Court case 202203874/1/A3 – Court Ruling (Netherlands, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
After moving to a new building in 2018, Stichting Focus Filmtheater, the controller, abolished cash payments and allowed customers to pay only by debit card, credit card, or online. The data subject objected to this policy, arguing that forcing card payments unnecessarily involves the processing of personal data and infringes his right to privacy. He therefore filed a complaint with the DPA. The DPA rejected the complaint following investigation, concluding that no likely violation of the GDPR occurred. It considered that card payments were used to ensure employee safety and to enable the performance of the contract with customers. The court of first instance upheld this view. The data subject then appealed to the Council of State, arguing that the DPA had failed to properly assess whether the processing was necessary and justified, and that less intrusive alternatives, such as allowing cash payments, were available. The court held that the DPA’s decision was insufficiently reasoned and therefore unlawful. The court clarified that compliance with the GDPR generally implies compliance with Articles 7 and 8 of the EU Charter and Article 8 ECHR, so no separate human-rights analysis was required. While the court accepted that “(social) safety” can in principle constitute a legitimate and well-defined purpose for processing personal data under Article 6(1)(b) GDPR, it emphasised that such a purpose must be substantiated in the specific circumstances of the case. In this instance, the data subject had credibly argued that staff safety was not actually at risk, and the DPA had failed to demonstrate that abolishing cash payments materially improved employee safety. The mere fact that cash can be stolen was not sufficient to establish a concrete and justified purpose. Because the existence of a legitimate purpose had not been adequately established, the DPA could not properly assess whether the processing was necessary for the performance of the contract or whether it was
GDPR Articles Cited
After moving to a new building in 2018, Stichting Focus Filmtheater, the controller, abolished cash payments and allowed customers to pay only by debit card, credit card, or online. The data subject objected to this policy, arguing that forcing card payments unnecessarily involves the processing of personal data and infringes his right to privacy. He therefore filed a complaint with the DPA. The DPA rejected the complaint following investigation, concluding that no likely violation of the GDPR occurred. It considered that card payments were used to ensure employee safety and to enable the performance of the contract with customers. The court of first instance upheld this view. The data subject then appealed to the Council of State, arguing that the DPA had failed to properly assess whether the processing was necessary and justified, and that less intrusive alternatives, such as allowing cash payments, were available. The court held that the DPA’s decision was insufficiently reasoned and therefore unlawful. The court clarified that compliance with the GDPR generally implies compliance with Articles 7 and 8 of the EU Charter and Article 8 ECHR, so no separate human-rights analysis was required. While the court accepted that “(social) safety” can in principle constitute a legitimate and well-defined purpose for processing personal data under Article 6(1)(b) GDPR, it emphasised that such a purpose must be substantiated in the specific circumstances of the case. In this instance, the data subject had credibly argued that staff safety was not actually at risk, and the DPA had failed to demonstrate that abolishing cash payments materially improved employee safety. The mere fact that cash can be stolen was not sufficient to establish a concrete and justified purpose. Because the existence of a legitimate purpose had not been adequately established, the DPA could not properly assess whether the processing was necessary for the performance of the contract or whether it was
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 202203874/1/A3 in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 202203874/1/A3 - Netherlands (2026). Retrieved from cookiefines.eu
Last updated: