Autoriteit Persoonsgegevens (AP) – Court Ruling (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court reviewed a case where a sports club shared its members' personal information with sponsors without their consent. The court couldn't definitively decide if the club had a legitimate interest for this data sharing. This case shows the complexity of using 'legitimate interest' as a legal basis for data processing.
What happened
A sports club shared members' personal data with sponsors without obtaining their consent.
Who was affected
Members of the sports club whose personal data was shared without their consent.
What the authority found
The court could not conclusively determine if the sports club had a legitimate interest in sharing the data, as required by GDPR.
Why this matters
This case highlights the challenges businesses face when relying on 'legitimate interest' to process personal data. It underscores the importance of clearly establishing and documenting legitimate interests when processing data without explicit consent.
GDPR Articles Cited
The controller is a sports club in the legal form of an association. To, in its own words, 'give more meaning' to the sport, its vision and the memberships of its members, the controller worked with sponsors. It provided these sponsors with personal information of its members (the data subjects) such as names and addresses. Some members complained to the Dutch DPA that they did not give the controller explicit consent to provide its sponsors with their personal data. The Dutch DPA investigated the matter and found that the controller had disclosed the personal data without consent or any other legal ground, in breach of Article 5(1)(b) and Article 6(1) read in conjunction with Article 5(1)(a) GDPR. The DPA fined the controller €525,000. The controller appealed the DPA's decision at the District Court of Amsterdam. It stated that there was, in fact, a legal ground for processing and this was its legitimate interest under Article 6(1)(f) GDPR. The DPA continued to be of the opinion that the controller had no legitimate interest and that the processing was not necessary to pursue such alleged legitimate interest. The parties were divided on the interpretation and scope of legitimate interest within the meaning of Article 6(1)(f) GDPR. According to the DPA, it followed from the grammatical interpretation of this term that there must be an interest laid down in a law. According to the controller, any interest was justified unless prohibited by law. The Court noted that there were three cumulative conditions according to established case law of the CJEU for processing on the grounds of legitimate interest: (1) the pursuit of a legitimate interest of the controller, (2) the processing must be necessary and (3) the controller's legitimate interest must outweigh the interest or fundamental fights and freedoms of the data subject(s). The Court held that it could not without reasonable doubt decide whether the controller had a legitimate interest. There was no established
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Autoriteit Persoonsgegevens (AP) in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Autoriteit Persoonsgegevens (AP) - Netherlands (2022). Retrieved from cookiefines.eu
Last updated: