APD/GBA (Belgium) - 91/2025
APD/GBA - 91/2025 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(1) GDPR Article 13 GDPR Article 17 GDPR Article 30(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 05.06.2025 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 91/2025 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | APD (in NL) |
Initial Contributor: | Le |
The DPA reprimanded a daycare center and its debt collection agency for unlawfully processing incorrect information about outstanding debt and failure to delete incorrect information.
English Summary
Facts
The data subject was a customer of a group of daycare centers in Belgium (the Company). The Company entered into an agreement with a debt collection agency (the Agency) to recover outstanding debts. The Company and the Agency are controllers of personal data.
In 2016, the Company sent to the data subject an invoice that remained unpaid, and then transferred it to the Agency.
In February 2017, the Agency addressed the data subject to demand the payment of the outstanding invoice. The data subject responded that the Company’s claim was unfounded and therefore the Agency had no legal basis to further process his data.
In June 2018, the Company acknowledged that an invoicing error is at the origin of the claim, waived the outstanding amount and informed the Agency accordingly. The data subject requested the erasure of his personal data. Then, the Agency informed the data subject that it had removed all of their data from its database.
Nevertheless, the Agency pseudonymised the personal data rather than erasing them.
In September 2018, the Agency sent 2 new payment requests to the data subject for the payment of the outstanding invoice. According to the Agency, the requests were sent accidentally because of a technical and a human error in the deletion process.
In October 2018, the data subject filed a complaint with the DPA (Autorité de protection des données-APD/Gegevensbeschermingsautoriteit-GBA).
In November 2018, the DPA initiated investigations on the matter against both controllers.
Holding
For the Company:
First, the DPA noted that the Company’s privacy notice did not provide information about the processing activity in the context of the collection of unpaid invoices and that information on debt collection agencies was missing from the categories of recipients. The DPA held that it could not be assumed that data subjects already had the information in question. Based on the foregoing, the DPA found that the Company violated Article 12(1) and Article 13 GDPR.
Second, the DPA found that the Company did not include information about the processing of personal data in the context of the collection of unpaid invoices in its register of processing activities, in violation of Article 30(1) GDPR. The DPA rejected their claim that they used a model registry from a third party that they assumed met all legal requirements. It highlighted that they cannot escape from responsibility because controllers are themselves responsible for implementing appropriate technical and organisational measures to ensure and be able to demonstrate that processing is carried out lawfully (Article 5(2) and Article 24(1) GDPR).
The DPA issued a reprimand for the violation of Article 12(1), Article 13 and Article 30(1) GDPR.
For the Agency:
The DPA argued that since the Company instructed the Agency to stop the collection procedure, the personal data were no longer needed for the purposes for which they were processed.
The DPA ruled that the Agency violated Article 17 GDPR by, first, failing to completely erase the data, and, second, merely pseudonymising them instead of erasing them.
The DPA reprimanded the Agency for the violation of Article 17 GDPR and ordered them to comply with the data subject's request to exercise his right of data erasure by completely deleting his data.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dispute resolution
Decision on the merits 91/2025 of 5 June 2025
File number: DOS-2018-05915
Subject: Information and transparency obligations, the right to erasure and the position of DPO
The Dispute Resolution of the Data Protection Authority;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter "WOG";
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
Having regard to the documents in the file;
Has taken the following decision regarding:
Complainant: X, hereinafter referred to as “the complainant”
Respondent 1: Y1, represented by Master Liesbeth Weynants, hereinafter referred to as “Respondent 1”
Respondent 2: Y2, represented by Master Gerrit Vandendriessche and Master Jan Clinck, hereinafter referred to as “Respondent 2”
I. Facts and procedure
1. The complainant was a client of Respondent 1, a group of day-care centres in Flanders and Brussels. In 2015, Respondent 1, as a member of Z (“…”), entered into an agreement with Respondent 2 for the collection of outstanding debts. Respondent 2 is a debt collection agency and carries out processing activities as described in the Act of 20 December 2002 on the amicable collection of consumer debts, hereinafter the “debt collection act”, and the Royal Decree of 17 February 2005 regulating the registration of persons carrying out an activity of amicable debt collection and the guarantees that these persons must have.
In 2016, Respondent 1 sends an invoice to the complainant that remains unpaid and is then transferred to Respondent 2. On 14 February 2017, Respondent 2 sends a reminder to the complainant to pay an outstanding invoice from Respondent 1. The complainant responds on 11 December 2017 that the claim of Respondent 1 is unfounded, and that Respondent 2 therefore has no legal basis to further process his data. In 2017 and 2018, correspondence follows between the complainant and Respondent 2 concerning the invoice, the dispute thereof and the processing of personal data. The complainant requests the deletion of his personal data. Respondent 1 acknowledges that an invoicing error is the origin of the claim and waives the outstanding amount. On 12 June 2018, Respondent 2 informs the complainant that, after receiving information from Respondent 1, it has come to the conclusion that Respondent 1 had provided incorrect information. Respondent 2 apologizes and indicates that it will cease all further collection steps. On 18 June 2018, the complainant repeats his request to erase his data. On 25 June 2018, Respondent 2 informs the complainant that it has deleted all of the complainant's data from its database.
On 14 September 2018 and 22 September 2018, Respondent 2 sends new payment requests to the complainant for payment of the outstanding debt to Respondent 1. According to Respondent 2, these letters are sent by mistake due to a technical and human error in erasing the data. On the one hand, a technical error occurred in the deletion process when removing the complainant's data, which meant that an earlier written order for collection from Respondent 1 was not deleted. Because Respondent 2 could not link that order to an earlier or current file, a new collection file was opened for this purpose, and the new payment requests were sent to the complainant.
Footnote 1: Law of 20 December 2002 on the amicable collection of consumer debts.
Footnote 2: Royal Decree of 17 February 2005 regulating the registration of persons who carry out an activity of amicable debt collection and the guarantees that these persons must have.
2. On 17 October 2018, the complainant lodges a complaint with the Data Protection Authority against Defendant 2.
3. On 8 November 2018, the complaint is declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is transferred to the Dispute Resolution Chamber on the basis of Article 62, § 1 WOG.
4. On 27 November 2018, the Dispute Resolution Chamber decides on the basis of Article 63, 2° and 94, 1° WOG to request an investigation from the Inspection Service.
5. On 27 November 2018, in accordance with Article 96, § 1 WOG, the request of the Dispute Resolution Chamber to conduct an investigation is transferred to the Inspection Service, together with the complaint and the inventory of the documents.
6. On 5 May 2021, the investigation by the Inspection Service is completed, the report is added to the file and the file is transferred by the Inspector-General to the Chairman of the Dispute Resolution Chamber (Article 91, § 1 and § 2 WOG).
7. On 14 February 2022, the Dispute Resolution Chamber decides, on the basis of Article 95, § 1, 1° and Article 98 WOG, that the file is ready for consideration on the merits.
8. On 14 February 2022, the parties involved are notified by registered mail of the provisions as stated in Article 95, § 2, as well as those in Article 98 WOG. They are also notified, on the basis of Article 99 WOG, of the deadlines for submitting their defences.
9. On 28 February 2022, Respondent 2 files a reasoned objection with a request to change the procedural language to Dutch.
10. On 18 March 2022, the Dispute Chamber informs the parties that the procedural language is Dutch, and that the parties may express themselves in French or Dutch in the context of the proceedings before the Dispute Chamber, both in writing in their conclusions and orally during a possible hearing. It changes the deadlines in the conclusions calendar.
11. On 23 December 2024, the parties are informed that the hearing will take place on 24 March 2025.
12. On 24 March 2025, the parties are heard by the Dispute Chamber.
13. On 17 April 2025, the minutes of the hearing are submitted to the parties.
14. On 23 April 2025, the Dispute Chamber received some comments from Respondent 2 regarding the report, which it decided to include in its deliberations.
II. Reasoning Regarding Respondent 1
II.1. Preliminary considerations
15. First, Respondent 1 states that the facts date from before the entry into force of the GDPR, WOG and WVP. As a result, the GDPR would not apply.
