Personal Data Authority – Court Ruling (Netherlands, 2021)

Court Ruling
DPA RbGelderland | 10 November 2021 | Netherlands
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Dutch court ruled that Connexxion's decision to only allow card payments for bus tickets did not violate privacy rights. The court found that processing personal data for card payments was necessary for the contract of transportation. This decision highlights the balance between convenience and privacy in public transport systems.

What happened

Connexxion required bus tickets to be purchased by card, not cash, which led to a privacy complaint.

Who was affected

Bus passengers who had to use card payments instead of cash for purchasing tickets.

What the authority found

The court decided that Connexxion's processing of personal data for card payments was necessary for fulfilling the transportation contract.

Why this matters

This ruling suggests that companies can require card payments if it's necessary for their service, as long as they secure the data properly. It emphasizes the importance of defining clear purposes for data processing in business operations.

GDPR Articles Cited

Art. 4 GDPR
Art. 5 GDPR
Art. 6 GDPR
Decision Authority: RvS (Netherlands)
Reviewed Authority: Rb. Gelderland (Netherlands)

Full Legal Summary

This matter concerns an appeal to the Administrative Jurisdiction Division of the Council of State in which the data subject stated that his right to privacy was violated by the fact that he could only purchase a bus ticket by card (as opposed to cash payment). He previously raised a request to the AP (the DPA) to take action against Connexxion Openbaar Vervoer N.V. for the decision to abolish cash payments, through application of the GDPR. This request was denied and underlies the current appeal.

On appeal, the data subject argued that “the court erred in finding that the processing of personal data is necessary for the performance of a contract” in that:

1. The data subject did not enter into an agreement with Connexxion “of his own free will” and that consent for the processing of his personal data was not given freely and unambiguously as Connexxion has a monopoly on which public transport users depend. He argued that the General Conditions for City and Regional Transport 2015 are insufficient to serve as a legal basis within the meaning of Article 6(1)(b) GDPR.
2. The purpose of the data processing is not well-defined, explicit and justified.
3. The effect on safety of banning cash payments is not clear as this measure is one of a group consisting of 23 measures.

In establishing which data is being processed, the Court took note of the fact that Connexxion uses a Payment Service Provider (PSP) to process its financial transactions and applies the PAN Masking technique to secure these transactions. This technique only provides the last four digits of the bank account number to be stored at Connexxion while the preceding digits are anonymized.

The Court further noted that a contract is established when the passenger boards the bus and the mere fact that the passenger has no choice as to whom he concludes this contract with does not negate the existence of said contract. It went on to consider whether there is an agreement in place and held that “there is no ev

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Related Cases (0)

No other cases found for Personal Data Authority in NL

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

10 November 2021

Authority

DPA RbGelderland

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Personal Data Authority - Netherlands (2021). Retrieved from cookiefines.eu
