions and in the interest of tennis.

41. The KNLTB has posted a privacy statement on its website.[5] In this statement, members are informed, among other things, about the nature of the personal data processed by the KNLTB, the foundations and purposes of the processing.
According to the privacy statement, personal data are processed for the purpose of offering products, services, events of the KNLTB, the partners of the KNLTB or other parties with which the KNLTB collaborates. With regard to the provision of personal data to partners of the KNLTB, the privacy statement states:
“When it comes to providing name and address details to our partners[6] (making an offer specifically for our members), you are of course entitled at all times to make your objection known via the form provided for this purpose[7] (right to object to direct marketing). Your data will then no longer be provided to our partners, so that they can make an offer to you as a member of the KNLTB. The legal basis for this provision is legitimate interest (and therefore not consent). Telephone numbers are only provided to our partners if a member has given explicit permission for this in advance.”

[4] The KNLTB uses the website www.knltb.nl for communication with tennis players and tennis fans and the website www.centrecourt.nl for communication with tennis clubs and tennis instructors.
[5] Privacy statement, version December 2018.
[6] By clicking on the underlined text, you will be redirected to an overview of the partners that sponsor the KNLTB.
[7] By clicking on the underlined text, you will be redirected to the Right of Objection Form, with which you can electronically object to the sharing of personal data with partners of the KNLTB.

3.3 KNLTB agreements with [CONFIDENTIAL] and [CONFIDENTIAL]

42. From March 2018 to October 2018, the KNLTB initiated actions with [CONFIDENTIAL] and [CONFIDENTIAL] in which personal data such as name, address and place of residence (NAW) and telephone numbers of KNLTB members were used. [CONFIDENTIAL] sent two discount flyers by post to a selection of KNLTB members and [CONFIDENTIAL] called a selection of KNLTB members in a telemarketing campaign to sell [CONFIDENTIAL].
For the direct marketing activities of [CONFIDENTIAL] and [CONFIDENTIAL], the KNLTB provided personal data of its members. The following agreements form the basis for the provision and use of this personal data. KNLTB - [CONFIDENTIAL] Agreement 43. On 15 May 2018, the KNLTB and [CONFIDENTIAL] concluded an Official Supplier Agreement. 44. Article 1.2 of the Official Supplier Agreement stipulates that the KNLTB grants [CONFIDENTIAL] sponsorship rights and/or communication options of the KNLTB (hereinafter: the “Communication Options”) as set out in the appendices attached to the agreement, during the term of the agreement. 45. Section 3 of the Official Supplier Agreement stipulates how [CONFIDENTIAL] makes a sponsorship contribution to the KNLTB. This sponsorship contribution consists of a fixed amount per year (Article 3.1), making vouchers available to the KNLTB (Article 3.2) and offering a discount on items available in the [CONFIDENTIAL] webshop. 46. Article 3 of Appendix 1C (database rights) of the Official Supplier Agreement reads as follows: “For (promotional) campaigns towards individual KNLTB members, the KNLTB will make a selection of the up-to-date address file (name and address details) available to [CONFIDENTIAL] two (2) times per year at the request of [CONFIDENTIAL]. Campaigns must take place in consultation with and after written approval from the KNLTB [...] and comply with the guidelines of the KNLTB.” 47. Appendix 4 of the Official Supplier Agreement concerns the processing agreement in which further agreements have been made about, among other things, the security of personal data (article 4), the possibility of control and audit by the KNLTB (article 5), a confidentiality obligation for [CONFIDENTIAL] (article 6) and the consequences of termination or dissolution of the processing agreement (article 12), namely that, in short, the personal data will be destroyed by [CONFIDENTIAL] as soon as possible or returned to the KNLTB. 
48. In Appendix 6 (Description of processing Personal Data) the following is stated under the heading “Subject, nature and estimated term of the processing”: “Personal data of members of the KNLTB, being in any case name and address details for the purpose of actions by post.” 49. On 1 May 2018, the KNLTB and [CONFIDENTIAL] made additional agreements regarding the delivery of KNLTB member data for the purpose of a direct mail/postal mailing from [CONFIDENTIAL]. The following agreements were made regarding the selection of member data: [CONFIDENTIAL] delivers a file to the KNLTB, after which the KNLTB compiles an address file (with the following data: first name, middle name, last name, street, house number, postal code and city) based on the agreed selection criteria, which is sent to [CONFIDENTIAL]. [CONFIDENTIAL] deduplicates this address file by consulting the statutory registers (such as the Postfilter). KNLTB - [CONFIDENTIAL] Agreement 50. On 28 June 2018, the KNLTB and [CONFIDENTIAL] entered into an agreement. 51. According to article 1.1, the purpose of the agreement is: “The KNLTB will make its ‘adult’ membership file available to [CONFIDENTIAL] for the purpose of (telephone) approach by [CONFIDENTIAL] and/or [CONFIDENTIAL] on behalf of the KNLTB with the offer to become a [CONFIDENTIAL] subscriber, in accordance with the terms and conditions in this agreement.” 52. In article 1.2 of the agreement, the following is stipulated, insofar as relevant here: “The file that [CONFIDENTIAL] receives from the KNLTB meets at least the following conditions: - The records are complete and correct in accordance with the mandatory fields from the enclosed format (see appendix 3); [...] 
- The persons in the file as mentioned above are at least 18 years old, members of the KNLTB and were informed by the KNLTB when registering their personal data about the provision of their personal data to third parties (including [CONFIDENTIAL], [CONFIDENTIAL], [CONFIDENTIAL]); - The persons in the file have not objected to the provision of their personal data to third parties. The text of the KNLTB privacy statement was used for this, as can be found on the KNLTB website. In addition, all KNLTB members were informed in February last year via the members' newsletter about the use of their data for [CONFIDENTIAL] with the option to object to this;” 53. In article 1.6 of the agreement, the following is stipulated, insofar as relevant here: “During the term of this agreement, [CONFIDENTIAL] is permitted to approach the remaining 8 KNLTB members (by telephone) once per calendar year with an offer to become a [CONFIDENTIAL] or [CONFIDENTIAL] subscriber, [...].” 54. Article 3.1 of the Agreement provides, insofar as relevant here, that both parties will be regarded as controllers as referred to in Article 26 GDPR. 55. Article 8.1, insofar as relevant here, stipulates that in the event of termination of the assignment and/or the agreement or if a party so requests, the data (including all copies) will be returned to the KNLTB or destroyed at its request, in which case [CONFIDENTIAL] will declare in writing that this has happened. 56. Appendix 1 (Appendix [CONFIDENTIAL]-KNLTB agreement – Telemarketing pilot campaign) lists the fees for the KNLTB. [CONFIDENTIAL] 57. Appendix 3 (Data exchange format) shows that the mandatory records consist of: gender, initials, first and last name, date of birth, address, postcode, city, (mobile) telephone number, e-mail address, registration date, registration time and tennis club. 58. 
Appendix 5 to the agreement contains further agreements on, among other things, the security of personal data (article 4) and a confidentiality obligation for the parties. 3.4 Provision to and use of personal data by [CONFIDENTIAL] and [CONFIDENTIAL] [CONFIDENTIAL] 59. The KNLTB, together with [CONFIDENTIAL], has compiled a membership file of 50,000 members (hereinafter: membership file) based on selection criteria (and after deduplication). The following data of these members are included in the file: - Campaign ID (numeric code); - Gender; - First name; - Initials; - Surname; - Street; - House number; - House number Addition; - Postal code; - City. 8 The file provided by the KNLTB has been deduplicated by the KNLTB with the right of objection and the right of appeal file of the KNLTB. The file was then deduplicated by [CONFIDENTIAL] for non-Dutch residents, the subscriber base of [CONFIDENTIAL] and the file with ex-subscribers of [CONFIDENTIAL], consumers who were approached by [CONFIDENTIAL] in the past three months, its own right of objection file and other customary registers, such as the Do Not Call Me Register and the Death Register (article 1.5 of the agreement). The part of the original file that remains after deduplication is ultimately used for marketing purposes, which is implied in the word "remaining". 60. On June 11, 2018, the KNLTB placed the membership file on the sFTP server (a secure environment) for the benefit of [CONFIDENTIAL]. 61. On June 11, 2018, [CONFIDENTIAL] deleted the membership file from the sFTP server and sent the membership file to [CONFIDENTIAL] via an sFTP connection. [CONFIDENTIAL] processed the personal data on discount flyers and sent these flyers to the selected members of the KNLTB on July 5, 6, 7 and 8, 2018. [CONFIDENTIAL] 62. 
The KNLTB provided the following data to [CONFIDENTIAL]: - Campaign ID (numeric code); - Gender; - First name; - Initials; - Surname; - Street; - City; - Date of birth; - Postal code; - House number; - House number addition; - Telephone number; - Mobile number; - E-mail; - Association. 63. On 29 June 2018, the KNLTB provided a file with 314,846 unique records to [CONFIDENTIAL]. By this, the KNLTB means that the data mentioned in paragraph 622 of 314,846 unique households were provided. This file was cleaned up by [CONFIDENTIAL] on the basis of ten selections, as included in the Do-Not-Call-Me Register and persons who have an active subscription to [CONFIDENTIAL] and [CONFIDENTIAL]. The file that was ultimately used by [CONFIDENTIAL] contained 39,478 records after the selection. 19,595 records were used for [CONFIDENTIAL] and 19,883 records for [CONFIDENTIAL]. This data was then provided via a secure sFTP server to various [CONFIDENTIAL] for telemarketing purposes.9 9 Initially, the KNLTB placed a file on the sFTP server of [CONFIDENTIAL] on 26 June 2018, but pending the signing of the agreement between [CONFIDENTIAL] and the KNLTB, this file was deleted. On 29 June 2018, a file was placed on the sFTP server of [CONFIDENTIAL]. This file was removed from this server by [CONFIDENTIAL] on the same day. It is striking that [CONFIDENTIAL] and KNLTB give a different picture of the number of records used for the marketing campaign. According to [CONFIDENTIAL], this concerns a number of 39,478; according to the KNLTB, this concerns 21,591 (whereby the KNLTB speaks about the number of members and not about the number of records). See File document 73. 64. The telemarketing campaign started on Monday 16 July 2018 and was terminated prematurely at the request of the KNLTB. 3.5 KNLTB complaint regarding statements by AP chairman 65. On 17 December 2018, an item was broadcast on the television programme Nieuwsuur (NOS/NTR) about the resale of personal data of tennis players and football players. The chairman of the AP was interviewed for this item. Following statements made by the chairman in this interview, the KNLTB filed a complaint with the AP on 21 December 2018, which the AP declared well-founded on 19 March 2019. 4. Assessment 66. 
This chapter successively establishes that the KNLTB, as controller, processed personal data by providing member data to [CONFIDENTIAL] and [CONFIDENTIAL] (paragraphs 4.1 and 4.2); that the AP did not act contrary to its own prioritisation policy by conducting an investigation (paragraph 4.3) and that the AP did not act negligently towards [CONFIDENTIAL] (paragraph 4.4). Paragraphs 4.5 and 4.6 conclude that the AP did not act contrary to the principle of equality and the prohibition of bias, respectively. In paragraphs 4.7 – 4.11, the AP concludes that the provision to and use of personal data by [CONFIDENTIAL] and [CONFIDENTIAL] are not compatible with the original collection purpose of the personal data or that there was no lawful basis for the provision and use. 4.1 Processing of personal data 67. The KNLTB collects data from its members, including for the purpose of maintaining a register of affiliates.10 This includes the name, address, place of residence and telephone number of members.11 This data qualifies as personal data as referred to in Article 4, under 1, of the GDPR because it allows KNLTB members to be directly identified. 68. The KNLTB has provided personal data of its members in file form to [CONFIDENTIAL] and [CONFIDENTIAL] for use in their direct marketing activities. In doing so, the KNLTB has processed personal data as referred to in Article 4, under 2, of the GDPR. 10 Articles of Association 2005, article 5, fourth paragraph. 11 Privacy statement KNLTB, version December 2018. 
4.2 Data controller 69. In the context of the question whether article 5, first paragraph, under a and b, in conjunction with Article 6, paragraph 1, of the GDPR is complied with, it is important to determine who is to be regarded as the controller as referred to in Article 4, opening sentence and under 7, of the GDPR. The determining factor for this is who determines the purpose of and the means for the processing of personal data. 70. The members' council, on the proposal of the board of the association, determined the purpose of the processing, i.e. the use of personal data collected by the KNLTB for generating (additional) income by providing personal data to partners (sponsors) of the KNLTB for their direct marketing activities. The members' council and the board of the association are bodies of the KNLTB. In view of the foregoing, the KNLTB (also) determined the purpose of the processing. 71. The means for the processing, i.e. the manner in which the data processing takes place, was also (jointly) determined by the KNLTB. The KNLTB has attached conditions to the manner in which the personal data are delivered to [CONFIDENTIAL] and [CONFIDENTIAL] and the use by [CONFIDENTIAL] and [CONFIDENTIAL] for their direct marketing activities. In view of this, the KNLTB has (jointly) determined the means for the processing. 72. Since the KNLTB has (jointly) determined the purpose of and the means for the processing of personal data, it qualifies as the controller as referred to in Article 4, under 7, of the GDPR. 4.3 AP's actions not in conflict with its own policy KNLTB's position 73. The KNLTB wonders why the AP did not carry out a risk analysis or whether an investigation was actually necessary, given that the provision to the sponsors had already stopped. 
The KNLTB also believes that the necessity and basis for the investigation are lacking, given the small number of complaints submitted to the AP about the telephone campaign by [CONFIDENTIAL]. 74. Furthermore, the KNLTB wonders why the AP, after receiving tips about the KNLTB's policy, started an investigation. According to the AP's Policy Rules for Prioritizing Complaints Investigations12 (prioritization policy), a norm-conveying conversation should have taken place or the AP should have sent a norm-conveying letter, according to the KNLTB. In this context, the KNLTB points to a passage in the explanation of the prioritization policy, which states that the AP primarily focuses on achieving norm-compliant behavior when handling complaints. In doing so, the AP aims for a pragmatic approach, in which effectiveness and efficiency play an important role. An example of a pragmatic approach, according to the prioritization policy, is that when the AP can achieve norm-compliant behavior in a specific case by contacting the (alleged) offender by telephone, it will do so and the complaint can be settled in that way. 12 Policy Rules for Prioritizing Complaints Investigations, published in the Government Gazette on October 1, 2018. The KNLTB refers to a paragraph from the introduction in section 2.1 of the explanation of the policy. AP Response 75. The AP and its supervisors have various (investigative) powers that they can exercise at any time and spontaneously, in order to be able to adequately supervise compliance with the GDPR. This does not require a preceding and reasoned fact, signal, ground or suspicion.13 In view of this, the AP was not obliged to make a risk analysis of whether the investigation was actually necessary. 
For the exercise of the (investigative) powers, it is also not relevant whether and if so, how many complaints have been received and it is not relevant that the provision of personal data by the KNLTB and the use thereof by [CONFIDENTIAL] and [CONFIDENTIAL] have been terminated. The fact that provision and use have been terminated does not detract from the fact that they did take place. The investigation was precisely intended to answer the question of whether the provision and use of personal data of members of the KNLTB were lawful. 76. To the extent that the KNLTB argues that the AP is acting contrary to its prioritisation policy, the AP considers the following. Leaving aside the fact that the reason for the investigation was not only complaints but also the reporting by the KNLTB and the media attention about it and the conversation that the AP had with the KNLTB on 11 October 2018, the AP investigated the content of the complaints to the extent that this was appropriate. After an initial assessment of the complaints, the AP considered it plausible that it involved the processing of personal data and that one or more violations of the GDPR may have occurred. In view of this and taking into account that it may have involved many data subjects (the KNLTB has almost 570,000 members), the provision could have had serious consequences for the data subjects and the provision caused social unrest, the AP decided to initiate a further investigation. This is fully in line with Article 2 of the prioritisation policy. 77. The KNLTB's argument that the AP, according to its prioritisation policy, should have opted for a norm-transferring conversation after receiving complaints from its members and should have refrained from conducting an investigation, is unfounded. Such an obligation is not included in these policy rules, which concern the prioritisation of investigations following complaints. 
For this reason alone, the policy rules do not form a binding framework for the AP when choosing an enforcement instrument. The AP is therefore not obliged to achieve norm-compliant behaviour in the event of an infringement by contacting the (alleged) offender by telephone. In this regard, the AP points out its basic obligation to take enforcement action against infringements, given the general interest served by doing so. To this end, the AP has the corrective measures referred to in Article 58, paragraph 2, of the GDPR and Article 16 of the UAVG. The AP is free to choose the enforcement instrument, provided that the chosen instrument is sufficiently effective. In this case, the AP has not opted for a norm-transferring conversation due to the large number of people involved, the seriousness of the violation and the social commotion caused by the provision of member data to [CONFIDENTIAL] and [CONFIDENTIAL]. 13 ABRvS 21 August 2019, ECLI:NL:RVS:2019:2832, r.o. 4.1; Rb. Rotterdam, 23 May 2019, ECLI:NL:RBROT:2019:4155, r.o. 15.2; Rb. Rotterdam (Vrznr.) 28 September 2018, ECLI:NL:RBROT:2018:8283, r.o. 6.1.; CBb 12 October 2017, ECLI:NL:CBB:2017:327, r.o. 6.4; CBb 12 October 2017, ECLI:NL:CBB:2017:326, r.o. 4.4; Court of Appeal The Hague 13 June 2013, ECLI:NL:GHDHA:2013:CA3041, r.o. 2.3. 4.4 AP did not act negligently towards FG Position of KNLTB 78. The KNLTB takes the position that the AP wrongly did not involve the FG (the data protection officer) in the investigation, also in view of his willingness to cooperate and provide information. Response of AP 79. The AP firstly considers that during the investigation a copy of the information requests to the KNLTB was also sent to the FG. In addition, the FG has received all relevant correspondence exchanged by e-mail between the AP and the KNLTB. To that extent, the AP has involved the FG in the investigation. For the sake of completeness, the AP also considers the following. 80. 
The FG is an internal supervisor who must advise the controller on compliance with the GDPR. In that capacity as internal supervisor, the FG is in contact with the AP. The AP sees a FG as an essential part of the quality system of an organization with regard to the processing of personal data. In the context of the exercise of its supervisory tasks, the AP is authorized in accordance with the General Administrative Law Act to request any person to provide information or to grant access to documents. These powers are described in Chapter 5 of the General Administrative Law Act. The AP is aware of the delicate balance between the FG on the one hand and the organization or organizational unit that is the controller within the meaning of the GDPR on the other. The AP does work together with the FG, but its supervisory activities must be directed at the controller who is the standard addressee of the GDPR. 81. Although the AP can request information from anyone, including the FG, by virtue of its tasks, the FG is not part of the unit that can be regarded as the controller. The FG cannot give binding instructions to the management about setting up data processing. The AP is therefore authorised to question the controller. It states that in the context of a (possible) specific ex officio investigation, in order to be able to establish an infringement and possibly for enforcement, information must (also) always be requested from the relevant controller itself. The AP notes that the KNLTB itself had the opportunity to involve the FG in the investigation (if desired). 82. In this regard, the AP considers it important to note that in an organisation in which a healthy relationship has been established between the controller and the FG, the FG is expected to be able to provide sound information on behalf of the controller regarding compliance with the GDPR. However, the AP can never depend on this route to obtain the necessary information. 
If the contact between a controller and a FG is not optimal, or if important preconditions for internal supervision are missing, this poses a risk to the reliability of the information obtained. 83. Based on the foregoing, the AP concludes that it has not acted negligently or otherwise improperly towards [CONFIDENTIAL] or the KNLTB by directing its investigation activities at the controller, the KNLTB. 4.5 AP's actions not in conflict with the principle of equality KNLTB's opinion 84. The KNLTB takes the position that the investigation into and possible enforcement action against the provision of personal data by the KNLTB to [CONFIDENTIAL] and [CONFIDENTIAL] is in conflict with the principle of equality. To this end, it argues that the AP has opted for a standard-correcting letter towards [CONFIDENTIAL]14 ([CONFIDENTIAL]) and [CONFIDENTIAL]15 ([CONFIDENTIAL]) for a similar situation and not for enforcement. The AP is also aware of the provision of personal data by other, comparable sports associations to third parties for direct marketing purposes, but only the KNLTB is singled out by the AP for setting a standard. AP's response 85. In the context of conducting an investigation and imposing a sanction, the principle of equality does not extend so far that the authority to do so has been exercised unlawfully simply because another possible offender is not subject to an investigation and no enforcement action is taken. This may be different if there is unequal treatment of equal cases that indicates arbitrariness in the supervisory and enforcement practice of the AP.16 This is not the case. 86. The explanation of the prioritization policy states, among other things, the following: “Because the AP receives many signals, complaints and requests for enforcement and its supervisory field is extensive, it will not always be able to carry out a further investigation, given its limited resources. 
That is why the AP first assesses situations in which there may be a violation, but for which further investigation is required to establish the violation, against its prioritization criteria.” 87. The prioritization policy is (partly) intended to prevent arbitrariness in the choice of cases to be investigated following complaints. Notwithstanding the fact that the investigation into the KNLTB was not only initiated in response to complaints but also in response to a conversation with the KNLTB due to media reporting, the AP has assessed the complaints it received about the KNLTB against its prioritization policy and has concluded on the basis of the prioritization criteria that further investigation into the KNLTB was appropriate (see paragraph 76). To that extent, the claim that the AP was guilty of arbitrariness in conducting the investigation is incorrect. 14 The KNLTB refers to the published letters on the AP website: https://autoriteitpersoonsgegevens.nl/nl/nieuws/banken-mogen-betaalgegevens-niet-zomaar-gebruiken-voor-reclame. 15 The KNLTB refers to the published letter on the AP website: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/brf.-kvk-20dec18-handelsregisterinfoproducten.pdf. 16 CBb 14 August 2018, ECLI:NL:CBB:2018:401, r.o. 7.2. 88. In addition, the AP disputes that the situations mentioned by the KNLTB are the same as the current situation. The letter that the AP sent to [CONFIDENTIAL] was prompted by a bank's intention to further process customer data for direct marketing purposes, which probably violated the provisions of the GDPR. This is in contrast to the provision by the KNLTB that actually took place. 89. The letter to [CONFIDENTIAL] was the result of complaints about the (possibly) unlawful use of personal data by customers of [CONFIDENTIAL] for direct marketing purposes. 
The complaints did not so much relate to the provision of personal data by [CONFIDENTIAL] itself, but to the (possibly unlawful) use of these personal data by parties to whom [CONFIDENTIAL] was provided. Given the tension between the public nature of the trade register, which obliges [CONFIDENTIAL] to provide certain personal data, and the (further) possible unlawful use of personal data from [CONFIDENTIAL], the AP sent a letter to [CONFIDENTIAL] requesting that [CONFIDENTIAL] be reviewed. The AP also sent a letter to [CONFIDENTIAL] and called on it to assess the [CONFIDENTIAL] it provided for privacy aspects and to consider measures to prevent unlawful use as much as possible. There is therefore no question of equal cases. 90. To the extent that the KNLTB argues that other sports associations also applied a similar policy with regard to the provision of third parties for direct marketing purposes, the AP considers that, in accordance with its prioritization policy, it has given priority to investigating the provision of personal data by the KNLTB to [CONFIDENTIAL] and [CONFIDENTIAL] and to take enforcement action against this. The AP notes, for the sake of completeness, that complaints about other sports associations are assessed against its prioritisation policy, which may lead to further investigations into these sports associations as well. If the investigation shows that other sports associations have committed a similar violation, enforcement action will also be taken. 91. In view of the above, the AP concludes that it has not acted in violation of the principle of equality. 4.6 AP has acted without bias Opinion of the KNLTB 92. In its opinion, the KNLTB takes the position that the AP has violated the prohibition on bias. According to the KNLTB, this is evident from the performance of the chairman of the AP in a broadcast of Nieuwsuur on 17 December 2018. 
The KNLTB finds it remarkable that the AP has acknowledged that it acted improperly towards the KNLTB and yet sent an intention to enforce. Response AP By decision of 19 March, the AP declared the complaint that the KNLTB filed with the AP on 21 December 2018 regarding statements made by the chairman of the AP in the television programme Nieuwsuur well-founded. In this decision, the AP acknowledged, among other things, that it could and should have been more nuanced and careful in its statements during this programme on a number of points. Without wishing to detract from the importance of this observed negligence, the AP believes that its statements at that time were not such that there was a violation of the prohibition on bias and that it should therefore not have initiated enforcement proceedings. The (outcome of) the complaint procedure does not provide any starting points for this. In addition, the AP is of the opinion that the investigation and the subsequent decision-making phase took place in accordance with the statutory requirements to be set for this. 4.7 Distinction between processing for collection purposes and further processing 93. The KNLTB processes personal data for multiple purposes. These purposes have changed over time. This has significance for the applicable legal framework against which the provision of member data by the KNLTB to [CONFIDENTIAL] and [CONFIDENTIAL] must be assessed. If the purpose of these provisions qualifies as a collection purpose, a legal basis as referred to in Article 6, paragraph 1, of the GDPR must be present for these processing operations. If the disclosures serve a purpose other than the purpose for which the personal data were originally collected, it must be assessed whether this other purpose is compatible with the purpose for which the personal data were collected. This is the compatibility test in Article 6, paragraph 4, of the GDPR. 
This test must be considered in conjunction with the principle of purpose limitation and compatibility included in Article 5, paragraph 1, point (b), of the GDPR. This article states that personal data may only be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.17 94. If the purpose of the further processing differs from the purpose for which the personal data were originally collected (the collection purpose), such further processing is lawful if: (i) data subjects have given consent to the processing, or (ii) the processing is based on a provision of Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23, paragraph 1, of the GDPR, or (iii) the purpose of the provision is compatible with the (specific, explicit and legitimate) purpose of collection of the personal data.18 17 The principle of purpose limitation also applied under the Personal Data Protection Act (Wbp). Article 9, paragraph 1, of the Wbp stipulates that personal data may not be further processed in a manner incompatible with the purposes for which they were obtained. 95. If the purpose of the further processing is compatible with the purpose of collection, no separate legal basis other than the one on the basis of which the collection of personal data was authorized is required for the further processing.19 96. If the further processing takes place for a purpose other than the purpose of collection, but no consent has been given for this, it is not based on a legal provision or is incompatible with the purpose of collection, the processing is unlawful due to the lack of a basis. 
A controller cannot therefore regard the further processing as a new processing that is separate from the original processing and ‘circumvent’ Article 6, paragraph 4, of the GDPR by using one of the legal bases in Article 6, paragraph 1, of the GDPR to legitimise the further processing.20

97. In order to assess whether the KNLTB has lawfully provided personal data of its members to [CONFIDENTIAL] and [CONFIDENTIAL], it will have to be determined for which purposes the KNLTB has collected personal data and whether these have been further processed for another purpose.

4.8 Collection purposes of personal data of KNLTB members

98. The purpose limitation principle of Article 5, paragraph 1, under b, of the GDPR is an important starting point for data protection. According to the purpose limitation principle, purposes must be well-defined and explicitly described, which means that a purpose of a processing must be formulated in such a way that it can provide a clear framework for the question to what extent the processing is necessary for the described purpose in a specific case. In addition, the purpose must be justified, which means that the purpose is in accordance with the law, in the broadest sense of the word. This means in any case (but not exclusively) that the processing for the purpose must be based on the legal grounds mentioned in article 6, paragraph 1, of the GDPR.21

99. Various documents are important for determining the purposes for which the KNLTB collects and has collected personal data. For the period before 2007, the 2005 statutes are important. Although the collection purposes are not explicitly described therein, they can be inferred from them.

18 This is stated in article 6, paragraph 4, of the GDPR.
19 See also recital (50) of the GDPR.
20 This follows from the wording of Article 5, paragraph 1, under b, of the GDPR (‘(...) may not subsequently be further processed in a manner incompatible with those purposes (...)’) and from WP29 Opinion 03/2013 On purpose limitation, p. 40.
21 WP29, Opinion 03/2013 on purpose limitation, p. 19-20.

100. Persons who join a tennis club as a member thereby become members of the KNLTB.22 The following is stated in the 2005 articles of association: ‘The board of the association keeps a register of members. Only those data that are necessary for the realization of the purpose of the KNLTB are kept in this register. The board of the association may, after a provide registered data to third parties, except for the member who has lodged a written objection to the provision with the board of the association.’23 The statutory objective of the KNLTB is to promote the practice of tennis and the development of tennis in the Netherlands.24 The KNLTB attempts to achieve this objective by, among other things, promoting tennis as a leisure activity, taking all measures that can lead to raising the level of play and promoting the interests of its members and affiliates, and deploying all other permitted means that the KNLTB has at its disposal.

101. Although this does not explicitly follow from the 2005 articles of association, the AP concludes from the factual context25 of these articles of association that the KNLTB has in any case collected personal data from members in order to implement the membership agreement.26 This is also not under discussion. Nor is it disputed that the processing for this legitimate purpose takes place on the basis of 'necessary for the performance of an agreement' as referred to in Article 6, paragraph 1, under b, of the GDPR (and until 25 May 2018, the date on which the GDPR became applicable, on the basis of Article 8, under b, of the Wbp).

102. Two other collection purposes can be derived from the 2005 statutes.
Firstly, the collection (and further use) of personal data to the extent that this is necessary for the realisation of the KNLTB's objective, namely the promotion of the practice of tennis and the development of tennis in the Netherlands. Secondly, the collection of registered data (personal data) with the aim of providing it to third parties. The statutes do not contain any information about the (category of) third parties to whom personal data can be provided, nor any information about the purposes for which the personal data are used by these third parties. The AP takes the position that these objectives are in any case not well-defined and explicitly described because members of the KNLTB could not infer from this that their personal data would also be used to generate income by providing it to sponsors for their direct marketing activities. The KNLTB should therefore not have collected personal data for that purpose.

103. In 2007, the KNLTB formulated a new (collection) objective. The KNLTB Members’ Council then agreed to the proposal of the board of directors to expand the communication options of KNLTB sponsors, i.e. the use of names, addresses and places of residence (name and address details) of members for letter post campaigns. From the accompanying minutes of the members' council meeting in 2007, the AP concludes that these are advertising messages from KNLTB sponsors with which the KNLTB generates additional income. In accordance with the articles of association of 19 January 2005 (valid at the time of the members' council meeting in 2007), members of the KNLTB are obliged to comply with decisions of KNLTB bodies.27 It may therefore be assumed that new members from 2007 onwards have taken note of this new collection objective when they registered with the KNLTB, which can be described more generally as generating income by providing member data to sponsors for their direct marketing activities.

22 Article 6, paragraph 2, of the 2005 and 2015 Articles of Association.
23 Article 4, paragraph 9, of the KNLTB Articles of Association of 19 January 2005 and Article 4, paragraph 9, of the KNLTB Articles of Association of 30 December 2015.
24 Article 2, paragraph 1, of the 2015 Articles of Association.
25 In WP29, Opinion 03/2013 on purpose limitation (p. 23-24) it is stated that it is necessary to take into account the factual context: ‘As previously highlighted in the context of purpose specification, it is always necessary to take account of the factual context and the way in which a certain purpose is commonly understood by relevant stakeholders in the various situations under analysis.’
26 Article 2, first paragraph, of the 2005 articles of association.

104. In December 2017, the members' council again gave permission for the provision of personal data of members of the KNLTB for marketing and commercial purposes to current and future structural and future partners with the aim of approaching by telephone/telemarketing. According to the AP, this purpose can be classified under the purpose of generating income by providing member data to sponsors and as such does not qualify as a new (collection) purpose.

105. To the extent that the KNLTB argues in its opinion that the purposes mentioned in the KNLTB articles of association of 4 March 2019 (2019 articles of association) and the December 2018 privacy statement, including the provision of personal data to partners, are specific, explicitly described and justified and ‘have always been central to the KNLTB, both now and before 2007, and (...) have always been communicated as such’, the AP considers that the 2019 articles of association and the privacy statement are not relevant, because these documents only came into effect after the provision of member data to [CONFIDENTIAL] and [CONFIDENTIAL] in June 2018.
To the extent that the KNLTB refers to the newsletters about the provision of personal data to sponsors, it also applies that these were sent to the members after 2007. For the question of whether it was known before 2007 that member data would be provided to partners, it is not these documents but the 2005 articles of association that are decisive and, as already established, this purpose is not clearly and explicitly described therein.

106. Based on the above, the AP establishes that the KNLTB has informed its members since 2007 about its purpose for providing member data to sponsors, namely generating (additional) income.

107. Based on the above, the AP concludes that the KNLTB has collected personal data of members who became members of the KNLTB before 2007 for the purpose of executing the membership agreement.28 Since 2007, the KNLTB has started collecting personal data of its members for the purpose of generating income by providing this data to sponsors. For members who became members before 2007, the provision of member data to sponsors qualifies as further (AP in italics) processing of personal data. For members who became members of the KNLTB after 2007, this purpose qualifies as a collection purpose.

27 Based on article 6, paragraph 1, under a, viewed in conjunction with article 3, paragraph 1, of the Articles of Association of 19 January 2005 (which applied at the time of the provision), members are obliged, among other things, to comply with decisions of bodies of the KNLTB (including the members' council).
28 Article 2, paragraph 1, of the 2005 Articles of Association.

108. In the following, the AP distinguishes between two situations for the assessment of whether the personal data have been processed by the KNLTB in a lawful manner. The first situation concerns the processing of personal data of members who joined before 2007.
In this case, the AP qualifies the provision of member data to sponsors for the purpose of generating (additional) income as processing for a purpose other than that for which the personal data were originally collected (i.e. further processing). For members who joined after 2007, the provision of their personal data to sponsors was known as a purpose and qualifies as a collection purpose.

4.9 Compatibility of purposes in the case of membership before 2007

109. For members who joined the KNLTB before 2007, the provision of member data to sponsors for the purpose of their direct marketing activities for the purpose of generating (additional) income for the KNLTB is considered further processing. This is lawful if (1) members have given consent to the processing, or (2) the provision is based on a provision of Union law or a provision of Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23, paragraph 1, of the GDPR, or (3) the purpose of the provision is compatible with the purpose for which the personal data were originally collected. In the following, it will be assessed whether one of these situations applies.

No consent

110. It is not disputed that no consent was obtained from the members of the KNLTB for the provision of personal data to sponsors. However, the members' council did agree to the provision. To the extent that the KNLTB argues that this consent qualifies as consent within the meaning of the GDPR, the AP considers that this is not the case. After all, consent must be given by the data subject by means of a clear, active act that shows that the data subject freely, specifically, informed and unambiguously agrees to the processing of his or her personal data.29 The consent of the members' council in 2007 does not meet these requirements, as it did not obtain consent from the individual data subjects.

111. The AP concludes that the KNLTB did not obtain consent from its members to provide membership data to sponsors.

Provision is not based on a statutory provision

112. It is also not disputed that the provision of personal data to sponsors is not based on a provision of Union law or a provision of Member State law that in a democratic society constitutes a necessary and proportionate measure to safeguard the objectives referred to in Article 23, paragraph 1, of the GDPR.

29 Recital (32) of the GDPR.

Further processing is incompatible

113. The principle of purpose limitation (Article 5, paragraph 1, sub b, of the GDPR) implies that personal data are collected for specified, explicit and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes. In view of the principle of purpose limitation, it will have to be examined whether the processing of personal data for the purpose of generating additional income is compatible with the purpose for which the personal data were initially collected. In doing so, account must be taken of, among other things (Article 6, paragraph 4, of the GDPR):
(a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing;
(b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data relating to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Relationship purposes

114. The KNLTB has stated in its opinion regarding the investigation report that the collection purpose and the purpose of further processing are closely related and are an extension of each other. According to the KNLTB, the purpose of providing personal data is to be able to give the best possible content/added value to the membership of the members. Both the discounts that are given to the members with the campaigns, and the financial benefits that result from them, benefit these members, so that they will experience the added value and benefits of this in any case. After all, even if they do not participate, the members experience the benefits of the proceeds of the campaigns, which are invested in the members and the sport of tennis. The KNLTB also states that the AP wrongly failed to address the objectives communicated by the KNLTB in the investigation report, referring to its statutes and privacy statement.

115. The AP considers as follows. The KNLTB originally collected personal data (of members who became members before 2007) for the purpose of executing the membership agreement and not for the purpose of generating (additional) income by providing it to sponsors. According to the AP, there is no connection between the two purposes.