16. The Dispute Chamber notes that Respondent 1 regards the conclusion of the agreement between Respondent 1 and Respondent 2, and the order for collection as the relevant facts. These took place on 7 September 2015 and 14 February 2017 respectively. Since the GDPR became applicable on 25 May 2018, it is indeed not applicable to these facts. However, the Dispute Chamber notes that the Inspection Service consulted the complainant's website on 20 April 2020 and 27 April 2021 to establish the first infringement (see section II.2 of this decision) and received and consulted the register of processing activities on 7 May 2020 to establish the second infringement (see section II.3 of this decision). These infringements postdate the application of the GDPR, on the basis of which the Dispute Chamber concludes that the GDPR applies to these two alleged infringements.
17. Secondly, Respondent 1 claims that the Inspection Service has unlawfully extended its authorisation to investigate. According to Respondent 1, the findings of the Inspection Service would be the result of investigations that go beyond the complaint. The Dispute Chamber notes that the complainant himself also states in his conclusions that his complaint did not relate to Respondent 1, but was only directed against Respondent 2.
18. In this regard, the Dispute Chamber refers to judgment 2022/AR/723 of 14 June 2023 of the Market Court, which ruled that companies must be aware that a single incident can give rise to a comprehensive inspection and substantial control of the GDPR compliance of a company or organisation, which in turn can lead to sanctions for non-compliance with certain GDPR obligations, which were not the initial impetus for the inspection. In this case, the Inspection Service determined that Respondent 1 had to be identified as the controller for the processing that led to the data exchange on which the further processing in the context of debt collection was based. The Dispute Chamber rules in light of judgment 2022/AR/723 of the Market Court that Respondent 1 has not demonstrated that the Inspection Service would have exceeded the discretionary margin of its authority. The Dispute Chamber emphasises that the investigative powers of the Inspection Service (Articles 64 up to and including 90 WOG) are not limited to a mere determination of the accuracy of the content of the complaint. The investigative powers must serve to investigate compliance with the provisions on personal data protection. For this reason, the investigation must also at the very least be able to address elements that are accessory to the subject of the complaint.
Footnote 3: Available here: https://www.gegevensbeschermingsautoriteit.be/publications/arrest-van-14-juni-2023-van-het-marktenhof-ar-723.pdf
II.2. Regarding the infringement of Articles 12.1, 13 and 14 GDPR by Respondent 1
19. The Inspectorate notes that Respondent 1's privacy statement did not provide any information about the processing activity in the context of the collection of unpaid invoices. It also noted that information about debt collection agencies was missing in the categories of recipients. Based on the foregoing, the Inspectorate notes that Respondent 1 has violated Articles 12.1, 13 and 14 GDPR.
20. First of all, Respondent 1 states that it assumed that the data subjects already had the information in accordance with Article 13 GDPR. However, this assertion is not substantiated by evidence. Respondent 1 also states that it adjusted its privacy statement on its website after the email from the Inspectorate. In the meantime, it would comply with the obligations in Articles 12.1, 13 and 14 GDPR by providing the necessary information regarding the processing of personal data, including clearly the transfer of data to debt collection agencies.
21. Since Respondent 1 does not submit evidence that would show that it could legitimately assume that the data subjects already had the relevant information at their disposal, the Dispute Chamber rules that this information had to be provided to the data subjects on the basis of Articles 12.1 and 13 GDPR. Since Respondent 1 did not do this, the Dispute Chamber rules that Respondent 1 has infringed Articles 12.1 and 13 GDPR.
22. Article 14 GDPR obliges the controller to provide certain information to the data subject when the personal data have not been obtained from the data subject. In the present case, there is no reason to show that Respondent 1 collected personal data that were not obtained from the data subjects. The Dispute Chamber therefore decides to dismiss this part of the file on the basis of Article 100, § 1, 1° WOG.
II.3. Regarding the infringement of Article 30 GDPR by Respondent 1
23. The Inspection Service found that Respondent 1 did not include information in its register of processing activities about the processing of personal data in the context of the collection of unpaid invoices. Furthermore, the Inspection Service finds that Respondent 1 did not include the name and contact details of the controller and the data protection officer in its register of processing activities. As a result, the Inspection Service finds that Respondent 1 has violated Article 30.1 of the GDPR due to the incomplete register of processing activities.
24. Respondent 1 firstly states that it created the register using a model that it received from Kind & Gezin, and that it could assume in good faith that this model met all legal requirements. Secondly, it states that it has already made the necessary adjustments. Its register now clearly states the “collections of unpaid invoices” and also specifies the purpose thereof, the data subjects, the source of the data, the data, the recipient of the data, the legal basis, and the storage at Respondent 2 on the client web platform.
25. The Dispute Resolution Chamber recalls that, under Articles 5.2 of the GDPR and 24.1 of the GDPR, controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that processing is carried out in accordance with this Regulation. Respondent 1 cannot rely on a model that it would have received from a third party to escape this responsibility. The Dispute Resolution Chamber finds that Respondent 1 infringed Article 30 of the GDPR.
III. Reasons concerning Respondent 2
III.1. Preliminary observations
26. First, Respondent 2 claims that the DPA did not act as a fully independent supervisory authority within the meaning of Article 52.1 of the GDPR. The file would have been handled by the Dispute Resolution Chamber and examined by the Inspection Service before the members of these bodies were appointed by the House of Representatives. Furthermore, Respondent 2 states that the Inspectors General who acted in the case were not sufficiently independent. As a result, Respondent 2 states that the complaint should be dismissed. However, Respondent 2 does not make it concretely plausible anywhere that the GBA did not act as a fully independent supervisory authority, or that the Inspectors General who acted in the case were not sufficiently independent. Respondent 2 does not provide any concrete, factual elements that would show that the members and Inspectors General did not act independently. The Dispute Chamber therefore decides to reject this argument.
27. Secondly, Respondent 2 states that it cannot be charged with infringements that were not the subject of the complaint. According to Respondent 2, the Inspectorate could not lawfully extend the scope of its investigation and had to limit itself to the scope of the complaint and the mandate given to it by the Dispute Chamber. In this regard, the Dispute Chamber refers to section II.1 of this decision.
III.2. Regarding the infringements within the scope of the complaint (Articles 5.1.a) GDPR, 12, 17 and 25 GDPR)
28. The Dispute Chamber notes that findings 3 and 4 of the Inspectorate share the same factual basis. In order to promote the efficiency and unity of the assessment, these points will be dealt with jointly.
29. Respondent 2 received incorrect information about the complainant from Respondent 1, which, it claims, led to an unjustified collection procedure being initiated. Following communication about this, the complainant submitted a request to Respondent 2 on 11 December (before the entry into force of the GDPR) and again on 18 June 2018 to erase his personal data.
30. Article 17.1 GDPR grants the data subject the right to erasure of personal data, and obliges the controller to erase such personal data without undue delay, where one of the following applies:
“a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
[…]
d) the personal data have been unlawfully processed;
[…]”
31. The Inspectorate stated that, since Respondent 1 instructed Respondent 2 to discontinue the collection procedure, the personal data were no longer necessary for the purposes for which they were processed. Thus, the complainant had a right to erasure based on Article 17, paragraph 1.a) of the GDPR. The Dispute Chamber qualifies this position. The complainant's personal data were passed on to Respondent 2 on the basis of incorrect information. Thus, from the start of the data processing, there was no valid legal basis, and the complainant's right to erasure derives from Article 17, paragraph 1.d).
32. Respondent 2 informed the complainant on 25 June 2018 that his personal data would be erased. However, one e-mail was saved due to a technical error, which later led to a second collection file being created and a new payment order being sent to the complainant.
33. Failure to erase all personal data constitutes a violation of Article 17 GDPR.
34. Respondent 2 argues in its conclusions that the failure to delete one e-mail cannot be blamed on it. The Dispute Chamber reminds the court that the storage of an e-mail constitutes processing, and that, in accordance with Article 24.1 of the GDPR, controllers must take appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR. Failure to take appropriate technical and organizational measures to ensure complete deletion is therefore attributable to the controller.
35. In view of the foregoing, the Dispute Chamber finds that Respondent 2 has infringed Article 17 of the GDPR by failing to delete all of the complainant's personal data.
36. After the initial error, which led to the incorrect restart of the collection procedure, Respondent 2 decided to pseudonymise the personal data instead of erasing it. During the hearing on 24 March 2025, the Dispute Chamber asked Respondent 2 whether this is a general policy of Respondent 2, namely whether data is pseudonymised instead of erased. Respondent 2's DPO replied that Respondent 2 erases data when it has been wrongly passed on by the client, for example because the payment had already been made. When a data subject requests data erasure, Respondent 2 pseudonymises the data instead of erasing it completely. This means that some of the personal data is deleted, while certain data is retained.
37. The Dispute Chamber recalls that pseudonymised data always remain personal data within the meaning of Article 4.1 of the GDPR (see also Article 4.5 GDPR). By pseudonymising personal data instead of erasing it after a request based on Article 17 GDPR, Respondent 2 refuses to comply with the right to erasure. Unless an exception in Article 17.3 GDPR can be invoked, which is not invoked in the present case, the refusal to erase personal data constitutes a breach of Article 17 GDPR.
38. The Dispute Chamber finds that Respondent 2 infringed Article 17 GDPR by firstly not completely erasing the data, and secondly by pseudonymising it instead of erasing it.
III.3. Regarding the breach outside the scope of the complaint (Article 38.6 GDPR)
39. Article 38.6 GDPR provides that the Data Protection Officer (hereinafter: DPO) may fulfil other tasks and duties. The controller is obliged to ensure that these tasks or duties do not lead to a conflict of interest.
40. In its investigation report, the Inspectorate established a “possible conflict of interest” due to the combination of the role of DPO with the role of Compliance Officer. It established that Respondent 2 had not provided for measures to prevent conflicts of interest.
41. Respondent 2 states in its conclusions that the Inspectorate only writes in a conditional manner, and nowhere specifically demonstrates that there is an actual conflict of interest. Furthermore, it states that it had taken measures to avoid conflicts of interest, and that since 14 May 2021 it has had an external DPO, who also appeared before the Disputes Chamber during the hearing. This external DPO does not combine the role of DPO with the function of compliance officer.
42. In view of the measures taken by Respondent 2 following the investigation by the Inspection Service, the Dispute Chamber finds that this element of the file does not require further processing. Taking into account the efficient and effective performance of its duties, the Dispute Chamber decides, on the basis of Article 100, § 1, 6° WOG, to dismiss this file insofar as it relates to a possible infringement by Respondent 2 of Article 38, paragraph 6, of the GDPR.
IV. Measures
43. Under Article 100 of the WOG, the Dispute Chamber has the power to:
1° dismiss a complaint;
2° order that no prosecution be instituted;
3° order a suspension of the judgment;
4° propose a settlement;
5° issue warnings and reprimands;
6° to order that the data subject’s requests to exercise his/her rights be complied with;
7° to order that the data subject be informed of the security problem;
8° to order that the processing be temporarily or definitively frozen, restricted or prohibited;
9° to order that the processing be brought into line;
10° to order the rectification, restriction or erasure of data and the notification thereof to the recipients of the data;
11° to order the withdrawal of the recognition of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° to order the suspension of cross-border data flows to another State or an international institution;
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the action taken on the file;
16° to decide, on a case-by-case basis, to publish its decisions on the website of the Data Protection Authority.
IV.1. Measures concerning Respondent 1
44. The Dispute Chamber ruled that Respondent 1 infringed Articles 12.1, 13 GDPR by not providing sufficient information to data subjects. Furthermore, the Dispute Chamber ruled that Respondent 1 infringed Article 30 GDPR because its register of processing activities was incomplete.
45. The Dispute Chamber takes into account the mitigating circumstances cited by the Inspection Service in the investigation report, and in particular the measures taken by Respondent 1 to stop these infringements. As a result, it is not considering imposing an administrative fine.
46. The Dispute Chamber decides to formulate a reprimand on the basis of Article 100, § 1, 5° WOG for the infringement of Articles 12.1, 13 and 30 GDPR.
IV.2. Measure concerning Respondent 2
47. The Dispute Chamber ruled that Respondent 2 infringed Article 17 GDPR by firstly not completely erasing the data, and secondly by only pseudonymising instead of erasing it.
48. The Dispute Chamber decides on the basis of Article 100, § 1, 6° WOG to order Respondent 2 to comply with the data subject's request to exercise his right to erasure by completely erasing his data.
49. Furthermore, the Dispute Chamber decides to formulate a reprimand on the basis of Article 100, § 1, 5° WOG for the infringement of Article 17 GDPR.
(Signed) Hielke HIJMANS
Director of the Dispute Chamber