In November 2021, the Belgian Data Protection Authority (DPA) admonished a fitness club for unlawfully transferring personal data from one of its members to another.
Due to an accounting mistake, the payments of club member A were attributed to the account of member B. Member A therefore wrongfully appeared to owe outstanding membership fees. When the mistake was discovered, one of the club’s employees gave club member A the contact details of club member B, together with information on member B’s most recent club visits, so that the two members could settle the matter between themselves. Apparently the employee forgot that personal data cannot be processed (let alone transferred) indiscriminately.
PRINCIPLES OF PURPOSE BINDING & DATA MINIMIZATION
First of all, personal data may only be used for the purpose for which it was collected. Clearly member B did not provide his personal data in order for the club to share it, without his permission, with other club members. The fact that member A paid the membership fee of member B is irrelevant and does not change this principle.
Besides, personal data should be processed in the least intrusive way and using as little data as possible. This is often referred to as the principle of data minimization. The club did indeed have to use the personal data of both members to contact them upon discovering the error. However, to solve the issue (the settlement of accounts), it was not necessary to bring the two members into contact with each other. The club could easily have contacted each of them individually. There was no need to “intrusively” transfer the personal data, let alone include irrelevant information such as details of the most recent club visits.
During its investigation, the DPA recalled the principles of data minimization and purpose binding. It considered the fitness club’s violation a one-time incident due to human error. The club strongly regretted the incident and took measures to avoid future GDPR violations. Therefore, the DPA only admonished the club.
But it could have been worse: infringements of the GDPR and its principles can have far-reaching consequences. Fines imposed by the DPA can amount to up to 20.000.000 euros or 4% of a company’s annual turnover.
So, you better think before you link.
Not sure if your company is GDPR compliant, or facing a data leak?
Feel free to reach out for more information on our GDPR audits and our legal services concerning data protection.
Laura Van Gompel
Lawyer – Managing Partner
- Corporate law
- Privacy & Technology
- International Contracts