News item / March 3, 2020
Category: Direct marketing

The Dutch Data Protection Authority (AP) has imposed a fine of EUR 525,000 on tennis association KNLTB for selling personal data. In 2018, the KNLTB unlawfully provided personal data of a few hundred thousand of its members to two sponsors against payment.

Source: https://autoriteitpersoonsgegevens.nl/nl/nieuws/boete-voor-tennisbond-vanwege-verkoop-van-persoonsgegevens

• Bellow is an unofficial English translation of the above-referenced decision by the 
Dutch Data Protection Authority (AP) that has been reported as holding that commercial interests can never support legitimate interests for marketing.
• The AP ruling has been widely misrepresented by people with access only to summaries of, and not to the full, analysis by the AP. This is why Anonos is making this full English translation available for broader access, review and analysis.
• A full reading of the AP analysis shows that KNLTB was not penalised because it used personal data to achieve commercial purposes – it was penalised because all KNLTB had was a claim of commercial interest.
• The AP analysis shows that KNLTB failed to provide adequate technical and organisational safeguards to ensure demonstrable technically enforced accountability. Of particular significance is the yellow highlighted sections of paragraphs 137 and 141 (on pages 32 and 33) which emphasise that the lack of technically implemented accountability controls are a primary reason why the AP imposed a penalty against KNLTB.

• If KNLTB had technical and organisational safeguards – like Pseudonymisation – in place to ensure demonstrable technically enforced accountability, the result could have been very different.

The KNLTB decision came up in a webinar sponsored by Anonos and hosted by the World Data Protection Forum where over 700 senior privacy and data innovation professionals from around the world discussed Pseudonymisation-enabled Legitimate Interests processing with a focus on new legal requirements for direct marketing under the GDPR.

The information provided in this document is not intended to, nor shall it constitute legal advice. This document is an unofficial English translation provided by Anonos (www.anonos.com) for general informational purposes. Readers of this document should contact their attorney to obtain advice concerning any particular legal matter. No reader of this document should act or refrain from acting based on information in this document without first seeking legal advice from counsel in the relevant jurisdiction.

VIEW LEGITIMATE INTEREST WEBINAR REPLAY

Confidential / By courier

KNLTB
[CONFIDENTIAL]
Display path 4
3821 BT AMERSFOORT

Date
20 December 2019

Our reference
[CONFIDENTIAL]

Contact
[CONFIDENTIAL]
070 8888 500

Subject
Decision to impose an administrative fine

Dear [CONFIDENTIAL],

The Dutch Data Protection Authority (AP) has decided to impose an administrative fine of €525,000 to the Royal Dutch Lawn Tennis Federation (KNLTB) because the KNLTB provided a file with personal data of its members in June and July 2018 to two sponsors for direct marketing activities of these sponsors. As far as it concerns the provision and use of personal data of members who joined the KNLTB before 2007, this is considered incompatible further processing. As a result, the KNLTB has violated article 5, first paragraph, preamble and under b, of the GDPR (General Data Protection Regulation). As far as it concerns the provision and use of personal data of members who became members of the KNLTB after 2007, there was no legitimate basis for this. This means that the KNLTB has violated article 5, first paragraph, preamble and under a jo. article 6, paragraph 1, of the GDPR.

The decision will be explained in more detail below. Chapter 1 is an introduction and Chapter 2 describes the legal framework. Chapter 3 lists the main facts of the case. In chapter 4, the AP assesses the facts on the basis of the legal framework and concludes that the KNLTB has violated the GDPR. The amount of the administrative fine is explained in chapter 5. Finally, Chapter 6 contains the judgement and the remedy clause.

1. Introduction

1.1. Legal entity involved
1. The KNLTB is an association with full legal capacity, which has its registered office at Displayweg 4 (3821 BT) in Amersfoort. The KNLTB was founded on June 5, 1899 and is registered in the trade register of the Chamber of Commerce under number 40516738. According to the articles of organization, last amended on March 4, 2019, the aim of the KNLTB is to promote the game of tennis in all its forms, including other game forms that use a racket or similar game material.

2. The KNLTB is the umbrella organization of tennis sports and tennis clubs in the Netherlands and is, among other things, engaged in advising and supporting the management of tennis clubs in association policy, accommodation and legal disputes. [1]

3. It is estimated by the KNLTB that there are 1,782 tennis clubs in the Netherlands, of which 1,657 (or 97%) are affiliated with the KNLTB. [2] According to the KNLTB website, (through these tennis clubs) almost 570,000 tennis players are affiliated with the KNLTB, making the KNLTB the second largest sports association in the Netherlands. [3]

1.2. Process sequence
4. On October 22, 2018, the AP initiated an investigation into the provision by the KNLTB of personal data of its members to sponsors with the aim of approaching members with "tennis-related and other offers".

5. On May 7, 2019, the AP established its investigation report. It submitted this report to the KNLTB on May 13, 2019. The AP has sent a copy of the investigation report to [CONFIDENTIAL] of the KNLTB.

6. By letter dated May 29, 2019, the AP sent the KNLTB an intention to enforce for violation of article 5, first paragraph, preamble and under b of the GDPR and article 5, first paragraph, preamble and under a jo. article 6, first paragraph, of the GDPR. A copy of the intention has also been sent to [CONFIDENTIAL] of the KNLTB.

7. As allowed by the letter of May 29, 2019, the KNLTB also gave its vision on this intention and the investigation report on which it was based, in a letter dated July 25, 2019. [CONFIDENTIAL] of the KNLTB also submitted a vision by way of document “[CONFIDENTIAL] comments on the AP investigation report”.

8. On August 1, 2019, an opinion hearing took place at the office of the AP at which the KNLTB orally explained its vision.

9. On August 2, 2019, the AP asked a number of questions by e-mail that could not yet be answered by the KNLTB during the review session. The KNLTB answered these questions by e-mails dated August 22, 2019 and September 11, 2019.

10. AP sent the report of the review session to the KNLTB by email dated August 20, 2019. The KNLTB sent its comments on the report to the AP by email dated September 17, 2019. The AP sent an amended report on October 2, 2019.

11. On October 18, 2019, the KNLTB responded to the amended report by e-mail.

12. The KNLTB provided the Contact Protocol KNLTB member database to the AP by e-mail dated October 28, 2019.

1.3. Reason and background start of research
13. Following the KNLTB's announcement to provide personal information of its members to sponsors to approach members with tennis-related and other offers, the AP received tips and complaints from a number of members. As a result of the announcement, a member of the KNLTB decided to publicly ask whether this KNLTB approach was in line with the GDPR. The media have reported that the KNLTB had suspended the provision of telephone numbers to a sponsor under pressure of a lawsuit brought by one of its members. This reporting was reason for the AP to invite the KNLTB for an interview. As a result of this conversation, the complaints and tips received as well as the media reports, the AP has started an investigation into the KNLTB's provision of member data to sponsors.

2. Legal framework

2.1 Scope of the GDPR
14. Pursuant to article 2, paragraph 1 of the GDPR, this regulation applies to the complete or partially automated processing, as well as to the processing of personal data contained in a file or intended to be included therein.

15. Pursuant to article 3, first paragraph, this regulation applies to the processing of personal data in the context of the activities of an establishment of a processor that is responsible or processor in the Union, regardless of whether or not the processing takes place in the Union.

16. Pursuant to article 4, as far as applicable here, for the application of this regulation, the following definitions apply:
1)" personal data" means any information about an identified or identifiable natural person ("the data subject") […];
2) "processing" means an operation or set of operations involving personal data or a set of personal data, whether or not carried out by automated processes […]; […]
7) "processing responsible" means a natural or legal person who, alone or together with others, determines the purpose and means of the processing of personal data; […]; […]
9) “recipient” means a natural or legal person, a governmental agency, a service or another body, whether or not a third party, to/to whom the personal data are provided. […];
10) "third party" means any natural or legal person, governmental agency, agency or other body, other than the data subject, the processing responsible, the processor, or the persons authorized under the direct authority of the processor responsible or processor to process the personal data;
11) "consent" of the data subject means any free, specific, informed and unambiguous expression of will by which the data subject accepts the processing of personal data concerning him by means of a statement or unambiguous active act; […]. "


2.2 Principles: legality, fairness and transparency & purpose limitation
17. Article 5, first paragraph, preamble under a and under b of the GDPR states:
"Personal data must:
(a) be processed in a manner that is lawful, fair and transparent with regard to the data subject ('lawfulness, fairness and transparency');
(b) be collected for specified, explicitly described and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes in accordance with article 89 (1) ("purpose limitation"). "

18. Article 6, paragraph 4, GDPR states:
'Where the processing for a purpose other than that for which the personal data have been collected is not based on the consent of the data subject or on a provision of Union law or a Member State law provision which is a necessary and proportionate measure in a democratic society to ensure the fulfillment of the objectives of article 23, paragraph 1, processing responsible will, when assessing whether the processing for another purpose is compatible with the purpose for which the personal data were initially collected, take into account, among others:
a) any connection between the purposes for which the personal data was collected and the purposes of the intended further processing;
(b) the framework in which the personal data was collected, in particular in regards to the relationship between the data subjects and the processor responsible;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, in accordance with article 9, and whether personal data on criminal convictions and offenses are processed, in accordance with article 10;
(d) the possible consequences of the intended further processing for the data subjects;
(e) the existence of appropriate safeguards, including, where appropriate, encryption or pseudonymisation. "

2.3 Principles for the processing of personal data
19. Article 6, paragraph 1, GDPR, where relevant, states:
"The processing is only lawful if and as far as at least one of the following conditions is met:
a) the data subject has consented to the processing of his personal data for one or more specific purposes;
(b) the processing is necessary for the performance of a contract to which the data subject is a party, or for action to be taken at the request of the data subject before the conclusion of a contract;
(…)
(f) processing is necessary for the protection of the legitimate interests of the processor responsible or of a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular when the data subject is a child. (...) "

20. The previous article corresponds to article 8 of the Personal Data Protection Act (Wbp, withdrawn on May 25, 2018), which stated:
"Personal data may only be processed if:
(a) the data subject has unambiguously given his consent;
(b) the data processing is necessary for the performance of an agreement to which the data subject is a party, or for the taking of pre-contractual measures following a request from the data subject, which are necessary for the conclusion of an agreement;
(…)
f. the data processing is necessary for the representation of the legitimate interest of the person responsible or of a third party to whom the data is provided, unless the interests or fundamental rights and freedoms of the data subject, in particular the right to privacy, prevails. "

2.4 Authority to impose an administrative fine
21. The authority to impose an administrative fine arises from article 58, second paragraph, preamble and under i, in conjunction with article 83, fifth paragraph, preamble and under a, of the GDPR and article 14, third paragraph, of the Implementation Law GDPR.

22. Article 58, second paragraph, preamble and under i, of the GDPR state the following:
"Each supervisory authority shall have all of the following remedial powers:
(…)
(i) impose an administrative fine under article 83 (…), in accordance with the circumstances of each case, in addition to or in place of the measures referred to in this paragraph; "

23. Article 83, first, second and fifth paragraph, preamble and under a, of the GDPR states the following:
"1. Each supervisory authority shall ensure that the administrative fines imposed under this article for the infringements of this regulation referred to in paragraphs 4, 5 and 6, are effective, proportionate and dissuasive in each case.
2. Administrative fines, depending on the circumstances of the case, shall be imposed in addition to or in place of the measures referred to in points (a) to (h) and (j) of article 58, paragraph 2. (…)
5. Infringements of the following provisions, in accordance with paragraph 2, are subject to administrative fines of up to EUR 20 000 000 or, for an enterprise, up to 4% of the total worldwide annual turnover in the previous financial year, when higher:
(a) basic processing principles, including conditions for consent, in accordance with articles 5, 6, 7 and 9; "

24. Article 14, third paragraph, of the Implementation Law GDPR states the following:
"The Personal Data Authority may impose an administrative fine of no more than the amounts referred to in these paragraphs in the event of a violation of the provisions of article 83, fourth, fifth or sixth paragraph of the Regulation."

3. Facts
25. This chapter lists the facts relevant to the decision. Of interest are the facts regarding the provision of personal data by the KNLTB to two sponsors, namely [CONFIDENTIAL] (trading under the name [CONFIDENTIAL]; hereinafter [CONFIDENTIAL]) and the [CONFIDENTIAL] ([CONFIDENTIAL]). The purpose of this provision was for the KNLTB to generate (extra) income. The personal data have been used by [CONFIDENTIAL] and [CONFIDENTIAL] for their direct marketing activities for which the KNLTB has received compensation. In the context of their direct marketing activities, [CONFIDENTIAL] and [CONFIDENTIAL] have also provided the personal data to [CONFIDENTIAL] and various [CONFIDENTIAL], respectively, for the execution of their direct marketing activities. The AP has not investigated the lawfulness of the processing of personal data by [CONFIDENTIAL] and the [CONFIDENTIAL], and the processing of personal data by [CONFIDENTIAL] and the [CONFIDENTIAL]. Therefore, this decision does not assess the lawfulness of the latter processing operations.

26. The facts relevant to this resolution occurred before the last amendment of the articles of organization of March 4, 2019. This means that for the description of the facts, where relevant, reference will be made to the articles of organization that were amended on January 19, 2005 (articles of organization 2005) or the articles of organization as amended on December 30, 2015 (articles of organization 2015).

3.1 KNLTB
Purpose KNLTB

27. According to article 2, first paragraph, of the articles of organization 2005 (and also the articles of organization 2015), the KNLTB aims to promote the practice of tennis and the development of tennis.
According to the second paragraph, the KNLTB tries to achieve its goal by, among other things:
a. forming a bond between, if possible, all practitioners of the tennis game;
b. providing information about the tennis game and promoting the tennis game as a leisure activity;
c. to spread the rules of the tennis game;
d. taking all measures that may lead to an increase in the playing level;
e. organizing, arranging and supporting tennis matches;
f. providing information about and support in the construction and improvement of tennis courts and accommodations;
g. providing information and advice regarding the administrative organization of tennis sport;
h. promoting and/or organizing to undertake training courses aimed at club members, tennis teachers and referees;
i. representing Dutch tennis in the organizations to which KNLTB is or will be affiliated;
j. looking after the interests of its members and affiliates;
k. representing its members in and out of court;
l. all permitted means, which further serve the KNLTB.

Organization KNLTB

28. According to article 3, first paragraph, of the 2015 articles of organization, as far as relevant here, bodies of the KNLTB are the Council of Members and the Federal Board. Pursuant to article 3, second paragraph, of the 2015 articles of organization, the Council of Members represents all members of the KNLTB. Pursuant to article 3, third paragraph, of the 2015 articles of organization, the KNLTB is led by the federation board that is accountable to the Council of Members.

29. According to article 4 (1) of the 2015 articles of organization, the KNLTB has as a member:
a. associations […];
b. union members;
c. personal members.

30. Pursuant to article 4, second paragraph, of the 2015 articles of organization, members of the association are members of an association as referred to in paragraph 1 (a) of this article, as far as they have not been removed from membership by the KNLTB.

31. According to article 12, first paragraph, of the 2015 articles of organization, the Federal Board is responsible for matters such as:
a. taking all policy decisions […]
b. the daily management;
[…]
e. executing the decisions taken by the council of members;

Register of members

32. Article 4, ninth paragraph of the articles of organization 2005 (also articles of organization 2015) stipulates that the federation board must keep a register of members. Only those data that are necessary for the realization of the purpose of the KNLTB are kept in this register. After a prior decision by the Council of Members, the federal board can provide registered data to third parties, except for data from the member that has objected in writing to the federal board.

3.2 Decision-making and information provision member data to sponsors
Decision using of member data for direct marketing purposes sponsors
33. In 2007, on the proposal of the Federal Board, the Members Council approved the use of members names, addresses and places of residence for letter mail campaigns by KNLTB sponsors. From the minutes of the Members Council meeting in 2007 it can be concluded that the money resulting from the use of member data is spent on Toptennis, among other things.

34. In 2017, the KNLTB management discussed expanding the direct marketing possibilities by providing personal data to partners (sponsors) for electronic and telephone direct marketing purposes. This policy change was subsequently discussed at the meeting of the federal board in April 2017. The board of directors has informed the members council, among other things, by means of a memo dated November 24, 2017 about expanding the direct marketing possibilities. The purpose of this is to "create added value" for the members, but also to generate "extra income that will eventually make a structural and substantial contribution to the KNLTB and tennis sport". The Council of Members has been requested to grant permission to expand the direct communication possibilities towards the members of the KNLTB. This permission concerned the provision of personal data of members of the KNLTB for marketing and commercial purposes to current and future structural and future partners with the aim of approaching by telephone/telemarketing. The Members Council approved the proposal by the Federal Board at the Members Council meeting on December 16, 2017.

Provision of information by KNLTB

35. From 2015, new members of the KNLTB will receive a welcome email. The topic of privacy has been part of this welcome email since 2018. With regard to privacy aspects, the welcome email contains the following text under the heading "How does the KNLTB handle your personal data?": “We may and can make your name and address details and telephone number available to our partners under strict conditions, so that they can approach you with relevant, promotional actions. If you do not want to be contacted by telephone or mail with offers, you can use the right of objection (AP: the text [right of objection] is also a shortcut to the right of objection form).
Your email address will not be provided to our partners, unless you have given permission for this (opt-in). The KNLTB always adheres to the applicable laws and regulations. Would you like more information about the processing of your personal data? Then view our Privacy Statement (AP: the text [Privacy Statement] is also a shortcut to the privacy statement of the KNLTB). ”

36. In the newsletter dated February 7, 2018, the KNLTB informed its members about sharing personal data with its partners. Under the heading “Sharing data: added value for members and long-term investment for tennis”, the following text is stated: “The KNLTB would like to create added value for your KNLTB membership by being able to offer tennis-related and other great offers. In addition, the KNLTB wants to generate extra income with which we can keep the tennis sport affordable for you and your association in the long term. That is why permission has been granted in the Members Council meeting in December 2017 for providing your data to our partners. Of course, the KNLTB complies with all applicable laws and regulations in this context, and the KNLTB also strictly monitors the use of your data by its partners. Do you have any questions or would you like to know more? ”

By clicking the button [Read more] you can click through to a web page with the title 'Fan Marketing & Data' in which members are informed as follows: “The KNLTB will provide your name and address details and telephone number (if you have opted in) under strict conditions, to our partners so that they can approach you with relevant promotional actions. Your email address and telephone number will not be provided to our partners without your permission. ”
Members are also reminded of the possibility to invoke their right of objection: “If you do not wish to be contacted by mail with offers from KNLTB and/or its structural or incidental partners, you can use the right to object. You can report this to the KNLTB Member Service via an online form.”

37. On February 23, 2018, a news item of the same nature was sent to all association boards and volunteers.

38. In the newsletter dated March 7, 2018, the KNLTB informed its members about the change in the way in which the KNLTB handles the personal data of its members. Under the heading
“Change in the way in which KNLTB handles your personal data”, the following text is stated: “
The KNLTB is constantly looking for ways to create added value for your KNLTB membership. That’s why it is necessary to have relevant data and to be able to use this data, so that we can approach you and other tennis fans with tennis-related and other relevant offers. In December 2017, the Council of Members agreed to provide your data to our partners. ”

By clicking on the button [Read more] you go to a news item dated February 12, 2018 on the KNLTB website titled 'Change in the way in which the KNLTB handles your personal data' in which members are informed as follows: “The KNLTB provides your name and address details and telephone number to our partners under strict conditions, so that they can approach you with relevant, promotional actions. Your email address will not be provided to our partners without your permission. We always supervise the actions of our partners and will enter into strict agreements per action on how they may handle your data. The KNLTB must and will always adhere to the applicable laws and regulations. ” On this web page, members are also informed of the possibility to invoke their right of objection: “If you do not wish to be contacted by telephone or mail with offers from KNLTB and/or its structural or incidental partners, you can use the right to object. You can report this to the KNLTB Member Service via an online form. ”

39. Furthermore, the short message "How does the KNLTB handle the personal data of members?" of April 23, 2018 was on the KNLTB homepage for more than a month.

40. As a result of media attention about the provision of members personal data to its partners, the KNLTB posted various news items on its websites www.knltb.nl and www.centrecourt.nl[4] on April 23, 2018 and June 13, 2018, in which members, in short, are informed about how the KNLTB handles the personal data of its members and how the KNLTB uses data of its members under strict conditions and in the interest of tennis.

41. The KNLTB has placed a privacy statement on its website.[5] Members are informed, among other things, about the nature of the personal data processed by the KNLTB, the bases and purposes of the processing. According to the privacy statement, personal data is processed, among other things, for the provision of products, services, events of the KNLTB, the partners of the KNLTB or other parties with which the KNLTB cooperates. With regard to the provision of personal data to partners of the KNLTB, the privacy statement states: “When it comes to providing name and address details to our partners [6] (making an offer especially for our members), you are of course always entitled to submit your objection via the appropriate form[7] (right to object to direct marketing). Your data will then no longer be provided to our partners, so that they can no longer make an offer to you as a member of the KNLTB. The legal basis for this provision is the legitimate interest (and therefore not consent). Telephone numbers will only be provided to our partners if a member has explicitly given prior permission to do so.”

3.3 Agreements KNLTB with [CONFIDENTIAL] and [CONFIDENTIAL]
42. From March 2018 up to October 2018, the KNLTB has initiated actions with [CONFIDENTIAL] and [CONFIDENTIAL] using personal data such as name, address and place of residence (NAW) and telephone numbers of members of the KNLTB. [CONFIDENTIAL] sent two discount flyers by mail to a selection of KNLTB members and [CONFIDENTIAL] called a selection of KNLTB members in a telemarketing campaign to sell [CONFIDENTIAL]. For the direct marketing activities of [CONFIDENTIAL] and [CONFIDENTIAL], the KNLTB has provided personal data of its members. The following agreements form the basis for the provision and use of this personal data.
Agreement KNLTB - [CONFIDENTIAL]


43. On May 15, 2018, the KNLTB and [CONFIDENTIAL] entered into an Official Supplier Agreement.

44. Article 1.2 of the Official Supplier Agreement provides that the KNLTB provides sponsorship rights and/or communication possibilities of the KNLTB (hereinafter: the “Communication Options”) to [CONFIDENTIAL] for the duration of the agreement, as laid out in the appendices attached to the agreement.

45. Section 3 of the Official Supplier Agreement stipulates how [CONFIDENTIAL] makes a sponsorship contribution to the KNLTB. This sponsor contribution consists of a fixed amount per year (article 3.1), making vouchers available to KNLTB (article 3.2) and offering discounts on items available in [CONFIDENTIAL] webshop.

46. ​​Article 3 of Appendix 1C (Database Rights) of the Official Supplier Agreement states:

“For (promotional) actions towards the individual KNLTB members, the KNLTB makes a selection of the up-to-date address file (name and address details) available to [CONFIDENTIAL] two (2) times per year upon request of [CONFIDENTIAL]. Actions must be taken in consultation with and after written approval from the KNLTB […] and comply with the guidelines of the KNLTB. ”

47. Appendix 4 of the Official Supplier Agreement is concerning the processor agreement in which further agreements have been made regarding, among other things, the security of personal data (article 4), the possibility of control and audit by the KNLTB (article 5), an obligation for confidentiality for [CONFIDENTIAL] (article 6) and the consequences of termination or dissolution of the processor agreement (article 12), namely that, in short, the personal data will be destroyed by [CONFIDENTIAL] or returned to the KNLTB as soon as possible.

48. In Appendix 6 (Description of the processing of Personal Data), under the heading “Subject, nature and estimated term of the processing”, the following is stated: “Personal data of members of the KNLTB, are at least name and address data for promotions by mail. ”

49. On May 1, 2018, the KNLTB and [CONFIDENTIAL] made additional agreements regarding the delivery of KNLTB member data for the purpose of direct email/mailing of [CONFIDENTIAL]. The following agreements have been made about the selection of member data: [CONFIDENTIAL] supplies a file to the KNLTB, after which the KNLTB creates an address file based on the agreed selection criteria (with the following data: first name, insert, surname, street, house number, zip code and domicile) to be sent to [CONFIDENTIAL]. [CONFIDENTIAL] deduplicates this address file by consulting the legal registers (such as the Postfilter).

Agreement KNLTB - [CONFIDENTIAL]

50. On June 28, 2018, the KNLTB and the [CONFIDENTIAL] entered into an agreement.

51. Under article 1.1, the purpose of the contract is:

“The KNLTB will make available to [CONFIDENTIAL] its 'adult' member base for (telephone) approach by [CONFIDENTIAL] and/or [CONFIDENTIAL] on behalf of the KNLTB with the offer to become a [CONFIDENTIAL] subscriber, in accordance with the terms in this agreement.”

52. Article 1.2 of the agreement, as far as relevant here, states the following:

“The file that [CONFIDENTIAL] receives from the KNLTB meets at least the following conditions:
- The records are complete and correct in accordance with the mandatory fields from the supplied format (see appendix 3); […]
- The persons in the file mentioned above are at least 18 years old or older, member of the KNLTB and have been informed by the KNLTB, with the registration of their personal data, about the provision to third parties (including [CONFIDENTIAL], [CONFIDENTIAL], [CONFIDENTIAL]) of their personal data;
- The persons in the file have not objected to the provision of their personal data to third parties. The text of the privacy statement of the KNLTB has been used for this, as can be found on the website of the KNLTB. Also, this past February, all KNLTB members were informed through the member newsletter about the use of their data for [CONFIDENTIAL] with the possibility to object to this; ”

53. Article 1.6 of the agreement, as far as relevant here, states the following: "During the term of this agreement, [CONFIDENTIAL] is permitted to contact the remaining KNLTB members[8] (by telephone) once per calendar year with an offer to become respectively [CONFIDENTIAL] and [CONFIDENTIAL] subscribers ...".

54. Article 3.1 of the agreement provides, as far as currently relevant, that both parties will be regarded as responsible as referred to in article 26 GDPR.

55. Article 8.1 stipulates, as far as currently relevant, that in the event of termination of the assignment and/or the agreement or if a party requests it, the data (including all copies) will be returned to the KNLTB or, upon her request, be destroyed, in which case [CONFIDENTIAL] declares in writing that this has happened.

56. Appendix 1 (Appendix [CONFIDENTIAL] -KNLTB agreement - Telemarketing pilot campaign) lists the fees for the KNLTB. [CONFIDENTIAL]

57. Appendix 3 (Format Data exchange) shows that the compulsory records consist of: gender, initials, first and last name, date of birth, address, zip code, place of residence, (mobile) telephone number, e-mail address, registration date, registration time and tennis club.

58. In appendix 5 to the agreement, further agreements have been made regarding, among other things, the security of personal data (article 4) and an obligation to confidentiality for parties.

3.4 Provision and use of personal data by [CONFIDENTIAL] and [CONFIDENTIAL]
[CONFIDENTIAL]

59. Based on selection criteria (and after deduplication), the KNLTB, together with [CONFIDENTIAL], has compiled a membership base of 50,000 members (hereinafter: membership base). The following information about these members is included in the file:

- Campaign ID (numerical code);
- Sex;
- First Name;
- Initials;
- Last name;
- Street;
- House number;
- House number Addition; - Zip Code; - Place.

60. On June 11, 2018, the KNLTB placed the member file on the sFTP server (a secure environment) for the purpose of [CONFIDENTIAL].

61. On June 11, 2018, [CONFIDENTIAL] deleted the member file from the sFTP server and sent the member file via an sFTP connection to [CONFIDENTIAL]. [CONFIDENTIAL] has processed the personal data on discount flyers and sent these flyers to the selected members of the KNLTB on July 5, 6, 7 and 8, 2018.

[CONFIDENTIAL]

62. The KNLTB has provided the following information to [CONFIDENTIAL]:
- Campaign ID (numerical code);
- Sex;
- First Name;
- Initials;
- Last name;
- Street;
- Place;
- Date of birth;
- Zip Code;
- House number;
- House number addition;
- Phone number;
- Mobile number;
- E-mail; - Association.

63. On June 29, 2018, the KNLTB provided a file with 314,846 unique records to
[CONFIDENTIAL]. By this, the KNLTB means that the data of 314,846 unique households mentioned in appendix 622 have been provided. This file has been cleaned up by [CONFIDENTIAL] based on a dozen selections, like being included in the Do-Not-Call-Me-Register and persons who have an active subscription to [CONFIDENTIAL] and [CONFIDENTIAL]. After selection, the file that was ultimately used by [CONFIDENTIAL] counted 39,478 records. 19,595 records have been used for [CONFIDENTIAL] and 19,883 for [CONFIDENTIAL]. This information was then provided to various [CONFIDENTIAL] via a secure sFTP server for telemarketing. [9]

64. The telemarketing campaign started on Monday July 16, 2018 and ended prematurely at the request of the KNLTB.

3.5 Complaint KNLTB concerning statements by chairman AP
65. On December 17, 2018, an item about the resale of personal data of tennis players and soccer players was broadcast in the television program Nieuwsuur (NOS/NTR). The chairman of the AP was interviewed for this item. Following statements by the chairman in this interview, the KNLTB filed a complaint with the AP on December 21, 2018, which was declared justified by the AP on March 19, 2019.

4. Assessment
66. In this chapter it is established consecutively that the KNLTB, as personal data processor responsible, has processed personal data by providing member data to [CONFIDENTIAL] and [CONFIDENTIAL] (sections 4.1 and 4.2); that by conducting investigations the AP has not acted contrary to its own prioritization policy (section 4.3) and that the AP has not acted negligently towards [CONFIDENTIAL] (section 4.4). Paragraphs 4.5 and 4.6 conclude that the AP has not violated the principles of equality or the prohibition of prejudice. In paragraphs 4.7 - 4.11, the AP concludes that the provisions to and use of personal data by [CONFIDENTIAL] and [CONFIDENTIAL] are not compatible with the original purpose of the collection of personal data or that there was no lawful basis for the provision and use.

4.1 Processing of personal data
67. The KNLTB collects data from its members, including for keeping a register of affiliates.[10] This includes, among others, name, address, place of residence and telephone number of members.[11] These data qualify as personal data as referred to in article 4, under 1 of the GDPR because it allows members of the KNLTB to be identified directly.

68. The KNLTB has provided personal data of its members in file form to [CONFIDENTIAL] and [CONFIDENTIAL] for use for their direct marketing activities. The KNLTB has thus processed personal data as referred to in article 4 (2) of the GDPR.

4.2 Processor responsible
69. In the context of the question whether article 5, first paragraph, under a and b jo. article 6 (1) of the GDPR is complied with, it is important to determine who can be regarded as a processor responsible as meant in article 4, preamble and under 7 of the GDPR. For this, it is decisive who determines the purpose and means of the processing of personal data.

70. The Council of Members has, on a proposal from the Federal Board, determined the purpose of the processing, i.e. the use of personal data collected by the KNLTB to generate (extra) income by providing personal data to partners (sponsors) of the KNLTB for their direct marketing activities. The Council of Members and the Federal Board are bodies of the KNLTB. In view of the above, the KNLTB has (partly) determined the purpose of the processing.

71. The means of processing, that is, the manner in which the data processing takes place, has also been determined (partly) by the KNLTB. The KNLTB has attached conditions to the way in which the personal data are supplied to [CONFIDENTIAL] and [CONFIDENTIAL] and the use by [CONFIDENTIAL] and [CONFIDENTIAL] for their direct marketing activities. In view of this, the KNLTB has (partly) determined the means for the processing.

72. Because the KNLTB has (partly) determined the purpose of and the means for the processing of personal data, it qualifies as a processor responsible as referred to in article 4 (7) of the GDPR.

4.3 Action by AP not in violation of its own policy
KNLTB position

73. The KNLTB wonders why the AP did not carry out a risk analysis or whether an investigation was actually necessary, since the distributions to the sponsors had already stopped. The KNLTB also believes that the necessity and basis for the investigation are missing, given the small number of complaints that have been submitted to the AP about the phone calls by [CONFIDENTIAL].

74. In addition, the KNLTB wonders why the AP, after having received tips about the policy of the KNLTB, started an investigation. According to the Policy Rules on Prioritizing Complaints-Investigation of the AP[12] (prioritization policy), a norm-transferring interview should have taken place or the AP should have sent a norm-transferring letter, according to the KNLTB. In this context, the KNLTB refers to a passage in the explanatory notes to the prioritization policy, which states that the AP focuses primarily on achieving standard-compliant behavior when dealing with complaints. In doing so, the AP aims for a pragmatic approach, in which effectiveness and efficiency play an important role. An example of a pragmatic approach is according to the prioritization policy that the AP, when it can realize standard-compliant behavior in a specific case by contacting the (alleged) offender by telephone, the AP will do this and a complaint can be settled with that.

Response AP

75. The AP and the supervisors working for it, have various (investigative) powers that they can exercise spontaneously at any time, in order to be able to adequately supervise compliance with the GDPR. This does not require a prior and reasoned fact, signal, ground or suspicion.[13] In view of this, the AP was not obliged to make a risk analysis as to whether the investigation was actually necessary. It is also irrelevant for the exercise of the (investigative) powers whether and, if so, how many complaints were received and it is not relevant that the provision of personal data by the KNLTB and its use by [CONFIDENTIAL] and [CONFIDENTIAL] have ended. The fact that provisions and use have ended has not affected the fact that they have taken place. The purpose of the investigation was to answer the question whether the provision and use of personal data of members of the KNLTB have been lawful.

76. As far as the KNLTB argues that the AP acts contrary to its prioritization policy, the AP considers as follows. Besides the fact that the reason for the investigation consisted not only of complaints, but also of the news of the KNLTB and the media attention about it and the conversation that the AP had with the KNLTB in that regard on October 11, 2018, the AP has investigated the content of the complaints to its appropriate extent. After an initial assessment of the complaints, the AP considered it plausible that it concerned a processing of personal data and that there may have been one or more violations of the GDPR. In view of this and taking into account that it may have involved many parties (the KNLTB has close to 570,000 members), the provision could potentially have serious consequences for those involved and the provision had caused social upheaval, the AP has decided to establish a further investigation. This is fully in line with article 2 of the prioritization policy.

77. The KNLTB's assertion that, according to its prioritization policy, the AP should have opted for a norm-transferring interview after receiving complaints from its members, and should have refrained from investigating, is not convincing. There is no such obligation in these policy rules, which concern prioritizing investigations in response to complaints. For this reason, the policy rules do not form a binding framework for the AP when choosing an enforcement instrument. There is therefore no obligation for the AP to realize norm-conform behavior by telephone contact with the (alleged) offender in the event of a violation. Also, the AP addresses its duty of principle to take enforcement action against violations, in view of the public interest that serves this purpose. To this end, the AP has the corrective measures referred to in article 58 (2) of the GDPR and article 16 of the Implementation Law GDPR. The AP is free to choose the enforcement instrument, provided that the instrument chosen is sufficiently effective. The AP has in this matter not opted for a norm-transferring conversation because of the large number of people involved, the seriousness of the violation and the social commotion that was caused by the provision of member data to [CONFIDENTIAL] and [CONFIDENTIAL].

4.4 AP has not acted negligently towards FG [Data Protection Officer]
KNLTB position

78. The KNLTB takes the view that the AP wrongly did not involve the FG in the investigation, partly in view of its willingness to cooperate and to provide information.

Response AP

79. First, the AP considers that during the investigation a copy of the information requests to the KNLTB were also sent to the FG. In addition, the FG has received all relevant correspondence exchanged by email between the AP and the KNLTB. To this extent, the AP involved the FG in the investigation. For the sake of completeness, the AP considers as follows.

80. The FG is an internal supervisor who must advise the processor responsible about compliance with the GDPR. In this capacity as internal supervisor, the FG is in contact with the AP. The AP sees an FG as an essential part of the quality system of an organization with regard to the processing of personal data. In the context of the exercise of its supervisory duties, the AP is authorized in accordance with the Awb [General Administrative Law] to request anyone to provide information or to inspect documents. These powers are described in chapter 5 of the Awb. The AP is aware of the delicate balance between, on the one hand, the FG and, on the other hand, the organization or organizational unit that is the processor responsible within the meaning of the GDPR. Although the AP collaborates with the FG, it must direct its supervisory activities to the processor responsible who is the norm-addressee of the GDPR.

81. While the AP may request information from anyone, including the FG, by virtue of its duties, the FG does not, however, form part of the unit that can be identified as the processor responsible. Nor can the FG give binding instructions to the management about setting up data processing. The AP is therefore authorized to interview the processor responsible. In doing so, it states that, in the context of a (possible) concrete ex-officio investigation, in order to be able to establish a violation and possibly for enforcement, information (also) must always be requested from the relevant processor responsible himself. The AP also notes that the KNLTB itself had the opportunity to involve the FG (if desired) in the investigation.

82. The AP also considers it important to note that in an organization in which a good relationship has been built between the processor responsible and the FG, the FG is expected to be able to provide reliable information on behalf of the processor responsible regarding compliance with the GDPR. However, the AP can never depend on this route to obtain the necessary information. After all, if contact between a processor responsible and a FG is not optimal, or if important preconditions for internal supervision are lacking, this poses a risk to the reliability of the information obtained.

83. Based on the above, the AP concludes that it has not acted negligently or on other grounds improperly towards [CONFIDENTIAL] or the KNLTB by directing its investigative activities to the processor responsible, the KNLTB.

4.5 Action by AP does not violate the principle of equality
View KNLTB

84. The KNLTB takes the position that the investigation into and possible enforcement action against the provision of personal data of the KNLTB to [CONFIDENTIAL] and
[CONFIDENTIAL] violates the principle of equality. To this end, it argues that the AP has opted for a norm-correcting letter for a similar situation and not for enforcement towards the [CONFIDENTIAL][14] ([CONFIDENTIAL]) and [CONFIDENTIAL][15] ([CONFIDENTIAL]). The AP is also aware of the provision of personal data by other comparable sports clubs to third parties for direct marketing purposes, but only the KNLTB is highlighted by the AP to set a standard.

Response AP

85. The principle of equality in the context of conducting investigations and imposing a sanction does not extend to the extent that the power to do so has been unlawfully exercised only because any other offender is not subject to investigation and enforcement has not been carried out. This could be different if there is unequal treatment of equal cases that indicates arbitrariness in the supervision and enforcement practice of the AP. [16] This is not the case.

86. In the explanatory notes to the prioritization policy, the following is stated, among other things: “Because the AP receives many signals, complaints and requests for enforcement and because its supervisory field is extensive, it will not always be able to conduct further investigations, given its limited resources. Therefore, in situations where there may be a violation, but where further investigation is needed to determine the violation, the AP will first test against its prioritization criteria.”

87. The prioritization policy is (partly) intended to prevent arbitrariness in the choice of cases to be investigated in response to complaints. Apart from that, the investigation into the KNLTB has not only started as a result of complaints but also as a result of a conversation with the KNLTB due to media reports, the AP assessed the complaints it received about the KNLTB against its prioritization policy and concluded, based on the prioritization criteria, that further investigation into the KNLTB was appropriate (see marginal 76). To that extent, the statement that the AP was guilty of arbitrariness in conducting the investigation is false.

88. In addition, the AP disputes that the situations mentioned by the KNLTB are similar to the present situation. The letter, sent by the AP to [CONFIDENTIAL], was prompted by a bank's intention to further process customer data for direct marketing purposes, likely violating GDPR provisions. This is in contrast to the provisions by the KNLTB that actually took place.

89. The letter to [CONFIDENTIAL] has resulted from complaints about the (possible) unlawful use of personal data by customers of [CONFIDENTIAL] for direct marketing purposes. The complaints related not so much to the provision of personal data by [CONFIDENTIAL] itself, but to the (possibly unlawful) use of these personal data by parties to whom [CONFIDENTIAL] have been provided. In view of the existing tension between the public nature of the commercial register, which makes [CONFIDENTIAL] obliged to provide certain personal data, and the (further) possible unlawful use of personal data from [CONFIDENTIAL], the AP has sent a letter to [CONFIDENTIAL] with a request to review [CONFIDENTIAL]. The AP also sent a letter to [CONFIDENTIAL] and requested for the provided [CONFIDENTIAL] to be checked for privacy aspects and to consider measures to prevent unlawful use as much as possible. Therefore, these are not equal cases.

90. As far as the KNLTB argues that other sports associations also followed a similar policy with regard to the provision of third parties for direct marketing purposes, the AP considers that, in accordance with its prioritization policy, it has given priority to investigations into the provision of personal data by the KNLTB to [CONFIDENTIAL] and [CONFIDENTIAL] and to take action against them. For the sake of completeness, the AP notes that complaints about other sports associations are assessed against its prioritization policy, which may lead to further investigation into these sports associations. As far as research shows that other sports associations have committed a similar offense, enforcement action will also be taken.

91. In view of the foregoing, the AP concludes that it has not acted contrary to the principle of equality.

4.6 AP acted without bias
View KNLTB

92. In its view, the KNLTB takes the view that the AP has violated the prohibition of bias. According to the KNLTB, this is evident from the performance of the chairman of the AP in a broadcast of Nieuwsuur on December 17, 2018. The KNLTB finds it remarkable that the AP has acknowledged that it had acted improperly towards the KNLTB and yet sent an intention to uphold it.

Response AP

By decision of March 19, the AP declared the complaint submitted by the KNLTB to the AP on December 21, 2018 about statements by the chairman of the AP in television program Nieuwsuur, justified. Among other things, the AP acknowledged that it could have and should have been more nuanced and more careful in its statements during this program. Without wanting to dismiss the importance of this established carelessness, the AP believes that, at the time, its statements were not such as to constitute a violation of the prohibition of bias and that for that reason, it should not have initiated an enforcement procedure. The (outcome of) the complaints procedure does not offer any leads for this. In addition, the AP is of the opinion that the investigation and the subsequent decision-making phase took place in accordance with the legal requirements.

4.7 Distinction between processing for collection purpose and further processing
93. The KNLTB processes personal data for multiple purposes. These goals have changed over time. This has significance for the applicable legal framework to which the provision of
membership data by the KNLTB to [CONFIDENTIAL] and [CONFIDENTIAL] must be
tested. If the purpose of these provisions qualifies as a collection purpose, a legal basis as referred to in article 6 (1) GDPR must be available for these processing operations. If the provisions serve a purpose other than the purpose for which the personal data were originally collected, it must be assessed whether this other purpose is compatible with the purpose for which the personal data was collected. This is the compatibility test of article 6 (4) of the GDPR. This test should be seen in conjunction with the principle of purpose limitation and compatibility included in article 5 (1) (b) of the GDPR. This article states that personal data may only be collected for specified, explicitly described and legitimate purposes and may not be further processed in a manner incompatible with those purposes. [17]

94. If the purpose of the further processing differs from the purpose for which the personal data were originally collected (the collection purpose), this further processing is lawful if:
(i) data subjects have given consent for the processing, or
(ii) the processing is based on a Union law provision or a Member State law provision which, in a democratic society, is a necessary and proportionate measure to safeguard the objectives referred to in article 23 (1) of the GDPR, or
(iii) the purpose of provision is compatible with the (specific, explicitly defined and justified) purpose of collection of the personal data.[18]

95. If the purpose of the further processing is compatible with the purpose of collection, the further processing does not require a separate legal basis other than the one that allowed the collection of personal data.[19]

96. If the further processing takes place for a purpose other than the collection purpose, but no permission has been given, it is not based on a legal provision or is incompatible with the collection purpose, the processing is unlawful due to the lack of a basis. A processor responsible therefore can not regard the further processing as a new processing that is separate from the original processing and 'bypasses' article 6 (4) of the GDPR by using one of the legal bases in article 6 (1) of the GDPR to still legitimize further processing. [20]

97. To assess whether the KNLTB has lawfully provided personal data of its members to [CONFIDENTIAL] and [CONFIDENTIAL], it will have to be determined for what purposes the KNLTB has collected personal data and whether they have been further processed for another purpose.

4.8 Collection purposes personal data members KNLTB
98. The purpose limitation principle of article 5 (1) (b) of the GDPR is an important principle of data protection. Pursuant to the purpose limitation principle, purposes must be clearly defined and expressly defined, which means that a purpose of a processing must be formulated in such a way that it can provide a clear framework as to the extent to which the processing is necessary for the specified purpose in a specific case. In addition, the purpose must be justified, that is, the purpose is in accordance with the law, in the broadest sense of the word. This means in any case (but not exclusively) that the processing for the purpose must be based on the legal grounds referred to in article 6, first paragraph, of the GDPR. [21]

99. Various documents are important for determining the purposes for which the KNLTB collects and has collected personal data. The 2005 articles of organization are important for the period before 2007. Although the collection purposes are not explicitly described herein, they can be derived from this.

100. As a result, persons who join a tennis club become members of the KNLTB [22]. The articles of organization of 2005 state the following: "The federation board keeps a register of members. Only those data that are necessary for the realization of the purpose of the KNLTB are kept in this register. The board of the federation may provide registered information to third parties after a prior decision of the council of members, except for the member who has objected to the provision in writing to the administration of the federation.”[23] The statutory purpose of the KNLTB is to promote the practice of tennis and development of tennis in the Netherlands. [24] The KNLTB tries to achieve this goal by promoting the game of tennis as a leisure activity, taking all measures that can lead to increasing the level of the game and promoting the interests of its members and affiliates and using all permitted means that are at the disposal of the KNLTB.

101. Although this does not follow explicitly from the articles of organization 2005, the AP concludes from the factual context[25] of these articles of organization that the KNLTB has at least collected personal data from members in order to implement the membership agreement.[26] This is not up for debate. Nor is it disputed that the processing for this legitimate purpose takes place on the basis of `necessary for the performance of an agreement' as referred to in article 6 (1) (b) of the GDPR (and until May 25, 2018, when the GDPR became applicable, on the basis of article 8 (b) of the Wbp).

102. Two other collection purposes can be derived from the 2005 articles of organization. In the first place, the collection (and further use) of personal data as far as this is necessary for the realization of the goal of the KNLTB, namely to promote the practice of the tennis game and the development of tennis in the Netherlands. Secondly, collecting registered data (personal data) for the purpose of providing it to third parties. The articles of organization do not contain any information about the (category of) third parties to whom personal data can be provided, nor any information for which the personal data are used by these third parties. The AP takes the view that these goals are in any case not defined and explicitly defined because members of the KNLTB could not infer from this that their personal data would also be used to generate income by providing them to sponsors for direct marketing activities. The KNLTB should therefore not have collected personal data for that purpose.

103. In 2007, the KNLTB formulated a new (collection) purpose. The Members Council of the KNLTB then approved the proposal of the Federal Board to extend the communication possibilities of KNLTB sponsors, i.e. the use of names, addresses and places of residence (name and address data) of members for mailing campaigns. From the accompanying minutes of the Members Council meeting in 2007, the AP concludes that these are advertising messages from KNLTB sponsors with which the KNLTB generates extra income. Pursuant to the articles of organization of January 19, 2005 (valid at the time of the Members Council meeting in 2007), members of the KNLTB are obliged to comply with decisions of bodies of the KNLTB. [27] It can thus be assumed that from 2007 onwards when registering with the KNLTB, new members have taken note of this new collection purpose which can more generally be described as generating income by providing member data to sponsors for their direct marketing activities.

104. In December 2017, the Council of Members again authorized the provision of personal data of members of the KNLTB for marketing and commercial purposes to current and future structural and future partners for the purpose of telephone/telemarketing. According to the AP, this goal can be classified under the goal of generating revenue by providing member information to sponsors and as such does not qualify as a new (collection) purpose.

105. As far as the KNLTB argues in its view that the purposes stated in the KNLTB articles of organization dated March 4, 2019 (articles of organization 2019) and the privacy statement of December 2018, including the provision of personal data to partners, are specific, explicitly described and justified and 'have always been central for the KNLTB, both in the present and in 2007, and (...) have always [been] communicated in this way', the AP considers that the articles of organization 2019 and the privacy statement are not relevant, because these documents only became effective after the provision of member data to [CONFIDENTIAL] and [CONFIDENTIAL] in June 2018. As far as the KNLTB refers to the newsletters about the provision of personal data to sponsors, it also applies that they were sent to the members after 2007. For the question whether it was known before 2007 that member data would be provided to partners, it is therefore that not these documents are decisive, but the 2005 articles of organization and, as already established, this purpose is not clearly defined and explicitly described.

106. Based on the above, the AP determines that, from 2007, the KNLTB has informed its members about its purpose of providing member data to sponsors, which is to generate (extra) income.

107. Based on the above, the AP concludes that the KNLTB has collected personal data of members that became a member of the KNLTB before 2007 to implement the membership agreement.[28] As of 2007, the KNLTB has started collecting personal data from its members for generating income by providing this data to sponsors. The provision of member data to sponsors qualifies for members who joined the KNLTB before 2007 thus as a further (italic AP) processing of personal data. For members who joined the KNLTB after 2007, this purpose qualifies as a collection purpose.

108. In the following, the AP distinguishes between two situations in order to assess whether the personal data have been lawfully processed by the KNLTB. The first situation concerns the processing of personal data of members who joined before 2007. In this case, the AP qualifies the provision of member data to sponsors for the generation of (extra) income as a processing for a purpose other than that for which the personal data were originally collected (i.e. further processing). For members who have become members since 2007, the provision of their personal data to sponsors was known as a purpose and qualifies as a collection purpose.

4.9 Compatibility purposes in the case of membership before 2007
109. For members that joined the KNLTB before 2007, the provision of member data to sponsors for their direct marketing activities for generating (extra) income for the KNLTB applies as further processing. This is lawful if (1) members have given permission for the processing, or (2) the provision is based on a Union law provision or a Member State law provision which, in a democratic society, is a necessary and proportionate measure to safeguard the objectives referred to in article 23 (1) of the GDPR, or (3) the purpose of the provision is compatible with the purpose for which the personal data was originally collected. In the following, it will be assessed whether one of these situations occurs.

No permission

110. It is not disputed that the members of the KNLTB have not given permission to provide personal data to sponsors. The Members Council did agree to the provision. As far as the KNLTB argues that this consent qualifies as consent within the meaning of the GDPR, the AP considers that this is not the case. After all, consent must be given by the data subject by means of a clear action that shows that the data subject freely, specifically, informs and unambiguously consents to the processing of his personal data. [29] The consent of the Members Council in 2007 does not meet these requirements, as no consent has been obtained from the individual parties involved.

111. The AP concludes that the KNLTB has not obtained permission from its members for providing member data to sponsors.

Provision is not based on legal provision

112. It is also not disputed that the provision of personal data to sponsors is not based on an Union law provision or a Member State law provision that is, in a democratic society, a necessary and proportionate measure to safeguard the objectives referred to in article 23 (1) of the GDPR.

Further processing is not compatible

113. The principle of purpose limitation (article 5 (1) (b) of the GDPR) means that personal data is collected for specified, explicitly described and legitimate purposes and may not be further processed in a manner incompatible with those purposes. In accordance with the principle of purpose limitation, it will be necessary to examine whether the processing of the personal data for the purpose of generating additional income is compatible with the purpose for which the personal data were initially collected. Among other things, the following must be taken into account (article 6 (4) of the GDPR):
(a) any connection between the purposes for which the personal data was collected and the purposes of the intended further processing;
(b) the framework in which the personal data is collected, in particular in regards to the relationship between the data subjects and the processor responsible;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, in accordance with article 9, and whether personal data on criminal convictions and offenses are processed, in accordance with article 10;
(d) the possible consequences of the intended further processing for the data subjects;
(e) the existence of appropriate safeguards, including, where appropriate, encryption or pseudonymisation.

Connection purposes

114. In its opinion with regard to the investigation report, the KNLTB took the view that the collection purpose and the purpose of further processing are closely connected and in line with each other. According to the KNLTB, the provision of personal data aims to provide the best possible interpretation/added value to the membership of the members. Both the discounts given to members by the promotions and the financial benefits that flow from them, will benefit those members, so that they will experience the added value and benefits in any case. After all, even when there is no participation, the members experience the benefits of the proceeds of the actions, which are invested in the members and tennis sports. The KNLTB also states that the AP in the investigation report wrongly did not address the goals communicated by the KNLTB, referring to its articles of organization and privacy statement.

115. The AP considers as follows. The KNLTB originally collected personal data (from members who joined before 2007) for the implementation of the membership agreement and not for the purpose of generating (extra) income by providing it to sponsors. According to the AP, there is no connection between the two purposes.

Framework in which personal data is collected

116. The KNLTB states that its members should expect that their personal data would also be provided to sponsors for their direct marketing activities in order to generate income. To this end, the KNLTB first argues that the members have been frequently informed about this. Furthermore, without the direct marketing actions of sponsors/partners, the members would not enjoy any additional benefit as a result of which the added value of the organization membership would not be (directly) seen by the members, according to the KNLTB. Members also benefit from keeping tennis sports accessible and affordable. In addition, it would be contrary to the expectations of the members to opt for another way of generating additional income, such as increasing the membership fee or abolishing free tennis lessons for children under the age of six. The KNLTB also emphasizes that membership is a free choice, because it is possible to join an association that is not a member of the KNLTB or to set up a (tennis) club itself. In addition, members can invoke their right to object to prevent the KNLTB from providing it to its partners. The KNLTB also adds that the members council plays an important role, represents all members, is in close contact with the associations and implements the strategic policy of the KNLTB and its importance/consequences for the tennis associations and its members. According to the KNLTB, the Council of Members is therefore a link that should not be underestimated, which assesses, communicates, represents, and therefore influences the reasonable expectations of the other members.

117. The personal data of the members of the KNLTB (as far as they became members before 2007) were collected in the context of the implementation of the membership agreement. In any case, it should be assessed whether the provision by the KNLTB to sponsors to generate (extra) income was in line with the reasonable expectations of the members, based on their relationship with the KNLTB (as processor responsible). This is not the case according to the AP. Prospective members who join a tennis club that is a member of the KNLTB automatically become members of the KNLTB. A person who wants to become a member of a tennis club that is a member of the KNLTB does not have the choice not to provide his personal data to the KNLTB; after all, these are necessary for the implementation of the membership agreement. In view of the mandatory membership, members should have expected that their personal data would only be used for the collection purpose, the implementation of the membership agreement. In doing so, the AP takes into account that the KNLTB is a non-profit organization, which is why members could not expect their personal data to be provided to sponsors with commercial motives. This applies all the more for the provision of personal data to and the use of [CONFIDENTIAL], who did not make tennis-related offers (such as [CONFIDENTIAL]) but offered [CONFIDENTIAL]. The fact that members of the KNLTB had a chance to win a trip to a tennis match in London when purchasing a [CONFIDENTIAL] does not change this. The fact that the KNLTB has informed its members in various ways prior to the provision of information about the further processing of their personal data is not a circumstance that is important for the framework in which the personal data are collected. After all, informing the members only took place after (italic AP) the collection of their personal data. In addition, the facts from the investigation indicate that the members of the KNLTB did not expect the telephone promotion of [CONFIDENTIAL]. Although the KNLTB has informed its members about the provision of personal data to sponsors, the telephone promotion has led to many complaints and fuss in the media, which has also led to the telephone promotion being stopped prematurely.

Nature of the personal data provided

118. In its view, the KNLTB points out that only data have been provided to third parties that are necessary to be able to contact the members, namely name and address details and telephone number. No special categories of personal data have been provided. Neither have any personal data of under-age members been provided, nor have email addresses of members, as there is a greater risk of spam.

119. The AP notes that the KNLTB has indeed not provided any special categories of personal data to [CONFIDENTIAL] and [CONFIDENTIAL]. Assuming that the KNLTB has acted in accordance with its contact protocol, no personal data of persons younger than 16 years have been provided.[30] However, the KNLTB has provided e-mail addresses to [CONFIDENTIAL] when this was not necessary for the telemarketing campaign, which unnecessarily increased the risk of spam and phishing, for example.

Possible consequences of further processing

120. The KNLTB emphasizes in its view that the actions of [CONFIDENTIAL] and [CONFIDENTIAL] were received positively by most members and had a high conversion rate. In addition, according to the KNLTB, the actions also had positive consequences for members who did not use them. After all, the proceeds of the actions are invested in the members and in tennis. The KNLTB points out that when selecting the members who have been approached in the context of the actions, it tried as much as possible to prevent members from being approached undesirably, because they already had a subscription or are included in the do-not-call-me register. The KNLTB also argues that the disclosures do not mean loss of control over personal data. To this end, it argues that prior to the provision of their personal data, members have been sufficiently informed and could have objected to this. Furthermore, according to the KNLTB, no additional risks have arisen for the rights and freedoms of the data subjects, because various measures have been taken to ensure the security of personal data, such as the use of a secure sFTP server, the partner agreement, the contact protocol, the calling script, the immediate deletion of data after use and the monitoring of compliance with the agreement. Finally, the KNLTB states that the negative consequences of the provision are limited: a discount flyer in the mailbox and/or a single call. According to the KNLTB, these consequences cannot be described as far-reaching.[31] In this context, the KNLTB further argues that the telemarketing campaign ended prematurely in connection with complaints about its implementation.

121. The AP believes that the members of the KNLTB have lost control of their personal data as a result of the disclosures, thereby infringing their privacy. This does not change by the fact, as the KNLTB states, that the generated income is entirely for the benefit of the members and the tennis sport. The members should have been confident that the KNLTB would only use their personal data for the implementation of the membership agreement and would not provide it to sponsors. The seriousness of the infringement is partly determined by the following circumstances. Firstly, the KNLTB left the selection of the members to be called to [CONFIDENTIAL], which resulted in the personal data of 314,846 members being provided, while [CONFIDENTIAL] selected only 39,478 members (less than 13%) to approach. Secondly, [CONFIDENTIAL] has been provided with personal data that are not necessary for a telephone promotion, including the email address. This is all the more urgent as the KNLTB has explicitly pointed out in its news items that the e-mail address will not be provided without permission to [CONFIDENTIAL] and this is contrary to rule of thumb 2 ('provide only necessary data') from the Sports & Privacy Manual. To this extent, the KNLTB has provided an unnecessary amount of personal data of an unnecessarily large number of members to [CONFIDENTIAL]. Thirdly, both [CONFIDENTIAL] and [CONFIDENTIAL] have provided personal data to [CONFIDENTIAL] and various [CONFIDENTIAL], respectively, in order to carry out their direct marketing activities. This also has the consequence that these members may have an increased risk of a breach of their personal data.

122. In addition, the KNLTB ignores the fact that the (unintentional) receipt of a discount flyer and telephone sales can be experienced as a nuisance. This particularly applies to the telephone promotion of [CONFIDENTIAL], which has therefore been discontinued prematurely. The alleged high conversion of the actions of both sponsors and the income for KNLTB do not detract from the fact that the many members whose personal data have been provided but have not been used for the actions have not benefited in any way from the provision of their own personal data.

Appropriate guarantees

123. In its view, the KNLTB refers to the safeguards it has taken to guarantee the security of personal data. The KNLTB also cites some older decisions by predecessors of the AP (the Registration Chamber and the Board for the Protection of Personal Data (CBP)), which stated that guarantees could have a positive or sometimes decisive effect on the question of compatibility. [32]

124. The AP considers that appropriate measures as referred to in article 6 (4) of the GDPR can serve as 'compensation' for the fact that data are further processed for a purpose other than the collection purpose.[33] The measures taken by the KNLTB, such as the possibility of objection, according to the AP, do not offer sufficient compensation for the infringement that the KNLTB has committed with the disclosures on the privacy of data subjects. In the first place, these are measures that the KNLTB was obliged to take. Secondly, these measures have not prevented the supply of an unnecessary amount of personal data to, in particular [CONFIDENTIAL] and personal data have ended up with third parties, namely various [CONFIDENTIAL] and [CONFIDENTIAL]. The members of the KNLTB are not or at least insufficiently informed about this.[34] It would have been KNLTB's route to inform its members fully about which personal data would be provided to which sponsors, and to inform its members that these would also be provided to third parties in the context of carrying out the direct marketing activities. In view of the original collection purpose, the implementation of the membership agreement, and the reasonable expectations of its members that their personal data would not be used for the commercial purposes of sponsors, it would also have been KNLTB’s route to request permission from its members . However, this has not happened.

Conclusion AP

125. In view of the circumstances that there is no connection between the collection purpose and the purpose of the further processing, that the provision to [CONFIDENTIAL] and [CONFIDENTIAL] is not in line with the reasonable expectations of the members, the consequences of the provision for the members of the KNLTB and that the measures taken by the KNLTB do not provide sufficient compensation for this, the AP concludes that the further processing for the purpose of generating income is not compatible with the collection purpose, implementation of the membership agreement.

4.10 Basis for processing personal data in the case of membership after 2007
126. For members who joined the KNLTB after 2007, it is assumed that the purpose of generating additional income by providing personal data to sponsors was known to the members. The processing of these personal data must be based on a lawful basis. According to the KNLTB, the processing of personal data for the purpose of generating extra income is necessary for the protection of its legitimate interests, now that its membership (and therefore the income of the KNLTB) has fallen sharply in the past ten years. Their research has shown that this is caused by the fact that members see little added value in membership of the KNLTB.

AP misinterprets the concept of legitimate interest

127. The KNLTB takes the position that the AP, in its investigation report, misrepresented the term "legitimate interest" by concluding that an interest only qualifies as legitimate if this interest can be traced back to a fundamental right or legal principle. This explanation cannot be traced back to:
- the legal text itself;
- information provided by European privacy supervisors (including the AP);
- case law;
- European Data Protection Board (EDPB) guidelines.
According to the KNLTB, the interest should be "lawful", which follows from the guidelines of the EDPB and the website of the ICO (Information Commissioner's Office, the supervisory authority in the United Kingdom).

AP Considerations

128. The AP considers that its conclusion that a legitimate interest must be traceable to a fundamental right or principle of law, follows from the GDPR system. After all, a processing of personal data is always an interference with the fundamental right to protection of personal data. As a result, any processing is in principle illegal. This also follows from article 6, first paragraph, of the GDPR, which states that processing is only lawful if and as far as at least one of the conditions referred to under a to f (principles of processing) is met.

129. The GDPR thus provides a legal basis for processing personal data. This basis consists (in addition to permission) of five other bases. What is important here is the basis referred to in article 6 (1) (f) of the GDPR: the processing is necessary for the representation of the legitimate interests of the processor responsible or of a third party, except when the interests or fundamental rights and fundamental freedoms of the data subject that require the protection of personal data, outweigh those interests, in particular when the data subject is a child.

130. For a successful appeal on the basis of legitimate interests, three cumulative conditions must be met for a processing of personal data to be lawful. First, the representation of a legitimate interest of the processor responsible or of a third party. Secondly: the need to process the personal data for the representation of the legitimate interest. And thirdly: the condition that the fundamental rights and freedoms of the person involved in data protection do not prevail.

131. The first condition is that the interests of the processor responsible or a third party qualify as legitimate. This means that those interests have been identified as a legal interest in (general) legislation or elsewhere in the law. It must be an interest that is also protected in court, that is considered worthy of protection and which must in principle be respected and "enforced".

132. The processor responsible or third party must therefore be able to rely on a (written or unwritten) rule of law or legal principle. If that legal rule or legal principle with regard to the processing of personal data is (sufficiently) clear and accurate and/or the application thereof (sufficiently) predictable, the processing can be carried out based on the principles of article 6 (1) (c) and (e), of the GDPR (legal obligation or fulfillment of a task of general interest). However, there are also cases where the rule of law or that legal principle with regard to the processing of personal data is not (sufficiently) clear and accurate to the data subject and/or its application is (insufficiently) predictable.

133. In these cases, the processor responsible or third party may nevertheless have legitimate interests. These interests must always be real, concrete and direct. And therefore not speculative, future or distracted. In principle, it can be any material or intangible interest.

134. However, the mere interest in being able to realize or make a profit from personal data does not in itself qualify as a legitimate interest. Not only because such an interest will usually be insufficiently specific - in a sense, everyone everywhere always has an interest in having more money - but more in principle, because it is then assumed that a consideration may then be made. A consideration between:
- the mere non-legally/legally protected interest that a party has in making the best financial use of other people's personal data, on the one hand,
- the fundamental interest of the data subject, which is enshrined in law, in the protection of his personal data on the other hand.

135. There are few restrictions on the commercial possibilities in applying the principles of consent and agreement. However, processing that is necessary for the representation of the legitimate interests of the processor responsible is essentially about processing outside of the will of the data subject. This is the area where processor responsible’s rights clash with data subjects' fundamental rights. The idea that, in principle, it would be permissible to earn money by, on their own authority, violating other people's fundamental rights, is in this case perpendicular to the basic premise that the person concerned - leaving aside the action of the legislator - should have control over his data. Therefore, such a wide range of options cannot be what the GDPR aims for and is also not mentioned, permitted or advocated by the article 29 Data Protection Party (WP29).[35]

136. The justification of the interest - also according to WP29 - determines whether the 'threshold' is reached in order to be able to make a decision. After all, the consideration (necessity and balancing of interests) is not an issue if the 'justification' threshold is not reached. In other words: If the processor responsible can not invoke a legally/legally protected interest - after all, the data subject can - then there can be no question of necessity or even the weighing of both legal interests. Conversely, this means that the protection provided by the closed system of bases could easily be eroded if the mere interest of making money was already a legitimate interest. After all, under certain circumstances it can simply be argued that the income in question is urgently needed, given the importance of earning as much money as possible. And then, in fact, only a material consideration remains- to be made by the person with the financial interest - between earning money and giving up other people's fundamental rights. In the most extreme case, it could be argued that if it concerns a lot of money, the violation of fundamental rights could be proportionately greater. That is obviously not the intention. The fundamental right to protection of personal data would then become largely illusory.

137. Freedom to conduct a business is an acknowledgment in the Charter of freedom to engage in an economic or commercial activity and an acknowledgment of contractual freedom and free competition. All this is of course not unlimited, but only "in accordance with Union law and national laws and practices." From this, among other things, entrepreneurs may in principle determine with whom they do business and with whom not, set their prices themselves, etc. However, it is not the case that the general fundamental right to freedom to do business also protects the interest to make (as much) money (as possible). Or that "making less profit" conflicts with others' fundamental rights to privacy or data protection. Just as this does not mean that, for example, the fundamental right of others/customers to property may be violated under circumstances when referring to freedom of business. Entrepreneurs also, on the other hand, have the necessary duties of care for their employees and/or their customers. These are laid out in concrete or general legal standards. Being able to give substance to this is a legitimate interest. (emphasis added)

138. The foregoing implies that legitimate interests have a more or less urgent and specific character that arises from a (written or unwritten) rule of law or principle of law; it must be, in a way, inescapable that these legitimate interests are defended. [36] Purely commercial interests and the interest of profit maximization lack sufficient specificity and lack an urgent "legal" character so that they cannot qualify as legitimate interests.

139. This follows, albeit in slightly different terms, also from advice 06/2014 of the article 29 Data Protection Group on the concept of "legitimate interest of the processor responsible" in article 7 of Directive 95/46/EC. Among other things, this opinion states: "An interest can therefore be considered legitimate as long as the processor responsible can represent this interest in a manner that is consistent with data protection and other legislation. In other words, a legitimate interest must be "acceptable under the law".[37]

According to KNLTB, its interest qualifies as justified

140. The KNLTB then argues that, if the explanation of the AP is correct in any way, it ignores the fact that the interest that the KNLTB has in the processing of the personal data can be traced back to the GDPR. Indeed, it is stated in consideration 47 in the preamble to the GDPR that the processing of personal data for the purposes of direct marketing can be considered as carried out with a legitimate interest in mind. The KNLTB also refers to article 16 of the Charter of Fundamental Rights of the European Union, the freedom to conduct a business. According to the KNLTB, the AP has previously based this legal standard on assessments of legitimate interest.

AP considerations

The AP first notes that the provision of member data to [CONFIDENTIAL] and
[CONFIDENTIAL] serves two interests of the KNLTB: (1) the importance of giving added value to membership and (2) the importance of reducing the reduced income due to declining membership numbers.

141. The interests put forward by the KNLTB lack a more or less urgent character that arises from a (written or unwritten) rule of law or legal principle. The same applies to the extent that the KNLTB refers to article 16 of the Charter of Fundamental Rights of the European Union, freedom to conduct a business. In addition to contractual freedom, this fundamental right regulates the freedom to pursue an economic or commercial activity. However, the interest of these freedoms is insufficiently concrete and direct to qualify as a legitimate interest. In this context, the AP considers that with the provisions, the KNLTB does not implement concrete or general legal standards that relate to its duty of care as an "entrepreneur". The AP therefore concludes that neither the interests stated by the KNLTB nor the interests mentioned by the AP, qualify as legitimate. (emphasis added)

142. It is concluded that the interest of the KNLTB in providing members' personal data to [CONFIDENTIAL] and [CONFIDENTIAL] does not qualify as a legitimate interest. Now that the provisions could not be based on any other legal basis as referred to in article 6 (1) of the GDPR, the AP concludes that the provisions in question were unlawful.

4.11 Secondary position regarding the assessment framework for third party provision
143. As article 6 (4) GDPR describes, the assessment of further processing is required if, summarized, the processing takes place for a purpose other than for which the personal data were collected. The AP is of the opinion that this test is in principle limited to further processing of personal data by the processor responsible within his own business operations. For the provision of personal data to a third party, the processor responsible must have a separate basis as referred to in article 6 (1) GDPR. The presence of a separate basis has not been established.

5. Fine

5.1 Introduction
144. The KNLTB has provided, without lawful basis - and thus unlawfully - personal data of its members to [CONFIDENTIAL] and [CONFIDENTIAL]. With this, the KNLTB has acted towards its members in violation of article 5, first paragraph, preamble and under a jo. article 6, first paragraph, of the GDPR and infringed the right to privacy and the protection of the personal data of its members. As a result, members of the KNLTB have lost control over their personal data. The AP is of the opinion that this is a serious violation. The AP sees this as a reason to make use of its power to fine the KNLTB, pursuant to article 58 (2), preamble and under (i) and article 83 (4) of the GDPR, read in conjunction with article 14, third paragraph, of the Implementation Law GDPR.

Principle of Protection of Legitimate Expectations

145. The KNLTB takes the view that, by imposing an administrative sanction, the AP violates the principle of the protection of legitimate expectations. To this end, it argues that the KNLTB may legitimately have relied on written statements from the AP's legal predecessor, the Dutch DPA. The KNLTB refers to the information sheet 'Provision of data from member administration' from September 2010 (information sheet), which includes the following: “The provision of personal data to persons and companies outside the association, such as a sponsor, is permitted if the association requested permission from its members. […] When it comes to activities that are common for the association or that have been approved by the general assembly, no explicit permission needs to be requested from the members. Furthermore, an association can provide data to companies for direct marketing purposes. The association may only do so when the members have been given the opportunity to object to this for a reasonable period of time.

146. According to the KNLTB, the content of the information sheet is still relevant in its entirety because its content has not been considered obsolete. In addition, in the meantime (substantively) there has been no change in the legal rule to which the information sheet refers. Although the GDPR has become applicable and the Wbp no longer applies, the possible bases and conditions for providing data from a membership file have remained unchanged.

147. The AP does not see any grounds in what the KNLTB argues, for concluding that the imposition of an administrative fine would be contrary to the principle of the protection of legitimate expectations. The information sheet to which the KNLTB refers was already removed from the AP's website in 2014. This already indicates that the content was no longer relevant from that moment on. When the KNLTB provisions to sponsors took place in June 2018, it must have been all the more clear that the aforementioned information was no longer relevant, given the long time that had passed since 2014, and it would have been KNLTB's route to verify (again) the applicable laws and regulations after the introduction of the GDPR as of May 24, 2016 and its implementation on May 25, 2018. In addition, it is important that the provision by KNLTB of personal data of members to sponsors occurred on the basis of legitimate interest. Already in April of 2014, the opinion of the WP29 on the concept of “legitimate interest of the data processor responsible” was published in article 7 of Directive 95/46/EC. This advice provides guidelines for the application of article 7 (f) of Directive 95/46/EC (now article 6 (1), preamble and (f) of the GDPR). In view of this, the KNLTB should no longer have relied on the content of the information sheet.

Intent

148. As far as the KNLTB argues that it has not intentionally acted in violation of any statutory regulation, the AP considers that the violation of the prohibition provision of article 6 of the GDPR does not include intent as an element. Since this is a violation, the imposition of an administrative fine in accordance with settled case-law[38] does not require proof of intent. The AP may presume culpability if the perpetrator is established. [39]

5.2 Penalty policy rules Dutch Data Protection Authority 2019 (Penalty Policy Rules 2019)
149. Pursuant to article 58, second paragraph, preamble and under i and article 83, fifth paragraph, of the GDPR, read in conjunction with article 14, third paragraph, of the Implementation Law GDPR, the AP is authorized to impose the KNLTB with an administrative fine of up to € 20,000,000 or, for a company, up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher, in the event of a violation of article 5, first paragraph, preamble and under a jo. article 6, first paragraph, of the GDPR.

150. The AP has established Penalty Policy Rules 2019 regarding the implementation of the aforementioned authority to impose an administrative fine, including determining the amount thereof.

151. Pursuant to article 2 (2.2) of the Penalty Policy Rules 2019, the provisions with regard to violations for which the AP can impose an administrative fine of at most the amount of € 20,000,000 or, for an enterprise, up to 4% of the total worldwide annual turnover in the

152. In Appendix 2, the violation of article 5, first paragraph, preamble and under a, of the GDPR is classified in categories I, II, III or IV, depending on the classification of the underlying provision. This underlying provision is article 6 of the GDPR. This article is classified in category III.

153. Pursuant to article 2.3 of the Penalty Policy Rules 2019, the AP imposes the basic fine for violations subject to a statutory maximum fine of […] € 20,000,000 or, for a company, up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher, within the penalty bandwidths specified in that article. Violations in category III of Appendix 2 of the Penalty Policy Rules 2019 have a penalty bandwidth between € 300,000 and € 750,000 and a basic fine of € 525,000.

154. Pursuant to article 6 of the Penalty Policy Rules 2019, the AP determines the amount of the fine by increasing the amount of the basic fine upwards (up to the maximum of the bandwidth of the category of fines linked to a violation) or downwards (up to the lowest minimum of that bandwidth). The basic fine will be increased or decreased depending on the extent to which the factors referred to in article 7 of the 2019 Penalty Policy Rules give cause to do so.

155. Pursuant to article 7 of the Penalty Policy Rules 2019, the AP, without prejudice to articles 3: 4 and 5:46 of the General Administrative Law Act (Awb), takes into account the following factors that are derived from article 83 (2) of the GDPR, in the Policy rules mentioned under a to k:
a. the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, as well as the number of data subjects affected and the extent of the damage they suffered;
b. the intentional or negligent nature of the breach;
c. the measures taken by the processor responsible […] to limit the damage suffered by data subjects;
d. the extent to which the processor responsible […] is responsible in view of the technical and organizational measures that it has carried out in accordance with articles 25 and 32 of the
GDPR;
e. previous relevant breaches by the processor responsible […];
f. the extent to which there has been cooperation with the supervisory authority to remedy the infringement and mitigate its potential negative effects;
g. the categories of personal data affected by the infringement;
h. how the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the processor responsible […] reported the infringement;
i. compliance with the measures referred to in article 58 (2) of the GDPR, as far as they have previously been taken with regard to the processor responsible […] in question with regard to the same matter;
j. joining approved codes of conduct in accordance with article 40 of the GDPR or approved certification mechanisms in accordance with article 42 of the GDPR; and
k. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made, or losses avoided, directly or indirectly, from the infringement.

156. Pursuant to article 9 of the Penalty Policy Rules 2019, the AP takes into account when determining the penalty, if necessary, the financial circumstances of the offender. In the event of a reduced or insufficient financial capacity of the offender, the AP can further mitigate the fine to be imposed, if, in application of article 8.1 of the policy rules, determination of a fine within the penalty bandwidth of the next lower category would nevertheless lead to a disproportionately high fine.

5.3 Systematics
157. For violations for which the AP can impose an administrative fine of no more than the amount of € 20,000,000 or up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher, the AP has divided the violations into four categories in the Penalty Policy Rules 2019, which are subject to increasing administrative fines. The categories of fines are classified according to the severity of the infringements of the aforementioned articles, category I containing the least serious violations and category IV the most serious violations.

158. Violation of article 6 of the GDPR is classified in category III, for which a penalty bandwidth between € 300,000 and € 750,000 and a basic fine of € 525,000 have been set. The AP uses the basic fine as a neutral starting point. Pursuant to article 6 of the Penalty Policy Rules 2019, the AP will adjust the amount of the fine based on the factors referred to in article 7 of the
Penalty Policy Rules 2019, by reducing or increasing the amount of the basic fine. This includes an assessment of (1) the nature, seriousness and duration of the offense in the specific case, (2) the intentional or negligent nature of the offense, (3) the measures taken to correct to limit the victims damage and (4) the categories of personal data affected by the infringement. In principle, this remains within the bandwidth of the penalty category linked to that violation. If necessary and depending on the extent to which the aforementioned factors give cause to do so, the AP can apply the penalty bandwidth of the next higher and the next lower category respectively.

5.4 Penalty level
159. Pursuant to article 6 of the Penalty Policy Rules 2019, the AP determines the amount of the fine by adjusting the amount of the basic fine upwards (up to the maximum of the bandwidth of the category of fines linked to an infringement) or downwards (up to the lowest minimum of that bandwidth). The basic fine will be increased or decreased depending on the extent to which the factors mentioned in article 7 give reason to do so.

160. According to the AP, the following factors as mentioned in article 7 are relevant for determining the penalty in this case:
- the nature, the seriousness and duration of the infringement;
- the intentional or negligent nature of the infringement (culpability);
- the measures taken by the processor responsible to limit the damages for the subjects involved.

161. Pursuant to article 8.1 of the Penalty Policy Rules 2019, AP can, when determining the penalty, in case the penalty category for the violation does not allow a suitable punishment, adjust the bandwidth of the penalty to the next category up or next category down.

Relevant factors for determining the amount of the penalty

Nature, seriousness and duration of the infringement
162. Pursuant to article 7, preamble and under a, of the Penalty Policy Rules 2019, the AP takes into account the nature, seriousness and duration of the infringement. In assessing this, the AP will include the nature, extent or purpose of the processing as well as the number of data subjects affected and the extent of the damage suffered by them.

163. The protection of natural persons when processing personal data is a fundamental right. Under article 8 (1) of the Charter of Fundamental Rights of the European Union and article 16 (1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to protection of his personal data. The principles and rules governing the protection of individuals with regard to the processing of their personal data should respect their fundamental rights and freedoms, in particular their right to protection of personal data. The GDPR aims to contribute to the creation of an area of ​​freedom, security and justice and of an economic union, as well as economic and social progress, the strengthening and convergence of the economies within the internal market and the well-being of natural persons. The processing of personal data must be at the service of humans. The right to protection of personal data is not absolute, but must be considered in relation to its function in society and must be balanced against other fundamental rights in accordance with the principle of proportionality. Any processing of personal data must be done properly and lawfully. It must be transparent for natural persons that their data are collected, used, consulted or otherwise processed and to what extent the personal data are processed or will be processed.

164. Pursuant to article 5 (1), preamble and under a jo. article 6, first paragraph, of the GDPR, personal data must be processed in a manner that is lawful (among others) with regard to the data subject, in the sense that there is a legal basis for this. In light of the above, these are fundamental provisions of the GDPR. If this is done in contradiction with this, it will go to the very heart of the rights of data subjects to respect for their privacy and the protection of their personal data.

165. On June 11, 2018, KNLTB provided personal data (of a large part) of their members, as a more or less common method in order to generate extra income, to [CONFIDENTIAL] and at least on June 29, 2018 to [CONFIDENTIAL]. The provisions could not be based on a legal basis as referred to in article 6, first paragraph, of the GDPR. The relevant provisions have therefore been unlawful.

It concerns two provisions that have affected many subjects. To [CONFIDENTIAL], a file with personal data of 50,000 data subjects has been provided. In addition, the KNLTB has unnecessarily provided a lot of personal data to [CONFIDENTIAL] by providing a personal data file of 314,846 data subjects from which [CONFIDENTIAL] would ultimately select 39,478 persons (less than 13%) to approach in the context of its telemarketing campaign. The AP takes the position that (at least part of) the selection could have taken place by the KNLTB itself, so that the personal data of far fewer data subjects would have been provided.

166. In further assessing the seriousness of the violation, the AP will consider the large number of data subjects and the amount of personal data provided. On the other hand, the AP in this case, considers the categories of personal data to which the infringement relates. This included name and address details, gender, (mobile) telephone number and e-mail address, but not personal data that fall within the special categories of personal data as referred to in article 9 of the GDPR. To AP, it has not been shown that the KNLTB has provided personal data of minors to [CONFIDENTIAL] and [CONFIDENTIAL].

167. In view of the above, the AP is of the opinion that there has been a serious breach, but there is no reason to increase or decrease the basic fine.

Intentional or negligent nature of the infringement (culpability)

168. Pursuant to Section 5:46 (2) of the Awb, when imposing an administrative fine, the AP takes into account the extent to which the offender is culpable. Pursuant to article 7 (b) of the Penalty Policy 2019, the AP takes into account the intentional or negligent nature of the infringement.

169. As the AP has already considered above, it may presume culpability if the perpetrator has been established. KNLTB provided personal data without legal basis. Moreover, the personal data have been provided deliberately. In light of the above, the AP therefore considers the violation to be culpable. This culpability is not altered by the fact that the KNLTB has sought advice from a law firm to review the policy with regard to sharing personal data with sponsors. The Sports & Privacy Manual, commissioned by [CONFIDENTIAL] to be drawn up by a law firm, dates from 2017. The manual deals in an "accessible way" with the basic principles of privacy law and only relates to the Wbp and not to the GDPR.

170. If and as far as KNLTB has obtained other, additional, advice from a law firm specifically with regard to (the policy surrounding) the provisions, it has not submitted this to the AP. Although an appeal to the absence of all blame is the route of the KNLTB

to demonstrate this absence by making known what exact advice has been requested and what the content of the advice has been [40], KNLTB failed to do this.

Measures taken to limit the damage suffered by those involved

171. The AP considers that the KNLTB has taken various measures to limit the damage suffered by those involved. The KNLTB did not provide personal data until after the consent of the Council of Members had been obtained. In addition, the members of the KNLTB were informed about the intended provisions in various ways (including newsletters and the KNLTB website). In addition, the agreements between the KNLTB and the relevant sponsors include a confidentiality clause, which obliges [CONFIDENTIAL] and [CONFIDENTIAL] to maintain the confidentiality of personal data, which stipulates that personal data may not be provided to third parties without the permission of KNLTB and that the personal data will be destroyed after termination or dissolution of the agreement. At the request of the KNLTB, [CONFIDENTIAL] also ended the telemarketing campaign prematurely.

172. In view of the foregoing, although the extent of the damage suffered by the parties involved is limited, it is not so that the AP sees it as a reason, in this case, to reduce the basic fine. After weighing the above factors, the basic amount remains at € 525,000.

Proportionality

173. Finally, based on articles 3:4 and 5:46 of the Awb (proportionality principle), the AP does assess whether the application of its policy for determining the amount of the fine, given the circumstances of the specific case, has a disproportionate outcome. This takes into account the extent to which the offense can be blamed on the offender (Section 5:46 (2) of the Awb). Application of the principle of proportionality also implies that the AP takes into account, if necessary, the financial circumstances of the offender when determining the fine.

174. The KNLTB takes the view that a fine is at the expense of all associations and individual members of the KNLTB. The KNLTB has been struggling with declining membership numbers and declining income for years.

In view of this and in view of the necessary substantial investments in, for example, ICT facilities, the liquidity position of the KNLTB has come under pressure. It is true that the KNLTB has a positive general reserve, but according to the KNLTB this reserve must be kept as a minimum, to be able to keep obligations towards personnel en rental agreement.

175. The AP considers that, according to its 2018 annual accounts, the KNLTB has healthy liquidity and solvency.[41] The general reserve (equity) on December 31, 2018 amounted to € 6,356,139. At the same time, KNLTB had € 6,057,018 in liquid assets and € 974,982 in receivables per that same date. The AP sees no reason to assume that the KNLTB would not be able to bear a fine of € 525,000 given its financial position. Leaving aside whether the general reserve should be available as the minimum necessary capital, the general reserve also falls within the bandwidth of 5 to 8 million euros after payment of the fine.[42]

Conclusion

176. The AP sets the total fine amount at € 525,000.[43]

6. Judgement

Fine
The AP imposes to the KNLTB, for violation of article 5, first paragraph, preamble and under b of the GDPR and article 5, first paragraph, preamble and under a jo. article 6 (1) of the GDPR, an administrative fine of € 525,000 (in words: five hundred and twenty-five thousand euros).

Yours sincerely,
Personal Data Authority,

w.g.

mr. A. Wolfsen Chairman

Remedies clause

If you do not agree with this decision, you can submit a notice of objection to the Dutch Data Protection Authority within six weeks after the date of sending the decision. To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Object to a decision, at the bottom of the page under the heading Contact the Dutch Data Protection Authority. The address for submitting on paper is: Dutch Data Protection Authority, PO Box 93374, 2509 AJ The Hague.
Include 'Awb objection' on the envelope and put 'objection' in the title of your letter. In your notice of objection, write at least:
- your name and address;
- the date of your notice of objection;
- the reference (case number) mentioned in this letter; or attach a copy of this decision; - the reason (s) why you do not agree with this decision; - your signature.