APD/GBA (Belgium) - 72/2025
APD/GBA - 72/2025 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR; Article 5(2) GDPR; Article 6(1) GDPR; Article 12(1) GDPR; Article 14(1) GDPR; Article 14(2) GDPR; Article 15(1) GDPR; Article 24(1) GDPR; Article 25(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 01.02.2021 |
Decided: | 22.04.2025 |
Published: | |
Fine: | 20,000 EUR |
Parties: | An unnamed B2B data broker |
National Case Number/Name: | 72/2025 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | APD/GBA (in NL) |
Initial Contributor: | cci |
The DPA fined a B2B data broker €20,000 for unlawfully collecting and disclosing a data subject's email address, and for numerous other GDPR violations. In particular, the DPA held that the processing was not justified by the controller's legitimate interest.
English Summary
Facts
In 2021 the managing partner of a company (the data subject) received a direct marketing e-mail from another company. He filed an access request with the company and found that his personal data were provided by a B2B data broker (the controller).
The data subject then filed an access request with the data controller. In particular, he required a list of all the sources and the individual recipients of his personal data. The controller replied that his data were collected via the Crossroads Bank for Enterprises (that is, the Belgian public register for businesses) and other public sources, and refused to provide information on individual recipients.
The data subject later filed a complaint with the DPA. He complained about several violations of the GDPR, including the unlawful processing of his email and the incomplete response to his access request.
During the investigation, the DPA found that the controller relied on several data sources other than the Crossroads Bank, including the controller's affiliate companies. When questioned by the DPA, the controller itself was unable to provide a clear and complete picture of its sources.
Holding
The DPA held that the controller violated Articles 5(1)(a), 5(2), 6(1), 12(1), 14(1), 14(2), 15(1), 24(1), and 25(1) GDPR. The DPA fined the controller a total of €20,000:
- €8,000 for unlawfully processing the data subject’s email address (Articles 5(1)(a), 5(2), and 6(1));
- €6,000 for violating the principle of transparency and the transparency duties of data controllers (Articles 5(2), 12(1), 14(1), 14(2), 24(1), and 25(1));
- and €6,000 for failing to appropriately respond to the data subject’s access request (Article 15(1)).
On the nature of the data
The controller claimed that the email addresses it controlled were contact information for a legal person. On this basis, the controller argued that it did not process personal data.
The DPA rejected this argument. In the present case, the data subject’s email included his name. Therefore, it referred to the data subject and constituted his personal data. It did not matter that the email was used for B2B marketing and that it referred to both the data subject and the company he was working for.
On the controller's legitimate interest
The controller claimed that the processing of the data was based on its legitimate interest under Article 6(1)(f) GDPR.
However, the DPA held that the controller could not rely on the legal basis of legitimate interest. So, the DPA concluded that the processing was unlawful.
In the DPA’s view, the controller failed to balance its interest with the rights and freedoms of the data subject for a number of reasons (among others: the processing did not meet the reasonable expectations of the data subject, and the data subject was not informed proactively and given the opportunity to object to the processing beforehand).
The DPA also pointed out that the controller’s legitimate interest assessment[1] was fundamentally flawed because it weighed the controller’s interest against its customers’ instead of the data subjects’.
On transparency
The controller argued that it was under no obligation to provide information to the data subjects. In the controller’s view, providing information was up to its clients, who acted as independent controllers of personal data and, unlike the controller, were in direct contact with the data subjects due to their marketing activities. Furthermore, the controller argued that the data subjects were informed anyway because the controller’s privacy statement included all the relevant information.
The DPA rejected both arguments. It held that all successive controllers along the data processing chain must separately inform data subjects. Furthermore, it stated that the controller could not reasonably expect the data subject to consult its privacy statement. Finally, it held that the controller’s privacy statement was incomplete either way.
Ultimately, the DPA held that the controller should have reached out in a direct and proactive way in order to provide the data subject with information. For this reason, the DPA found that the controller violated its transparency obligations.
On the access request
With regard to the access request, the controller claimed that providing the data subject with a list of individual recipients would have involved a disproportionate effort. Therefore, the controller argued that it was exempt from the obligation to do so, as stated by Article 14(5)(b) GDPR.
The DPA rejected this argument: it held that the exemption under Article 14(5)(b) did not apply to the data controller's obligation to respond to access requests (Article 15 GDPR).
So, the DPA held that the controller was under an obligation to provide a list of individual recipients of personal data, rather than a mere list of categories of recipients. In this regard, the DPA also referred to the Österreichische Post case of the CJEU[2] as well as the Guidelines of the EDPB[3] and the Article 29 Working Party[4].
Finally, the DPA also held that the controller failed to inform the data subject about the sources of his personal data and the length of its storage.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dispute resolution
Decision on the merits 72/2025 of 22 April 2025

File number: DOS-2021-00561

Subject: Complaint against a data broker

The Dispute Resolution of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs Jelle Stassijns and Frank De Smet;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

In view of the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;

In view of the documents in the file;

has taken the following decision regarding:

Complainant: X, hereinafter referred to as “the complainant”

Defendant: Y, represented by Mr Wim Wijsmans, hereinafter referred to as “the defendant”

I. Facts and procedure

1. Mr X (hereinafter referred to as “the complainant”) is a managing partner at the company Z1. After receiving a direct marketing e-mail from Z2 International Sarl, he submits a request to the latter to delete his data. On 15 January 2021, Z2 International informs the complainant that it has obtained the data from Y (the defendant) and added it to its database as of 7 January 2021. It further states that the data in question has now been removed from its database. The complainant then sends a request for access to the defendant on 15 January 2021.
More specifically, he requests an overview of all the data that the defendant has collected from him, how the data was obtained, when the data was obtained, from which source the data was obtained, from which intermediaries the data was obtained, to which parties the data was passed on, the storage period, and how the data was processed. Furthermore, the complainant states in the same e-mail that he was not informed in accordance with Articles 13 and 14 GDPR at the time of the collection of the data or at the latest one month after the processing or at the time of first contact. In addition, the complainant refers to the rules of use of the Crossroads Bank for Enterprises (CBE), on the basis of which it would be unlawful to use personal data of the CBE for direct marketing purposes. The complainant also demands that the defendant cease all processing of his data and erase the data after he has obtained access.

On 29 January 2021, the defendant responds to the complainant's e-mail. The defendant states that it is a supplier of a platform on which organisations can map out their business target group in great detail. This service can serve as a starting point for analyses, enrichments, or marketing and sales campaigns. The defendant informs the complainant that the data it processes is exclusively the data of the complainant's organisation as registered with the CBE. It adds a copy of the data in the e-mail attachment. The defendant confirms that the complainant’s data will be removed from its database, and that an automated removal request will be passed on to its customers.
As regards the complainant’s question regarding the recipients of the data, the defendant argues that this would firstly require a disproportionate effort, and secondly that this is not a requirement under the GDPR, as naming the ‘categories’ of recipients is sufficient, namely: “organisations that attach importance to high-quality support for B2B marketing and sales campaigns, analyses of business target groups and keeping carefully constructed business databases up-to-date”. Finally, the defendant believes that it has never approached the complainant for marketing or sales purposes itself, and that the complainant’s assertion that it has an active role in the direct marketing communications he has received from Z2 is therefore incorrect. The defendant claims that Z2 has made improper use of its services by sending an unsolicited commercial message to the complainant's email address. The defendant informs the complainant that it will take appropriate action.

2. On 1 February 2021, the complainant files a complaint with the Data Protection Authority against the defendant. The complainant claims that the defendant uses his personal data from the KBO for direct marketing purposes. He refers to the privacy statement on the defendant's website, which at the time of the complaint stated the following: "All personal data in Y's database have as the ultimate source the Crossroads Bank for Enterprises or public sources". According to the complainant, the use of this data for direct marketing purposes would be unlawful on the basis of Article 2, § 1, paragraph 2 of the Royal Decree of 18 July 2008 concerning the commercial reuse of public data from the Crossroads Bank for Enterprises. Furthermore, the complainant states that when he requests access to his data from the defendant, he does not receive any details about the recipients of his data and the request thereof from the KBO.
He states that the defendant refuses to fulfil its obligation to provide the information required in Article 14 GDPR to the data subjects.

3. On 24 February 2021, the complaint is declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is transferred to the Dispute Chamber on the basis of Article 62, § 1 WOG.

4. On 24 March 2021, the Dispute Chamber decides on the basis of Article 63, 2° and 94, 1° WOG to request an investigation from the Inspection Service.

5. On 24 March 2021, in accordance with Article 96, § 1 WOG, the request of the Dispute Chamber to conduct an investigation is transferred to the Inspection Service, together with the complaint and the inventory of the documents.

Footnote 1: Art. 2. § 1. The public data of the Crossroads Bank for Enterprises may be transferred by the management service to third parties for commercial reuse in accordance with the additional rules and conditions of this decision. However, third parties may not use and/or redistribute personal data for direct marketing purposes.

6. On 20 May 2021, the investigation by the Inspection Service is completed, the report is added to the file and the file is transferred by the Inspector-General to the Chairman of the Dispute Chamber (Article 91, § 1 and § 2 WOG).

7. The report contains findings regarding the subject of the complaint and decides that Y has committed infringements of the following articles:
- Article 5.1.a and 5.2, as well as Article 6.1 of the GDPR;
- Articles 12.1, 12.2, 12.3 and 12.4 of the GDPR, as well as Articles 15, 17, 19, 21, Article 24.1 and 25.1 of the GDPR;
- Articles 12.1, 13.1 and 13.2, 14.1 and 14.2, 5.2, 24.1 and 25.1 of the GDPR.

The report also contains findings that go beyond the subject of the complaint.
The Inspection Service establishes, in broad terms, that Y has committed infringements of the following articles:
- Articles 4.11, 5.1.a and 5.2 of the GDPR, 6.1.a, as well as Articles 7.1 and 7.3 of the GDPR;
- Article 5 and Article 24.1 GDPR, as well as Article 25.1 and 25.2 of the GDPR;
- Article 30.1 and Article 30.3 of the GDPR;
- Article 38.1 and Article 39.1 of the GDPR.

8. On 18 June 2021, the Dispute Chamber decides on the basis of Article 96, § 2 WOG and applying Articles 63, 3° and 94, 2° WOG to request an additional investigation from the Inspection Service.

9. On 22 June 2021, the supplementary investigation by the Inspectorate is completed, the supplementary report is added to the file and the file is transferred by the Inspector-General to the Chairman of the Dispute Chamber (Article 91, § 1 and § 2 WOG). The supplementary report concludes that Y has also committed infringements of the following articles:
- Article 28.3 of the GDPR.
- Article 12.1, Article 14.2, Article 5.2, Article 24.1 and Article 25.1 of the GDPR.

10. On 21 January 2022, the Dispute Chamber decides on the basis of Article 95, § 1, 1° and Art. 98 WOG that the file is ready for processing on the merits, and the parties involved are notified by registered mail of the provisions as stated in article 95, § 2, as well as those in art. 98 WOG. They are also notified on the basis of art. 99 WOG of the deadlines for submitting their defences. As regards the findings relating to the subject of the complaint, the deadline for receipt of the defendant's conclusion of reply was set at 4 March 2022, that for the complainant's conclusion of reply on 25 March 2022 and finally that for the defendant's conclusion of reply on 15 April 2022. The deadline for receipt of the defendant's conclusion of response with respect to the findings that do not directly relate to the subject of the complaint was set at 4 March 2022.

11. On 21 January 2022, the complainant electronically accepts all communication regarding the case.

12. On 21 January 2022, the defendant also electronically accepts all communication regarding the case and indicates that it wishes to make use of the possibility to obtain a copy of the file (art. 95, §2, 3° WOG), which was sent to it on 26 January 2022. The defendant also indicates that it wishes to make use of the possibility to be heard, in accordance with article 98 WOG.

13. On 4 March 2022, the Disputes Chamber receives the conclusion of the answer from the defendant regarding the findings relating to the subject of the complaint. This conclusion also contains the response from the defendant regarding the findings made by the Inspectorate outside the scope of the complaint.

14. On 23 March 2023, the Disputes Chamber receives the conclusion of the reply from the complainant, regarding the findings relating to the subject of the complaint.

15. On 15 April 2023, the Disputes Chamber receives the conclusion of the reply from the defendant regarding the findings relating to the subject of the complaint.

16. On 9 October 2024, the parties are informed that the hearing will take place on 4 November 2024.

17. On 4 November 2024, the parties are heard by the Disputes Chamber.

18. On 8 November 2024, the minutes of the hearing are submitted to the parties.

19. On 15 November 2024, the Dispute Chamber receives from the defendant some comments regarding the minutes, which it decides to include in its deliberations.

20. On 19 February 2025, the Dispute Chamber informed the defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend itself, before the sanction is actually imposed. On 13 March 2025, the Dispute Chamber receives the defendant's response to the intention to impose an administrative fine, as well as the amount thereof.

II. Summary proceedings

21. On 6 March 2025, Y filed a claim before the court by summons. It claims, in the main order, to declare that the publication of the decision of the Dispute Chamber should be suspended until the decision becomes final (or reformed), i.e. until the expiry of the appeal period or until the ruling of the Market Court, and this under penalty of a penalty. In the subordinate order, Y claims to declare that the decision of the Dispute Chamber should be anonymised before its publication, and this under penalty of a penalty. Y hereby orders to be granted the right to check the anonymisation of the decision and to make suggestions for (additional) anonymisation. Furthermore, Y claims that the Data Protection Authority should refrain from any publication regarding the decision (via news reports or social media) in order to prevent Y's anonymity from being breached.

22. At the public hearing of 19 March 2025, the parties are heard, the parties' documents are filed, the debates are closed and the case is taken into deliberation.

23. On 26 March 2025, the interim relief judge declares Y's claim admissible but unfounded, and orders Y to pay the costs of the proceedings and the court fees. According to the president of the court, "no material evidence or elements of the allegations and doomsday scenarios presented by the claimant [Y] in the event of publication of the decision of the defendant [the Data Protection Authority]" are presented.

Firstly, the interim relief judge rules that Y does not prove the urgency. According to the judge, the alleged damage to reputation is based on unilateral assertions, and financial damage to a commercial enterprise can be assumed to be repairable, unless proven otherwise. Y does not make it credible that its continued existence would be jeopardised by the mere publication of the decision.
Furthermore, the judge points out that the publication of the decisions of the Dispute Chamber is based on the law (art. 95, § 1, 8°, 100, § 1, 16° and 108, § 3 WOG) and can therefore be fully expected. This publication cannot therefore be a sufficient reason for alleged damage. According to the judge, Y's position would lead to a ban on publication for any decision until a decision has been made on the appeal, while art. 108, § 3 WOG prescribes publication in order to protect the rights of third parties in the context of the appeal procedure.

Secondly, the summary proceedings judge finds that Y does not show a sufficient appearance of law. The president of the court clarifies that the decision-making authority on publication is exclusive and solely vested in the Dispute Chamber. He notes that the legislator apparently assumed that publication is the rule and non-publication the exception. By preemptively obliging the Dispute Chamber to publish or not to publish, the president of the court would be appropriating the powers of the Dispute Chamber. Moreover, there would be no evidence that the Dispute Chamber would not act correctly. Finally, the president of the court recalls that publication under art. 108, § 3 WOG was introduced to give third parties the opportunity to appeal against a decision of the Disputes Chamber. According to the chairman, the discussion in the current file appears to have a broader impact in that context and also affects the rights and interests of third parties.

III. Reasoning

III.1. Description of the contested processing activity by the defendant

24. The defendant, Y, is a subsidiary of the companies Z3 and W [footnote 2], registered in the Netherlands. The latter has entered into a data licence agreement with the company Z7, also registered in the Netherlands, on the basis of which Z7 supplies data to W, who then passes the data on to its subsidiaries, including the defendant.
The defendant then grants (sub-)licences of the data [footnote 4] to its customers. In its “General Terms and Conditions (shortened)”, the defendant states that its customers can use the data for various purposes, including marketing and sales campaigns, enrichments, and analyses. In practice, the data is made available to customers via a portal of the defendant. [footnote 6]

25. The categories of data that are supplied by Z7 to W, and that are then made available to its customers by the defendant, are described in Appendix 1 of the agreement between Z7 and W. These data concern a database of “Dutch Basic Data”, and, relevant within the scope of the present complaint, a database of “Belgian Basic Data”. According to the agreement, this latter database comprises 1.3 million company addresses and monthly updates of a certain list of data components.

Footnote 2: Paragraph 1 defendant's summary conclusions
Footnote 3: Document 1 defendant's summary conclusions
Footnote 4: Documents 4-5 defendant's summary conclusions
Footnote 5: Documents 6-7 defendant's summary conclusions
Footnote 6: Paragraph 4 defendant's summary conclusions
Footnote 7: Document 1 defendant's summary conclusions

III.1.1. Qualification of the data

26. In its summary conclusions, the defendant states that it only processes personal data to a very limited extent. According to it, the processing that gave rise to the present complaint cannot be qualified as processing personal data, which means that the GDPR does not apply. According to the defendant, the e-mail address "[...]" is not personal data but data about a legal entity. It refers to Recital 14 of the GDPR: “The protection afforded by this Regulation applies to natural persons, irrespective of their nationality or place of residence, with regard to the processing of their personal data.
This Regulation does not apply to the processing of data relating to legal persons and in particular companies established as legal persons, such as the name and legal form of the legal person and the contact details of the legal person.” (emphasis added by the defendant) According to the defendant, the email address “[…]” should be considered a contact detail of a legal person, and the GDPR does not apply in accordance with Recital 14. In general, the defendant states that the data in its databases can only be qualified as personal data in the case of sole proprietorships or the names of the directors of legal entities. [footnote 8]

27. In this regard, the Dispute Chamber refers to Article 4.1 of the GDPR, where the term personal data is defined: “Personal data: any information relating to an identified or identifiable natural person (‘data subject’); is considered to be identifiable a natural person who can be identified directly or indirectly, in particular by an identifier such as a name…”

28. The complainant is a natural person who can be directly identified by the email address “[..]”, which means that this email address must be considered as personal data according to Article 4.1 of the GDPR. Although it is an email address used by the complainant in the context of a professional activity, it remains information about a natural person. The Court of Justice of the European Union has also ruled that the fact that information belongs to a professional context does not affect its classification as personal data. The Litigation Chamber also recalls that this Court already ruled in 2010 that the name of a legal person is considered to be personal data if the name reveals the identity of one or more natural persons. Recital 14 serves to specify that the name of a legal person such as Y is not personal data if it does not contain information about a natural person. The processing of the complainant's e-mail address thus falls within the material scope of the Regulation, in accordance with Article 2.1 GDPR. These personal data do not fall within the categories of personal data described in Article 2.2 GDPR to which the GDPR does not apply. For the sake of completeness, the Dispute Chamber points out that recital 14 of the GDPR cannot constitute an exception to the material scope of the GDPR within the meaning of Article 2 GDPR.

Footnote 8: Marginal number 52 summary conclusions of the defendant
Footnote 9: CJEU, judgment of 9 March 2017, Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni, C-398/15, ECLI:EU:C:2017:197, paragraph 34 and the case-law cited therein

III.1.2. Scope of data processing

29. In paragraph 54 of its summary conclusions, the defendant provides an overview of the e-mail addresses included in its data bank. In total, the defendant is said to process 229,557 e-mail addresses. Based on its reasoning concerning the qualification of data, the defendant states that 161,387 – or 70.3% of the 229,557 – e-mail addresses are “impersonal”. Furthermore, the defendant states that 21,017 email addresses are likely to be personal data, 44,964 email addresses are “not assessed”, and 2,184 email addresses are “unknown”. Based on its hypotheses that 50% of the “unknown” email addresses, and 70% of the “not assessed” email addresses, are personal data, the defendant states that 53,584 email addresses are possibly personal data. However, according to the defendant, the GDPR does not apply to the majority of these email addresses because most of them are the contact address of a company. In this regard, it states that only the data relating to sole proprietorships can be considered personal data.

30. As explained above, the Dispute Chamber finds that the defendant incorrectly qualifies data, such as the complainant’s e-mail address, as not being personal data. Consequently, the Dispute Chamber also does not follow the defendant’s calculation based on its own qualification method. At least 68,165 e-mail addresses could possibly be personal data that also fall within the scope of the GDPR, since the defendant itself states that 21,017 e-mail addresses are likely to be personal data, 44,964 e-mail addresses are “not assessed”, and 2,184 e-mail addresses are “unknown”. In any case, the defendant itself concludes in May 2021 that it processes personal data on a large scale. Furthermore, the Inspection Service establishes in its investigation report that the defendant systematically and on a large scale processes personal data. During the hearing, the defendant states that the amount of data processed today would not differ much from the amount that was communicated in the summary conclusions. [footnote 12]

Footnote 10: ECJ, judgment of 9 November 2010, Volker und Markus Schecke GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen, C-92/09 and C-93/09, ECLI:EU:C:2010:662, paragraphs 53 and 54
Footnote 11: Annex 14 to the letter from the defendant to the GBA dated 5 May 2021

31. Furthermore, the Dispute Chamber notes that there is uncertainty regarding the original source of the data, and in particular whether the complainant's data were originally collected at the KBO. The complainant states in his complaint that the data were collected at the KBO. At the time of the complaint, the defendant states in its privacy statement the following: "All personal data in Y's database have the Crossroads Bank for Enterprises or public sources as their ultimate source". The defendant later amended this, so that its privacy statement at the time of this writing states that "the Crossroads Bank for Enterprises is not the source of the data included in our database".
The defendant states in her summary conclusions that the data do not come from the KBO or other public sources, but from Z7. However, the defendant also states that she assumes that Z7's database of Belgian business information has been enriched with data from (among others) the KBO in order to guarantee its accuracy. Z7 allegedly obtained the data from Z3, and according to the defendant this party allegedly collected the data from various sources such as the KBO and Z6. During the hearing, the Dispute Chamber asks the defendant for an explanation of the relationship between Y and the KBO. The defendant replies that she has no relationship with the KBO, but that the original source of the data would in many cases be the KBO. She also states that the data does not come directly from the KBO, but that it may have been collected indirectly from the KBO by Z5. She infers this possibility from Z5's privacy statement. The defendant states that she has no insight into this. III.2. Lawfulness of processing (Articles 5.1.a and 5.2, as well as Article 6.1) 32. Article 5.1.a) GDPR stipulates that personal data must be processed in a lawful, fair and transparent manner with respect to the data subjects. Furthermore, Article 6.1 GDPR stipulates that the processing of personal data is only lawful if and to the extent that it is based on one of the legal grounds laid down in Article 6.1.a) – f) GDPR. The controller must check before processing whether the conditions of one of the possible legal grounds are met. Finally, the controller must be able to demonstrate that the processing is lawful, taking into account the accountability obligation imposed on him under Article 5.2 GDPR. 33. In the present case, the defendant relies on the legal basis provided for in Article 6.1.f) GDPR. 
This legal basis provides that the processing is lawful insofar as it is “necessary for 12PV Hearing, page 4 13 Marginal numbers 60 and 61 summary conclusions of the defendant 14PV Hearing, page 4 15PV Hearing, page 6 Decision on the substance 72/2025- 11/48 the protection of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. According to the Court of Justice, the legal basis referred to in this provision must be interpreted restrictively, since it allows the processing of personal data to be lawful without the data subject having given his consent. 16 34. The Court of Justice has held that Article 6.1.f) GDPR lays down three cumulative conditions that must be met for the processing of personal data referred to therein to be lawful, namely, firstly, the pursuit of a legitimate interest of the controller or of a third party, secondly, the necessity of processing personal data for the pursuit of the legitimate interest, and, thirdly, the condition that the interests or fundamental rights and freedoms of the data subject concerned do not override the legitimate interest of the controller or of a third party.7 35. In the present case, the Inspectorate finds that the defendant fails to comply with the obligations imposed by Articles 5.1.a), 6.1 and 5.2 GDPR. The Inspectorate finds that the defendant does not sufficiently take into account the three cumulative conditions that must be met in order to invoke the legal basis of a legitimate interest. According to the Inspectorate, the defendant in particular does not meet the condition that the interests or fundamental rights and freedoms of the person concerned do not outweigh the legitimate interest of the controller or of a third party (the "balancing test"). 36. 
This balancing of the competing rights and interests involved depends on the circumstances of the specific case. The controller must take into account the interests, fundamental rights and freedoms of the data subject, the impact of the processing on the data subject and the reasonable expectations of the data subject. Recital 47 of the GDPR provides that the interests and fundamental rights of the data subject outweigh the interest of the controller in particular when personal data are processed in circumstances in which the data subjects could not reasonably have expected such processing. In any case, a careful assessment is required to determine whether there is a legitimate interest, as well as to determine whether a data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose can take place.[20]

[16] CJEU, judgment of 4 October 2024, Koninklijke Nederlandse Lawn Tennisbond v. Autoriteit Persoonsgegevens, C-621/22, ECLI:EU:C:2024:857, paragraph 31 and the case-law cited therein.

[17] CJEU, judgment of 4 July 2023, Meta v. Bundeskartellamt, C-252/21, ECLI:EU:C:2023:537, paragraph 106 and the case-law cited therein; see also Guidelines 1/2024 on the processing of personal data based on Article 6(1)(f) GDPR, Version 1 of 8 October 2024.

[18] CJEU, judgment of 4 July 2023, Meta v. Bundeskartellamt, C-252/21, ECLI:EU:C:2023:537, paragraph 110 and the case-law cited therein.

37. In its report, the Inspection Service refers to the judgment in the TK case, in which the Court of Justice ruled that “the reasonable expectations of the data subject that his personal data will not be processed when, in the circumstances of the case, he cannot reasonably expect any further processing thereof” are relevant.
In that context, the Inspection Service notes that the fact that personal data of data subjects are processed in the context of and are accessible via the CBE or public sources does not imply that those data subjects may reasonably expect that those personal data will subsequently be made available by the defendant to its customers, systematically and for payment, without their consent, and will therefore be further processed.

III.2.1. Balancing of interests with regard to the interests, fundamental rights and freedoms of the data subject and the impact of the processing on the data subject

38. In its summary conclusions, the defendant states that its own interests, taking into account the measures it has provided, outweigh the rights of the data subjects. Like the Inspectorate, it refers to the TK judgment, and more specifically to points 54 and 55 of this judgment, in which the Court of Justice ruled that it can be taken into account that the seriousness of the infringement of the fundamental rights of the data subject as a result of the processing may differ depending on whether the data concerned are available in publicly accessible sources. Furthermore, according to the defendant, it follows from the same judgment that this assessment must also take into account the nature of the personal data concerned and the processing, the specific method of processing and access to the data, and the reasonable expectations of the data subject. The defendant states that the data it processes are not sensitive since they are only “business data” that are always publicly available.

[19] CJEU, judgment of 4 July 2023, Meta v. Bundeskartellamt, C-252/21, ECLI:EU:C:2023:537, paragraph 112.

[20] Recital 47 GDPR.

39. As regards the defendant's assertion that the data concerned are also publicly available in other ways, the Litigation Chamber is of the opinion that the defendant has not sufficiently demonstrated this. In this case, the complainant's data were publicly
available via the KBO, but the defendant states that the KBO was not the source for its database. It is therefore up to the defendant to demonstrate that all personal data it has are publicly available.

[21] CJEU, judgment of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064, paragraph 58

[22] CJEU, judgment of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064, paragraph 54

40. Furthermore, the defendant states that the number of data subjects whose personal data it would process is limited because it is a small percentage of people in relation to the population. The Dispute Chamber recalls that in May 2021 the defendant itself assessed that it processes personal data on a large scale. As set out in paragraph 26 of this decision, it cannot be ruled out that the defendant processes at least 68,165 e-mail addresses that may be personal data and fall within the scope of the GDPR. The ratio between the number of data subjects and the general population does not detract from the fact that the defendant processes personal data on a large scale.

41. The defendant further states that the data subjects have the possibility to object to the processing. In this regard, the Dispute Chamber refers to Chapter III.3 of this decision, which shows that the defendant does not take sufficient measures to proactively inform data subjects that their data are being processed. In the present case, the complainant was not informed by the defendant that his data would be processed, and he was also unable to exercise his right to object until he had obtained the necessary information from a client of the defendant.

42.
The defendant then states that the risk of a data breach is limited because it has taken security measures, and that, if a breach were to occur, its impact would still be limited because no sensitive data is processed and because the data is always publicly accessible. As mentioned above, the Dispute Chamber finds that the defendant has not demonstrated this last point.

43. The Dispute Chamber finds that the document "balancing of interests" drawn up by the defendant in April 2021 [25] does not pay attention to the interests, fundamental rights and freedoms of the data subject, the impact of the processing on the data subject or the reasonable expectations of the data subject. The defendant thus does not demonstrate that it assessed, prior to processing, the extent to which the data subjects could potentially experience negative consequences. Without these essential elements, there can be no balancing of interests as required by the Court of Justice.

[23] Marginal number 78, page 29 of the defendant's summary conclusions

[24] Appendix 14 to the defendant's letter to the GBA of 5 May 2021

[25] Appendix 9 to the defendant's letter to the GBA of 5 May 2021

44. The Dispute Chamber notes that the defendant's "weighing of interests" shows misunderstandings regarding the required weighing of interests. To begin with, title 2.2 of the "Weighing of interests" reads as follows: "2.2 Weighing of interests: is the processing necessary to achieve one or more objectives of Y?" The question that the defendant poses to itself concerns the necessity test, and not a weighing of the conflicting rights and interests involved. Furthermore, the defendant writes in the same “weighing of interests” that “Y [always carefully weighs her interests] against the interest of providing customers with the necessary business information.” This is an incorrect test.
The defendant must weigh its interests against the interests of the data subjects, and not against those of its customers. In summary, the Dispute Chamber finds that the defendant does not demonstrate that it has carried out a weighing of interests with regard to the interests, fundamental rights and fundamental freedoms of the data subject and the impact of the processing on the data subject.

With regard to the reasonable expectations of the data subjects

45. The defendant states in its summary conclusions that the data subjects could reasonably have expected, based on the privacy statement of the KBO [27], that the defendant would make the data available to its customers. This would follow from the fact that the KBO explicitly refers in its privacy statement to the purpose of making the data available for commercial or non-commercial reuse. However, the defendant acknowledges that third parties are not permitted to use and/or further distribute personal data included in the KBO and obtained via licenses for direct marketing purposes. In this context, the defendant states that it has prohibited the use of the data by its customers for direct marketing purposes in the relevant contracts.

46. The Dispute Chamber notes that the defendant, in assessing the reasonable expectations of the data subjects, refers to the privacy statement of the KBO and Article 2, § 1, paragraph 2 of the Royal Decree of 18 July 2008 on the commercial reuse of public data from the Crossroads Bank for Enterprises [28]. On the basis of this, data subjects could, according to the defendant, reasonably expect that the defendant would make the data available to its customers.

[26] CJEU, judgment of 4 July 2023, Meta v.
Bundeskartellamt, C-252/21, ECLI:EU:C:2023:537, paragraph 110 and the case-law cited therein

[27] Can be consulted via https://economie.fgov.be/nl/kruispuntbank-van-1

[28] Art. 2. § 1. The public data of the Crossroads Bank for Enterprises may be passed on by the management service to third parties for commercial reuse in accordance with the additional rules and the conditions of this decision. However, third parties may not use and/or redistribute personal data for direct marketing purposes.

However, the defendant states that it has no relationship with the KBO and also has no sub-license to the KBO data, and that the legal obligations in that regard (presumably the prohibition on the use of that data by third parties for direct marketing) do not apply to it.

47. If the processing of personal data of the KBO means that data subjects should reasonably expect certain further processing, then this only extends to the processing of that personal data by licensees and third parties as described and framed in the privacy statement of the KBO and the royal decree of 18 July 2008. The Dispute Chamber emphasises that this excludes the possibility that third parties process the data for direct marketing purposes. However, the defendant states that it is not a licensee of KBO data, which means that the legal obligations that go with it do not apply, according to it. Furthermore, the defendant has not confirmed whether or not the data were originally collected from the KBO. As a result, it is impossible for it to rely on the reasonable expectations that the data subjects would have when the KBO processes their data. The Litigation Chamber therefore holds that the general possibility of commercial reuse of KBO data does not in any way imply that the data subjects in this case could reasonably have expected the defendant to process the data for its own purposes.

48.
According to the Court of Justice, it is clear from recital 47 of the GDPR that the interests and fundamental rights of the data subject in particular outweigh the interest of the controller when personal data are processed in circumstances in which the data subject would not reasonably expect such processing.

49. Furthermore, the relationship between the data subject and the controller must be taken into account. Recital 47 GDPR provides that a legitimate interest may exist when there is a “relevant and appropriate” relationship between the data subject and the controller, for example in situations where the data subject is a customer or employee of the controller. In the present case, there was clearly no relevant or appropriate relationship between the complainant and the defendant and its customers. The complainant was not aware that the defendant was processing his data until he exercised his right of access with a third party who had obtained the data from the defendant.

50. It follows from the preceding points that the defendant has not demonstrated that the data subjects, including the complainant, could reasonably have expected such processing. The reason for this is in particular that the defendant cannot demonstrate specifically from which sources and at what time the data were first collected. As a result, it could not assess whether the data subject could reasonably expect at that time and in that context that his data would be further processed, and it could also not carry out a full balancing test.

[29] CJEU, judgment of 4 October 2024, Koninklijke Nederlandse Lawn Tennisbond v. Autoriteit Persoonsgegevens, C-621/22, ECLI:EU:C:2024:857, paragraph 45 and the case-law cited therein

51. Since the three-part test for processing data on the basis of a legitimate interest concerns cumulative conditions, it is not necessary to examine whether the defendant meets the other two conditions of Article 6.1.f) GDPR.
The Market Court has already ruled in this regard that if one of the three elements of the three-part test is not met, the Dispute Chamber can correctly motivate that Article 6.1.f) GDPR cannot constitute a possible legal basis.[30]

52. In these circumstances, it must be held that the defendant has not demonstrated that its interest outweighs the interests and fundamental rights of the data subjects, so that the processing cannot fall under Article 6.1.f) GDPR. The defendant has thus breached the obligations imposed by Articles 5.1.a), 6.1 and 5.2 GDPR.

III.3. Transparency and information obligations (Article 12.1, Article 13.1 and 13.2, Article 14.1 and 14.2, Article 5.2, Article 24.1 and Article 25.1 of the GDPR)

53. The Inspection Service finds that the defendant has committed an infringement of Article 12.1, Article 13.1 and 13.2, Article 14.1 and 14.2, Article 5.2, Article 24.1 and Article 25.1 of the GDPR, since the defendant's privacy statement is not transparent and understandable for the data subjects and contains incorrect information. Furthermore, the Inspection Service concludes that Y's privacy statement is incomplete, since not all the information that must be stated under Articles 13 and 14 of the GDPR is actually stated. In its supplementary investigation report, the Inspection Service establishes that Y has committed an infringement of Articles 12.1, 14.2, 5.2, 24.1 and 25.1 of the GDPR, because the defendant clarifies in its privacy statement that it processes personal data that originate from the CBE, the Annexes to the Belgian Official Gazette, public sources such as a company's website, but does not state that personal data are obtained from Z7.

54. Under Articles 13 and 14 of the GDPR, any person whose personal data are processed, depending on whether the data are collected directly from him or from third parties, must be informed of the elements listed in those articles.
Where the data are collected directly from the data subject, the data subject is informed of the elements listed in Articles 13.1 and 2 of the GDPR. Article 14.1 and 2 list similar elements, with the understanding that Article 14 of the GDPR relates to data that is not collected directly from the data subject, but from third parties. This information must be provided to the data subject in accordance with Article 13 or Article 14 of the GDPR in the manner as determined in Article 12 of the GDPR.

[30] Court of Appeal of Brussels, 19th Chamber, Market Court Section, judgment of 14 June 2023, NMBS v. GBA, 2022/AR/723

55. In the present case, it is first established that the personal data processed by the defendant were not collected directly from the complainants. Consequently, only Article 14 of the GDPR applies, the first two paragraphs of which lay down the information that must be provided to the data subjects.[31]

56. The Litigation Chamber recalls that an essential aspect of the principle of transparency, as emphasised in Articles 12, 13 and 14 of the GDPR, is that the data subject must be able to determine in advance the scope and consequences of the processing, so as not to be surprised at a later stage about the way in which his or her personal data have been used. The information must be specific and reliable, not formulated in an abstract or ambiguous manner and not be open to different interpretations. In particular, the purposes and legal grounds for the processing of personal data must be clear.

[31] 1.
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
a) the identity and contact details of the controller and, where applicable, of the controller's representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended and the legal basis for the processing;
d) the categories of personal data concerned;
e) the recipients or categories of recipients of the personal data, where applicable;
f) the intention of the controller to transfer the personal data to a recipient in a third country or to an international organisation; whether or not there is an adequacy decision by the Commission; or, in the case of transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1), what the appropriate or suitable safeguards are, how a copy of them can be obtained or where they can be accessed.

2.
In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information to ensure fair and transparent processing in respect of the data subject:
a) the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
b) the legitimate interests pursued by the controller or by a third party, where the processing is based on point (f) of Article 6(1);
c) the existence of the right of the data subject to request from the controller access to, and rectification or erasure of personal data or restriction of processing concerning him or her, as well as the right to object to processing and the right to data portability;
d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
e) the right to lodge a complaint with a supervisory authority;
f) the source from which the personal data originate, and, where appropriate, whether they come from publicly available sources;
g) the existence of automated decision-making, including profiling referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the interests and envisaged consequences of such processing for the data subject.

57. Under Article 14.3 GDPR, which specifically concerns the modalities of the provision of information and as such constitutes an inherent addition to the core obligations of Articles 14.1 and 14.2 GDPR, the aforementioned information must be communicated to the data subjects within certain time limits.
The general rule is that the controller must inform the data subjects within a reasonable period, but at the latest within one month of obtaining their personal data, about the processing, depending on the specific circumstances (Article 14.3.a) GDPR). However, according to the transparency guidelines under the GDPR, this period may be shortened to the extent that the personal data collected are intended for the purpose of contacting the data subjects, in which case the information must be provided at the time of the first contact with the data subject (Article 14.3.b) GDPR).[32] Finally, the one-month period may also be shortened if the personal data are communicated to a recipient within the meaning of Article 4.9 GDPR. In such circumstances, data subjects must be informed at the latest at the time when their personal data are provided to another recipient (Article 14.3.c) GDPR).

58. In the present case, the defendant states that the data subjects are informed by means of its privacy statement about the processing it carries out. In addition, the defendant states that it would not be obliged to provide the data subjects with the information included in Article 14 GDPR, since it could assume that the data subjects already have this information based on the legal context of the processing and the chain of data processing. Firstly, the data processing would be clearly to be expected based on the law, which means that data subjects are deemed to be aware of the obligation to publish company data with the KBO and the further processing by the defendant. Secondly, Z5 would guarantee that it will report this to the data subjects, and the defendant would then also impose this obligation on its customers. Taking into account Article 14.5.a) and Recital 62 of the GDPR, this means that the defendant is not required to comply with the transparency obligation for the processing operations it carries out.
To the extent that its customers wish to carry out further processing operations (i.e. direct marketing), they are required to comply with this obligation.

59. The complainant claims that Y does not actively inform the data subjects when collecting or processing their data. This would make it impossible for the data subjects to be aware of the processing of their data by the parties in the chain of controllers that the defendant describes in its conclusions. The complainant contests the defendant's argument that it was not obliged to provide the information contained in Article 14 GDPR since it could assume that the data subjects already had this information. The complainant was only informed of the fact that his data were being processed by the defendant when he exercised his right of access with a customer of the defendant.

[32] Article 29 Data Protection Working Party – Guidelines on transparency under Regulation (EU) 2016/679 (WP260, rev. 01, 11 April 2018), adopted by the EDPB.

60. First of all, the Dispute Chamber points out that all successive controllers (i.e., the defendant, Z7, Z5, and its customers) must inform individual data subjects regarding the data processing they carry out themselves. The exception in Article 14.5.a) GDPR, according to which Articles 14.1 to 14.4 GDPR do not apply to the extent that the data subject already has the information, is not relevant. The defendant cannot evade its information obligations on the basis of the fact that Z5 has already provided certain information, since Z5 is a separate controller. The information in at least Articles 14.1.a), b), c), and e) and 14.2.a), b), and f) could differ depending on the controller, so that it cannot be assumed that the data subjects would already have the information.
The defendant also explicitly indicates this in connection with Z7, where it adds the underlined sentence in its comments on the PV of the hearing: “The defendant states, as the complainant also states, that Z7 is a separate controller, and not a processor. Consequently, both Z7 and the defendant have their own obligations in the context of transparency provided for in Article 14 GDPR.”

[33] Page 3 of the defendant's letter to the GBA of 15 November 2024

[34] Recital 60 — “The principles of fair and transparent processing require that the data subject be informed of the fact that processing is taking place and of its purposes. The controller should provide the data subject with the additional information necessary to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed. […]”; Article 14 GDPR — “1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: […]” (the Litigation Chamber underlines). See also CJEU, 1 October 2015, C-201/14, Smaranda Bara et al. v. Președintele Casei Naționale de Asigurări de Sănătate (ECLI:EU:C:2015:638), paragraph 31.

61. Articles 14.1 and 14.2 provide for an obligation to provide information proactively when the personal data have not been obtained from the data subject. The indirect collection of personal data from data subjects does not presuppose that the provision of information to data subjects must also be done only indirectly. On the contrary, it follows from the case-law of the Court of Justice and from the provisions of the GDPR that it is solely up to the controller who determines the means and purposes of the processing to inform data subjects in a fair and transparent manner.[34] The Litigation Chamber therefore concludes that in this case it is primarily up to the
defendant to proactively inform the data subjects about the processing of their personal data by the defendant itself, in accordance with Article 14 GDPR. Since the defendant provides the data to other recipients, it must inform the data subjects at the latest at the time when the personal data are first provided (Article 14.3.c) GDPR).

62. Regarding the defendant's privacy statement, the Inspection Service notes that neither the version of 30 March 2021 nor the version of 5 May 2021 states that the personal data are obtained from Z7. The amended version of the defendant's privacy statement states that the KBO is not the source of the data included in the database.[35] However, the privacy statement at the time of the complaint stated the following: "All personal data in Y's database have as the ultimate source the Crossroads Bank for Enterprises or public sources." Based on the direct contradiction, which is not explained by a factual change in the source of the data, the Dispute Chamber concludes that the defendant has provided incorrect information to the data subjects with regard to Article 14.2.f) GDPR. This article obliges the controller to communicate the source of the personal data, and, where appropriate, whether they originate from public sources, to the data subjects. Furthermore, the Dispute Chamber notes that the defendant initially did not comply with Article 14.2.e) GDPR, which requires the controller to inform data subjects of their right to lodge a complaint with a supervisory authority. This information is communicated in the current version of the privacy statement.

63.
The Dispute Chamber concludes that the defendant failed to comply with its transparency and information obligations under Article 12.1, Article 14.1 and 14.2, Article 5.2, Article 24.1 and Article 25.1 of the GDPR by failing to proactively inform data subjects within the legally required period, and because the information it provided via its privacy statement was incomplete and incorrect.

III.4. The rights of the data subject (Articles 12.1, 12.2, 12.3 and 12.4 GDPR, as well as Articles 15, 17, 19, 21, 24.1 and 25.1 of the GDPR)

64. Article 12, paragraph 1 GDPR provides that the controller must take appropriate measures to provide the data subject with information relating to the processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Article 12 of the GDPR regulates the manner in which data subjects can exercise their rights and provides that the controller must facilitate the exercise of those rights by the data subject (Article 12.2 of the GDPR), and must provide him with information on the measures taken in response to his request without delay and in any event within one month of receipt of the request (Article 12.3 of the GDPR).

[35] Summary conclusions of the defendant, document 23

65. Article 24 of the GDPR requires the controller, taking into account the nature, scope, context and purposes of the processing, to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is carried out in accordance with this Regulation.

66.
The Inspection Service finds that the defendant has committed an infringement of Articles 12.1, 12.2, 12.3 and 12.4 of the GDPR, as well as Articles 15, 17, 19, 21, 24.1 and 25.1 of the GDPR, since the defendant does not provide a documented answer to the Inspection Service's question as to how data subjects are specifically informed about the processing of their personal data by the defendant and how their rights are safeguarded in accordance with Articles 12, 15, 17, 19 and 21 of the GDPR. The Inspection Service concludes that the defendant's privacy statement and the (contractual) agreements between the defendant and its customers do not in themselves address the complainant's rights provided for in the aforementioned Articles of the GDPR.

III.4.1. Regarding the right of access

67. In his email of 15 January 2021, the complainant attempted to exercise his right of access under Article 15 GDPR. The defendant replied to the complainant's email on 29 January 2021, stating in its summary conclusions that it had handled the complainant's request in accordance with its obligations.

68. First, the complainant requested a full overview of the data that the defendant had collected from him. He requested copies, backups and other versions of the data, whether enriched or not. In accordance with Articles 15.1 and 15.3 GDPR, the data subject has the right to this information and to a copy of the data. In its email of 29 January 2021, the defendant therefore provided a copy of the data that it processes in relation to the complainant. Therefore, the Dispute Resolution Chamber decides that the defendant has not violated the GDPR on this point.

69. Secondly, the complainant requested an explanation of how, when, from which source, and from which intermediary(s) the defendant had obtained the data.
Where the personal data are not collected from the data subject, as is the case here, Article 15.1.g) of the GDPR provides that the data subject has the right to obtain access to all available information on the source of that data. The defendant was thus obliged to answer these questions in full. In its response to the complainant's request, the defendant did not specifically answer the aforementioned questions. It does not inform the complainant of how, when, from which source, or from which intermediaries it had obtained the data. However, it does refer to the KBO: “The data we have registered are exclusively the data of your organisation as registered by you with the KBO. Nevertheless, under the GDPR, data subjects can request us to have certain data deleted. This is in contrast to the KBO.” From this, the complainant could understand that the KBO was the source of the personal data of the complainant, which is at least misleading since the defendant indicates in its summary conclusions that the data were not collected from the KBO. In any case, the defendant did not answer the above questions, as a result of which the Dispute Chamber decides that the defendant has committed an infringement of Article 15.1.g) GDPR by not communicating all available information about the sources of the personal data of the complainant.

70. Furthermore, the complainant asked to which parties the defendant passes on or has passed on the data.

71. Based on Article 15.1.c) GDPR, the data subject has the right to obtain access to the recipients or categories of recipients to whom the personal data have been or will be disclosed.
In its response to the complainant's questions, the defendant refers to Article 14.1 GDPR, which provides that where personal data have not been obtained from the data subject, the controller shall provide the recipients or categories of recipients of the personal data, read in conjunction with Article 14.5 GDPR, which provides that paragraphs 1 to 4 of Article 14 do not apply if and to the extent that providing such information proves impossible or would involve a disproportionate effort. On that basis, the defendant argues that it is not obliged to specify the recipients of the complainant’s data, but only the categories of recipients, which it defines as “organisations that attach importance to high-quality support for B2B marketing and sales campaigns, analyses of business target groups and keeping carefully constructed business databases up to date”.

72. First of all, the Dispute Chamber points out that Article 14.5 of the GDPR establishes an exception within the framework of Article 14 of the GDPR, and can in no way restrict the right of access based on Article 15 of the GDPR. The Court of Justice has ruled that the data subject must have the right to know who the specific recipients of his personal data were when these data have already been communicated to third parties. Only when it is not (yet) possible to identify these recipients is the controller permitted to limit the information communicated to the relevant categories of recipients. During the hearing, the defendant stated that the judgment of the Court of Justice had not yet been published at the time of the request for access by the complainant, and that it had responded sufficiently to the request at the time. However, this reasoning cannot be followed, since that judgment merely provides clarification of an obligation that flows directly from Article 15.1.c) GDPR, and was already applicable beforehand.
The Litigation Chamber recalls that this interpretation of Article 15.1.c) GDPR is also apparent from the EDPB guidelines on the right of access, as well as from the transparency guidelines, adopted in 2017 by the Article 29 Working Party and revised on 11 April 2018,38 which was already available at the time of the request for access.

73. In view of the foregoing, the Litigation Chamber concludes that the defendant has infringed Article 15.1.c) GDPR by failing to communicate all available information on the specific recipients of the complainant's personal data.

74. Furthermore, in his request for access, the complainant asked for the storage period of his personal data. Article 15.1.d) GDPR provides that he has the right to access, where possible, the period for which the personal data are expected to be stored, or if that is not possible, the criteria for determining that period. The defendant did not respond to this question.

75. In view of the foregoing, the Dispute Resolution Chamber finds that the defendant has infringed Article 15.1.d) GDPR by failing to communicate to the complainant all available information on the storage period.

III.4.2. Concerning the right to erasure of personal data, the right to object, and the restriction of processing

76. In his email of 15 January 2021, the complainant also attempted to exercise his right to erasure under Article 17 GDPR and his right to restriction of processing under Article 18 in conjunction with Article 21 GDPR. The defendant replied to the complainant's email on 29 January 2021, confirming that the complainant's data would be immediately removed from its database, preventing further dissemination, and that a deletion request would be passed on to its customers. The defendant states in its summary conclusions that it handled the complainant's request in accordance with the obligations.

36 CJEU, 12 January 2023, C-154/21, RW v. Österreichische Post (ECLI:EU:C:2023:3), paragraphs 39, 43 and 48.
37 EDPB – Guidelines 01/2022 on the rights of data subjects – Right of access (v2.0, 28 March 2023), paras. 116-117.
38 Article 29 Data Protection Working Party – Guidelines on transparency under Regulation (EU) 2016/679 (WP260, rev.01, 11 April 2018), pp. 43-44: “The (names of) the actual recipients of the personal data, or categories of personal data, must be provided. In accordance with the principle of fairness, controllers should provide information about the recipients that is most meaningful to the data subjects. In practice, these will usually be named recipients, so that data subjects know exactly who has their personal data.”

77. Since the defendant deleted the complainant's personal data in a timely manner and informed the recipients of the data thereof, the Dispute Chamber finds that the defendant did not violate Article 17, Article 18 in conjunction with Article 21 GDPR.

78. However, the Dispute Chamber notes that the complainant requested information about the recipients of the data in the same e-mail. The second sentence of Article 19 of the GDPR expressly grants the data subject the right to be informed by the controller of the specific recipients of the data concerning him, in the context of the latter's obligation to inform all recipients of the exercise of the rights to which this person has access under Articles 16, 17.1 and 18 of the GDPR. Since the defendant did not provide information on the specific recipients of the personal data, the Dispute Resolution Chamber decides that the defendant has committed an infringement of Article 19 of the GDPR.

III.5. With regard to findings outside the scope of the complaint

79. In order to ensure effective and efficient enforcement of the complainant's rights, the Dispute Resolution Chamber decides not to address findings made by the Inspection Service outside the scope of the complaint in the present decision.
This does not affect the fact that it is up to the defendant to take measures to ensure full compliance with all obligations arising from the GDPR.

39 CJEU, 12 January 2023, C-154/21, RW v. Österreichische Post (ECLI:EU:C:2023:3), point 41.

IV. On corrective measures and penalties

80. According to the wording of Article 100.1 of the WOG, the Dispute Resolution Chamber has the power to:

1° dismiss a complaint;
2° order that no prosecution be brought;
3° order that the judgment be suspended;
4° propose a settlement;
5° issue warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° order that the data subject be informed of the security problem;
8° order that the processing be temporarily or definitively frozen, restricted or prohibited;
9° order that the processing be brought into compliance;
10° order the correction, restriction or erasure of data and the notification thereof to the recipients of the data;
11° order the withdrawal of the recognition of certification bodies;
12° impose penalty payments;
13° impose administrative fines;
14° order the suspension of cross-border data flows to another State or an international institution;
15° transfer the file to the public prosecutor's office in Brussels, which shall inform it of the action taken on the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

IV.1. Corrective measures

IV.1.1. Regarding the infringement of Articles 5.1.a), 6.1 and 5.2 GDPR, since the defendant does not demonstrate that its interest outweighs the interests and fundamental rights of the data subjects, so that the processing cannot fall under Article 6.1.f) GDPR, and is unlawful due to a lack of a valid legal basis:

81.
The Dispute Chamber decides, firstly, to order the defendant, pursuant to Article 58.2.g) GDPR and Article 100, § 1, 10° of the WOG, to erase personal data for which it cannot demonstrate that it has a valid legal basis for processing them in accordance with Articles 5.1.a), 6.1 and 5.2 GDPR. In accordance with Art. 108, § 1, third paragraph WOG, this order is not provisionally enforceable.

82. Furthermore, the Dispute Chamber decides to order the defendant pursuant to Article 58.2.g) GDPR and Article 100, § 1, 10° of the WOG to inform all recipients of the aforementioned personal data of the previous order and the present decision, and to emphasise that the cited legal basis for the processing does not correspond to the GDPR.

83. These orders are necessary to stop the unlawful processing of personal data.

IV.1.2. Regarding the infringement of Articles 12.1, 14.1, 14.2, 5.2, 24.1 and Article 25.1 of the GDPR, because the defendant did not proactively inform the data subjects within the legally required period, and because the information it provided via its privacy statement was incomplete and incorrect:

84. The Dispute Chamber decides to order the defendant pursuant to Article 58.2.d) of the GDPR and Article 100, § 1, 9° of the WOG to bring the future processing of personal data into compliance with the provisions of the GDPR, by proactively informing the data subjects within the legally required period, in accordance with Articles 12.1, 14.1, 14.2, 5.2, 24.1 and Article 25.1 of the GDPR.

85. This order is necessary to bring the defendant into compliance with the information obligations.

IV.1.3. Regarding the infringement of Articles 15.1.c), 15.1.d) and 15.1.g) GDPR, since the defendant did not provide all available information on the specific recipients, sources and storage period of the personal data to the complainant in the response to his request for access; and regarding the infringement of Article 19 GDPR

86.
The Dispute Chamber decides to order the defendant, pursuant to 58.2.c) GDPR and Article 100, § 1, 6° WOG, to comply with the requests of the complainant to exercise his rights within a period of 30 days after the notification of this decision:

i. by communicating all available information on the specific recipients of the personal data to the complainant in accordance with Article 15.1.c) and Article 19, second sentence, GDPR;
ii. by communicating all available information on the storage period of his personal data to the complainant in accordance with Article 15.1.d);
iii. by communicating all available information on the sources of the personal data to the complainant in accordance with Article 15.1.g).

87. In her response to the sanction form, Y states that she will make every effort to comply with the complainant's requests to exercise his rights, but that she has already deleted the data - following the complainant's request - in February 2021. The Dispute Resolution Chamber finds that this order is nevertheless necessary to safeguard the complainant's rights. The defendant must thus comply with the complainant's requests by providing all available information.

IV.2. Administrative fines

88. In addition to the corrective measures, the Litigation Chamber decides to impose three administrative fines with a view to vigorously enforcing the rules of this Regulation.40 As is clear from recital 148 of the GDPR, the GDPR provides that, in the event of any infringement—including a first finding of an infringement—penalties, including administrative fines, are imposed in addition to or instead of appropriate measures.

89. The Litigation Chamber also pointed out that it is its sovereign responsibility as an independent administrative authority — in compliance with the relevant articles of the GDPR and the WOG — to determine appropriate corrective measures and sanctions.
This follows from Article 83 of the GDPR itself, but the Market Court has also emphasised in its case law the existence of a broad discretionary power of the Dispute Chamber regarding the choice of the sanction and its scope, as inter alia in its judgments of 7 July 2021 and 6 September 2023.41

90. The fact that this concerns an initial finding of an infringement of the GDPR committed by the defendant does not in any way affect the possibility for the Dispute Chamber to impose an administrative fine. The Dispute Chamber imposes the administrative fine in application of Article 58.2.i) GDPR. The instrument of an administrative fine is in no way intended to end infringements; to that end, the GDPR and the WOG provide for a number of corrective measures, including the orders referred to in Article 100, § 1, 8° and 9° WOG.

91. Article 83.3 GDPR prescribes the factors to be taken into account in each specific case when deciding whether to impose an administrative fine and the amount thereof. The Dispute Chamber shall take into account in particular the gravity of the infringements, the duration of the infringements, and the necessary deterrent effect to prevent future infringements. In order to avoid repeating the assessment of each factor, the Dispute Chamber refers to the assessment below, in which the imposition of an administrative fine and its amount are assessed together.

92. In order to impose an effective, proportionate and dissuasive fine in any event, supervisory authorities are expected to adapt the administrative fines they impose and to remain within the margin provided for in the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Version 2.1, Adopted on 24 May 2023). This may lead to significant increases or reductions of the fine, depending on the circumstances of the case. The application of these Guidelines is necessary to ensure the consistency of the application of the GDPR. In accordance with the EDPB Guidelines, administrative fines for infringements of the GDPR are calculated on the basis of a five-step method.42 These five steps are systematically followed in the following paragraphs. The Litigation Chamber recalls that it is not obliged to examine criteria that are not applicable.43

40 Recital 148 of the GDPR provides that “In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any infringement of the Regulation, in addition to or instead of appropriate measures imposed by supervisory authorities pursuant to this Regulation. Where the infringement is minor or the expected fine would impose a disproportionate burden on a natural person, a reprimand may be chosen instead of a fine. However, account should be taken of the nature, gravity and duration of the infringement, the intentional nature of the infringement, measures taken to mitigate harm, the degree of responsibility, or previous relevant infringements, the manner in which the infringement has come to the attention of the supervisory authority, the compliance with measures taken against the controller or processor, the adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.”
41 Court of Appeal Brussels, Market Court Section, 19th Chamber A, Markets Affairs Chamber, 2021/AR/320, pp. 37-47; Court of Appeal Brussels, Market Court Section, 19th Chamber A, Markets Affairs Chamber, 2020/AR/1160, p. 34.

IV.2.1. Concurrence of infringements and the application of Article 83.3 GDPR

93.
The Litigation Chamber decides to impose fines for the following infringements:

i. Infringement of Articles 5.1.a), 6.1 and 5.2 GDPR, since the defendant does not demonstrate that its interest outweighs the interests and fundamental rights of the data subjects, so that the processing cannot fall under Article 6.1.f) GDPR, and is unlawful due to a lack of a valid legal basis;
ii. Infringement of Articles 12.1, 14.1, 14.2, 5.2, 24.1 and 25.1 GDPR, because the defendant did not proactively inform the data subjects within the legally required period, and because the information it provided via its privacy statement was incomplete and incorrect;
iii. Infringement of Articles 15.1.c), 15.1.d) and 15.1.g) GDPR, because the defendant did not communicate all available information about the specific recipients, the sources and the storage period of the personal data to the complainant in the response to his request for access.

94. As a first step, the Dispute Chamber establishes that there is one and the same infringing conduct. Processing personal data without a valid legal basis, without proactively informing the data subjects and without fully responding to the complainant's requests for access, constitutes, in the context of processing, a series of processing activities that are carried out with a single intention and that are contextually, spatially and temporally interrelated. They must be considered as "related" and as a single act.

42 EDPB – Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 9
43 EDPB – Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), point 6

95. However, the Litigation Chamber finds that this conduct constituted three distinct infringements and that these infringements can be attributed side by side when calculating the fines.
Namely, the provisions infringed pursue independent objectives (the principle of lawfulness, the duty to provide information, and the right of data subjects to access the processing of their personal data), whereby one provision is not excluded or covered by the applicability of the other, which justifies the imposition of separate fines. The Dispute Resolution Chamber refers as an example to the EDPB Binding Decision 1/2021: “As regards the meaning of Article 83(3) GDPR, the Board [EDPB] notes that, taking into account the views of the supervisory authorities concerned, multiple amounts may be set in the event of multiple infringements. However, the total fine may not exceed a maximum amount prescribed, in abstracto, by the GDPR”.44

96. Furthermore, Article 83.3 GDPR provides that where a controller, intentionally or negligently, in relation to the same or linked processing activities, commits an infringement of several provisions of this Regulation, the total amount of the fine may not exceed the maximum amount allowed for the most serious infringement.

97. In summary, the Litigation Chamber finds in the present case that it must impose three separate fines, and that the total fine cannot exceed the maximum amount for the most serious infringement.

IV.2.2. Starting amount for the calculation

98. The calculation of administrative fines starts with a harmonised starting amount based on the EDPB Guidelines 04/2022. This takes into account the classification of infringements according to their nature under Article 83, paragraphs 4 to 6, GDPR, the gravity of the infringement and the turnover of the undertaking.

Classification of infringements according to their nature under Article 83(4) to (6) of the GDPR

99. The GDPR distinguishes between two categories of infringements: those punishable under Article 83.4 of the GDPR on the one hand, and those punishable under Articles 83.5 and 83.6 of the GDPR on the other.
The first category of infringements is punishable by a maximum fine of EUR 10 million or 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher. The second category may result in a fine of up to EUR 20 million or 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher.

i. For the infringement of Articles 5.1.a), 6.1 and 5.2 GDPR, the heaviest administrative fine pursuant to Article 83.5.a) GDPR shall be up to EUR 20,000,000 or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher;
ii. For the infringement of Articles 12.1, 14.1, 14.2, 5.2, 24.1 as well as Article 25.1 GDPR, the heaviest administrative fine pursuant to Article 83.5.b) GDPR shall be up to EUR 20,000,000 or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher;
iii. For the infringement of Articles 15.1.c), 15.1.d) and 15.1.g) GDPR, the most serious administrative fine pursuant to Article 83.5.b) GDPR shall amount to up to EUR 20,000,000 or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

44 EDPB Binding Decision 1/2021 on the dispute arising from the draft decision of the Irish Supervisory Authority concerning WhatsApp Ireland pursuant to Article 65(1)(a) of the GDPR, adopted on 28 July 2021, Par. 324
45 See also EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 17
46 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 18

100. Given that the higher fines apply, pursuant to Articles 83.5.a) and 83.5.b) of the GDPR, the Litigation Chamber may impose an administrative fine of up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, per infringement.
IV.2.3. Gravity of the infringements in each individual case

101. Regarding the infringement of Articles 5.1.a), 6.1 and 5.2 GDPR, given that the defendant does not demonstrate that its interest outweighs the interests and fundamental rights of the data subjects, so that the processing cannot fall under Article 6.1.f) GDPR, and is unlawful due to a lack of a valid legal basis:

i. Article 83.2.a) GDPR – Nature, gravity and duration of the infringement: Regarding the nature of the infringement, the Litigation Chamber notes that the principle of lawfulness (Articles 5.1.a) and 6 GDPR) is a fundamental principle of the protection guaranteed by the GDPR. This principle is also included in Article 8.2 of the Charter of Fundamental Rights of the European Union. Infringements of this core principle therefore constitute serious infringements. Regarding the gravity of the infringement, the Litigation Chamber notes that the processing at issue took place in the context of the defendant's business activities. The latter specialises in making data available for payment. Furthermore, the Litigation Chamber notes that the processing is extensive, and that the defendant concluded in May 2021 that it processes personal data on a large scale. For these reasons, the infringement must be assessed more seriously. Thirdly, concerning the duration of the infringement, the Litigation Chamber notes that W, the parent company of the defendant, entered into a data licensing agreement with Z7 on 21 November 2017. The Litigation Chamber understands that the defendant has since made the relevant data available to its customers, leading the Litigation Chamber to conclude that the data infringement has been going on for several years.

ii.
Article 83.2.b) GDPR – the intentional or negligent nature of the infringement: In the present case, the Dispute Chamber finds that there is no – apparent – intention on the part of the defendant to intentionally infringe Articles 5.1.a), 6.1 and 5.2 GDPR by invalidly relying on Article 6.1.f) GDPR as a legal basis, but at least there is serious negligence, which satisfies the requirements of the case law of the Court of Justice of the EU.48 The Dispute Chamber notes that the processing may have resulted from a misinterpretation by the defendant of Articles 2 and 4.1 GDPR, and recital 14 GDPR, as a result of which it did not consider the personal data in question to be personal data. Although the defendant is responsible for compliance with the GDPR, the Dispute Chamber considers that the infringement therefore appears to be unintentional. Nevertheless, the Dispute Chamber notes that the defendant processed these personal data in the context of its professional activities, where the processing of personal data is the core activity. The Dispute Chamber is therefore of the opinion that the defendant should have been aware that the processing at issue concerned personal data, and that it was unlawful processing, resulting from serious negligence. Consequently, the Dispute Chamber attaches more weight to this factor.

iii. Article 83.2.g) GDPR – the categories of personal data to which the infringement relates: The processing at issue concerns the e-mail address used by the complainant in the context of a professional activity, by means of which he is directly identifiable. Although such personal data are prima facie not of a sensitive or special nature, the Dispute Chamber finds that they nevertheless belong to categories of personal data that data subjects would not normally reasonably expect to be collected indirectly from and subsequently processed by third parties. This category is considered neutral.
47 Annex 14 to the letter from the defendant to the GBA dated 5 May 2021
48 See judgment C-807/21, Deutsche Wohnen, ECLI:EU:C:2023:950, pt 78.

102. Regarding the infringement of Articles 12.1, 14.1, 14.2, 5.2, 24.1 and Article 25.1 GDPR, because the defendant did not proactively inform the data subjects within the legally required period, and because the information it provided via its privacy statement was incomplete and incorrect:

i. Article 83.2.a) GDPR – Nature, gravity and duration of the infringement: Regarding the nature of the infringement, the Litigation Chamber notes that the transparency and information obligations are fundamental principles of the GDPR. They enable the data subject to exercise the other rights granted by the GDPR, such as the right to object and the right to have data erased. Infringements of these core principles therefore constitute serious infringements, which can be punished with the highest administrative fines provided for in the GDPR. Regarding the gravity and duration of the infringement, the Litigation Chamber refers to the above findings that the defendant made financial gains over a period of several years by processing personal data without a valid legal basis. The fact that it did this without proactively informing the data subjects about the processing is in that context a serious breach. When data subjects are not informed about the processing of their personal data, they are deprived of the opportunity to exercise their rights and an imbalance arises in the relationship with the controller and recipients of the data. This opens the door to abuse and unlawful processing.

ii.
Article 83.2.b) GDPR – the intentional or negligent nature of the infringement: In this case, the Dispute Chamber found that there was no – apparent – intention on the part of the defendant to intentionally infringe Articles 12.1, 14.1, 14.2, 5.2, 24.1 and Article 25.1 GDPR, but serious negligence, which meets the requirements of the case law of the Court of Justice of the EU.49 The defendant was of the opinion that it was not obliged to proactively provide information to the data subjects because these data subjects had already been informed by a separate controller about the processing of the data. However, the defendant had its own, separate, obligation to provide information since it was itself a controller processing the data for its own purposes and with its own means. In addition, the defendant stated the following to the data subjects in its privacy statement: “All personal data in Y’s database have as their ultimate source the Crossroads Bank for Enterprises or public sources”. Since it appears that the true source of the personal data is Z7, the Litigation Chamber can only conclude that there is serious negligence in correctly informing the data subjects.

49 See judgment C-807/21, Deutsche Wohnen, ECLI:EU:C:2023:950, pt 78.

iii. Article 83.2.g) GDPR – the categories of personal data to which the infringement relates: See above.

103. Regarding the infringement of Articles 15.1.c), 15.1.d) and 15.1.g) GDPR, since the defendant did not provide the complainant with all available information on the specific recipients, sources and storage period of the personal data in the response to his request for access:

i.
Article 83.2.a) GDPR – The nature, gravity and duration of the infringement: Regarding the nature of the infringement, the Litigation Chamber notes that the right of access is the gateway to the exercise of other rights provided for in the GDPR, such as the right to object to the processing of personal data (Article 21 GDPR) and the so-called right to be forgotten (Article 17 GDPR). It is therefore of the utmost importance that data subjects exercising their right of access are given access to all personal data concerning them and collected by the controller, and are given concise, transparent and comprehensible information about the circumstances in which their personal data are processed. By not providing the complainant with complete and sufficiently detailed information, the controller deprives him of the possibility to exercise an appropriate degree of control over his own personal data. Regarding the seriousness and duration of the infringement, the Dispute Chamber refers to the above findings that the defendant made financial profit over a period of several years by processing personal data without a valid legal basis and without proactively informing the data subjects. The fact that it refused to respect the complainant's right of access constitutes a serious infringement in this context. ii. Article 83.2.b) GDPR – the intentional or negligent nature of the infringement: In the present case, according to the Dispute Resolution Chamber, there is no – apparent – intention on the part of the defendant to intentionally infringe Articles 15.1.c), 15.1.d) and 15.1.g) GDPR, but serious negligence, which satisfies the requirements of the case-law of the Court of Justice of the EU.50 The complainant explicitly requested to receive the information in the aforementioned articles, and Article 15.1 GDPR clearly establishes the obligation to provide this information. 
By only mentioning the categories of recipients, although the defendant must have the specific identity of these recipients; by not disclosing the actual sources; and by not providing information on the storage period, the Litigation Chamber considers it sufficiently proven that the infringement of Article 15 GDPR was committed by serious negligence.

50 See judgment C-807/21, Deutsche Wohnen, ECLI:EU:C:2023:950, pt 78.

iii. Article 83.2.g) GDPR – the categories of personal data concerned by the infringement: See above.

