Rb. Gelderland - AWB 19/2901

From GDPRhub
Revision as of 11:12, 7 February 2020 by AL (talk | contribs)
Rb. Gelderland - AWB 19/2901
CourtsNL.png
Court: Rb. Gelderland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 5 GDPR

Article 6(1)(b) GDPR

Recital 39 GDPR

Decided: 4. 2. 2020
Published: 5. 2. 2020
Parties: Autoriteit Persoonsgegevens (Dutch DPA)
National Case Number: AWB 19/2901
European Case Law Identifier: ECLI:NL:RBGEL:2020:619
Appeal from: n/a
Language: Dutch
Original Source: (in NL)

The Gelderland Court of First Instance confirmed that the measure according to which passengers can purchase tickets on the buses only by means of credit/ debit cards is compatible with the principles of necessity and proportionality and that the subsequent processing of personal data is necessary for the performance of this purchase contract. Therefore, the processing is compatible with the GDPR.

English Summary

Facts

In the Netherlands, as of 1 July 2018 a passenger who wishes to purchase a ticket on the bus from the bus driver can only pay for this ticket with a debit or credit card and no longer with cash. The plaintiff requested the Dutch DPA to investigate the obligation to pay with a debit or credit card and the abolition of cash payments on the bus and to take an enforcement action against this measure under the GDPR. The DPA rejected the request and the plaintiff appealed its decision. He also asked the Court to suspend the present judgement until the CJEU issues a judgement on the preliminary questions which the Constitutional Court of Belgium referred with its judgement no. 135/2019 on the processing of passenger data. The DPA argued that the legal basis for the processing of PIN and credit card details when purchasing a ticket from a bus driver is Article 6(1)(b) GDPR.

Dispute

The Court had to assess whether the Dutch DPA has been able to conclude that the third party did not violate the GDPR and subsequently whether it did not have to take an enforcement action indeed. To this end, the Court had to assess whether Article 6 GDPR provides a legal basis for processing credit cards details and whether the processing is compliant with Article 5 GDPR. It also had to examine whether the criteria of necessity and proportionality had been met in this case.

Holding

The Court found that the legal basis of Article 6(1)(b) GDPR is valid, hence there was no reason to further examine possible application of other legal grounds. Moreover, the Dutch DPA could reasonably consider the purpose of abolishing cash, since this measure was included in the action programme "Social Security in Public Transport" and aimed at the prevention of theft and robbery. For this purpose, the only plausible option for all third parties and bus routes could be only that one. The DPA could reasonably take the position that the processing of personal data in case of debit or credit card payments is limited to what is necessary for the purpose pursued and the principle of data minimisation is respected. The DPA could reasonably consider that there was no other, less drastic method to achieve the same objective.

The Court declared the appeal unfounded.

Comment

Share your comment here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Dutch original for more details.

DECISION

Process sequence

By decision of 10 January 2019, the defendant rejected a claimant's request to take enforcement action against [third party].

By decision of 14 May 2019 (the contested decision), the defendant dismissed plaintiff's objection as unfounded.

Plaintiff appealed against the contested decision.

The defendant filed a statement of defence.

Third party submitted a written statement of defence.

The investigation at the hearing took place on 16 December 2019. Plaintiff has appeared. The defendant is represented by its agents. Third Party is represented by its agents and M.J.M. Piels.
Considerations

Why doesn't the court grant the plaintiff's request for arrest?

1. The plaintiff has requested that his case be stayed pending the answer to preliminary questions from the Constitutional Court of Belgium and pending the ruling on the appeal to the Administrative Jurisdiction Division of the Council of State (the Division) in a similar case previously conducted by him.
1.1.

The court sees no reason to do so. In its ruling of 17 October 2019 (judgment no. 135/2019), the Constitutional Court of Belgium referred preliminary questions to the Court of Justice of the European Union. These questions relate to the national (Belgian) law of 25 December 2016 on the processing of passenger data. By this law, the (EU) 2016/681 of the European Parliament and the Council of 27 April 2016, 2004/82/EC of the Council of 29 April 2004 and 2010/65/EU of the European Parliament and the Council of 20 October 2010 have been transposed into (national) law. Directive 2004/82/EC aims at improving border controls and combating illegal immigration and covers the professional transport of persons by air. Directive 2010/65 aims to simplify and harmonise the administrative procedures applicable to maritime transport. Directive 2016/681 lays down rules on the transfer by air carriers of Passenger Name Records (PNR) on flights for the purpose of the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

One of the questions of the Constitutional Court of Belgium concerns the applicability of Article 23 of the AVG to (this) national legislation. For the rest, the questions relate to Directive (EU) 2016/681.

In the opinion of the Court, the answers given by the European Court to the questions asked do not affect the plaintiff's appeal in this case. The directives mentioned are not at issue and the AVG has been directly applied in this case and not through national legislation.

Nor is there any reason to await the decision of the Division on the appeal of the plaintiff against the decision of this court of 5 September 2019 in cases AWB 18/546 and 18/14871. The enforcement request at issue in this case relates to facts other than those referred to in the judgment of 5 September 2019.

What is this judgment about?

2. In this judgment, the court assesses the defendant's refusal to take enforcement action against [third party] under Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation; AVG). This concerns the measure that, as of 1 July 2018, a passenger who wishes to purchase a ticket on the bus from the bus driver can only pay for this ticket with a debit or credit card and no longer with cash. The plaintiff has requested the defendant to investigate the obligation to pay with a debit card or credit card and the abolition of cash payment on the bus and to take enforcement action against this.

For the relevant laws and regulations, the court refers to the appendix. This appendix is part of the judgment.

How does the court review the defendant's decision?

3. In this case, the application of articles 5 and 6 of the AVG plays a role in the light of recital 39 in the preamble. The defendant has adopted a basis for processing PIN and credit card details when buying a ticket from a bus driver in Article 6(1)(b) of the AVG.
3.1.

The court will assess whether the defendant has been able to conclude that [third party] is not in breach of the AVG. If this is indeed not the case, the defendant is not entitled to take enforcement action.

To this end, the Court will assess whether article 6 of the AVG provides a basis for processing PIN and credit card details. It will also examine whether the defendant has been able to claim that the processing of these personal data meets the requirements of Article 5 of the AVG. Relevant in this respect is whether the reason why [third party] only allows debit and credit card payments in the coach is justified. Subsequently, the court assesses whether the requirements of necessity and proportionality have been met in the case of payment by debit and credit card and whether an alternative (subsidiarity) may exist (recital 39 of the AVG).

Is there a basis for data processing?

4. The plaintiff argues that he does not enter into an agreement with [third party] when using the bus, because he did not give permission for this. If it is assumed that he did give permission, he did not freely or unambiguously give this permission. The transport company has a monopoly position and the plaintiff is dependent on public transport.
4.1.

In the opinion of the court, the defendant was right to base the processing of the personal data of bus passengers on the transport contract. As the District Court also considered in its judgment of 5 September 2019, if a passenger uses public transport, he enters into a transport contract with a transport company. In this case, that is the plaintiff as a bus passenger and Breng/[third party] as a carrier. The processing of PIN and credit card details is therefore based on an agreement with [third party] as referred to in Section 6(1)(b) of the AVG.
4.2.

This ground for appeal does not succeed. The court will therefore not discuss the plaintiff's grounds relating to other provisions of Article 6 of the AVG concerning the lawfulness of the processing of personal data, such as consent of the data subject or a statutory obligation.

Does [third party] have a legitimate purpose to only allow debit or credit card payments on the bus?

5. The plaintiff argues that it is not necessary for security reasons to abolish cash payments on all bus routes. A sufficient level of security is only necessary on specific, high-risk bus routes. A general invasion of the privacy of all passengers on all bus routes is not necessary. Furthermore, security cannot be seen as a necessity for data processing, according to the plaintiff.
5.1.

The District Court is of the opinion that the defendant could reasonably consider the purpose for which [third party], as controller, abolished the cash payment on the bus and thereby processed personal data to be justified. [third party] has come to its decision as a result of the action programme "Social Security in Public Transport". This integrated action programme was drawn up in 2016 by parties from the public transport sector, carriers, trade unions, the police, local and regional authorities and central government. An integrated approach was chosen for the entire public transport sector to improve the safety of passengers and employees in public transport. One of the measures in this report is to no longer allow cash money in the bus to prevent theft and robbery.

The following table is included in this action programme, where A incidents are understood to mean: assault, threat (with a weapon), theft, drug nuisance, vandalism, vandalism and offences such as pushing, pulling and spitting:

Table 1: registered A incidents regional transporters
[...]
As [third party] explained at the hearing, national efforts are being made to reduce the number of A incidents, including robberies. At [third party] robberies of bus drivers have taken place on their bus lines and this has had a huge impact on employees and passengers. By abolishing cash payments on buses, the number of robberies has dropped to almost zero nationwide.
In view of this report and the explanations provided by [third party], the defendant was able to consider the introduction of debit and credit card payments on the buses a justified objective. In this respect, the Court deems it plausible that the only option that can be chosen is to apply this national measure to all [third party] bus routes, because otherwise the robberies will be relocated. This ground for appeal is unsuccessful.

Is the processing of PIN and credit card details necessary and proportionate for the performance of the transport contract with [third party]?

6. The plaintiff has argued that the burden of proof of necessity, proportionality and subsidiarity should not be placed on him but on Breng/[third party]. It concerns him not only his bank details but also his PIN code. There is a danger of hacking and profiling, according to the plaintiff.
6.1.

In the District Court's opinion, the defendant could reasonably take the position that the processing of personal data in the case of a debit or credit card payment in the bus is limited to what is necessary for the purposes for which they are processed, and the requirement of minimum data processing has also been met. As [third party] explained at the hearing, payment by debit or credit card is made via a payment service provider (PSP). When buying a ticket in the coach, the details of the Passenger's debit card and credit card are pseudonymised and only the last four digits of the debit card and credit card are visible to the carrier. The PSP collects and processes these payments and periodically transfers the revenue to [third party]. [third party] will only periodically receive an overview of the total amount. Only the last four digits of the debit or credit card payments can be found on this overview in order to be able to retrieve them in case of any uncertainties about payments. No other information is received by [third party]. The PIN code also passes through the PSP and is not stored with [third party]. As a result, the invasion of the plaintiff's privacy by [third party] is limited to the minimum necessary to buy a ticket from the bus driver. This ground for appeal is unsuccessful.

Is there an alternative to [third party]?

7. The plaintiff is of the opinion that [third party] did not have to introduce the measure for all bus routes and should limit it to the high-risk bus routes. According to the plaintiff, [third party] can create a website on which employees and passengers can see on which routes cash can no longer be paid for at that time.
7.1.

In the District Court's opinion, the defendant could reasonably take the position that [third party] cannot reasonably achieve the objective of increasing safety in the bus for employees and passengers by means of a less drastic working method. The position of [third party] that such a website will not be consulted by everyone and will lead to confusion and lack of clarity in communication among passengers and employees is plausible. third party] can also be followed that this proposal of plaintiff is not workable. It is also important that there is a national agreement. [third party] can be followed that it is not desirable to be the only one to deviate from it.
7.2.

The plaintiff may, incidentally, choose to buy bus tickets in advance. The plaintiff can also travel with a non-nominative public transport chip card which he can recharge at the ticket machine (anonymously). The defendant did not have to come to any other conclusion that the plaintiff was inconvenienced by this. Therefore, this ground of appeal is unsuccessful.

Other grounds of appeal. Conclusion

8. The plaintiff has put forward further grounds of appeal. The plaintiff's fear that there will increasingly be a society in which the privacy of the citizen will be put under pressure. However, these grounds do not directly relate to the contested decision and therefore cannot detract from its lawfulness. The other grounds for appeal do not detract from this either.

9. Because the grounds of appeal are unsuccessful, the appeal is unfounded. There are no grounds for an order to pay the costs of the proceedings.
Decision

The court declares the appeal unfounded.

This ruling was made by J.H. van Breda, chairman, W.P.C.G. Derksen and W.P.C.G. Derksen.

Mr S.E.M. Lichtenberg, Judges, in the presence of Mr M.G. Smeenk, Registrar.