APD/GBA (Belgium) - 71/2025

APD/GBA - 71/2025
Authority:	APD/GBA (Belgium)
Jurisdiction:	Belgium
Relevant Law:	Article 5(1)(c) GDPR Article 25 GDPR Article 60 GDPR Article 100 LCA Article 95 LCA
Type:	Complaint
Outcome:	Upheld
Started:	29.08.2024
Decided:	22.04.2025
Published:	22.04.2025
Fine:	n/a
Parties:	n/a
National Case Number/Name:	71/2025
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	French
Original Source:	APD GBA (in FR)
Initial Contributor:	claratab

In a prima facie decision, the DPA warned a company that required consumers to create an account prior to lodging a complaint on its website. The practice does not comply with the principles of minimization and data protection by design and by default

English Summary

Facts

A consumer (the data subject) wanted to submit a complaint to a company (the controller). The controller's website stated that complaints could only be filed via the website and that an account with the company was needed to file a complaint. Even though it was possible to file a complaint by phone or letter, the website did not mention those options.

The consumer lodged a complaint to the Finnish DPA. In August 2024, the complaint was transmitted from the Finnish DPA to the Belgian DPA- the supervisory authority under Article 60 GDPR.

Holding

The DPA pointed out that, according to a joint reading of Article 5(1)(c) and 25 GDPR, the controller must comply with the principles of data protection, especially minimization, and that this compliance must begin when the means are determined and continue during data processing (data protection by design and by default).

The DPA also reminded that, according to the principle of minimization, only data that is adequate, relevant and necessary for the purpose for which it is to be used may be processed.

With regard to these principles, the DPA considered that the obligation to create an account to lodge a complaint led to unnecessary data processing, regarding the purpose pursued (the appropriate processing of a consumer’s complaint).

Even though other options where available to submit the complaint, the DPA highlighted that a company can’t reasonably expect consumers to know them if its website only indicates clearly an obligation to create an account to submit it online.

During the proceedings, the company modified its website by adding a “guest” option to file a complaint without creating an account.

Regarding to these evolutions, the DPA only warned the company that it may have breached Articles 5(1)(c) and 25 GDPR.

The decision was issued under Article 95 LCA, which means it is not a decision on the merits. The data subject may request a decision on the merits, in accordance with Article 100 LCA.

Comment

This decision should raise awareness among website publishers and companies: a lack of transparency can lead to a flagrant breach of data protection principles. Minimization is strongly reaffirmed by the DPA as a requirement for the processing of personal data, from its very design throughout its life cycle.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/7

Litigation Division

Decision 71/2025 of April 22, 2025

File number: DOS-2024-04065

Subject: Complaint regarding the mandatory creation of a customer account

The Litigation Division of the Data Protection Authority, composed of Mr. Hielke

HIJMANS, President, sitting alone;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and

on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR",

Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, as
1
amended by the Act of 25 December 2023, hereinafter "LCA";

Having regard to the internal regulations of the Data Protection Authority, as approved by the

Management Committee on 25 April 2024 and published in the Belgian Official Journal on 31 May 2024;

Having regard to the documents in the file;

Has taken the following decision regarding:

The complainant: X, hereinafter "the complainant"

The respondent: Y, hereinafter "the respondent"

1
The Data Protection Authority wishes to remind you that the new Data Protection Act, as well as the new internal regulations, entered into force on June 1, 2024. The new provisions apply to complaints, mediations, requests, inspections, and proceedings before the Disputes Chamber initiated from that date. Cases opened before June 1, 2024, are subject to the provisions of the Act prior to its amendment by the Act of December 25, 2023, as well as to the internal regulations that existed before that date. Decision 71/2025 — 2/7

I. Facts and Procedure

1. On 29 August 2024, a complaint was submitted to the Belgian Data Protection Authority (hereinafter the "DPA") by the Finnish Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto Dataombudsmannens byrå), in accordance with the cooperation procedure referred to in Article 60 of the GDPR, after which the DPA accepted its role as lead supervisory authority on 15 October 2024.

2. The subject of the complaint concerns the mandatory creation of an account on the defendant's website before submitting a complaint regarding its service. 3. In his complaint, the complainant alleges that, when he wishes to file a complaint

regarding the defendant's services, he is required to create a customer account. The complainant states that, when he attempted to contact the defendant by email, he was forced to create a customer account in order to send an email.

The complainant believes that the requirement to create an account cannot be imposed as a prerequisite

for filing a complaint. 4. During the preliminary examination phase, the Finnish authority sent the defendant a total of five questions, to which the defendant responded on July 1, 2024.

5. On November 12, 2024, the Litigation Chamber informed the parties, in accordance with Article 95(2) of the LCA, that a case was pending, the content of the complaint, and the possibility to inspect and copy the case file at the registry of the Litigation Chamber. By this notification, the parties were invited to submit any comments they might have in this regard to the Litigation Chamber.

6. At its request, the defendant received a copy of the case file on December 4, 2024. On December 18, 2024, the Litigation Chamber received the defendant's comments on the case. The defendant explains that it offers the possibility of filing a complaint without

using a customer account, namely via various telephone numbers,
social media, postal letters, and customer service counters. The defendant therefore

argues that no violation of the GDPR has occurred.

7. In accordance with Article 60.3 of the GDPR, the draft decision was posted on the

IMI platform on January 16, 2025.

8. On March 11, 2025, a revised draft decision was posted on the IMI platform, in which

the DPA took into account the comments made by the Finnish and Hungarian supervisory authorities

in accordance with Articles 60.4 and 60.5 of the GDPR.

2Hereinafter referred to as "the Finnish Authority" Decision 71/2025 — 3/7

9. In light of the comments submitted on the revised draft decision, the DPA wishes to clarify that, although the Finnish supervisory authority suggested a reprimand under

Article 58.2. b) of the GDPR, the Litigation Chamber notes that such a sanction can only be imposed in proceedings "on the merits" in accordance with national law.

3
The DPA has decided that the potential violations committed by the respondent are not such as to justify proceedings "on the merits."

Therefore, the DPA has decided to issue a warning under Article 58.2. a)

of the GDPR, in accordance with its national "light procedure."

4

10. Finally, this decision constitutes an action under Article 60.7. of the GDPR.

11. In accordance with Article 95 § 2, 3° of the LCA, as well as Article 47 of the Rules of Procedure, the parties may request a copy of the file. If one of the parties wishes to consult and copy the file, they must contact the registry of the Litigation Chamber, preferably at the following address: litigationchamber@apd-

gba.be.

II. Grounds

12. The Litigation Chamber recalls that Article 25 of the GDPR provides that data controllers must take into account data protection principles, both when determining the means of processing and when processing data itself (data protection by design and by default). As stated in the relevant EDPB guidelines, data controllers must

design and create services that ensure the effective implementation of data protection principles

such as lawfulness of processing, transparency, minimization

or data integrity and confidentiality, when planning a process and

continuously throughout processing.

13. With regard to the minimization principle set out in Article 5.1. c) of the GDPR, this

means that only personal data that is adequate, relevant, and limited to

what is necessary for the purpose will be processed. It seems to the Litigation Chamber

that a "guest account" option would be more compliant, rather than the mandatory creation

of a user account that requires the processing of a password and leads to the

collection of more data than necessary for the intended purpose, which, in this case, is to

adequately handle a customer complaint.

14. In accordance with Article 25 of the GDPR, read in conjunction with Article 5.1. c) of the GDPR, the

Litigation Chamber is of the opinion that the possibility of filing a complaint in the event

3
Art. 100, §1, 5° LCA
4Art. 95, §1, 4° LCA
5
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default. Decision 71/2025 — 4/7

Redress of customer dissatisfaction must also be provided for without the mandatory creation of an online customer account.

15. In its letter of July 1, 2024, the defendant explains that "when you file a complaint

via the Y.com website, the sender must have a Y ID [username/password]." However, the

defendant asserts that no one is required to create a username or password

since it is possible to file a complaint by telephone. According to the defendant,

filing a complaint by telephone can be done using three different telephone numbers:

one for customer service, one for technical support, and one for billing inquiries. Furthermore, in its observations of December 18, 2024, the defendant explained that it offers customers the option of filing

a complaint via social media, by postal letter, or at a customer service desk, and that no account creation is required for these solutions.

16. Following informal research, the Litigation Chamber noted that the defendant's geo-targeted Finnish website provided the following information on how

to file a complaint: "Have a problem with a parcel? SignintoyouY.com profile, provide

us with the details and track the process as we put all hands on deck to investigate your
6
claim to see how we can make things right." In a video on the defendant's "file a claim" page explaining how to file a complaint, the following can be heard: "It's easy to

file a claim: start by logging in to your Y account."17. In light of these findings, the Disputes Division emphasizes that it is unreasonable to expect customers to know that they can file a complaint by telephone or other means, particularly when the defendant's website contains a complaints page that clearly states that a user account is required to file a complaint. The Disputes Division considers that, although the complainant could theoretically have filed a complaint through other channels without creating an account, such an expectation is unjustified given the clear information on the defendant's website. 18. For the sake of clarity, the Disputes Division is aware that the defendant uses a geo-targeted website, meaning that the content, language, value, or other elements of the website may vary depending on the location from which the visitor accesses it. To this end, it

is aware that some geo-targeted versions do indeed offer the possibility of filing

a complaint via a guest account. However, in this case, the complainant obtained access

via the Finnish version of the website, which did not provide for such a possibility
at the time the complaint was filed with the Finnish supervisory authority.

6 As displayed on the defendant's geo-targeted Finnish website accessed on October 17, 2024
7
As displayed on the defendant's geo-targeted Finnish website accessed on March 11, 2025 Decision 71/2025 — 5/7

19. In light of these elements, the Disputes Chamber is of the opinion that the defendant may
have violated Article 25 of the GDPR, read in conjunction with Article 5.1. c) of the GDPR, by requiring

the complainant to create a customer account in order to file a complaint.

20. Following a search conducted on January 13, 2024, the Litigation Chamber notes,

however, that the possibility of filing a complaint as a 'guest' has been added to

the Finnish extension of the defendant's website. The Litigation Chamber is

of the opinion that by taking these measures, the defendant has brought its practices into compliance with

the GDPR and fully addressed the complainant's concerns. The Litigation

Chamber will therefore take this into account in its assessment.

21. The Litigation Chamber concludes that the defendant may have violated the provisions of

the GDPR, which justifies a decision based on Article 95(1) of the LCA. In light of the measures taken by the defendant, including the introduction of the possibility

of filing a complaint as a temporary guest, the Litigation Chamber has decided to

issue a warning to the defendant. Specifically, the Litigation Chamber

warns the defendant that it may have violated Article 25 of the GDPR, read

in conjunction with Article 5.1. c) of the GDPR, by de facto not offering the complainant the

possibility of filing a complaint without creating an online account.

22. This decision is a prima facie decision taken by the Litigation Chamber

in accordance with Article 95 of the LCA based on the complaint filed by the complainant,

as part of the "procedure prior to the decision on the merits" and not a decision on the

merits of the Litigation Chamber within the meaning of Article 100 of the LCA.

23. The purpose of this decision is to inform the defendant that it may have committed a violation of the provisions of the GDPR and to allow it to continue complying with the aforementioned provisions.

24. However, if the defendant does not agree with the content of this decision prima facie and considers that it can provide factual and/or legal arguments that could lead to a new decision, it may request a review by the Litigation Chamber in accordance with the procedure established by Article 98 in conjunction with Article 99 of the LCA, known as the 'proceedings on the merits' or 'dealing with the merits'. This

request must be sent to the email address litigationchamber@apd-gba.be within

30 days of notification of this prima facie decision. If applicable,

the enforcement of this decision is suspended for the aforementioned period.

25. In the event of further processing of the case on the merits, pursuant to Article 98(2) and (3)

junctively with Article 99 of the LCA, the Litigation Chamber will invite the parties to submit their

8 "File a claim as a guest," as posted on the defendant's geo-targeted Finnish website, accessed on March 11, 2025
9 Section 3, subsection 2 of the LCA (Articles 94 to 97 inclusive). Decision 71/2025 — 7/7

The defendant may submit a request for the merits of the case to be dealt with via the email address

litigationchamber@apd-gba.be, within 30 days of notification of this decision.

If applicable, the execution of this decision is suspended during the aforementioned period.

Furthermore, the defendant may file an appeal against this decision in accordance with

Article 108, §1 of the LCA, within 30 days of notification, with the Market Court (Brussels Court of Appeal), with the Data Protection Authority as the defendant.

Such an appeal may be filed by means of an adversarial application which must

contain the information listed in Article 1034ter of the Judicial Code. The adversarial application

must be filed with the registry of the Market Court in accordance with Article 1034quinquies of the

12
Judicial Code, or via the e-Deposit system of the Justice Department (Article 32ter of the

Judicial Code).

(Sé). Hielke H IJMANS

President of the Litigation Chamber

11 "The application must contain, under penalty of nullity:

1° the day, month, and year;

2° the surname, first name, and address of the applicant, as well as, where applicable, their status and national registry number or company number;

3° the surname, first name, address, and, where applicable, the status of the person to be summoned;

4° the subject matter and a summary of the grounds for the application;

5° the name of the judge hearing the application;

6° the signature of the applicant or their lawyer."

12"The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry."