Autoriteit Persoonsgegevens (Dutch DPA) – Court Ruling (Netherlands, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that requiring bus passengers to pay with a debit or credit card is legal under GDPR, as it helps prevent theft and robbery. This decision matters because it supports the use of cashless payments for security reasons in public transport.
What happened
The court upheld the requirement for bus passengers to pay with debit or credit cards instead of cash.
Who was affected
Bus passengers in the Netherlands who are required to use debit or credit cards for ticket purchases.
What the authority found
The court found that using debit or credit card payments is justified under GDPR for security reasons, as it helps prevent theft and robbery.
Why this matters
This ruling supports the trend towards cashless transactions in public transport for security purposes. Businesses should consider the balance between convenience, security, and privacy when implementing similar measures.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The complainant wanted the Dutch DPA to open an investigation concerning (1) identification issues when handing in an anonymous chip card and being reimbursed the sum; (2) a perceived attempt to mislead the complainant as a customer that identification would be mandatory when purchasing tickets at the station counter for all international train journeys within the EU; and (3) charging service costs when topping up an anonymous public transport chip card using cash. The dispute in front of the court was whether the decision to reject the investigation for the three issues was sufficiently grounded. The court assessed each of the three issues seperately. The first issue was whether the DPA sufficiently investigated whether the costumer was identified on reimbursement of the balance of a non-registered OV chip card. The court highlighted that the Dutch DPA showed in the investigation that it was not a policy of the Dutch Railways to record personal data, and that the issue of privacy was brought to the attention of employees during courses and training. In addition, Dutch Railways explained that their computer system did not allow personal data to be recorded when a non-registered public transport chip card was returned. Based on this, the Dutch DPA was able to conclude that the Dutch Railways acted sufficiently adequate with their policy and did not record any personal details of the identification shown. As such, the Court found the issue to be sufficiently investigated. The second issue was whether the DPA sufficiently investigated the procedure for purchasing an international train ticket. The court highlighted that according to the employee handbook, a customer buying an international ticket is not required to give up personal data. The complainant highlighted that the employee in fact asked for personal data when the complainant bought a ticket. However, as noted by the DPA, a deviation from the handbook by one of the employees was not sufficient to lau
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving Autoriteit Persoonsgegevens (Dutch DPA) in NL
Details
Ruling Date
4 February 2020
Authority
DPA RbGelderland
About this data
Cite as: Cookie Fines. Autoriteit Persoonsgegevens (Dutch DPA) - Netherlands (2020). Retrieved from cookiefines.eu
Last updated: