Tennis association fined for selling personal data

Summary

The Dutch tennis association KNLTB sold personal data about more than 300,000 members to two sponsors for the purpose of direct marketing. The personal data was in the form of name, gender, address, and telephone numbers of members. The sponsors approached some of the KNLTB members by mail or telephone.

During the case, the Dutch DPA assessed whether sharing personal data with sponsors was within the original purpose of executing the membership. Secondly, it assessed whether the KNLTB could rely on the legal basis of legitimate interest when selling personal data.

The KNLTB claimed that the Dutch DPA was biased in its approach because, in a news show, the DPA had given the impression that the KNLTB had acted incorrectly while investigations were still ongoing. The Dutch DPA acknowledged this, but it did not have any legal effect on the case, as the proceedings took place in accordance with formal procedures.

The decision of the Dutch DPA

The Dutch DPA imposed a fine of 525,000 EUR on the KNLTB for the following violations:

• Selling personal data without a legal basis (GDPR, Article 6(1)).
• Not making it clear to their members how their personal data was processed (GDPR, Article 5(1)(a)).
• Processing personal data with a purpose that was incompatible with the original purpose for collection (GDPR, Article 5(1)(b)).

Our remarks

• A controller should be aware of how the DPA acts during a case, and whether it acts according to formal procedures, etc.
• If the processing serves a purpose other than the one for which the personal data was originally collected, it should be assessed whether this other purpose is compatible with the purpose for which the personal data has been collected.
• In this case, the purpose of generating extra income by selling personal data to sponsors was not within the original purpose of membership. Therefore, the KNLTB should have obtained the consent of the members for this action.
• The Dutch DPA stated that any solely commercial purpose, such as interest in gaining income, could not qualify as a legitimate interest. This is quite a restrictive interpretation of the scope of legitimate interest as a legal basis.

Published: 20-12-2019
Journal number: N/A
Tags: 01 Legal basis and principles of processing
Complycloud EU GDPR Report