Eric De Wilde – May 12 2022- In November 2021 the Belgian Data Protection Authority (DPA) admonished a fitness club for unlawfully transferring personal data from one of their members to another.
Due to an accounting mistake, the payments of club member A were attributed to the account of member B. Member A – wrongfully – appeared to owe outstanding membership fees. The mistake was discovered and one of the club’s employees gave club member A the contact data of club member B. He also included information on the member’s most recent club visits. Then they could settle the matter amongst each other.
Apparently the employee forgot that personal data cannot be processed (let along transferred) indiscriminately.
First of all, personal data can only be used for the purpose it was retrieved for. Clearly member B did not provide his personal data in order for the club to share it, without permission, to other club members. The fact that member A paid the membership fee of member B is irrelevant and does not change this principle.
Besides, personal data should be processed in the least intrusive way and with as few data as possible. The club indeed had to use the personal data of both members to contact them and discover the error. However, to solve the issue (settlement of accounts) it wasn’t necessary to bring two members in contact. The club could easily just contact each of them individually. There was no need to “intrusively” transfer the personal data, let along include irrelevant information such as details on the most recent club visits.
With this decision, the DPA recalled the principles of data minimisation and purpose binding. It considered the violation of the fitness club a one-time incident due to an human error. The club strongly deplored the incident and took measures to avoid future GDPR violations. Therefore, the DPA only admonished the club.
But it could have been worse… Infringements of the GDPR and its principles can have far reaching consequences: fines by the DPA can amount to 20.000.000 euro or 4% of a company’s annual turnover.
So, you better think before you link.