Last week the premier Dutch tennis association was handed a €525,000 fine for selling its members' personal data to its sponsors without first obtaining their consent. Identity Bank explores what happened, the reasons for the fine and the reactions to it, and presents a solution that could potentially have mitigated or avoided the problem.
The Koninklijke Nederlandse Lawn Tennis Bond (KNLTB) sold personal data such as members' names, gender, addresses and telephone numbers. In total, the personal data of 50,000 members was sold to one sponsor, while another sponsor bought the personal data of about 300,000 members. The first that association members knew about this was when they were subjected to marketing campaigns from the association's sponsors.
The sponsors proceeded to contact the affected members, ostensibly to offer the target groups information about tennis products and/or sports-related offers. The association states that it only wished to pass on benefits to its members. Members became suspicious when they started to receive unsolicited post and phone calls from these organisations.
Enough members were sufficiently unhappy about their personal data being acquired and used in this way that complaints subsequently flooded into the Dutch Data Protection Authority - Autoriteit Persoonsgegevens (AP). Enough to warrant an umpire investigation and the eventual levying of the substantial fine.
The KNLTB is not happy. It intends to appeal, and the general response on its website seems to be that it thinks the AP is acting heavy-handedly. Worse, it just doesn't seem to grasp that what it did is illegal under the EU GDPR - hence the hefty fine.
The association counters that it was only trying to benefit its members, and that members could have unsubscribed from marketing approaches at any time if they wanted to. Not quite so easy when the approaches are made via post and phone calls.
As the EU GDPR stands, the AP correctly applied the law: any association, business or organization must expressly seek permission from the affected members BEFORE selling their personal data. You can read the AP ruling here and find the documents associated with the ruling on that page. Everything is in Dutch.
And the final match result for members? There is talk of charging members higher subscriptions so the association can pay the fine. Bit of a double whammy for association members who rightly objected, not only has their personal data been sold for profit illegally by their association, but they are also going to be charged for the privilege of paying the fine!
But it doesn’t end there. The association is not only miffed about the fine, but also seems to be trying to instigate disquiet among other sports associations. In its reaction to the AP ruling it seems to imply that if it cannot have this revenue stream to fund its association then subscription charges will just have to go up and be passed on to its members, thus every sport association could potentially be affected. Let’s hit the pause button on this for a minute… “this revenue stream” really means we are selling your personal data! Which is of course illegal unless you have the explicit and freely given consent from affected members that they are happy for an association to do this.
The crux of this case seems to lie in the interpretation of how the personal data of an association can be used. KNLTB has argued - and continues to argue on its website - that it has a legitimate interest to sell the personal data of its members without obtaining their express permission to do this! The AP clearly does not agree with this interpretation.
As to the amount of the fine - there is a lot of moaning going on about the fine being disproportionate for the association. It is not. The fines for non-compliance with the EU GDPR have been known to everyone since 25 May 2018, when the regulation came into force. Heck, in the Netherlands the government even gave everyone a year's grace while the AP set up shop. Yes, the fines are high - but they are deliberately high to make sure the EU GDPR is applied. That is, it will cost you more in fines if you are not GDPR compliant. Be under no illusions if you continue to think this won't happen to your organization. It can. Recent rulings show that.
How Identity Bank can help associations to become GDPR compliant
We know that most associations want to do the right thing and become GDPR compliant. But it's hard to know exactly what to do to achieve this. Here's how Identity Bank helps not only associations, but also businesses, clubs, schools and any other organization that needs to store personal data.
The intention of an association is fundamentally good: it wants to give members opportunities to benefit from deals with sponsors while also generating a revenue stream to keep subscription costs low for its members. There is nothing wrong with this.
The problem lies in the digital roll-out of this plan and the fact that you have to ask permission first. In years gone by there would have been no problem with an association putting up posters in clubs and sending out flyer offers to members. There is nothing wrong with continuing efforts to contact members, but in this digital age, as GDPR legislation strives to protect our digital rights, the methods used have to be different to comply with current legislation.
What associations need to have in place is a members' consent management system. Associations may be reluctant to adopt one because of the perceived costs and the administrative headache of collecting consent retrospectively from all club members, not to mention the ongoing administrative nightmare of trying to update and maintain members' consent wishes.
This is where Identity Bank can help. Identity Bank has a cost effective consent management system that can be used to inform all members of an association that they need to make a personal account. The message that the association sends to members can be written by the association to encourage members to think about the goals of the association and support them. For example,
[Our association] values our members and we strive to provide you with the very best services that we can. To offer the best value for your membership subscription we have entered into partnerships with [xyz sponsors]. These sponsors, we think, are a good fit for our sport and can offer you substantial savings in sport related equipment and events, while helping us as an association to keep administration and subscription costs low. In order for you to benefit from potential offers we need you to give us your explicit consent for our sponsors to contact you.
At [our association] we take your personal data privacy very seriously and to help us remain compliant with the law we are using the data privacy services of Identity Bank.
We strongly encourage you to create a free personal Identity Bank account. Then, when you have logged into your account, you can manage consent permissions for each sponsor yourself. It is up to you to decide which sponsors can contact you, by what method and the type of personal data a sponsor is allowed to know about you. You can view and change your consent permissions at any time and our system will be automatically updated to reflect your wishes.
As shown in the message example, association members use their personal account to manage who is allowed to contact them and how, plus the type of personal data that an organization is allowed to have about them and for how long.
The benefits to associations of using Identity Bank are:
- A sponsorship revenue stream is still possible - and members are more likely to allow it, particularly if they will financially benefit, but only if they have been expressly asked for their permission first! And of course, you as an association have a legal obligation to ask.
- All members can be contacted in one go. New memberships can easily be managed - thus keeping administrative costs low.
- Members manage their own consents so the association does not have to do this! This puts people in charge of their personal data - which clearly they should be - plus there is another administrative saving because the association does not have to maintain and manually manage this system.
- Associations can generate reports at any time to show membership consents.
- GDPR actions are logged to provide an audit trail - built in GDPR functionality ensures that the association follows regulation rules.
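To make the consent model described above concrete (a consent per member and per sponsor that covers the contact method, the data fields and the duration, with every action logged for an audit trail and reports available on demand), here is an added illustration in Python. It is not Identity Bank's code: the channel and field vocabulary, the sponsor names and the member records are constructed for the example. The point it shows is that an export to a sponsor is produced only by filtering through the consent ledger, so a sponsor receives just the fields each member has agreed to, through the channel they agreed to, and every check lands in the audit log.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed vocabulary for this example; not Identity Bank's schema.
CHANNELS = frozenset({"email", "post", "phone"})
DATA_FIELDS = frozenset({"name", "gender", "address", "telephone"})


@dataclass
class Consent:
    member_id: str
    sponsor: str
    channels: frozenset          # how the sponsor may contact the member
    fields: frozenset            # which personal data the sponsor may receive
    granted_on: date
    expires_on: date             # for how long: sharing stops after this date
    withdrawn_on: Optional[date] = None

    def active(self, today: date) -> bool:
        return self.withdrawn_on is None and today <= self.expires_on


class ConsentLedger:
    """Per-member, per-sponsor consent records plus an append-only audit log."""

    def __init__(self):
        self._consents: dict = {}   # (member_id, sponsor) -> Consent
        self.audit: list = []       # every GDPR-relevant event, in order

    def _log(self, event: str, **details) -> None:
        self.audit.append({"event": event, **details})

    def grant(self, member_id, sponsor, channels, fields, days, today):
        channels, fields = frozenset(channels), frozenset(fields)
        if not channels <= CHANNELS or not fields <= DATA_FIELDS:
            raise ValueError("unknown channel or data field")
        c = Consent(member_id, sponsor, channels, fields, today, today + timedelta(days=days))
        self._consents[(member_id, sponsor)] = c
        self._log("consent_granted", member=member_id, sponsor=sponsor,
                  channels=sorted(channels), fields=sorted(fields),
                  expires=c.expires_on.isoformat())
        return c

    def withdraw(self, member_id, sponsor, today) -> bool:
        c = self._consents.get((member_id, sponsor))
        if c is not None and c.active(today):
            c.withdrawn_on = today
            self._log("consent_withdrawn", member=member_id, sponsor=sponsor)
            return True
        return False

    def permits(self, member_id, sponsor, channel, fields, today) -> bool:
        """Gate every disclosure on an active consent covering the channel AND the fields."""
        c = self._consents.get((member_id, sponsor))
        ok = (c is not None and c.active(today)
              and channel in c.channels and frozenset(fields) <= c.fields)
        self._log("disclosure_check", member=member_id, sponsor=sponsor,
                  channel=channel, fields=sorted(fields), allowed=ok)
        return ok

    def report(self, sponsor, today) -> dict:
        """Consent counts for one sponsor, as a membership or DPA report would show them."""
        rows = [c for (_, s), c in self._consents.items() if s == sponsor]
        return {"sponsor": sponsor,
                "active": sum(c.active(today) for c in rows),
                "withdrawn": sum(c.withdrawn_on is not None for c in rows),
                "expired": sum(c.withdrawn_on is None and today > c.expires_on for c in rows)}


def build_sponsor_export(ledger, members, sponsor, channel, fields, today):
    """Return only the members, and only the fields, the ledger permits for this channel.
    `members` maps member_id -> full record; the sponsor never sees the rest."""
    export = []
    for member_id, record in members.items():
        if ledger.permits(member_id, sponsor, channel, fields, today):
            export.append({"member_id": member_id, **{f: record[f] for f in fields}})
    return export


# Constructed sample membership file (fictitious people).
MEMBERS = {
    "m1": {"name": "A. Example", "gender": "F", "address": "1 Baseline St", "telephone": "000-0001"},
    "m2": {"name": "B. Example", "gender": "M", "address": "2 Baseline St", "telephone": "000-0002"},
    "m3": {"name": "C. Example", "gender": "F", "address": "3 Baseline St", "telephone": "000-0003"},
}


def demo(today=date(2020, 3, 10)):
    ledger = ConsentLedger()
    # m1 consents to post only, sharing name and address, for a year.
    ledger.grant("m1", "sponsor-a", {"post"}, {"name", "address"}, 365, today)
    # m2 consents to phone contact but withdraws before the campaign runs.
    ledger.grant("m2", "sponsor-a", {"phone"}, {"name", "telephone"}, 365, today)
    ledger.withdraw("m2", "sponsor-a", today + timedelta(days=5))
    # m3 was never asked and never consented, so never appears in an export.
    campaign_day = today + timedelta(days=30)
    postal = build_sponsor_export(ledger, MEMBERS, "sponsor-a", "post", ["name", "address"], campaign_day)
    phone = build_sponsor_export(ledger, MEMBERS, "sponsor-a", "phone", ["name", "telephone"], campaign_day)
    return ledger, postal, phone


if __name__ == "__main__":
    ledger, postal, phone = demo()
    print("postal export:", postal)   # only m1, only name + address
    print("phone export:", phone)     # empty: m2 withdrew, nobody else agreed to phone
    print("report:", ledger.report("sponsor-a", date(2020, 4, 9)))
    for event in ledger.audit:
        print(event)
```

The design choice worth noting is that the sponsor export function has no path that bypasses `permits`: the full membership file is the input, but what leaves is decided field by field and channel by channel by the member's own consent record, and the refusals are logged alongside the approvals, which is what makes the audit trail useful when a regulator asks why a particular member was or was not contacted.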
Using Identity Bank, an association can clearly demonstrate to its members and to the Data Protection Authorities that it takes EU GDPR data privacy seriously! With a demonstrable GDPR audit trail, an association's efforts are more likely to be viewed favourably than they would be without an adequate consent management system in place. Everyone protecting personal data must be seen to be doing it - not just saying they are.
Can any association, club, school, business or organisation - anyone who works with personal data on members, customers and employees - really afford not to use Identity Bank?
Should have gone to Identity Bank!
See our website to find out how we can get your business or organization up and running today!