Framework in which personal data were collected

116. The KNLTB states that its members could expect that their personal data would also be provided to sponsors for the purpose of their direct marketing activities in order to generate income. To this end, the KNLTB primarily argues that the members have been informed about this on many occasions. Furthermore, without the direct marketing activities of sponsors/partners, the members would not enjoy any additional benefits, as a result of which the added value of association membership would not be (directly) seen by the members, according to the KNLTB. The members also benefit from keeping tennis accessible and affordable.
In addition, it would go against the expectations of the members if another method of generating additional income were chosen, such as increasing the membership fee or abolishing free tennis lessons for children under the age of six. The KNLTB also emphasises that membership is a free choice, because it is possible to become a member of an association that is not a member of the KNLTB or to set up a (tennis) club yourself. In addition, members can invoke their right to object to prevent the KNLTB from providing information to its partners. The KNLTB also adds that the members' council plays an important role, represents all members, is in close contact with the associations and translates the strategic policy of the KNLTB and its importance/consequences for the tennis associations and its members. According to the KNLTB, the members' council is therefore a link that should not be underestimated, which assesses, communicates, represents, listens to and (also) influences the reasonable expectations of the other members.

117. The personal data of the members of the KNLTB (insofar as they became members before 2007) were collected in the context of the execution of the membership agreement. In any case, it must be assessed whether the provision by the KNLTB to sponsors in order to generate (extra) income was in line with the reasonable expectations of the members, based on their relationship with the KNLTB (as the controller). According to the AP, this is not the case. Prospective members who join a tennis club that is a member of the KNLTB automatically become a member of the KNLTB. Someone who wants to become a member of a tennis club that is a member of the KNLTB does not have the option of not providing their personal data to the KNLTB; after all, these are necessary for the execution of the membership agreement.
Given the mandatory membership, the members could have expected that their personal data would only be used for the collection purpose, the execution of the membership agreement. In this respect, the AP takes into account that the KNLTB is a non-profit organisation and that for this reason too, members could not expect that their personal data would be provided to sponsors with commercial motives. This applies all the more to the provision of personal data to and the use thereof by [CONFIDENTIAL], which did not make tennis-related offers (such as [CONFIDENTIAL]) but offered [CONFIDENTIAL]. The incidental fact that members of the KNLTB had a chance to win a trip to a tennis match in London when purchasing a [CONFIDENTIAL] does not alter this. The fact that the KNLTB informed its members in various ways prior to the provision of their personal data about the further processing of their personal data is not a circumstance that is relevant to the context in which the personal data were collected. After all, the members were only informed after (AP italics) their personal data had been collected. In addition, the facts from the investigation indicate that the members of the KNLTB had not expected the telephone campaign from [CONFIDENTIAL]. Although the KNLTB informed its members about the provision of personal data to sponsors, the telephone campaign led to many complaints and commotion in the media, which was also a reason to prematurely stop the telephone campaign.

Nature of the personal data provided

118. In its opinion, the KNLTB points out that only data that is necessary to contact the members, namely name and address details and telephone number, have been provided to third parties. No special categories of personal data have been provided. No personal data of minor members have been provided, nor have e-mail addresses of members, as there is a greater risk of spam in this case.

119. The AP establishes that the KNLTB has indeed not provided any special categories of personal data to [CONFIDENTIAL] and [CONFIDENTIAL]. Assuming that the KNLTB acted in accordance with its contact protocol, no personal data of persons under the age of 16 were provided.30 However, the KNLTB did provide e-mail addresses to [CONFIDENTIAL] while this was not necessary for the telemarketing campaign, which unnecessarily increased the risk of spam and phishing, for example.

Possible consequences of further processing

120. In its opinion, the KNLTB emphasises that the campaigns of [CONFIDENTIAL] and [CONFIDENTIAL] were positively received by most members and had a high conversion rate. In addition, according to the KNLTB, the campaigns also had positive consequences for members who did not use them. After all, the proceeds from the campaigns are invested in the members and in tennis. The KNLTB points out that when selecting the members who were approached in the context of the campaigns, an attempt was made as much as possible to prevent members from being approached undesirably, because they already had a subscription or were registered in the do-not-call register. The KNLTB also argues that the provision does not imply a loss of control over personal data. To this end, it argues that members were sufficiently informed about the provision of their personal data and could have objected to it. Furthermore, according to the KNLTB, the provision did not create any additional risks for the rights and freedoms of the data subjects, because various measures were taken to ensure the security of personal data, such as the use of a secure sFTP server, the partner agreement, the contact protocol, the call script, the immediate deletion of data after use and monitoring whether the agreement is being complied with. Finally, the KNLTB states that the negative consequences of the provision are limited: a discount flyer in the mailbox and/or being called once.
According to the KNLTB, these consequences cannot be called far-reaching.31 In this context, the KNLTB also argues that the telemarketing campaign was terminated prematurely in connection with complaints about its implementation.

30 The agreement with [CONFIDENTIAL] states – unlike the KNLTB contact protocol – that the persons in the file must be at least 18 years old.
31 The KNLTB refers to the ruling of the Amsterdam District Court of 12 February 2004, ECLI:NL:RBAMS:2004:AO3649 and to a document from 2002 from the then Dutch Data Protection Authority: https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/uit/z2002-0881.pdf.

121. The AP considers that the disclosures have caused the members of the KNLTB to lose control over their personal data and that their privacy has been violated. The fact that, as the KNLTB states, the generated income fully benefits the members and the sport of tennis does not change this. The members could have trusted that the KNLTB would only use their personal data for the execution of the membership agreement and would not provide it to sponsors. The seriousness of the infringement is partly determined by the following circumstances. Firstly, the KNLTB left the selection of the members to be called to [CONFIDENTIAL], which resulted in personal data being provided for 314,846 members, while [CONFIDENTIAL] only selected 39,478 members (less than 13%) to be approached. Secondly, personal data that were not necessary for a telephone campaign, including the e-mail address, were provided to [CONFIDENTIAL]. This is all the more pressing as the KNLTB explicitly pointed out in its news reports that the e-mail address would not be provided to [CONFIDENTIAL] without permission and this is in conflict with rule of thumb 2 (‘only provide necessary data’) from the Sports & Privacy Handbook.
To that extent, the KNLTB provided an unnecessary amount of personal data of an unnecessary number of members to [CONFIDENTIAL]. Thirdly, both [CONFIDENTIAL] and [CONFIDENTIAL] have provided personal data to [CONFIDENTIAL] and various [CONFIDENTIAL] respectively for the purpose of carrying out their direct marketing activities. This also means that the risk of a breach of their personal data may have increased for these members.

122. In addition, the KNLTB ignores the fact that (unwanted) receipt of a discount flyer and telephone sales can be experienced as a nuisance. This applies in particular to the telephone campaign of [CONFIDENTIAL] which was stopped prematurely for that reason. The stated high conversion of the campaigns of both sponsors and the income for the KNLTB do not detract from the fact that the many members whose personal data were provided, but not used for the campaigns, did not experience any benefit from the provision of their own personal data.

Appropriate safeguards

123. In its opinion, the KNLTB points out the safeguards it has taken to ensure the security of personal data. The KNLTB also refers to several older decisions by predecessors of the AP (the Registration Chamber and the Dutch Data Protection Authority (CBP)) which stated that safeguards could have a positive or sometimes decisive effect on the compatibility assessment.32

124. The AP considers that appropriate measures as referred to in Article 6, paragraph 4, of the GDPR can serve as ‘compensation’ for the fact that data are further processed for a purpose other than the collection purpose.33 According to the AP, the measures taken by the KNLTB, such as the possibility of objection, do not provide sufficient compensation in this case for the infringement that the KNLTB has made on the personal privacy of data subjects with the provision of data. Firstly, these are measures that the KNLTB was obliged to take.
Secondly, these measures could not prevent an unnecessary amount of personal data from being provided to [CONFIDENTIAL] in particular and personal data from ending up with third parties, namely various [CONFIDENTIAL] and [CONFIDENTIAL]. The members of the KNLTB were not or at least insufficiently informed about this.34 It would have been up to the KNLTB to fully inform its members about which personal data would be provided to which sponsors and to inform its members that these would also be provided to third parties in the context of the implementation of the direct marketing activities. Given the original collection purpose, the implementation of the membership agreement, and the reasonable expectations of its members that their personal data would not be used for commercial purposes by sponsors, it would also have been up to the KNLTB to ask its members for permission to do so. However, this did not happen.

32 The KNLTB refers to: https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/uit/z2005-0703.pdf (from 2005); https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/uit/z2005-1447.pdf (from 2005); https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/uit/z2002-0881.pdf (from 2002) and https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/rapporten/rap_2003_onderzoek_kpn.pdf with a quote from Registratiekamer, The Hague, July 1999, Background Studies & Explorations 14, p. 19.
33 WP29 Opinion 03/2013 On purpose limitation, p. 26.

Conclusion AP

125. Given the circumstances that there is no connection between the collection purpose and the purpose of the further processing, the provision to [CONFIDENTIAL] and [CONFIDENTIAL] is not in line with the reasonable expectations of the members, the consequences of the provision for the members of the KNLTB and that the measures taken by the KNLTB do not provide sufficient compensation for this, the AP concludes that the further processing for the purpose of generating income is not compatible with the collection purpose, implementation of the membership agreement.

