The Dutch DPA Imposed a fine on the Dutch Tennis Association (The KNLTB) of EUR 525,000, for the unlawful sale of personal data of its members to two sponsors.

The Dutch DPA recently imposed a fine on the Dutch Tennis Association (KNLTB) under the GDPR, for the illegal sale of their members’ information to two of its sponsors. The information shared included personal data such as their names, addresses and genders. This information was then used by the two sponsors, to market offers to these individuals by both phone, and the post. One sponsor purchased the information of 50,000 members, while the other sponsor purchased the data of over 300,000 members. While the KNLTB argued that it had legitimate interest in selling its members data, the Dutch DPA does not agree and believes that financial gain was the basis of the KNLBT’s decision to infringe on the basic rights of its members under the GDPR, by selling their data. 

Previous Fines by the Dutch DPA.

The Dutch DPA had, prior to this most recent fine on the Dutch Tennis Association, imposed two fines under the GDPR. The first of which was ruled against the Dutch UWV (Employee Insurance Agency) in 2018. As a result of the fine the UWV was required to improve its logging security level by October 2019, however this has now been postponed by a year, which could carry a fine of EUR 150,000 per month, up to a total of EUR 900,000. The second fine, imposed on the Dutch Haga Hospital, was because of the insufficiency of their internal security of patient records, resulting in approximately 200 employees having unauthorized access to medical records of a Dutch celebrity, and this person’s private, personal information being leaked to the press. For this, the Dutch DPA imposed a fine of EUR 460,000.

On another note, the DPA has launched an investigation in the past into Facebook’s failure to adequately inform users that their data was being used for targeted advertising. This did not result in a fine, but did inspire a change in Facebook’s personal data policy. 

The Dutch DPA’s Policies for Determining Administrative Fines. 

In an effort to maintain consistency in the fines it imposes, the Dutch DPA has specific policies for determining the level of these administrative fines. Infringements are divided into categories, determined by the relative GDPR article. As reported by the INPLP in their article, the fines imposed based on this policy can be increased or reduced, depending on the following relevant factors: 

• The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of persons affected and the extent of the damage suffered by them.
• The deliberate or careless nature of the infringement.
• The measures taken by the controller or the processor to limit the damage to the data subjects involved.
• The extent to which the controller or the processor is responsible, considering the technical and organizational measures that had to be taken under articles 25 and 32 of the GDPR. 
• Previous infringements, where relevant, by the controller or the processor.
• The level of cooperation with the Dutch DPA to remedy the infringement and reduce the possible, negative consequences of it.
• The categories of personal data affected by the infringement.
• The manner in which the Dutch DPA has been notified of the infringement and whether the controller or the processor has reported the infringement.
• In how far the controller or the processor has complied with any previous measures imposed by the Dutch DPA, as referred to in article 58 (2) of the GDPR.
• Compliance with approved codes of conduct in accordance with article 40 of the GDPR or with approved certification mechanisms referred to in article 42 of the GDPR.
• Any other circumstances that may be regarded as aggravating or mitigating factors, such as financial gains realised, or losses avoided, whether or not directly arising from the infringement.

Their general guide for imposing fines it’s based on the following categories, as determined by the corresponding GDPR infringement:

The fine imposed on the Dutch Tennis Association, KNTLB, was based on a category III infringement and therefore incurred the basic fine for that category; €525,000. So far this year, we reported on two fines issued by the Italian DPA (Garante) on TIM Spa ,and Eni Gas E Luce, for Euro 27.8 million and 11.5 million respectively, and more recently, on CRDNN Ltd, of half a million pounds, by the UK’s DPA, the ICO. 

With officials cracking down on companies which mismanage their data, it is imperative that companies ensure that they are in line with the GDPR, PECR 2003, and the DPA 2018. While this is only the third fine being imposed by the Dutch DPA under the GDPR, the Dutch DPA is the first in the EU to define its own policy for imposing fines, which may inspire other countries to do the same. 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.