APD/GBA (Belgium) - 137/2021

From GDPRhub
Revision as of 20:02, 14 December 2021 by FeestHoed.
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 14 GDPR
Article 15 GDPR
Article 17(1) GDPR
Article 21(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.12.2021
Published:
Fine: 10000 EUR
Parties: n/a
National Case Number/Name: 137/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Beslissing ten gronde 137/2021 van 8 december 2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian Data Protection Authority fined a company €10.000 for not ensuring bought data was gathered in a legal way, for not informing data subjects about data gathered indirectly from them, and for not informing a data subject about their decision not to provide information about their request.

English Summary

Facts

The complainant received a direct marketing letter in their mailbox, sent on the basis of their plans to renovate their property. The complainant contacted the defendant to object to the further processing of their personal data, to ask for the source of that data, and to request its deletion.

The defendant had bought the data from an external company and ignored the complainant's request twice. The defendant claimed to have acted in good faith when buying the database, believing it to be entirely legal, and argued that it therefore could not be blamed in this regard.

Holding

The DPA held that this case goes to the core of the GDPR. When personal data are not obtained from the data subjects directly, the controller must inform the data subjects of the processing, at the latest within one month of receiving the personal data or when first contacting them. In this respect, it is irrelevant how the data were gathered. Exceptions to this obligation are to be interpreted very narrowly, as transparency is at the core of EU data protection law.

The controller is thus obliged, in accordance with Article 12(3) GDPR, to provide the data subject within one month of receiving the request with information about the processing of their personal data under Article 15 GDPR, about the measures taken in response to the request and the manner of processing, about the measures taken as a result of the exercise of the right to object under Article 21(2) GDPR, and about the exercise of the right to erasure under Article 17 GDPR.

Additionally, the defendant must inform the data subjects of the retention period of their personal data, or of the criteria used to determine that period. In accordance with Article 21(3) GDPR, once the data subject has objected, the personal data may no longer be processed for direct marketing purposes. Only if the defendant processes the same data for a different purpose and on a separate legitimate basis may it retain the data.

Furthermore, the DPA held that Article 24 GDPR obliges the controller to implement appropriate technical and organisational measures to ensure that its processing complies with the GDPR. The defendant should therefore have verified that the database it bought had been compiled in a lawful and compliant manner. The defendant failed to exercise due diligence.

The DPA also held that, under Article 12(4) GDPR, the defendant was obliged to inform the complainant within 30 days of its decision and of the reasons why it would not provide the requested information.

Based on the above, the DPA considered that ignoring a data subject request twice is an aggravating factor. However, the defendant has since deleted the complainant's personal data and has informed the complainant, albeit late, which the DPA treated as a mitigating factor.

The DPA held that the defendant acted in breach of Article 14(1), Article 14(2), Article 14(3), Article 15, Article 17(1)(c) and Article 21(2) GDPR, in combination with Article 12(3) GDPR, imposed a fine of €10.000, and ordered the defendant to bring its practices into compliance with the above articles within 30 days of the decision.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.