4.10 Basis for processing personal data in the case of membership after 2007

126. For members who became members of the KNLTB after 2007, it is assumed that the purpose of generating additional income by providing personal data to sponsors was known to the members. The processing of these personal data must be based on a legitimate basis. According to the KNLTB, the processing of personal data for the purpose of generating additional income is necessary for the promotion of its legitimate interests, now that its membership (and thus the income of the KNLTB) has fallen sharply over the past ten years. Our own research has shown that the cause of this lies in the fact that members see little added value in membership of the KNLTB.

AP gives incorrect interpretation to the concept of legitimate interest

127. The KNLTB takes the position that the AP gives an incorrect interpretation to the concept of ‘legitimate interest’ in its research report by concluding that an interest only qualifies as legitimate if this interest can be traced back to a fundamental right or legal principle. This interpretation cannot be traced back to:
- the text of the law itself;
- information provided by European privacy supervisors (including the AP);
- case law;
- guidelines of the European Data Protection Board (EDPB).
According to the KNLTB, the interest must be ‘lawful’, which follows from the guidelines of the EDPB and the website of the ICO (Information Commissioner’s Office, the supervisory authority in the United Kingdom).

34 WP29 Opinion 03/2013 On purpose limitation.

AP considerations

128. The AP considers that its conclusion that a legitimate interest must be traceable to a fundamental right or legal principle follows from the system of the GDPR. After all, processing personal data is always an interference with the fundamental right to protection of personal data. As a result, every processing is in principle unlawful. This also follows from Article 6, paragraph 1, of the GDPR, which states that processing is only lawful if and to the extent that at least one of the conditions mentioned under a to f (bases for processing) is met.

129. The GDPR thus provides a legal basis for processing personal data. This basis consists (in addition to consent) of five other bases. The basis mentioned in Article 6, paragraph 1, under f, of the GDPR is important here: the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require protection of personal data outweigh those interests, in particular where the data subject is a child.

130. For a successful appeal to the basis of legitimate interests, three cumulative conditions must be met for the processing of personal data to be lawful. Firstly: the pursuit of a legitimate interest of the controller or a third party. Secondly: the necessity of processing the personal data for the purposes of the legitimate interest. And thirdly: the condition that the fundamental rights and freedoms of the person concerned by the data protection do not prevail.

131. The first condition is that the interests of the controller or a third party qualify as legitimate. This means that these interests are designated in (general) legislation or elsewhere in the law as a legal interest. It must concern an interest that is also protected in law, that is considered worthy of protection and that must in principle be respected and can be ‘enforced’.

132. The controller or third party must therefore be able to rely on a (written or unwritten) legal rule or legal principle. If that legal rule or legal principle is (sufficiently) clear and precise for the data subject with regard to the processing of personal data and/or its application is (sufficiently) predictable, then the processing can take place on the basis of the grounds mentioned in Article 6, paragraph 1, under c and e, of the GDPR (legal obligation or performance of a task in the public interest). But there are also cases where the legal rule or legal principle with regard to the processing of personal data is not (sufficiently) clear and accurate for the data subject and/or its application is (insufficiently) predictable.

133. In these cases, the controller or third party may still have legitimate interests. These interests themselves must always be real, concrete and direct. And therefore not speculative, future or derived. In principle, it can be any material or immaterial interest.

134. However, the mere interest in being able to monetize personal data or make a profit from it does not in itself qualify as a legitimate interest. Not only because such an interest will usually be insufficiently specific - in a sense, everyone always has an interest in having more money - but also, more fundamentally, because it is then assumed that a trade-off may then be made.
And a trade-off between:
- the single non-legally/rightfully protected interest that a party has in monetising another person's personal data as effectively as possible on the one hand,
- the fundamentally anchored interest that the data subject has in protecting his personal data on the other hand.

135. There are few restrictions on the commercial possibilities when applying the grounds of consent and agreement. However, in the case of processing that is necessary for the protection of the legitimate interests of the controller, it essentially concerns processing outside the will of the data subject. This is the domain where the rights of controllers clash with the fundamental rights of data subjects. The idea that it would in principle be permitted to earn money by infringing on another person's fundamental rights on one's own authority is at odds with the principle that the data subject - apart from the intervention of the legislator - should have control over his data. Such a broad possibility for weighing up cannot therefore be what the GDPR intends and is also not mentioned, permitted or advocated by the Article 29 Working Party on Data Protection (WP29).35

136. The justification of the interest is – also according to WP29 – decisive for the question of whether the ‘threshold’ is reached for making a weighing up. After all, the weighing up (necessity and balancing of interests) is not relevant if the ‘justification’ threshold is not reached. In other words: If the controller cannot rely on a legally protected interest – after all, the data subject can do so – then there can be no question of necessity and neither of weighing up both legal interests. Conversely, this means that the protection provided by the closed system of foundations could easily be undermined if the mere interest of making money were already a legitimate interest.
After all, it can then also easily be claimed under certain circumstances that the income in question is urgently necessary, given the interest in making as much money as possible. And then in fact only a material consideration remains - to be made by the person with the financial interest himself - between earning money himself and giving up the fundamental rights of others. In the extreme case, one could then argue that if a great deal of money is involved, the infringement of fundamental rights should be proportionately greater. That is clearly not the intention. The fundamental right to the protection of personal data would then become largely illusory.
[35] WP29 Opinion 06/2014 on the “Notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC”.
137. The freedom to conduct a business is a recognition in the Charter of the freedom to pursue an economic or commercial activity and a recognition of contractual freedom and free competition. All of this is of course not unlimited, but only ‘in accordance with Union law and national laws and practices’. This means, among other things, that entrepreneurs may in principle decide for themselves who they do business with and who they do not, may set their own prices, etc. But it is not the case that the general fundamental right to conduct a business means that the right also protects the interest in earning (as much) money as possible in itself. Or that it follows from this that ‘being able to make less profit’ results in a conflict with the fundamental right to privacy or data protection of others. Just as this does not imply that, for example, the fundamental right of others/customers to property may be violated under certain circumstances with reference to freedom of enterprise. On the other hand, entrepreneurs do have the necessary duties of care for their employees and/or their customers.
These are laid down in concrete or general legal standards. Being able to give substance to these is a legitimate interest.
138. The foregoing entails that legitimate interests have a more or less urgent and specific character that arises from a (written or unwritten) legal rule or legal principle; it must be unavoidable in a certain sense that these legitimate interests are served.[36] Purely commercial interests and the interest of profit maximization lack sufficient specificity and lack an urgent ‘legal’ character so that they cannot qualify as legitimate interests.
139. This also follows, albeit in slightly different wording, from Opinion 06/2014 of the Article 29 Data Protection Working Party on the concept of “legitimate interest of the controller” in Article 7 of Directive 95/46/EC. This Opinion states, among other things, that: ‘An interest can therefore be considered legitimate as long as the controller can pursue this interest in a manner that is consistent with data protection and other legislation. In other words, a legitimate interest must be “acceptable under the legislation”’.[37]
[36] See, for example, the judgment of the European Court of Justice of 4 May 2017, ECLI:EU:C:2017:336, paragraph 29: ‘[...] that the interest of a third party in obtaining personal data from the person who has caused damage to his property, in order to recover the damage from that person in court, is a legitimate interest’. See in that sense the judgment of the European Court of Justice of 29 January 2008, ECLI:EU:C:2008:54, paragraph 53.
[37] WP29 Opinion 06/2014 on the “Notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC”, p. 25.
According to the KNLTB, its interest qualifies as legitimate
140. The KNLTB then argues that, even if the AP’s explanation is correct, it ignores the fact that the KNLTB’s interest in processing personal data can be traced back to the GDPR. Recital 47 of the preamble to the GDPR states that the processing of personal data for direct marketing purposes can be considered as carried out with a view to a legitimate interest. The KNLTB also refers to Article 16 of the Charter of Fundamental Rights of the European Union, the freedom to conduct business. According to the KNLTB, the AP has previously based this legal standard on assessments of the legitimate interest.
AP considerations
The AP first notes that the provision of member data to [CONFIDENTIAL] and [CONFIDENTIAL] serves two interests of the KNLTB: (1) the interest of providing added value for membership and (2) the interest of reducing the reduced income due to declining membership numbers.
141. The interests stated by the KNLTB lack a more or less urgent nature that arises from a (written or unwritten) legal rule or legal principle. To the extent that the KNLTB refers to Article 16 of the Charter of Fundamental Rights of the European Union, the freedom to conduct a business, the same applies. In addition to contractual freedom, this fundamental right regulates the freedom to exercise an economic or commercial activity. However, the importance of these freedoms is insufficiently concrete and direct to qualify as a legitimate interest. In this context, the AP considers that with the provision of data, the KNLTB does not give substance to concrete or general legal standards that relate to its duties of care as an ‘entrepreneur’. The AP therefore concludes that neither the interests stated by the KNLTB nor the interests named by the AP qualify as legitimate.
142. The conclusion is that the interest of the KNLTB in the provision of personal data of members to [CONFIDENTIAL] and [CONFIDENTIAL] does not qualify as a legitimate interest. Since the provision of data could not be based on a different legal basis than that stated in Article 6, first paragraph, of the GDPR, the AP concludes that the provision of data in question took place unlawfully.
4.11 Secondary position on the assessment framework for third-party provision
143. As described in Article 6, paragraph 4, GDPR, the assessment of further processing is relevant if, in summary, the processing takes place for a purpose other than that for which the personal data were collected. The AP is of the opinion that this assessment is in principle limited to further processing of personal data by the controller itself within its own business operations. For the provision of personal data to a third party, the controller must have a separate basis as referred to in Article 6, paragraph 1, GDPR. The presence of a separate basis has not been demonstrated.
5. Fine
5.1 Introduction
144. The KNLTB has provided personal data of its members to [CONFIDENTIAL] and [CONFIDENTIAL] without a lawful basis – and therefore unlawfully. In doing so, the KNLTB has acted in violation of Article 5, paragraph 1, opening sentence and under a in conjunction with Article 6, paragraph 1, of the GDPR towards its members and has infringed the right to respect for privacy and the right to protection of personal data of its members. As a result, members of the KNLTB have lost control over their personal data. The AP believes that this is a serious violation. The AP sees this as a reason to use its authority to impose a fine on the KNLTB on the basis of Article 58, paragraph 2, opening sentence and under i and Article 83, paragraph 4, of the GDPR, read in conjunction with Article 14, paragraph 3, of the UAVG.
Principle of trust
145. The KNLTB takes the position that by imposing an administrative sanction, the AP is acting in violation of the principle of trust. In support of this, it argues that the KNLTB was justified in relying on written statements from the AP's legal predecessor, the CBP.
The KNLTB refers to the information sheet ‘Providing data from membership administration’ from September 2010 (information sheet), which states the following: “Providing personal data to persons and companies outside the association, such as a sponsor, is permitted if the association has requested permission from its members. [...] If it concerns activities that are customary for the association or have been approved by the members’ meeting, explicit permission does not have to be requested from the members. Furthermore, an association can provide data to companies for the purpose of direct marketing. The association may only do so if the members have been given a reasonable period of time to object to this.”
146. According to the KNLTB, the content of the information sheet is still fully relevant because its content has not been labelled as outdated. In addition, there has been no (material) change in the meantime in the legal rule to which the information sheet referred. Although the GDPR has become applicable and the Wbp no longer applies, the possible grounds and conditions for providing data from a membership file have remained unchanged.
147. The AP sees no basis in what the KNLTB argues for the conclusion that imposing an administrative fine would be in conflict with the principle of trust. The information sheet referred to by the KNLTB was already removed from the AP website in 2014. This alone indicates that the content was no longer relevant from that moment on. When the KNLTB provided the information to sponsors in June 2018, it must have been all the more clear - given the long time that had elapsed since 2014 - that the aforementioned information was no longer relevant and it would have been up to the KNLTB to (re)confirm the applicable laws and regulations with the entry into force of the GDPR on 24 May 2016 and its becoming applicable on 25 May 2018.
In addition, it is important that the provision by the KNLTB of personal data of members to sponsors took place on the basis of legitimate interest. The WP29 advice on the concept of “legitimate interest of the controller” in Article 7 of Directive 95/46/EC was already published in April 2014. This advice provides guidelines for the application of Article 7, under f, of Directive 95/46/EC (now Article 6, first paragraph, opening sentence and under f, of the GDPR). In view of this, the KNLTB should no longer have relied on the content of the information sheet.
Intent
148. To the extent that the KNLTB argues that it did not intentionally act in violation of any statutory provision, the AP considers that the violated prohibition provision of Article 6 of the GDPR does not have intent as an element. Since this concerns an infringement, it is not required to demonstrate intent in order to impose an administrative fine in accordance with established case law.[38] The AP may assume culpability if the perpetrator has been established.[39]
[38] Cf. CBb 29 October 2014, ECLI:NL:CBB:2014:395, r.o. 3.5.4, CBb 2 September 2015, ECLI:NL:CBB:2015:312, r.o. 3.7 and CBb 7 March 2016, ECLI:NL:CBB:2016:54, r.o. 8.3, ABRvS 29 August 2018, ECLI:NL:RVS:2018:2879, r.o. 3.2 and ABRvS 5 December 2018, ECLI:NL:RVS:2018:3969, r.o. 5.1.
[39] Parliamentary Papers II 2003/04, 29702, no. 3, p. 134.
5.2 Fine Policy Rules of the Dutch Data Protection Authority 2019 (Fine Policy Rules 2019)
149. Pursuant to Article 58, paragraph 2, opening sentence and under i and Article 83, paragraph 5, of the GDPR, read in conjunction with Article 14, paragraph 3, of the UAVG, the AP is authorised, in the event of an infringement of Article 5, paragraph 1, opening sentence and under a in conjunction with Article 6, paragraph 1, of the GDPR, to impose on the KNLTB an administrative fine of up to €20,000,000 or, for an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher.
150. The AP has adopted the Fine Policy Rules 2019 regarding the implementation of the aforementioned authority to impose an administrative fine, including determining the amount thereof.
151. Pursuant to Article 2, under 2.2, of the Fine Policy Rules 2019, the provisions regarding violations for which the AP may impose an administrative fine of up to the amount of €20,000,000 or, for an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher, are classified in Annex 2 in category I, category II, category III or category IV.
152. In Annex 2, the violation of Article 5, paragraph 1, opening sentence and under a, of the GDPR is classified in category I, II, III or IV, depending on the classification of the underlying provision. This underlying provision is Article 6 of the GDPR. This article is classified in category III.
153. Pursuant to Article 2.3 of the Fine Policy Rules 2019, the AP sets the basic fine for violations for which a statutory maximum fine applies of [...] €20,000,000 or, for an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher, within the fine ranges specified in that article. For violations in category III of Appendix 2 of the Fine Policy Rules 2019, a fine range of between €300,000 and €750,000 and a basic fine of €525,000 applies.
154. Pursuant to Article 6 of the Fine Policy Rules 2019, the AP determines the amount of the fine by adjusting the amount of the basic fine upwards (to a maximum of the maximum of the range of the fine category linked to a violation) or downwards (to a minimum of that range).
The basic fine is increased or reduced depending on the extent to which the factors mentioned in Article 7 of the Fine Policy Rules 2019 give reason to do so.
155. Pursuant to Article 7 of the Fine Policy Rules 2019, the AP shall, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act (Awb), take into account the following factors derived from Article 83, paragraph 2, of the GDPR, referred to in the Policy Rules under a to k:
a. the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the extent of the damage suffered by them;
b. the intentional or negligent nature of the infringement;
c. the measures taken by the controller [...] to limit the damage suffered by data subjects;
d. the extent to which the controller [...] is responsible in view of the technical and organisational measures implemented in accordance with Articles 25 and 32 of the GDPR;
e. previous relevant infringements by the controller [...];
f. the extent of cooperation with the supervisory authority in remedying the breach and mitigating its possible adverse effects;
g. the categories of personal data concerned by the breach;
h. the manner in which the supervisory authority became aware of the breach, in particular whether, and if so to what extent, the controller [...] notified the breach;
i. compliance with the measures referred to in the second paragraph of Article 58 of the GDPR, insofar as they have been taken previously in relation to the controller [...] in question in relation to the same matter;
j. adherence to approved codes of conduct pursuant to Article 40 of the GDPR or approved certification mechanisms pursuant to Article 42 of the GDPR; and
k. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made or losses avoided, whether directly or indirectly, as a result of the breach.
156. In accordance with Article 9 of the Fine Policy Rules 2019, the AP will, if necessary, take into account the financial circumstances of the offender when determining the fine. In the event of reduced or insufficient financial capacity of the offender, the AP may further reduce the fine to be imposed if, after application of Article 8.1 of the policy rules, determining a fine within the fine range of the next lower category would, in its opinion, nevertheless lead to a disproportionately high fine.
5.3 Systematics
157. With regard to violations for which the AP can impose an administrative fine of up to €20,000,000 or up to 4% of the total worldwide annual turnover in the previous financial year, whichever is higher, the AP has divided the violations into four categories in the Fine Policy Rules 2019, to which increasing administrative fines are attached. The fine categories are ranked according to the severity of the violation of the aforementioned articles, with category I containing the least serious violations and category IV the most serious violations.
158. Violation of Article 6 of the GDPR is classified in category III, for which a fine range between €300,000 and €750,000 and a basic fine of €525,000 has been established. The AP uses the basic fine as a neutral starting point. The AP will then adjust the amount of the fine in accordance with Article 6 of the Fine Policy Rules 2019 to the factors mentioned in Article 7 of the Fine Policy Rules 2019, by reducing or increasing the amount of the basic fine.
This includes an assessment of (1) the nature, seriousness and duration of the infringement in the specific case, (2) the intentional or negligent nature of the infringement, (3) the measures taken to limit the damage suffered by the data subjects and (4) the categories of personal data to which the infringement relates. In principle, this will remain within the bandwidth of the fine category linked to that infringement. The AP may, if necessary and depending on the extent to which the aforementioned factors give rise to this, apply the fine bandwidth of the next higher or next lower category respectively.
5.4 Fine amount
159. Pursuant to Article 6 of the Fine Policy Rules 2019, the AP determines the amount of the fine by adjusting the amount of the basic fine upwards (up to a maximum of the bandwidth of the fine category linked to an infringement) or downwards (down to a minimum of that bandwidth). The basic fine is increased or reduced depending on the extent to which the factors mentioned in Article 7 give rise to this.
160. According to the AP, the following factors mentioned in Article 7 are relevant in this case for determining the amount of the fine:
- the nature, seriousness and duration of the infringement;
- the intentional or negligent nature of the infringement (culpability);
- the measures taken by the controller or processor to limit the damage suffered by data subjects.
161. Pursuant to Article 8.1 of the Fine Policy Rules 2019, if the fine category determined for the violation does not allow for appropriate punishment in the specific case, the AP may, when determining the amount of the fine, apply the fine range of the next higher category or the fine range of the next lower category.
Relevant factors for determining the amount of the fine
Nature, seriousness and duration of the violation
162. Pursuant to Article 7, opening words and under a, of the Fine Policy Rules 2019, the AP takes into account the nature, seriousness and duration of the violation. In assessing this, the AP takes into account, among other things, the nature, scope or purpose of the processing as well as the number of affected data subjects and the extent of the damage suffered by them.
163. The protection of natural persons in the processing of personal data is a fundamental right. Under the first paragraph of Article 8 of the Charter of Fundamental Rights of the European Union and the first paragraph of Article 16 of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of personal data concerning him or her. The principles and rules relating to the protection of individuals with regard to the processing of their personal data must respect their fundamental rights and freedoms, in particular their right to the protection of personal data. The GDPR aims to contribute to the creation of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and convergence of the economies within the internal market and the well-being of natural persons. The processing of personal data must serve humanity. The right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and weighed against other fundamental rights in accordance with the principle of proportionality. Any processing of personal data must be carried out fairly and lawfully. It must be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are processed or will be processed.
164. In accordance with Article 5, paragraph 1, opening sentence and under a in conjunction with Article 6, paragraph 1, of the GDPR, personal data must be processed in a manner that is (inter alia) lawful with regard to the data subject, in the sense that there is a legal basis for this. In light of the above, these are fundamental provisions in the GDPR. If this is violated, this affects the core of the right that data subjects have to respect for their privacy and the protection of their personal data.
165. As a more or less fixed method of working in order to generate additional income, KNLTB provided personal data of (a large part of) its members to [CONFIDENTIAL] on 11 June 2018 and to [CONFIDENTIAL] on at least 29 June 2018. The provision could not be based on a legal basis as stated in Article 6, paragraph 1, of the GDPR. The provision in question was therefore unlawful. This concerns two disclosures that affected a great many data subjects. A file with personal data of 50,000 data subjects was provided to [CONFIDENTIAL]. The KNLTB also provided [CONFIDENTIAL] with an unnecessary amount of personal data by providing a file with personal data of 314,846 data subjects from which [CONFIDENTIAL] would ultimately select 39,478 persons (less than 13%) to approach in the context of its telemarketing campaign. The AP takes the position that (at least part of) the selection could have been made by the KNLTB itself, so that the personal data of far fewer data subjects would have been provided.
166. In its further assessment of the seriousness of the violation, the AP takes into account, on the one hand, the large number of data subjects and the amount of personal data that was provided. On the other hand, the AP takes into account, in this case, the categories of personal data to which the violation relates.
This included name and address details, gender, (mobile) telephone number and e-mail address, but no personal data that fall within the special categories of personal data as referred to in Article 9 of the GDPR. The AP has also not found that the KNLTB has provided personal data of minors to [CONFIDENTIAL] and [CONFIDENTIAL].
167. In view of the above, the AP is of the opinion that there is a serious violation, but there is no reason to increase or decrease the basic fine.
Intentional or negligent nature of the violation (culpability)
168. In accordance with Article 5:46, paragraph 2, of the General Administrative Law Act, the AP takes into account the extent to which it can be attributed to the offender when imposing an administrative fine. In accordance with Article 7, under b, of the Fine Policy Rules 2019, the AP takes into account the intentional or negligent nature of the violation.
169. As the AP has already considered above, it may assume culpability if the perpetrator has been established. KNLTB provided personal data without the provision of data being able to be based on a legal basis. Furthermore, the personal data were provided deliberately. In light of the above, the AP therefore considers the violation to be culpable. This culpability is not affected by the fact that the KNLTB obtained advice from a law firm to assess the policy regarding the sharing of personal data with sponsors. The Sports & Privacy Handbook, which was drawn up by a law firm on behalf of [CONFIDENTIAL], dates from 2017. The handbook deals with the basic principles of privacy law in an ‘accessible manner’ and only relates to the Wbp and not to the GDPR.
170. If and to the extent that KNLTB obtained other, additional advice from a law firm specifically with regard to (the policy surrounding) the provision of data, it did not submit this to the AP.
In the case of an appeal to the absence of all guilt, however, it is up to the KNLTB to make this absence plausible by making known exactly what the advice was requested about and what the content of the advice was.[40] KNLTB failed to do so.
Measures taken to limit the damage suffered by the persons concerned
171. The AP considers that the KNLTB has taken various measures to limit the damage suffered by the persons concerned. The KNLTB did not proceed to provide the personal data until the consent of the members' council had been obtained. In addition, the members of the KNLTB were informed of the intended provision in various ways (including via newsletters and the KNLTB website) prior to the provision. Furthermore, the agreements between the KNLTB and the sponsors in question contain a confidentiality clause, which obliges [CONFIDENTIAL] and [CONFIDENTIAL] to maintain confidentiality of the personal data, which stipulates that personal data may not be provided to third parties without the permission of the KNLTB and which stipulates that the personal data will be destroyed after termination or dissolution of the agreement. [CONFIDENTIAL] also terminated the telemarketing campaign prematurely at the request of the KNLTB.
172. In view of the foregoing, the extent of the damage suffered by the parties involved is limited, but not such that the AP sees reason to reduce the basic fine in this case. After weighing up the foregoing factors, the basic amount remains at €525,000.
Proportionality
173. Finally, the AP assesses on the basis of Articles 3:4 and 5:46 of the General Administrative Law Act (principle of proportionality) whether the application of its policy for determining the amount of the fine does not lead to a disproportionate outcome given the circumstances of the specific case.
This takes into account the extent to which the violation can be attributed to the offender (Article 5:46, paragraph 2, of the General Administrative Law Act). According to the Fine Policy Rules 2019, application of the principle of proportionality also means that the AP, when determining the fine, takes into account the financial circumstances of the offender, if necessary.
174. The KNLTB takes the position that a fine is at the expense of all associations and individual members of the KNLTB. The KNLTB has been struggling with declining membership numbers and thus declining income for years. In view of this and in view of the necessary substantial investments in, for example, ICT facilities, the liquidity position of the KNLTB has come under pressure. Although the KNLTB has a positive general reserve, according to the KNLTB this reserve must be present as a minimum necessary resilience in order to be able to continue to meet the obligations with regard to the staff and the lease agreement.
[40] Parliamentary Papers II 2003/04, 29702, no. 3, p. 134; CBb 7 March 2016, ECLI:NL:CBB:2016:54, r.o. 9.3. and CBb 1 December 2016, ECLI:NL:CBB:2016:352, r.o. 5.2.
175. The AP considers that, according to its 2018 annual accounts, the KNLTB has healthy liquidity and solvency.[41] The general reserve (equity) amounted to €6,356,139 on 31 December 2018. At the same time, KNLTB had €6,057,018 in liquid assets and €974,982 in (yet to be received) claims as of the same date. The AP sees no reason to assume that the KNLTB would not be able to bear a fine of €525,000 given its financial position. Regardless of whether the general reserve must be present as a minimum necessary resilience, the general reserve also falls within the range of 5 and 8 million euros after payment of the fine.[42]
Conclusion
176. The AP sets the total fine amount at €525,000.[43]
[41] Annual accounts for 2018 of the KNLTB, consulted via https://www.knltb.nl/siteassets/1.-knltb.nl/downloads/over-knltb/publicaties/jaarrekening/6965-knltb-jaarverslag-2018-v11-jaarrekening.pdf.
[42] According to the 2018 annual accounts, the board of the association and the members' council have agreed that the general reserve must be within the range of 5 and 8 million euros.
[43] The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).
6. Judgment
Fine
The AP imposes on the KNLTB, for violation of Article 5, first paragraph, opening sentence and under b, of the GDPR and Article 5, first paragraph, opening sentence and under a in conjunction with Article 6, paragraph 1, of the GDPR, an administrative fine of €525,000 (in words: five hundred and twenty-five thousand euros).
Yours sincerely,
Dutch Data Protection Authority,
signed
Mr. A. Wolfsen
Chairman
Remedies clause
If you do not agree with this decision, you can file an objection with the Dutch Data Protection Authority digitally or on paper within six weeks after the date of dispatch of the decision. To file a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Objecting to a decision, at the bottom of the page under the heading Contacting the Dutch Data Protection Authority. The address for filing on paper is: Dutch Data Protection Authority, PO Box 93374, 2509 AJ The Hague. State ‘Awb objection’ on the envelope and put ‘objection’ in the title of your letter. In your objection, write at least:
- your name and address;
- the date of your objection;
- the reference mentioned in this letter (case number); or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
- your signature.