104. On the basis of an assessment of the above factors, the gravity of each infringement as a whole is determined:

i. As regards the infringement of Articles 5.1.a), 6.1 and 5.2 GDPR, the Litigation Chamber considers that it concerns a serious, extensive and long-term infringement of a fundamental principle of the GDPR in the context of the core activity of the defendant, which was committed with serious negligence. The Litigation Chamber concludes that it concerns an infringement of medium gravity. In accordance with paragraph 60 of the EDPB Guidelines, the Litigation Chamber should set the starting amount for the further calculation at a point between 10 and 20% of the applicable statutory maximum amount. The Litigation Chamber will set the starting amount for the further calculation at 15% of the statutory maximum amount set out in Article 83.5 GDPR;

ii. As regards the infringement of Articles 12.1, 14.1, 14.2, 5.2, 24.1 and Article 25.1 GDPR, the Litigation Chamber considers that it concerns a serious, extensive and long-term infringement of a fundamental principle of the GDPR in the context of the defendant's core activity, which was committed with serious negligence, which leads the Litigation Chamber to conclude that it is an infringement of average gravity. In accordance with par.
60 of the EDPB Guidelines, the Litigation Chamber should set the starting amount for the further calculation at a point between 10 and 20% of the applicable statutory maximum amount. The Litigation Chamber will set the starting amount for the further calculation at 15% of the statutory maximum amount set out in Article 83.5 GDPR;

iii. As regards the infringement of Articles 15.1.c), 15.1.d) and 15.1.g) GDPR, the Litigation Chamber considers that it is a serious infringement of a fundamental principle of the GDPR in the context of the defendant's core activity, which was committed with serious negligence, which leads the Litigation Chamber to conclude that it is an infringement of average gravity. In accordance with par. 60 of the EDPB Guidelines, the Dispute Resolution Chamber should set the starting amount for the further calculation at a point between 10 and 20% of the applicable statutory maximum amount. The Dispute Resolution Chamber will set the starting amount for the further calculation at 15% of the statutory maximum amount set out in Article 83.5 GDPR.

51 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), par 60
52 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), par 60

105. In its response to the penalty form, the defendant states that the penalty form shows that there is no evidence of intent or manifest gross negligence. It states that it always acted in good faith, took measures and implemented a policy to comply with its obligations under the GDPR and that it cooperated with both the complainant and the Data Protection Authority. However, this would not be reflected in the calculation of the fines. The Dispute Chamber notes that the defendant does not contest the finding that the three infringements were of “average gravity”, which led to the starting amount being set at 15% of the statutory maximum amount.
Furthermore, no material evidence or elements are put forward on the basis of which the determination of “average gravity” should be adjusted.

IV.2.4. The defendant’s turnover as a relevant element to be taken into account with a view to imposing an effective, dissuasive and proportionate fine under Article 83.1 GDPR

106. In accordance with Article 83.1 GDPR, the Dispute Chamber must ensure that the administrative fines imposed are effective, proportionate and dissuasive. In doing so, it also allows a distinction to be made in the starting amounts according to the size of the undertaking.

107. Articles 83.4 to 83.6 GDPR provide that the total worldwide annual turnover of the preceding financial year must be used for the calculation of the administrative fine. In this regard, the term “previous” must be interpreted in accordance with the case-law of the Court of Justice in competition law, so that the relevant event for the calculation is the decision of the supervisory authority imposing the fine, and not the time of the sanctioned infringement.

108. The Dispute Resolution Chamber specifies in this regard that at the time of sending the penalty form on 19 February 2025, it did not yet have the turnover figures for the year 2024 and therefore had to take into account the turnover figures for 2023. Since the turnover figures were not included in the defendant's 2023 annual accounts, the Dispute Chamber had to use the gross margin of 2023 as included in the annual accounts as an alternative. This gross margin amounts to EUR 52,404. The Dispute Chamber invited the defendant to submit the turnover figures for the 2023 financial year to the Dispute Chamber.

[53] EDPB – Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), par. 60

[54] EDPB – Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), paragraph 131

109. In her response to the sanction form, Y stated that she cannot estimate her future financial capacity. She also does not provide any additional turnover figures. The Dispute Chamber must therefore rely on the available data.

110. Based on the foregoing, the Dispute Chamber finds that 4% of the total worldwide annual turnover in the previous financial year amounts to EUR 2,096.16, which is less than EUR 20,000,000. Thus, the maximum administrative fine pursuant to Article 83.5 GDPR amounts to EUR 20,000,000. In concrete terms, this results in the following starting amounts:

i. Regarding the infringement of Articles 5.1.a), 6.1 and 5.2 GDPR, the Dispute Resolution Chamber set the starting amount for the further calculation at 15% of the statutory maximum amount included in Article 83.5 GDPR. In this case, this results in a starting amount of EUR 3,000,000;

ii. Regarding the infringement of Articles 12.1, 14.1, 14.2, 5.2, 24.1 and Article 25.1 GDPR, the Dispute Resolution Chamber set the starting amount for the further calculation at 15% of the statutory maximum amount included in Article 83.5 GDPR. This leads in this case to a starting amount of EUR 3,000,000;

iii. Regarding the infringement of Articles 15.1.c), 15.1.d) and 15.1.g) GDPR, the Litigation Chamber set the starting amount for the further calculation at 15% of the statutory maximum amount included in Article 83.5 GDPR. This leads in this case to a starting amount of EUR 3,000,000;

111. In accordance with the EDPB Guidelines, for undertakings with an annual turnover of less than EUR 2 million, the Litigation Chamber may consider continuing the calculation on the basis of an amount between 0.2 and 0.4% of the established starting amount.
The Litigation Chamber decides that this is appropriate in the present case, which leads to the following adjusted amounts:

i. Concerning the infringement of Articles 5.1.a), 6.1 and 5.2 GDPR, the starting amount of EUR 3,000,000 is reduced to EUR 6,000 (0.2% of the starting amount);

ii. As regards the infringement of Articles 12.1, 14.1, 14.2, 5.2, 24.1 as well as Article 25.1 GDPR, the starting amount of EUR 3,000,000 is reduced to EUR 6,000 (0.2% of the starting amount);

iii. As regards the infringement of Articles 15.1.c), 15.1.d) and 15.1.g) GDPR, the starting amount of EUR 3,000,000 is reduced to EUR 6,000 (0.2% of the starting amount).

[55] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), paragraph 65

IV.2.5. Aggravating and mitigating circumstances

112. According to the GDPR, after assessing the nature, gravity and duration of the breach, the intentional or negligent nature of the breach and the categories of personal data concerned by the breach (see above), the supervisory authority must take into account the other aggravating and mitigating factors listed in Article 83.2:

i. Regarding the infringement of Articles 5.1.a), 6.1 and 5.2 GDPR, since the defendant does not demonstrate that its interest outweighs the interests and fundamental rights of the data subjects, so that the processing cannot fall under Article 6.1.f) GDPR, and is unlawful due to the lack of a valid legal basis:

a. 83.2.c) GDPR – the measures taken by the controller or processor to mitigate the damage suffered by data subjects: Not applicable.

b. 83.2.d) GDPR – the extent to which the controller or processor is responsible in view of the technical and organisational measures it has implemented in accordance with Articles 25 and 32: Not applicable.

c. 83.2.e) GDPR – previous relevant infringements by the controller or processor: The Dispute Chamber takes into account the fact that the defendant has not been found guilty of previous infringements of the GDPR. This factor can therefore be considered neutral.

d. 83.2.f) GDPR – the extent to which there has been cooperation with the supervisory authority to remedy the infringement and to limit the possible negative consequences thereof: The Dispute Chamber notes that the defendant has been cooperative towards it. In accordance with the EDPB guidelines, the Litigation Chamber considers the ordinary duty of cooperation as neutral in view of the general duty of cooperation under Article 31 GDPR.

e. 83.2.h) GDPR – the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or processor notified the breach: Not applicable.

f. 83.2.i) GDPR – compliance with the measures referred to in Article 58(2), insofar as they have been taken previously in relation to the controller or processor concerned in relation to the same matter: Not applicable.

g. 83.2.j) GDPR – adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42: Not applicable.

h. 83.2.k) GDPR – any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial profits made, or losses avoided, directly or indirectly resulting from the infringement: The defendant made financial profits over a period of several years by processing personal data without a valid legal basis, which is considered an aggravating circumstance.

ii. Regarding the infringement of Articles 12.1, 14.1, 14.2, 5.2, 24.1 and Article 25.1 GDPR, because the defendant did not proactively inform the data subjects within the legally required period, and because the information she provided via her privacy statement was incomplete and incorrect:

a. 83.2.c) GDPR – the measures taken by the controller or processor to limit the damage suffered by data subjects: The Dispute Chamber notes that the defendant has amended her privacy statement. However, she has not received any indication that the defendant also proactively provides the data subjects with information. This factor is considered neutral.

b. 83.2.d) GDPR – the extent to which the controller or processor is responsible in view of the technical and organisational measures implemented by it in accordance with Articles 25 and 32: Not applicable.

c. 83.2.e) GDPR – previous relevant breaches by the controller or processor: See above.

d. 83.2.f) GDPR – the extent of cooperation with the supervisory authority to remedy the breach and mitigate its possible adverse effects: See above.

e. 83.2.h) GDPR – the manner in which the supervisory authority became aware of the breach, in particular whether, and if so to what extent, the controller or processor notified the breach: Not applicable.

f. 83.2.i) GDPR – compliance with the measures referred to in Article 58(2) in so far as they have been taken previously in respect of the controller or processor in question in relation to the same matter: Not applicable.

g. 83.2.j) GDPR – adherence to approved codes of conduct pursuant to Article 40 or to approved certification mechanisms pursuant to Article 42: Not applicable.

h. 83.2.k) GDPR – any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial profits made or losses avoided, directly or indirectly resulting from the breach: Not applicable in relation to this breach.

iii. Regarding the infringement of Articles 15.1.c), 15.1.d) and 15.1.g) GDPR, since the defendant did not provide the complainant with all available information on the specific recipients, sources and storage period of the personal data in the response to his request for access:

a. 83.2.c) GDPR – the measures taken by the controller or processor to mitigate the damage suffered by data subjects: Not applicable.

b. 83.2.d) GDPR – the extent to which the controller or processor is responsible in view of the technical and organisational measures it has implemented in accordance with Articles 25 and 32: Not applicable.

c. 83.2.e) GDPR – previous relevant infringements by the controller or processor: See above.

d. 83.2.f) GDPR – the extent of cooperation with the supervisory authority in remedying the breach and mitigating its possible adverse effects: See above.

e. 83.2.h) GDPR – the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or processor notified the breach: Not applicable.

f. 83.2.i) GDPR – compliance with the measures referred to in Article 58(2) in so far as they have been taken previously in relation to the controller or processor in question in relation to the same matter: Not applicable.

g. 83.2.j) GDPR – adherence to approved codes of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42: Not applicable.

h. 83.2.k) GDPR – any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial profits made, or losses avoided, resulting directly or indirectly from the infringement: Not applicable to this infringement.

113. The Litigation Chamber finds that the defendant made financial profits over a period of several years by processing personal data without a valid legal basis, which is considered an aggravating circumstance with regard to the infringement of Articles 5.1.a), 6.1 and 5.2 GDPR. Consequently, it decides to increase the fine for this infringement by EUR 2,000 to EUR 8,000.

114. In her response to the penalty form, Y states that the fact that the data in question are mainly data related to companies should be taken into account when considering the pursuit of financial profit as an aggravating circumstance. The Dispute Chamber rules that the mere fact that personal data also concern companies does not detract from the fact that making financial profit is an aggravating circumstance in the unlawful processing of personal data.

IV.2.6. Alignment with maximum amounts

115. The maximum amounts for the fines in the present case have already been calculated above. As a reminder:

i. For the infringement of Articles 5.1.a), 6.1 and 5.2 GDPR, the heaviest administrative fine pursuant to Article 83.5.a) GDPR shall be up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher;

ii. For the infringement of Articles 12.1, 14.1, 14.2, 5.2, 24.1 as well as Article 25.1 GDPR, the heaviest administrative fine pursuant to Article 83.5.b) GDPR shall be up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher;

iii. For the infringement of Articles 15.1.c), 15.1.d) and 15.1.g) GDPR, the most serious administrative fine pursuant to Article 83.5.b) GDPR shall amount to up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher.

116. At the time of sending the penalty form dated 19 February 2025, the Dispute Chamber does not yet have the turnover figures for the year 2024 and therefore takes into account the turnover figures for 2023. Since the turnover figures were not included in the defendant's annual accounts for 2023, the Dispute Chamber must use the gross margin for 2023 as included in the annual accounts as an alternative. This gross margin amounts to EUR 52,404.
The defendant is invited to submit the turnover figures for the financial year 2023 to the Dispute Resolution Chamber.

117. Based on the foregoing, the Dispute Resolution Chamber finds that 4% of the total worldwide annual turnover in the preceding financial year amounts to EUR 2,096.16, which is less than EUR 20,000,000. Thus, the maximum administrative fine pursuant to Article 83.5.b) GDPR amounts to EUR 20,000,000 for each of the three infringements established.

118. In accordance with Article 83.3 GDPR, the total fine may not exceed that for the most serious infringement. In the present case, the Dispute Resolution Chamber intends to impose the following fines:

i. Concerning the infringement of Articles 5.1.a), 6.1 and 5.2 GDPR: EUR 8,000;

ii. Concerning the infringement of Articles 12.1, 14.1, 14.2, 5.2, 24.1 and also Article 25.1 GDPR: EUR 6,000;

iii. Concerning the infringement of Articles 15.1.c), 15.1.d) and 15.1.g) GDPR: EUR 6,000.

119. The total fine is therefore EUR 20,000, which is well below the maximum fine of EUR 20,000,000.

IV.2.7. Effectiveness, proportionality and deterrent effect

Effectiveness

120. Recital 148 of the GDPR emphasises that administrative fines should be imposed "[i]n order to ensure more vigorous enforcement of the rules of this Regulation". The fine imposed should therefore be high enough to achieve this objective.

121. The Litigation Chamber considers that the fines of EUR 8,000, 6,000 and 6,000 are suitable for vigorously enforcing the fundamental principles that have been infringed.

Proportionality

122. The principle of proportionality means that the amounts of the fines must not be disproportionate to the objectives pursued and that the fine imposed must be proportionate to the infringement, viewed as a whole, taking into account in particular its seriousness.

123. In the present case, the three infringements in question were assessed as being of medium gravity.
In accordance with paragraph 60 of the EDPB Guidelines, the Litigation Chamber should, in the case of infringements of medium gravity, set the starting amount for the further calculation at a point between 10 and 20% of the applicable statutory maximum amount. The Litigation Chamber notes that the defendant made a financial profit from processing personal data without a legal basis, without proactively providing information and without complying with the right of access, which should be strongly discouraged. Therefore, the Litigation Chamber set the starting amounts for the further calculation at 15% of the statutory maximum amount included in Article 83.5 GDPR.

124. However, the Litigation Chamber also takes into account the defendant's turnover, which means that it used only 0.2% of the starting amounts for the calculation of the fines (see above). In addition, the Litigation Chamber invited the defendant to provide information if it considers that the fines in question would irrevocably jeopardise its viability. However, the defendant does not provide any material evidence that could confirm this.

[57] EDPB – Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), par. 60

Deterrent effect

125. When imposing a fine, the Litigation Chamber takes into account both the specific and the general deterrent effect. A fine is deterrent if it deters an individual from infringing the objectives and arrangements set out in EU law.

126. The deterrent effect of the fine must have two dimensions. It must deter the person on whom the fine is imposed from repeating the infringement in the future, but it must also deter other persons from repeating the infringing conduct of the first person.

127. Several factors determine the deterrent effect of a fine: the nature and amount of the fine and the likelihood of it being imposed are decisive in this respect.
A fine must be high enough to have a significant financial impact on the undertaking committing the infringement, while the fine must be proportionate to the gravity of the infringement. In other words, the criterion of deterrence overlaps with that of effectiveness.

128. In the present case, the total amount of the fine is reduced to EUR 20,000. However, this amount remains sufficiently deterrent to prevent the defendant from repeating its infringement of the rules of the GDPR. Moreover, it is also intended to deter other undertakings from committing similar infringements. This fine, which is proportionate to the seriousness of the infringement and takes into account the turnover of the defendant, is intended to have both a specific and a general deterrent effect.

Response from Y:

129. Y was given the opportunity to respond to the proposed fines. It did so on 13 March 2025.

130. First of all, Y states that there are special circumstances. First, the infringements, according to it, take into account to a very limited extent the context in which it conducts its business. She specifically states that it appears that all data are placed under the same heading of personal data, while a large part of the data processed by Y should not be qualified as such. In this way, a more serious infringement would be assumed than would actually be present. The Dispute Chamber rules that this concern is not pertinent because it has indeed made an analysis of the nature of the data that Y processes (see section III.1.1. Qualification of the data). Furthermore, Y states that the fact that the data concern companies should be reflected in the calculation of the fine. The Dispute Chamber rules that the mere fact that personal data also concern companies cannot be a mitigating circumstance.

131. Furthermore, Y states that it has taken measures to ensure that data are processed correctly.
In particular, it has concluded contractual guarantees, has limited the amount of data made available to its customers, and has updated and deleted the data. The Dispute Chamber takes note of these measures, but finds that they form part of the legal obligations to which Y is bound and that they do not in any way constitute "special circumstances". Compliance with legal obligations is, as previously stated with reference to EDPB guidelines, a neutral circumstance.

132. Furthermore, Y considers that the total administrative fine would be disproportionate in light of Articles 83.1 and 83.2 of the GDPR. She substantiates this point by referring to decision 07/2024 of 16 January 2024 of the Dispute Chamber, in which the Dispute Chamber imposed administrative fines on Z6. According to Y, the sanction imposed on Y would be considerably heavier in relation to the sanction imposed on Z6. The Dispute Chamber finds that these two separate files are different and cannot be compared. This was confirmed by the interim relief judge in order 2025/25/C, in which the president of the court found that the situation of other companies, and specifically Z6, is not comparable to that of Y.

133. Furthermore, Y states that the proposed infringements have a very limited actual impact on the rights of the data subjects. These data would concern companies and would be publicly available. Regarding the last claim, that the data would be publicly available, the Dispute Chamber concludes that this was not demonstrated by the defendant. Y explicitly stated that the source of the data was not the KBO and does not provide any other evidence of the fact that the data would always be publicly available. Regarding the actual impact on data subjects, the Dispute Chamber recalls that the processing concerns a large number of data subjects. Furthermore, the Dispute Chamber recalls that these data subjects did not receive any information from Y regarding the processing of their data.
They are therefore in a situation in which their personal data are repeatedly traded unlawfully and without their knowledge. This may give rise to the feeling that they are losing control over their data, and affects the core of the right to data protection.

134. In conclusion, the Dispute Chamber finds that Y does not adduce any new elements in its response to the sanction form on the basis of which the administrative fines should be adjusted.

IV.2.8. Decision

135. In view of the foregoing assessment of the relevant documents and the circumstances specific to this case, the Dispute Chamber considers it appropriate to impose an administrative fine of EUR 8,000 on the defendant on the basis of Article 83.2 GDPR, Article 100, §1, 13° and Article 101 WOG as a result of the infringement of the principle of legality (Articles 5.1.a), 6.1 and 5.2 GDPR).

136. In view of the foregoing assessment of the relevant documents as well as the circumstances specific to this case, the Dispute Chamber considers it appropriate to impose an administrative fine of EUR 6,000 on the defendant on the basis of Article 83.2 GDPR, Article 100, §1, 13° and Article 101 WOG as a result of the infringement of the information and transparency obligations (Articles 12.1, 14.1, 14.2, 5.2, 24.1 and Article 25.1 GDPR) when processing personal data.

137. In view of the foregoing assessment of the relevant documents as well as the circumstances specific to this case, the Dispute Chamber considers it appropriate to impose an administrative fine of EUR 6,000 on the defendant on the basis of Article 83.2 GDPR, Article 100, §1, 13° and Article 101 WOG in the event of a breach of the information and transparency obligations (Articles 12.1, 14.1, 14.2, 5.2, 24.1 and Article 25.1 GDPR) when processing personal data.

V. Provisional enforceability

138. In her response to the penalty form, Y requested that the provisional enforceability of the penalties be suspended.

139. Regarding the order based on Article 100, § 1, 10° of the WOG (the order to delete personal data for which Y cannot demonstrate that it has a valid legal basis for processing them), the Litigation Chamber recalls that this is not provisionally enforceable on the basis of Art. 108, § 1, WOG.

140. Regarding the other decisions based on Article 100 WOG, the Litigation Chamber refuses the requests for suspension of provisional enforceability for the following reasons.

141. Firstly, provisional enforceability is the standard situation for the national legislator. The European legislator has granted powers to take measures to the authority: it is therefore the authority that decides which (corrective) measure is most appropriate to implement or, where necessary, to impose on the defendant.

[58] Judgment of the Court of Justice of 7 December 2023, UF and AB v. Land Hessen (Schufa), joined cases C-26/22 and C-64/22, ECLI:EU:C:2023:958, specifically §68. This of course concerns the initial judgment on such measures, and does not concern the issue of full jurisdiction in the event that an injunction is instituted.

142. The fact that an injunction is possible before a judicial body after any decision has been taken on the matter does not affect the powers of the authority. In light of the separation of powers, the judiciary must assess a posteriori whether the supervisory authority has acted within the legal framework and its discretionary powers. When the court exercises its own power to suspend enforceability, this is a decision that falls within its discretion.

143. In light of the credibility of the powers granted to the authority by the European and national legislators, it cannot be the default situation that the enforceability of the decisions and measures taken by an authority is suspended as soon as a party requests this.
If this were the default situation, it would undermine the entire intention of the legislator to be able to act decisively and effectively in a digitalised society. This does not fit in with the teleological design of the powers granted to the authority under the GDPR.

144. In this sense, it is therefore indeed the intention, both of the European and of the Belgian legislator, that a party in respect of which the Litigation Chamber takes measures should comply with the provisions of the decision of the authority without undue delay. Once again, the Dispute Chamber points out that this does not mean that suspension is not possible, but only if there are serious grounds for doing so.

145. Secondly, where provisional enforceability is not suspended and the decision would subsequently still be deemed defective, legal redress is in any case possible, since the judgments of the Market Court constitute the final substantive judgment in the cases concerned. In the present case, there is no indication that such legal redress would be difficult or impossible.

VI. Publication of the decision

146. In Order 2025/25/C, the President of the Court ruled that the discussion in the present file appears to have a broader impact and also appears to affect the rights and interests of third parties. Moreover, the inspection report shows that the defendant processes a large amount of data. Given the importance of transparency with regard to the decision-making of the Dispute Chamber, the general interest and the rights of third parties, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties to be published directly.
- A legitimate interest assessment (informally referred to as LIA) is a document that details the controller's assessment of its legitimate interest, especially with regard to the balancing between its legitimate interest and the rights and freedoms of data subjects. Documenting this assessment in written form is not mandatory but many controllers do so as a matter of good practice, in order to comply with the principle of accountability (Article 5(2) GDPR).
- CJEU, case C-154/21 - Österreichische Post, 12 January 2023, margin numbers 39, 43 and 48.
- EDPB, 'Guidelines 01/2022 on data subjects' rights - Right of access', 28 March 2023 (Version 2.0), margins 116-117.
- WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, pp. 43-44.