APD/GBA (Belgium) - 84-2022
APD/GBA - 84-2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR; Article 5(1)(b) GDPR; Article 5(1)(d) GDPR; Article 6(1) GDPR; Article 13 GDPR; Article 14 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 10.08.2020 |
Decided: | 22.04.2022 |
Published: | 24.05.2022 |
Fine: | 5000 EUR |
Parties: | n/a |
National Case Number/Name: | 84-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Autorité de protection des données, Decision quant au fond 84/2022 du 24 mai 2022 (in FR) |
Initial Contributor: | Maria Anagnostou |
The Belgian DPA fined a website provider €5000 for listing personal data of lawyers on its website without a legal basis and without informing the data subjects. In addition, its privacy and cookie policies were not compliant with the GDPR.
English Summary
Facts
On 4 June 2020, the Belgian DPA received a complaint from the Order of Francophone Bars of Belgium (OBGF) and Mr. Forges concerning two websites (sos-services.be & sos.avocats.com) that list lawyers with their full name, address, a telephone number (if available) and a description of their activities. The operator of the websites is the controller. The lawyers are the data subjects.
The OBGF and Mr. Forges stated that the abovementioned personal data was processed without consent (or any other legal basis) and without informing them. They also stated that the privacy policy and the use of cookies were not compliant with the GDPR.
The controller raised 3 legal bases for the processing of the lawyers' personal data. First, it argued that the processing of the personal data is based on a contractual relationship with the lawyers listed. Second, it stated that it had obtained consent from some lawyers. The controller did admit that it had not obtained consent from all lawyers. Third, the controller argued that "some processing activities are undoubtedly based on legitimate interest," either of the data subject or the controller.
The controller stated that it had modified its privacy policy and added a cookie policy during the proceedings.
The controller stated that it no longer operates sos.avocats.com.
Holding
The DPA held that the controller did not have a legal basis for the processing of the personal data (Article 5(1) GDPR). The controller did not demonstrate a contractual relationship (Article 6(1)(b)) with the lawyers concerned. The DPA also found no evidence of consent given by the lawyers (Article 6(1)(a)). Regarding the controller's argument on legitimate interest, the DPA noted that relying on the legitimate interest of a data subject for its own processing goes against all logic of the GDPR. As for its own legitimate interest, this would not override the fundamental rights and freedoms of the lawyers concerned. The DPA therefore held that the controller violated Article 5(1)(a) and Article 6.
The DPA also held that the revision of the controller's privacy policy was not sufficient. First of all, it didn't indicate the purposes of the processing of the personal data of the persons concerned. Second, the DPA held that the retention period was not specific enough, as users could not foresee the actual retention period of their data. Hence, there was a breach of Article 13 and Article 14.
The DPA held that the controller violated Article 5(1)(a) (principle of fairness), as it did not inform the data subjects about the processing or the purposes pursued, and the processing relates to data for which the persons concerned do not know how or where it was collected. The controller also violated the principle of purpose limitation (Article 5(1)(b)) by not indicating the purposes of processing. Moreover, the principle of accuracy (Article 5(1)(d)) was violated, as the personal data was outdated or simply made up.
The DPA fined the controller €5000 and ordered it to suspend all processing of the lawyers' personal data listed on its website.
The DPA ordered the controller, first, to transmit the list of recipients (including subcontractors) to whom the personal data concerned was communicated or to confirm in writing that no such transfer took place; second, to submit a revision of its privacy policy in accordance with the GDPR within 3 months; and lastly, to permanently remove all personal data and send a written confirmation of the removal to the DPA.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.