Autoriteit Persoonsgegevens (Dutch DPA) – Court Ruling (Netherlands, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that requiring bus passengers to pay with a debit or credit card is legal under GDPR, as it helps prevent theft and robbery. This decision matters because it supports the use of cashless payments for security reasons in public transport.
What happened
The court upheld the requirement for bus passengers to pay with debit or credit cards instead of cash.
Who was affected
Bus passengers in the Netherlands who are required to use debit or credit cards for ticket purchases.
What the authority found
The court found that using debit or credit card payments is justified under GDPR for security reasons, as it helps prevent theft and robbery.
Why this matters
This ruling supports the trend towards cashless transactions in public transport for security purposes. Businesses should consider the balance between convenience, security, and privacy when implementing similar measures.
GDPR Articles Cited
National Law Articles
In the Netherlands, as of 1 July 2018 a passenger who wishes to purchase a ticket on the bus from the bus driver can only pay for this ticket with a debit or credit card and no longer with cash. The plaintiff requested the Dutch DPA to investigate the obligation to pay with a debit or credit card and the abolition of cash payments on the bus and to take an enforcement action against this measure under the GDPR. The DPA rejected the request and the plaintiff appealed its decision. He also asked the Court to suspend the present judgement until the CJEU issues a judgement on the preliminary questions which the Constitutional Court of Belgium referred with its judgement no. 135/2019 on the processing of passenger data. The DPA argued that the legal basis for the processing of PIN and credit card details when purchasing a ticket from a bus driver is Article 6(1)(b) GDPR. The Court had to assess whether the Dutch DPA has been able to conclude that the third party did not violate the GDPR and subsequently whether it did not have to take an enforcement action indeed. To this end, the Court had to assess whether Article 6 GDPR provides a legal basis for processing credit cards details and whether the processing is compliant with Article 5 GDPR. It also had to examine whether the criteria of necessity and proportionality had been met in this case. The Court found that the legal basis of Article 6(1)(b) GDPR is valid, hence there was no reason to further examine possible application of other legal grounds. Moreover, the Dutch DPA could reasonably consider the purpose of abolishing cash, since this measure was included in the action programme "Social Security in Public Transport" and aimed at the prevention of theft and robbery. For this purpose, the only plausible option for all third parties and bus routes could be only that one. The DPA could reasonably take the position that the processing of personal data in case of debit or credit card payments is limited to
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Autoriteit Persoonsgegevens (Dutch DPA) in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Autoriteit Persoonsgegevens (Dutch DPA) - Netherlands (2020). Retrieved from cookiefines.eu
Last updated: