RVS – 202203874/1/A3

{{COURTdecisionBOX

|Jurisdiction=Netherlands
|Court-BG-Color=
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=RVS
|Court_Original_Name=Raad van State
|Court_English_Name=Council of State
|Court_With_Country=RVS (Netherlands)

|Case_Number_Name=202203874/1/A3
|ECLI=ECLI:NL:RVS:2026:746

|Original_Source_Name_1=Rechtspraak
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RVS:2026:746&showbutton=true&keyword=avg&idx=7
|Original_Source_Language_1=Dutch
|Original_Source_Language__Code_1=NL
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Date_Decided=11.02.2026
|Date_Published=11.02.2026
|Year=2026

|GDPR_Article_1=Article 6(1)(b) GDPR
|GDPR_Article_Link_1=Article 6 GDPR#1b
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=

|EU_Law_Name_1=Article 7 Charter
|EU_Law_Link_1=https://eur-lex.europa.eu/eli/treaty/char_2012/oj/eng
|EU_Law_Name_2=Article 8 Charter
|EU_Law_Link_2=https://eur-lex.europa.eu/eli/treaty/char_2012/oj/eng
|EU_Law_Name_3=Article 8 ECHR
|EU_Law_Link_3=https://www.echr.coe.int/documents/d/echr/Convention_ENG
|EU_Law_Name_4=
|EU_Law_Link_4=
|EU_Law_Name_5=
|EU_Law_Link_5=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=

|Appeal_From_Body=
|Appeal_From_Case_Number_Name=
|Appeal_From_Status=
|Appeal_From_Link=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=

|Initial_Contributor=lde
|
}}

A court held that the DPA insufficiently justified its refusal to act against a cinema that no longer accepted cash payments, failing to demonstrate that mandatory card payments pursued a sufficiently concrete and justified purpose under the GDPR.

== English Summary ==

=== Facts ===
After moving to a new building in 2018, Stichting Focus Filmtheater, the controller, abolished cash payments and allowed customers to pay only by debit card, credit card, or online. The data subject objected to this policy, arguing that forcing card payments unnecessarily involves the processing of personal data and infringes his right to privacy. He therefore filed a complaint with the DPA.

The DPA rejected the complaint following investigation, concluding that no likely violation of the GDPR occurred. It considered that card payments were used to ensure employee safety and to enable the performance of the contract with customers. The court of first instance upheld this view. The data subject then appealed to the Council of State, arguing that the DPA had failed to properly assess whether the processing was necessary and justified, and that less intrusive alternatives, such as allowing cash payments, were available.

=== Holding ===
The court held that the DPA’s decision was insufficiently reasoned and therefore unlawful. The court clarified that compliance with the GDPR generally implies compliance with Articles 7 and 8 of the EU Charter and Article 8 ECHR, so no separate human-rights analysis was required.

While the court accepted that “(social) safety” can in principle constitute a legitimate and well-defined purpose for processing personal data under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], it emphasised that such a purpose must be substantiated in the specific circumstances of the case. In this instance, the data subject had credibly argued that staff safety was not actually at risk, and the DPA had failed to demonstrate that abolishing cash payments materially improved employee safety. The mere fact that cash can be stolen was not sufficient to establish a concrete and justified purpose.

Because the existence of a legitimate purpose had not been adequately established, the DPA could not properly assess whether the processing was necessary for the performance of the contract or whether it was proportionate. As a result, the court annulled the DPA’s decision and ordered it to adopt a new decision that properly assesses the legitimacy of the purpose relied upon.

== Comment ==
”Share your comments here!”

== Further Resources ==
”Share blogs or news articles here!”

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

<pre>
202203874/1/A3.

Date of judgment: February 11, 2026

DIVISION

ADMINISTRATIVE LAW

Judgment on the appeal of:

[appellant], residing in [place of residence],

appellant,

against the judgment of the Gelderland District Court of May 16, 2022, in case no. 20/68 in the proceedings between:

[appellant]

and

the Dutch Data Protection Authority (hereinafter: the Dutch Data Protection Authority).

Procedural history

By decision of April 16, 2019, the Dutch Data Protection Authority rejected [appellant]’s request for enforcement action against Stichting Focus Filmtheater and Focus Horeca B.V. (hereinafter: Focus).

By decision of November 27, 2019, the Dutch Data Protection Authority declared [appellant]’s objection to this request unfounded.

In its judgment of May 16, 2022, the District Court dismissed the appeal filed by [appellant].

[Appellant] filed an appeal against this judgment.

The Dutch Data Protection Authority (AP) and Focus submitted written explanations.

[Appellant] submitted a further document.

The Division heard the case on July 30, 2025, at which [appellant] and the AP, represented by Mr. W. van Steenbergen and Mr. A. Karimi, appeared.

Considerations

Legal Framework

1. The legal framework is included in the appendix, which forms part of this judgment.

Introduction

2. [Appellant] wants to be able to purchase a cinema ticket at Focus with cash. In 2018, Focus moved to a new building, and since then, cinema tickets can only be purchased by debit or credit card, or online via the website. Drinks in Focus’s catering facilities can also only be paid for by debit or credit card. [Appellant] believes this violates his right to privacy, as it unnecessarily processes his personal data. He has therefore requested the Dutch Data Protection Authority (DPA), pursuant to the General Data Protection Regulation (hereinafter: GDPR), to investigate and take enforcement action against Focus’s removal of the option for cash payments.

3. Based on desk research, the DPA did not consider it plausible that a violation of the GDPR might occur because Focus does not accept cash payments. The DPA therefore rejected the enforcement request.

Court Ruling

4. The court ruled that the DPA rightly rejected [appellant]’s enforcement request. According to the court, the purpose of processing personal data for debit card payments is to increase the safety of Focus’s employees, primarily volunteers. The purpose of processing personal data when purchasing a cinema ticket via the website is the correct delivery of the cinema ticket. According to the court, these purposes are clear and justified. Furthermore, the processing of personal data is necessary for the performance of the agreement with the cinema visitor, as referred to in Article 6, paragraph 1, introductory sentence and under b, of the GDPR. Finally, the court finds that the processing of personal data is proportionate to the interests served. The purpose for which Focus processes the personal data cannot reasonably be achieved in a less detrimental manner. Allowing cash payments would, after all, undermine Focus’s objective of ensuring the safety of its employees. Moreover, the processing of personal data is limited to what is necessary for the purposes for which it is processed. Focus uses a Payment Service Provider (hereinafter: PSP) for debit card payments, and by applying PAN Masking technology, only the last four digits of masked bank account numbers, along with the amounts and dates of payment, are visible. The court dismissed [appellant]’s appeal.

The Appeal

Scope of the Proceedings

5. In its ruling, the District Court also addressed [appellant]’s appeal insofar as it concerns the processing of personal data during a visit to the Focus website. [Appellant] stated on appeal that he is explicitly concerned with the option to pay with cash, and not so much with the data processing on the website. If he had been able to pay with cash, he would not have filed an enforcement request. The Division will therefore limit itself on appeal to assessing the rejection of the enforcement request insofar as it relates to debit card payments.

Grounds of Appeal

6. [Appellant] argues that the District Court wrongly failed to assess the application against Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (hereinafter: ECHR). According to [appellant], the processing of personal data for debit card payments is not necessary in a democratic society. Furthermore, the District Court wrongly considered that this constitutes an agreement. This is because there is no unambiguous, voluntary consent of a data subject, but rather an obligation unilaterally imposed by Focus. Moreover, according to [appellant], in some cases, the processing of special personal data as referred to in Article 9 of the GDPR occurs. It is conceivable that viewing certain films, for example, could reveal a visitor’s political or sexual preferences. Special personal data may not, in principle, be processed without consent.

Furthermore, [appellant] argues that employee safety is generally a legitimate objective, but that it has not been demonstrated that employee safety is at stake in this specific case. Therefore, there is no legitimate objective in this case, and the objective is formulated too generally to be clearly and explicitly defined.

Furthermore, [appellant] argues that the district court wrongly considered the processing of personal data to be proportionate. The district court failed to explain why the purpose of processing personal data could not be achieved in another way that is less detrimental to the data subject. According to [appellant], the fact that Focus uses PAN masking technology does not mean that the data is processed securely, because digital systems are always vulnerable. Finally, [appellant] considers requiring people who want to see a film without sharing personal data to buy their cinema ticket elsewhere to be a form of discrimination.

Assessment by the Division

The relationship between the GDPR, the EU Charter, and the ECHR

7. As the Court of Justice of the European Union (hereinafter: the Court) stated in its judgment of 5 June 2023, Commission v. Poland, ECLI:EU:C:2023:442, paragraph 332, the GDPR aims, inter alia, to ensure a high level of protection of the fundamental freedoms and rights of natural persons with regard to the processing of personal data. Such processing is therefore, in principle, deemed to comply with Articles 7 and 8 of the EU Charter, provided that the conditions for the lawful processing of personal data under the GDPR are met. As the Division considered in its judgment of 3 April 2024, ECLI:NL:RVS:2024:1387, paragraph 5, the rights guaranteed in Articles 7 and 8 of the Charter have the same meaning and scope as the corresponding rights guaranteed in Article 8 of the ECHR, which constitutes a minimum level of protection (see the judgment of the Court of Justice of 13 March 2025, Deldits, ECLI:EU:C:2025:172, paragraph 46). Therefore, the Division sees no grounds for a separate assessment under Article 8 of the ECHR.

What data is processed?

8. When a PIN payment is made for a cinema ticket at the box office or a drink in a catering establishment, the visitor’s bank account number, the amount, and the payment date are processed. Because Focus uses a PSP to process financial transactions, the so-called PAN Masking technique is applied to the visitor’s bank account number. This technology is an international standard, established by the Payment Card Industry Security Standards Council (PCI SSC) for secure financial transactions. By applying this technology, only the last four digits of the bank account number, the amounts, and the payment dates are visible to Focus.

Is this a case of special personal data?

9. [Appellant] first invoked Article 9 of the GDPR at the hearing before the Division. In the Division’s opinion, this should be interpreted as a further argument to his previously raised argument that the processing violates Article 8 of the ECHR. Therefore, raising this argument for the first time at the appeal hearing is not contrary to due process. However, the Division finds that it has not been demonstrated that special personal data, as referred to in Article 9, paragraph 1, of the GDPR, is being processed in this case. No data is being processed that reveals the visitor’s political views or sexual orientation, or other categories of special personal data referred to in Article 9, paragraph 1, of the GDPR. It has not been demonstrated that data is processed regarding the films for which tickets are purchased, let alone whether such information qualifies as “special personal data.” It is unclear how the last four digits of the bank account number, the amounts, and the payment dates could be used to deduce special personal data.

Is there an agreement?

10. Contrary to [appellant]’s argument, there are no grounds for concluding that an agreement with Focus cannot be considered an agreement within the meaning of Article 6, paragraph 1, introductory sentence and (b), of the GDPR. When a visitor purchases a cinema ticket or refreshments, an agreement is concluded. The fact that a visitor cannot choose the payment method does not mean that an agreement cannot exist. As the Division previously considered in its ruling of 10 November 2021, ECLI:NL:RVS:2021:2511, paragraph 9, it falls outside the Division’s jurisdiction to assess whether the agreement complies with contract law. Contrary to [appellant]’s argument, the concept of “agreement” in the GDPR does not have independent EU law significance. It follows from Guidelines 2/2019 of the European Data Protection Board on the processing of personal data pursuant to Article 6(1)(b) of the GDPR that the concept of “agreement” and its validity must be interpreted according to national law. While these guidelines are not legally binding, they are nevertheless relevant in interpreting the GDPR in this case. In Dutch law, the concept of “agreement” and its interpretation fall within the domain of private law. [Appellant] can therefore challenge in civil courts whether this agreement is invalid because it was not concluded freely.

Is the processing necessary for the performance of the agreement?

– What is the assessment framework?

11. As the Division considered in the judgment of 10 November 2021, paragraph 10, referred to above, the processing of personal data may be lawful if it is necessary for the performance of the agreement. To this end, it must first be assessed whether the purpose for which the personal data is processed is specific and explicitly defined. Article 5, paragraph 1, introductory sentence and (b), of the GDPR stipulates that the purpose must also be legitimate.

If there is a specific, explicitly defined, and legitimate purpose, it must further be assessed whether the processing of the personal data in question also achieves that purpose. If the processing of the personal data is necessary for achieving the specific purpose in this sense, it must then be assessed whether the infringement of privacy is proportionate to the interests served by the processing of the personal data. As the Division previously ruled in its judgment of 20 September 2017, ECLI:NL:RVS:2017:2555, in light of the EU Charter, it must be assessed whether the infringement of privacy is limited to what is strictly necessary to achieve the objective. In particular, it must always be assessed whether the purpose for which the personal data is processed cannot reasonably be achieved in another way that is less detrimental to the data subjects involved in the processing of personal data. The intensity with which this must be done is partly determined by the specificity of the alternatives proposed. In other words, the more detailed the data subject describes the alternative, the more in-depth the AP’s investigation must be. The Division adds that this does not mean that if the data subject proposes few or no alternatives, the AP is not required to conduct an investigation. Certain alternatives may be so obvious that the AP must consider them in its assessment, even without the data subject pointing this out.

– Is there a specific, explicitly described, and legitimate purpose for the processing?

12. In response to [appellant]’s enforcement request, the Dutch Data Protection Authority (AP) submitted written questions to Focus on September 19, 2018, and October 23, 2018, including the purpose of processing personal data, as referred to in Article 5, paragraph 1, introductory sentence and under b, of the GDPR. In its response of September 26, 2018, Focus stated only that it had chosen to work exclusively with debit card payments to better guarantee the safety of its hospitality staff and cinema cashiers. On June 11, 2019, Focus responded to [appellant]’s objection, explaining that it considers it its duty of care to protect the safety of its employees as best as possible, especially now that the cinema employs many volunteers. Furthermore, Focus does not want to unnecessarily burden them with the responsibility for cash. According to Focus, it is a common knowledge that the absence of cash in a business reduces its attractiveness to potential robbers.

13. The Division finds that the court wrongly considered the safety of Focus employees a legitimate objective for introducing mandatory debit card payments and abolishing cash payments. As the Division considered in the aforementioned ruling of November 10, 2021, paragraph 12, the concept of (social) safety is indeed broad, but not so vague or unspecific that it is not explicit enough. (Social) safety can therefore be a legitimate objective for introducing mandatory debit card payments. However, based on the available information, it cannot be established that the safety of Focus employees is at stake in this specific case. [Appellant] has disputed this with reasoned arguments, and the Dutch Data Protection Authority has not submitted any counterarguments. There is no evidence that abolishing cash in this case has a material effect on employee safety. The mere fact that cash is susceptible to theft is insufficient in itself to consider (social) safety a legitimate objective for mandatory debit card payments.

14. In view of the foregoing, the Dutch Data Protection Authority (DPA) has insufficiently substantiated its rejection of [appellant]’s enforcement request for this reason alone. Since it cannot be determined whether there is a legitimate purpose for the processing, the Division does not address the question of whether the processing of personal data in question actually achieves that purpose, and whether the infringement of privacy is proportionate to the interests served by the processing of the personal data.

15. [Appellant]’s argument is successful.

Should preliminary questions be submitted?

16. [Appellant] has requested that preliminary questions be submitted to the Court of Justice. The questions raised by [appellant] concern the interpretation of the concept of contract in the GDPR, direct assessment against Article 8 of the ECHR, and the question of whether security, in general, is a sufficiently specific and expressly defined purpose. The Division addressed these questions in considerations 7, 10, and 13. In view of the Court’s judgments of 6 October 1982, Cilfit, ECLI:EU:C:1982:335, paragraph 16, and 6 October 2021, Consorzio Italian Management, ECLI:EU:C:2021:799, paragraph 36, the Division sees no reason to submit preliminary questions, because, also in view of the Court’s case law, there can be no reasonable doubt as to how the questions raised should be answered.

Conclusion

17. The appeal is well-founded. The contested judgment must be set aside. Following the District Court’s instructions, the Division will uphold the appeal against the decision of 27 November 2019. That decision is eligible for annulment due to its conflict with Article 7:12, paragraph 1, of the General Administrative Law Act (hereinafter: GALA). The Dutch Data Protection Authority must issue a new decision, taking into account the considerations in this ruling. The Division will set a deadline for this. To ensure an efficient resolution of the dispute, the Division also finds reason to determine, pursuant to Article 8:113, paragraph 2, of the General Administrative Law Act (Awb), that an appeal against the new decision may only be lodged with it.

18. The Dutch Data Protection Authority must reimburse the legal costs.

Decision

The Administrative Jurisdiction Division of the Council of State:

I. declares the appeal well-founded;

II. sets aside the contested ruling;

III. declares the appeal against the decision of the Dutch Data Protection Authority of 27 November 2019, reference number Z2019-09555, well-founded;

IV. sets aside that decision;

V. orders the Dutch Data Protection Authority to issue a new decision, taking into account the considerations in this ruling, within eight weeks of dispatch and to publish it in the manner prescribed by law;

VI. Orders that an appeal against the new decision to be taken may only be lodged with the Division;

VII. Orders the Dutch Data Protection Authority to reimburse [appellant] for the legal costs incurred in connection with the handling of the appeal and the further appeal, amounting to €54.21.

VIII. Orders the Dutch Data Protection Authority to reimburse [appellant] for the court fee paid by him for the handling of the appeal and the further appeal, amounting to €452.00.

Thus decided by Mr. W. den Ouden, presiding judge, and Mr. E.A. Minderhoud and Mr. G.O. van Veldhuizen, members, in the presence of Mr. A.E. Kamperman, clerk of the court.

signed by Den Ouden

presiding judge

signed by Kamperman

Registrar

Pronounced in open court on 11 February 2026

1000

ANNEX

General Data Protection Regulation

Article 5

Principles governing the processing of personal data

1. Personal data shall:

b) be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

Article 6

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
</pre>