APD/GBA (Belgium) - 137/2021: Difference between revisions

From GDPRhub
(One intermediate revision by one other user not shown)
Line 61: Line 61:


=== Facts ===
=== Facts ===
An individual (the Complainant) received a direct marketing email from a company (the Defendant) in relation to their plans to renovate their property. The Complainant reached out to the Defendant to object to the further processing of their personal data for marketing purposes, to ask how the Defendant had obtained their personal data, and to request the erasure of their personal data.
An individual (the Complainant) received a direct marketing email from a company (the Defendant) in relation to their plans to renovate their property. The Complainant reached out to the Defendant to object to the further processing of their personal data for marketing purposes, to ask how the Defendant had obtained their personal data, and to request the erasure of their personal data. The Defendant first ignored the requests of the Complainant and later explained that it had bought the database from an external company, thinking that these data had been gathered lawfully.
 
The Defendant first ignored the requests of the Complainant. The Defendant later explained that it had bought the database from an external company, thinking that these data had been gathered lawfully.  
=== Holding ===
=== Holding ===
The Belgian DPA first stated that this case was touching upon to the core of the GDPR. Several violations were found, as further detailed below.
The Belgian DPA first stated that this case was touching upon to the core of the GDPR. Several violations were found, as further detailed below.


==== Violation of the right to information (Article 14 GDPR) ====
==== Violation of the right to information (Article 14 GDPR) ====
In accordance with [[Article 14 GDPR]], when personal data are not received from the data subjects directly, the data subjects must be informed by the controller at the latest within a month of receiving the personal data, or upon initiating contact. The Belgian DPA stressed that the exceptions to this obligation are to be interpreted very narrowly, as transparency is at the core of the GDPR.
In accordance with [[Article 14 GDPR]], when personal data are not received from the data subjects directly, the data subjects must be informed by the controller at the latest within a month of receiving the personal data, or upon initiating contact. The Belgian DPA stressed that the exceptions to this obligation are to be interpreted very narrowly, as transparency is at the core of the GDPR. In this case, it was found that the Defendant had failed to inform the data subjects following the indirect collection of their personal data and the intended processing.
 
In this case, it was found that the Defendant had failed to inform the data subjects about the indirect collection of their personal data and the intended processing.


==== Violation of the right to access (Article 15 GDPR), the right to object  (Article 21 GDPR) and the right to erasure (Article 17 GDPR) ====
==== Violation of the right to access (Article 15 GDPR), the right to object  (Article 21 GDPR) and the right to erasure (Article 17 GDPR) ====
In accordance with [[Article 15 GDPR]], data subjects have the right to request access and receive information about the processing of their personal data from controllers. Under [[Article 21 GDPR]] and [[Article 17 GDPR]], data subjects also have the right to object to the processing of their personal data, and to request the erasure of their personal data.
In accordance with [[Article 15 GDPR]], data subjects have the right to request access and receive information about the processing of their personal data from controllers. Under [[Article 21 GDPR]] and [[Article 17 GDPR]], data subjects also have the right to object to the processing of their personal data, and to request the erasure of their personal data.


In this case, the Complainant had exercised each of these rights by sending a request to the Defendant. In accordance with [[Article 12 GDPR#3|Article 12(3) GDPR]], the Defendant should have answered the Complainant within one month of receiving such request. Such answer should have included information about how the personal data were indirectly obtained by the Defendant, as well as information on the measures that the Defendant was intending to take in response of the exercise of the right to object (([[Article 21 GDPR#2|Article 21(2) GDPR]]) and the right to erasure ([[Article 17 GDPR]]). The Belgian DPA also held that, pursuant to [[Article 12 GDPR#4|Article 12(4) GDPR]], if the Defendant had decided not to take any action in relation to the Complainant's request, the Defendant should have informed the Complainant within 30 days about its decision and the reason why it would not provide the requested information.
The Belgian DPA observed that the Complainant had exercised each of these rights by sending a request to the Defendant and that, in accordance with [[Article 12 GDPR#3|Article 12(3) GDPR]], the Defendant should have addressed these requests timely and exhaustively. In particular, information should have been provided as to which measures the Defendant was intending to take in response of the Defendant's objection ([[Article 21 GDPR#2|Article 21(2) GDPR]]) and erasure request ([[Article 17 GDPR]]). The Belgian DPA stressed that the right to object is absolute in case of marketing-related processing and that data could only have been retained if they were processed for a different purpose with a separate legal basis (which was not the case in the situation at hand).
 
In this case, it was found that the Defendant had failed to answer the request of the Complainant, and should not have retained the personal data, given that they had been obtained for marketing purposes. With regard to Article 21 GDPR in particular, the Belgian DPA stressed that the right to object is absolute when a data subject objects to the processing of personal data for marketing purposes; the Defendant could only have retained the personal data if they were processed for a different purpose with a separate legal basis (which was not the case in the situation at hand).


As a result, the Belgian DPA found that the Defendant had violated Article 15, 21 and 17 GDPR, read in combination with Article 12(3) and (4) GDPR.
As a result, the Belgian DPA found that the Defendant had violated Article 15, 21 and 17 GDPR, read in combination with Article 12(3) and (4) GDPR.
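Review bot: In the rewritten paragraph beginning "The Belgian DPA observed", the phrase "in response of the Defendant's objection" names the wrong party: the same sentence says the Complainant exercised these rights, so it should read "in response to the Complainant's objection". The revision also drops the explanation of Article 12(4) GDPR and the one-month response deadline, while the unchanged conclusion still reads "read in combination with Article 12(3) and (4) GDPR"; either keep a short sentence on Article 12(4) or adjust the conclusion so the two agree.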
Line 85: Line 79:


==== Aggravating and mitigating factors and imposition of a fine ====
==== Aggravating and mitigating factors and imposition of a fine ====
The Belgian DPA took into consideration the fact that the Defendant had ignored twice the Complainant's request, and considered such fact as an aggravating factor. However, the Belgian DPA also took into account the fact that the Defendant had ultimately deleted the personal data of the Complainant and had informed the latter about how it had obtained the personal data (although with some delay) ; this was considered as a mitigating factor.
The Belgian DPA took into consideration the fact that the Defendant had ignored the Complainant's request twice, and considered such fact as an aggravating factor. However, the Belgian DPA also took into account the fact that the Defendant had ultimately deleted the personal data of the Complainant and had informed the latter about how it had obtained the personal data (although with some delay); this was considered as a mitigating factor.


In conclusion, taking into account all the facts of the case, including its mitigating and aggravating factors, the Belgian DPA held that the Defendant had acted in breach of [[Article 14 GDPR#1|Article 14(1)]], [[Article 14 GDPR#2|Article 14(2)]], [[Article 14 GDPR#3|Article 14(3)]], [[Article 15 GDPR]], [[Article 17 GDPR#1c|Article 17(1)(c)]] and [[Article 21 GDPR#2|Article 21(2) GDPR]], read in combination with [[Article 12 GDPR#3|Article 12(3) GDPR]], and decided to impose a fine of €10,000 on the Defendant. The Belgian DPA further issued an injunction against the Defendant to bring their processing practices in compliance with the GDPR within 30 days of this decision.  
In conclusion, taking into account all the facts of the case, including its mitigating and aggravating factors, the Belgian DPA held that the Defendant had acted in breach of [[Article 14 GDPR#1|Article 14(1)]], [[Article 14 GDPR#2|Article 14(2)]], [[Article 14 GDPR#3|Article 14(3)]], [[Article 15 GDPR]], [[Article 17 GDPR#1c|Article 17(1)(c)]] and [[Article 21 GDPR#2|Article 21(2) GDPR]], read in combination with [[Article 12 GDPR#3|Article 12(3) GDPR]], and decided to impose a fine of €10,000 on the Defendant. The Belgian DPA further issued an injunction against the Defendant to bring their processing practices into compliance with the GDPR within 30 days of this decision.  


== Comment ==
== Comment ==

Latest revision as of 10:35, 16 December 2021

APD/GBA (Belgium) - 137/2021
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 14 GDPR
Article 15 GDPR
Article 17(1) GDPR
Article 21(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.12.2021
Published:
Fine: 10000 EUR
Parties: n/a
National Case Number/Name: 137/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Beslissing ten gronde 137/2021 van 8 december 2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA fined a company €10,000 for having bought and used a database for marketing purposes, without ensuring that this database had been gathered lawfully, and for failing to respect the rights of the data subjects, including the right to information, the right to object, and the right to erasure of personal data.

English Summary

Facts

An individual (the Complainant) received a direct marketing email from a company (the Defendant) in relation to their plans to renovate their property. The Complainant reached out to the Defendant to object to the further processing of their personal data for marketing purposes, to ask how the Defendant had obtained their personal data, and to request the erasure of their personal data. The Defendant first ignored the requests of the Complainant and later explained that it had bought the database from an external company, thinking that these data had been gathered lawfully.

Holding

The Belgian DPA first stated that this case touched upon the core of the GDPR. Several violations were found, as further detailed below.

Violation of the right to information (Article 14 GDPR)

In accordance with Article 14 GDPR, when personal data are not received from the data subjects directly, the data subjects must be informed by the controller at the latest within a month of receiving the personal data, or upon initiating contact. The Belgian DPA stressed that the exceptions to this obligation are to be interpreted very narrowly, as transparency is at the core of the GDPR. In this case, it was found that the Defendant had failed to inform the data subjects following the indirect collection of their personal data and the intended processing.

Violation of the right to access (Article 15 GDPR), the right to object (Article 21 GDPR) and the right to erasure (Article 17 GDPR)

In accordance with Article 15 GDPR, data subjects have the right to request access and receive information about the processing of their personal data from controllers. Under Article 21 GDPR and Article 17 GDPR, data subjects also have the right to object to the processing of their personal data, and to request the erasure of their personal data.

The Belgian DPA observed that the Complainant had exercised each of these rights by sending a request to the Defendant and that, in accordance with Article 12(3) GDPR, the Defendant should have addressed these requests in a timely and exhaustive manner. In particular, information should have been provided as to which measures the Defendant was intending to take in response to the Complainant's objection (Article 21(2) GDPR) and erasure request (Article 17 GDPR). The Belgian DPA stressed that the right to object is absolute in the case of marketing-related processing and that data could only have been retained if they were processed for a different purpose with a separate legal basis (which was not the case in the situation at hand).

As a result, the Belgian DPA found that the Defendant had violated Articles 15, 21 and 17 GDPR, read in combination with Article 12(3) and (4) GDPR.

Violation of the obligation to implement appropriate technical and organisational measures (Article 24 GDPR)

The DPA also held that Article 24 GDPR puts an obligation on the controller to implement adequate technical and organisational measures to ensure its processing is done in compliance with the GDPR. As such, the Defendant should have ensured that the database which it had bought was gathered in a legal and compliant manner. In this case, however, the Belgian DPA found that the Defendant had failed to conduct due diligence before buying and using the database. As a result, the Belgian DPA also found a violation of Article 24 GDPR by the Defendant.

Aggravating and mitigating factors and imposition of a fine

The Belgian DPA took into consideration the fact that the Defendant had ignored the Complainant's request twice, and treated this as an aggravating factor. However, the Belgian DPA also took into account the fact that the Defendant had ultimately deleted the personal data of the Complainant and had informed the latter about how it had obtained the personal data (although with some delay); this was treated as a mitigating factor.

In conclusion, taking into account all the facts of the case, including its mitigating and aggravating factors, the Belgian DPA held that the Defendant had acted in breach of Article 14(1), Article 14(2), Article 14(3), Article 15 GDPR, Article 17(1)(c) and Article 21(2) GDPR, read in combination with Article 12(3) GDPR, and decided to impose a fine of €10,000 on the Defendant. The Belgian DPA further issued an injunction against the Defendant to bring their processing practices into compliance with the GDPR within 30 days of this decision.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.