Autoriteit Persoonsgegevens – Court Ruling (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that a cinema's decision to stop accepting cash payments did not violate privacy laws. This is important because it shows that processing personal data for necessary transactions, like buying tickets, can be lawful. It reassures businesses that they can collect data when it's essential for their services.
What happened
A cinema stopped accepting cash payments, requiring debit card transactions that involved personal data processing.
Who was affected
Cinema visitors who had to provide personal information for ticket and snack purchases.
What the authority found
The court held that the cinema's processing of personal data was necessary for fulfilling contracts under GDPR.
Why this matters
This ruling clarifies that businesses can process personal data if it's essential for their operations. It encourages companies to understand the legal bases for data processing.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 17 August 2018, the data subject requested that the Dutch DPA takes enforcement action against a cinema (the controller) on the basis of the GDPR, because the cinema no longer accepted cash payments. As a result, the purchase of a cinema ticket was only possible by means of a debit card payment at the box office or through the cinema’s website. Snacks and drinks could also no longer be paid for with cash. Personal data, namely the bank account number, the amount and the payment date, were processed for these debit card payments in addition to the visitor's name, email address, telephone number, transaction data and IP address when purchasing via the cinema’s website. The data subject believed that he should be able to go to the movies anonymously as there is no necessity for the processing of personal data. On 16 April 2019, the Dutch DPA denied the data subject’s request to take enforcement action against the controller. The DPA also dismissed the data subject’s objection on 27 November 2019 as it believed that the GDPR had not been violated. The processing of personal data when purchasing a ticket or snacks and drinks was considered necessary for the performance of a contract (Article 6 (1)(b) GDPR). The processing of personal data as a result of visiting the website was considered necessary for the maintenance and improvement of the website (Article 6(1)(f) GDPR). According to the DPA, there was no reason for enforcement action. The District Court of First Instance of Gelderland considered whether the DPA was entitled to concluding that the cinema had not violated the GDPR and hence had no authority to take enforcement action. First, the court considered the processing of personal data when paying with a debit card for the purchase of a cinema ticket or snacks and drinks, and iDeal when purchasing a cinema ticket through the website. Processing of personal data may be lawful if it is necessary for the performance of a contract under Article 6(1)(b) GDPR.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (10)
Other cases involving Autoriteit Persoonsgegevens in NL
Court Ruling
Details
About this data
Cite as: Cookie Fines. Autoriteit Persoonsgegevens - Netherlands (2022). Retrieved from cookiefines.eu
Last updated: