APD/GBA (Belgium) - 56/2021

From GDPRhub
APD/GBA - 56/2021
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR
Article 24 GDPR
Article 25 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Decided: 26.04.2021
Fine: 100000 EUR
Parties: n/a
National Case Number/Name: 56/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Belgian Data Protection Authority (in FR)
Initial Contributor: n/a

The Belgian DPA fined a financial institution €100,000 for failing to implement adequate security measures to control employee access to the Belgian Central Credit Register in violation of Articles 32, 25, 24, and 5(2) GDPR.

English Summary


The decision concerns access by employees within an unnamed financial institution to the Central Credit Register ('CCR') operated by the Belgian National Bank.

Employees at the financial institution could access the CCR via one of two systems. The first system, which was for regular staff, kept a record of each employee that used it. The second system, which was for managers, did not register employees. The financial institution states that only five employees had access to the CCR via the second system, and that they used a shared password.

A file in the CCR concerning the complainant was accessed at least 20 times between April 2016 and August 2018 via the second system. Whilst it was not possible to identify exactly which employee was responsible on account of the lack of record keeping, it is known that one of the five relevant employees is the defendant's ex-husband. According to the defendant, her ex-husband used his access to the CCR to obtain information which unfairly assisted him in proceedings concerning the liquidation of their joint estate following their divorce.

The complaint argued that the financial institution failed to take appropriate measures to secure its processing activities as required by Article 32 GDPR. A separate complaint, which is still pending before the Belgian DPA, was also filed by the complainant against her ex-husband.


The Litigation Chamber ('the Chamber') found that the financial institution had clearly violated its obligation to ensure the security of processing activities under Article 32 GDPR, because it had not implemented any measures to control managers' access to the CCR. It highlighted that measures to ensure the security of processing are particularly important where sensitive data - such as the financial data regarding data subjects' credit worthiness contained in the CCR - is processed, as the threat to data subjects' fundamental rights is higher. The Chamber also noted the absence of a system to register managers accessing the CCR, which prevented data subjects from exercising their right of access regarding the processing, as well as prevented the financial institution itself from monitoring which employees had access and whether this was for an appropriate purpose.

In addition to the violation of Article 32 GDPR, the Chamber found that the financial institution had violated:

  • Article 25 GDPR on data protection by design and default; and
  • Article 5(2) and 24 GDPR on the accountability principle.

Based on these violations, the Chamber imposed a €100,000 fine on the financial institution. In deciding the amount of the fine, the Chamber considered:

  • the sensitive nature of the personal data;
  • the length of the period (April 2016 to August 2018) of the relevant processing operations;
  • that the personal data was accessed 20 times;
  • that few additional measures had been put in place since the incident to enhance the security of processing;
  • that without the complaint, there would have been the risk of further unlawful processing operations.


This is the second highest fine issued by the Belgian DPA under the GDPR. The highest was the €600,000 fine against Google on the right to be forgotten, available on the GDPRhub here: APD/GBA - 37/2020.

In their short commentary on the decision, linked below, Craddock et al. also highlight the fact that part of the infringement, as well as at least some of the 20 instances of access, occurred before the GDPR became applicable, and argue that this may form part of any appeal by the financial institution.

Further Resources

Craddock, De Munter, Wellens, Willems, 'Insufficient cybersecurity measures under GDPR: 100k EUR fine in Belgium & key fines elsewhere' (29.04.2021): https://www.e-nautadutilh.com/56/4427/landing-pages/news-item.asp?sid=f38ffc41-d18e-45f8-ab46-5e0783261fc7 (accessed 05.05.2021).

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.