RvS (Netherlands) - 202001625/1/A3
|Relevant Law:||Article 4 GDPR, Article 5 GDPR, Article 6 GDPR|
|Parties:||Personal Data Authority|
|National Case Number/Name:||202001625/1/A3|
|European Case Law Identifier:||ECLI:NL:RVS:2021:2511|
|Appeal from:||Rb. Gelderland (Netherlands)|
|Original Source:||rechtspraak.nl (in Dutch)|
|Initial Contributor:||Anike Malherbe|
The Dutch Council of State (RvS) upheld the DPA's decision not to take action against Connexxion, a public transport company, for abolishing cash payments on its buses, as “the invasion of privacy [was deemed] proportionate to the interests served by the processing of the personal data.”
English Summary
Facts
This matter concerns an appeal to the Administrative Jurisdiction Division of the Council of State in which the data subject stated that his right to privacy was violated by the fact that he could only purchase a bus ticket by card (as opposed to cash payment). He previously raised a request to the AP (the DPA) to take action against Connexxion Openbaar Vervoer N.V. for the decision to abolish cash payments, through application of the GDPR. This request was denied and underlies the current appeal.
On appeal, the data subject argued that “the court erred in finding that the processing of personal data is necessary for the performance of a contract” in that:
1. The data subject did not enter into an agreement with Connexxion “of his own free will”, and consent for the processing of his personal data was not given freely and unambiguously, as Connexxion has a monopoly on which public transport users depend. He argued that the General Conditions for City and Regional Transport 2015 are insufficient to serve as a legal basis within the meaning of Article 6(1)(b) GDPR.
2. The purpose of the data processing is not well-defined, explicit and justified.
3. The effect on safety of banning cash payments is not clear as this measure is one of a group consisting of 23 measures.
Holding
In establishing which data is being processed, the Court took note of the fact that Connexxion uses a Payment Service Provider (PSP) to process its financial transactions and applies the PAN Masking technique to secure these transactions. Under this technique, only the last four digits of the bank account number are stored at Connexxion, while the preceding digits are anonymized.
The Court further noted that a contract is established when the passenger boards the bus and the mere fact that the passenger has no choice as to whom he concludes this contract with does not negate the existence of said contract. It went on to consider whether there is an agreement in place and held that “there is no evidence to suggest that an agreement with Connexxion does not qualify as an agreement within the meaning of Article 6(1)(b) GDPR.”
The Court further clarified that “the processing of personal data may be lawful if it is necessary for the performance of the contract.” In its application to this matter and whether the processing was necessary, the Court set out a three-step approach to its assessment and elaborated with reference to case law:
First, the Court turned to whether the purpose for processing said data was “well-defined and explicitly described”. Second, the Court considered whether the processing of said data actually achieved that purpose. Third, the Court concluded with a balancing of interests by stating that “[i]f the processing of the personal data is necessary to achieve the specific purpose in this sense, it must be assessed whether the invasion of privacy is proportionate to the interests served by the processing of the personal data.” The Court referred to the judgment of 20 September 2017 where it was held that “it must be assessed in light of the EU Charter whether the invasion of privacy is limited to what is strictly necessary to achieve the purpose. In particular, it must be assessed whether the purpose for which the personal data are processed cannot reasonably be achieved in another manner that is less detrimental to the persons involved in the processing of personal data.” The intensity of this investigation depends on the specificity of the alternatives which are tabled.
In its assessment for necessity, the Court noted that “[t]he mere fact that the processing of data is covered by or related to a contract does not mean that such processing is necessary for the performance of the contract.” It compared Article 7(b) Directive 95/46/EC to Article 6(1)(b) GDPR and found that the two are “almost identical”. Hence, it found that the Opinion and Guidelines (Opinion 06/2014 of the former Article 29 Working Party and Guidelines 2/2019 of the European Data Protection Board) were also relevant when interpreting the GDPR.
The Court then referred to various provisions in the General Terms and Conditions for City and Regional Transport 2015 in order to ascertain the terms of the contract in this particular matter. It clarified that “[t]he essential content of the agreement is therefore that a passenger can be transported from A to B in a safe manner in return for payment. This safety does not only relate to the competence of the driver and the quality of the means of transport, but also to the social safety of the traveller. In the opinion of the Department, ensuring safety of the traveller is an essential part of the obligations arising from the transport contract. Thus, the objective of the measure to require debit card payment on the bus is an integral part of that agreement.”
Whilst investigating the purpose behind processing the data, the Court found that the card payment measures were introduced as a safety mechanism for public transport operators and passengers alike. It took note of figures reflecting incidents (such as theft, robbery, threats with a weapon and more, known under the collective category of A-incidents) and the added vulnerability of passengers and operators to such incidents when payment is accepted in cash. The absence of cash on board makes public transport less attractive for those committing these deeds and the number of incidents was proven to the court to have dropped after the implementation of these measures. Therefore, the Court found that “the AP was entitled to consider safety a legitimate objective for the introduction of compulsory debit card payments...” and that “the mandatory debit card payment achieves the purpose for which it was established.”
In considering the requirement of proportionality, the Court assessed the PSP used by Connexxion and the PAN Masking technique put in place. It found that this limits the processing of personal data. It further took note of the fact that one can still travel on the bus without a card payment, by simply purchasing a ticket in advance (in cash) from any sales point or by paying with an anonymous chipcard. Therefore, the Court held that “the invasion of privacy is proportionate to the interests served by the processing of the personal data.”
Thus, the appeal failed and the attacked decision was confirmed.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Body: Council of State
Date of judgment: 10-11-2021
Date of publication: 10-11-2021
Case number: 2020201625/1/A3
Jurisdictions: Administrative law
Special characteristics: Appeal
Content indication: By decision of 7 April 2015, the Personal Data Protection Board (now: the AP) rejected a request from [appellant] to take enforcement action under the Personal Data Protection Act. [Appellant] wants to be able to buy a ticket with cash in the bus. Since 1 July 2018, this is no longer possible and he can only purchase a ticket with a debit or credit card in the bus. He considers this measure to be contrary to his right to private life. He therefore submitted a request to the AP to investigate and take enforcement action against the abolition of cash payment in buses by local and regional carriers, pursuant to the General Data Protection Regulation (EU) 2016/679.
Locations: Rechtspraak.nl
Pronunciation
2020201625/1/A3.
Judgment date: November 10, 2021
DEPARTMENT ADMINISTRATIVE JURISDICTION
Decision on the appeal of:
[appellant], living in [place of residence],
against the judgment of the Gelderland District Court of 4 February 2020 in case no. 19/2901 in the proceedings between:
[appellant]
and
the Dutch Data Protection Authority (hereinafter: the AP).
Process sequence
By decision of January 10, 2019, the AP rejected [appellant]'s request to take enforcement action against Connexxion Public Transport N.V.
By decision of 14 May 2019, the AP declared the objection lodged by [appellant] unfounded.
By decision of 4 February 2020, the court dismissed the appeal lodged by [appellant] against it. This statement is attached.
The appellant appealed against this decision.
The AP has given a written explanation.
Connexxion has provided a view.
[appellant] and Connexxion have submitted further documents.
The Department opened the hearing on February 8, 2021, where the AP, represented by mr. J.M.A. Koster and mr. O.S. Niveld, has appeared. Connexxion was also present, represented by mr. E.C. de Vries and mr. J.R. van Dorp, lawyers in Amsterdam. After the opening of the hearing, the Division announced that it could not deal with the case because no video connection could be established with [appellant] and it has adjourned the case.
The Division then heard the case on 5 July 2021, where [appellant], via video connection, and the AP, represented by W. van Steenbergen and J.M.A. Koster, have appeared. Connexxion, represented by mr. E.C. de Vries and mr. J.R. van Dorp, lawyers in Amsterdam, and mr. E.P.C. Seijbel.
Considerations
Introduction
1. [appellant] wants to be able to buy a ticket with cash in the bus. Since 1 July 2018, this is no longer possible and he can only purchase a ticket with a debit or credit card in the bus. He considers this measure to be contrary to his right to private life. He has therefore submitted a request to the AP to investigate the abolition of cash payment in buses by local and regional carriers and to take enforcement action pursuant to the General Data Protection Regulation (EU) 2016/679 (hereinafter: the GDPR).
2. On appeal, the Division assesses, on the basis of the grounds put forward by [appellant], whether the District Court was justified in reaching its decision. In assessing the appealed decision, the Division is bound by the scope of [appellant]'s request and the grounds put forward by him in the objection and appeal within that scope. This means that in this ruling the Division will not express an opinion on grounds that fall outside the scope of this ruling. The Division will also not comment on more general reflections by [appellant] about contemporary society and the way in which people's private lives are treated within that society.
3. In its assessment, the Division will only consider those documents that relate to this procedure and that have also been submitted in this procedure.
4. This also includes further documents that Connexxion has submitted on appeal and received on January 28, 2021. These include recent overviews of so-called A-incidents and sales locations of bus tickets that can be paid for with cash. In view of the fact that the substantive handling of the case has been postponed to July 5, 2021 and the considerable time until that hearing, in which [appellant] had the opportunity to respond to the further submitted documents, there is no reason to disregard these documents because it is contrary to due process, as [appellant] has argued.
5. The legal framework is included in the appendix. That appendix forms part of this ruling.
Attacked verdict
6. The court has considered that the AP correctly rejected the request for enforcement. There is in fact a transport agreement between the passenger and the carrier and the processing of the personal data takes place for the conclusion and implementation of that agreement. Improving safety for passengers and employees in public transport is a legitimate goal for the abolition of cash payments on the bus. Moreover, the measure does not go beyond what is necessary for the execution of the agreement because Connexxion only receives a limited amount of personal data with a debit or credit card payment, according to the court.
Higher grounds of appeal
7. [appellant] argues that the court erroneously ruled that the processing of personal data is necessary for the performance of an agreement. First of all, he argues that the General Terms and Conditions for Urban and Regional Transport 2015 are insufficient to serve as a legal basis within the meaning of Article 6, first paragraph, preamble and under b, of the GDPR. [appellant] did not enter into the agreement with Connexxion voluntarily. Connexxion is a monopolist on which users of public transport depend. There is therefore no question of free, unambiguous consent when entering into the agreement for the processing of personal data, according to [appellant]. Furthermore, [appellant] argues that the purpose of the data processing is not clearly defined, explicitly described and justified. According to [appellant], the need for abolishing cash payment in the bus cannot be deduced from a number of unspecified security incidents. The effect on the safety of the exclusion of cash payment in the bus is also not clear, because this measure is one of a package of 23 measures.
Assessment by the Department
What data is processed?
8. If a ticket is bought on the bus, it can be paid for with a debit card or credit card. With that payment, the bank account number of the traveler is processed. Because Connexxion uses a Payment Service Provider (hereinafter: PSP) to handle financial transactions, the so-called PAN Masking technique is applied to the traveler's bank account number. This technique is an international standard established by the Payment Card Industry Security Standards Council (PCI SSC) to ensure secure financial transactions. The technique means that the last four digits of the bank account number are stored at Connexxion and the other digits are anonymised.
Is there an agreement?
9. Contrary to what [appellant] argues, there are no grounds for the conclusion that an agreement with Connexxion cannot be regarded as an agreement within the meaning of Article 6, first paragraph, opening words and under b, of the GDPR. When a passenger gets on a bus, a contract of carriage is concluded. The fact that a traveler has no choice with which party to enter into an agreement when traveling by bus does not mean that there can be no agreement. Incidentally, it falls outside the jurisdiction of the Division to assess whether the agreement is in accordance with contract law. Contrary to what [appellant] argues, the term agreement in the GDPR does not have an independent EU law meaning. According to the Guidelines 2/2019 on the processing of personal data pursuant to Article 6(1)(b) of the GDPR of the European Data Protection Board, the concept of a contract and its validity must be interpreted according to national law. Although these guidelines are not legally binding, they do have meaning when interpreting the GDPR in this case. In Dutch law, the concept of an agreement and its interpretation belong to the domain of private law. [Applicant] can therefore raise with the civil court whether this agreement is invalid because, in view of the alleged monopoly position of Connexxion, it was not formed out of free will. The court rightly considered that the existence of an agreement must be assumed and that it must be assessed whether the processing of personal data is necessary for the performance of that agreement.
Is the processing necessary for the execution of the agreement?
- What is the assessment framework?
10. The processing of personal data can be lawful if it is necessary for the execution of the agreement. To this end, it must first be assessed whether the purpose for which the personal data are processed is well-defined and explicitly described. It must also be assessed whether that purpose is also achieved with the processing of the personal data at issue. If the processing of the personal data is necessary for the achievement of the specific purpose in this sense, it must then be assessed whether the invasion of privacy is proportionate to the interests served by the processing of the personal data. As the Division previously ruled in its judgment of 20 September 2017, ECLI:NL:RVS:2017:2555, it must be assessed in the light of the EU Charter whether the invasion of privacy is limited to what the purpose is strictly necessary. In particular, it must be assessed whether the purpose for which the personal data are processed cannot reasonably be achieved in a different way that is less detrimental to the persons involved in the processing of personal data. The intensity with which this must be done is partly determined by the specificity of the proposed alternatives. In other words: the more detailed the person concerned describes the alternative, the more intrusive the investigation of the AP must be. With this assessment of the interests in the specific case, the GDPR is in accordance with Article 8 of the ECHR. The Division therefore sees no reason to test separately against that article.
11. In this case, the question is whether the processing of travel data is necessary for the performance of an agreement as referred to in Article 6, first paragraph, preamble and under b, of the GDPR to which the traveler is a party. As stated in Opinion 06/2014 of the former Article 29 Working Group and Guidelines 2/2019 of the European Data Protection Board, Article 7(b) of the Privacy Directive, the predecessor of the GDPR provision, must be interpreted strictly. The mere fact that the processing of data falls under or is related to an agreement, does not mean that this processing is necessary for the performance of the agreement. Article 7(b) of the Privacy Directive is almost identical to Article 6(1)(b) of the GDPR. What is stated in the advice and Guidelines is therefore also important for the interpretation of the GDPR.
- What is the purpose of the processing?
12. The purpose of the processing of personal data is to prevent theft and robbery of the driver and thus to increase the safety of the driver and passengers. Because there is no more cash in the bus, theft is less attractive. The reason for wanting to increase safety lies in the action program "Social Safety in Public Transport". This program was drawn up in 2016 by parties from the public transport sector, transporters, trade unions, the police, local authorities and the central government. The action program contains a table of registered A-incidents in the Netherlands. A incidents are incidents involving assault, threats (with a weapon), theft, drug nuisance, vandalism, destruction and offenses such as pushing/pulling and spitting. The table shows that the number of A-incidents in bus transport outside the three major cities has increased again after a decrease since 2014. The table submitted on appeal with an overview of the number of A-incidents up to and including 2020 shows that after the introduction of the measure, the number of incidents decreased again. Connexxion has stated that its drivers have had to deal with A-incidents. [Appellant] has not disputed this. The argument of [appellant] that per bus line must be specified with figures how many incidents have occurred, does not succeed. Connexxion cannot reasonably be required to demonstrate the effect of the specific measure to no longer facilitate cash payment in the bus to that level of detail. With the court, the Division is of the opinion that, in view of the information from the action programme, the AP could consider safety a justified goal for the introduction of mandatory debit card payments in the bus and thus the abolition of the option to pay with cash. The concept of (social) safety is indeed broad, but not such that it is too indeterminate and not explicit enough, as [appellant] argues. The Division also does not follow [appellant]'s argument that it is unclear what should be counted under the so-called A-incidents because, for example, it concerns different types of perpetrators.
12.1. The Department is also of the opinion that the absence of cash increases the safety of the driver and passengers. The mandatory pin payment therefore achieves the purpose for which that obligation was set. The fact that the abolition of cash is one of a total of 23 measures proposed in the action program to increase security does not lead to a different opinion. This measure is one of the most important and has therefore been introduced as the first of the 23.
12.2. The argument fails.
- Is the processing necessary for the execution of the agreement?
13. The fact that the processing of the data must be necessary within the meaning of Article 6(1)(b) of the GDPR does not mean that the processing is only lawful if the contract cannot be performed without data being processed. Pursuant to Article 2.1 of the General Terms and Conditions for Urban and Regional Transport 2015, the agreement that is concluded when a passenger boards a bus to be transported, means that the carrier undertakes to keep the passenger safe as much as possible in accordance with its published timetable. transport and provide a seat. In order to be able to use public transport, the traveler must have a valid ticket in accordance with Article 3.1. Article 3.3 of the General Terms and Conditions stipulates that payment of the ticket to the carrier is made with legal tender in the Netherlands, unless the carrier has indicated otherwise. The essential content of the agreement is therefore that a traveler can be moved from A to B in a safe manner for a fee. This safety relates not only to the driver's competence and the quality of the means of transport, but also to the passenger's social safety. In the opinion of the Division, guaranteeing the passenger's safety is an essential part of the obligations arising from the contract of carriage. The objective of the measure to oblige debit card payment in the bus is therefore an integral part of that agreement. The court has rightly considered that the AP correctly based the legal basis for processing the personal data of bus passengers on the execution of the transport contract.
- Is the processing proportionate?
14. Together with the court, the Division is of the opinion that the AP could take the position that Connexxion cannot reasonably achieve the goal of increasing safety in the bus for employees and travelers by means of a less intrusive method for the payment of tickets. As the court has rightly considered, it is important that the payment is made by debit or credit card via a PSP and that only the last four digits of the debit or credit card payments remain visible to Connexxion. In this way, the processing of personal data is limited. The court also rightly considered that it was possible to opt to apply this measure to all Connexxion bus lines. The AP did not have to regard the alternative proposed by [appellant] to state on a website which lines can and cannot be paid with cash as an equivalent alternative. It is likely that in that case the risk of robberies would be shifted to bus lines where cash payments are still allowed. On the other hand, it is possible to travel by bus without processing personal data. This can be done by traveling with an anonymous OV chip card or by buying a bus ticket in advance with cash at a point of sale. The fact that the traveler, as [appellant] argues, has to make more effort for this, because the number of points of sale is limited, and that a ticket for a child under the age of 12 cannot be bought for the same price as on the bus, does not alter this. In view of the foregoing, the Division is of the opinion that the District Court was right to consider that the invasion of privacy is proportionate to the interests served by the processing of the personal data. [Appellant's] argument fails.
- Has the right of fair trial been violated by the court?
15. The argument of [appellant] that the court did not treat his appeal seriously and that there is therefore a lack of a fair trial is not successful. Given what the Division has already ruled in the considerations above, there is no ground for the conclusion that the principle of a fair trial has been violated by the court. Furthermore, on appeal, the court rightly did not extend the scope of the proceedings to the cumulative effects of other processing of personal data referred to by [appellant], because these fall outside the scope of the request.
Conclusion
16. The appeal is unfounded. The attacked decision needs to be confirmed.
17. The AP does not have to reimburse legal costs.
Decision
The Administrative Jurisdiction Division of the Council of State:
confirms the attacked statement.
Adopted by mr. N. Verheij, chairman, and mr. G.M.H. Hoogvliet and mr. E.J. Daalder, members, in the presence of mr. S.C. van Tuyll van Serooskerken, clerk of the court.
w.g. verheij, chair
w.g. Van Tuyll van Serooskerken, clerk
Pronounced in public on November 10, 2021
290.
APPENDIX
GDPR
Recital, recital 39
(...) Personal data may only be processed if the purpose of the processing cannot reasonably be achieved in any other way. (...)
Article 4, Definitions
For the purposes of this Regulation:
1) 'personal data' means any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;
2) "processing" means any operation or set of operations on personal data or set of personal data, whether or not performed by automated means, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consult, use, provide by transmission, dissemination or otherwise make available, align or combine, block, delete or destroy data;
5) 'pseudonymisation' means the processing of personal data in such a way that the personal data can no longer be linked to a specific data subject without the use of additional data, provided that such additional data are kept separately and technical and organizational measures are taken to ensure that ensure that the personal data is not linked to an identified or identifiable natural person;
7) "controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means for such processing are established in Union or Member State law, they may determine who the controller is or according to the criteria according to which it is designated;
Article 5, Principles regarding the processing of personal data:
1. Personal data must:
(a) processed in a manner that is lawful, fair and transparent towards the data subject ("lawfulness, fairness and transparency");
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) ("purpose limitation");
(c) adequate, relevant and limited to what is necessary for the purposes for which they are processed ('minimum data processing');
(d) […].
2. The controller is responsible for and can demonstrate compliance with paragraph 1 ("accountability").
Article 6, Lawfulness of the processing:
1. Processing is only lawful if and insofar as at least one of the following conditions is met:
a) the data subject has consented to the processing of his/her personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
c) the processing is necessary for compliance with a legal obligation to which the controller is subject;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the controller;
f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular when the person concerned is a child.
Point f of the first subparagraph shall not apply to processing by public authorities in the performance of their duties.
2. […].