Court case 202203874/1/A3 – Court Ruling (Netherlands, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that a theater's decision to stop accepting cash payments did not violate privacy rights. This case is significant because it clarifies how companies can justify processing personal data for safety reasons. Businesses should understand the importance of substantiating their reasons for data collection.
What happened
A complaint was filed against a theater for requiring card payments, which the complainant argued involved unnecessary data processing.
Who was affected
A customer of the theater who preferred cash payments was affected by the policy change.
What the authority found
The court found that the theater's policy was lawful but criticized the data protection authority for not adequately justifying the necessity of the cashless policy.
Why this matters
This ruling emphasizes the need for companies to provide clear justifications for their data processing decisions. It encourages businesses to carefully assess their policies to ensure they are necessary and lawful.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
After moving to a new building in 2018, Stichting Focus Filmtheater, the controller, abolished cash payments and allowed customers to pay only by debit card, credit card, or online. The data subject objected to this policy, arguing that forcing card payments unnecessarily involves the processing of personal data and infringes his right to privacy. He therefore filed a complaint with the DPA. The DPA rejected the complaint following investigation, concluding that no likely violation of the GDPR occurred. It considered that card payments were used to ensure employee safety and to enable the performance of the contract with customers. The court of first instance upheld this view. The data subject then appealed to the Council of State, arguing that the DPA had failed to properly assess whether the processing was necessary and justified, and that less intrusive alternatives, such as allowing cash payments, were available. The court held that the DPA’s decision was insufficiently reasoned and therefore unlawful. The court clarified that compliance with the GDPR generally implies compliance with Articles 7 and 8 of the EU Charter and Article 8 ECHR, so no separate human-rights analysis was required. While the court accepted that “(social) safety” can in principle constitute a legitimate and well-defined purpose for processing personal data under Article 6(1)(b) GDPR, it emphasised that such a purpose must be substantiated in the specific circumstances of the case. In this instance, the data subject had credibly argued that staff safety was not actually at risk, and the DPA had failed to demonstrate that abolishing cash payments materially improved employee safety. The mere fact that cash can be stolen was not sufficient to establish a concrete and justified purpose. Because the existence of a legitimate purpose had not been adequately established, the DPA could not properly assess whether the processing was necessary for the performance of the contract or whether it was
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 202203874/1/A3 in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 202203874/1/A3 - Netherlands (2026). Retrieved from cookiefines.eu
Last updated: