APD/GBA - 04/2021
|APD/GBA - 04/2021|
|Relevant Law:||Article 5(1) GDPR|
Article 6 GDPR
Article 7 GDPR
Article 13 GDPR
Article 24 GDPR
Article 25 GDPR
Article 28 GDPR
National Service for the Promotion of Childcare products (Defendant)
|National Case Number/Name:||04/2021|
|European Case Law Identifier:||n/a|
|Original Source:||APD/GBA (in NL)|
|Initial Contributor:||Mathieu Desmet|
The Belgian DPA (APD/GBA) issued a fine of €50,000 against a private company for collecting personal data from its target audience (pregnant mothers) without valid consent. Personal data collected was then transferred to this company's network of partners which processed the data for direct marketing purposes and sold it to other third parties in breach of the GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The defendant is a marketing company that distributes "pink boxes" which targets pregnant mothers that include samples, special offers and information sheets for future parents.
The offers and samples contained in the "pink boxes" where made available by the network of partners of the defendant.
As to the data processed, the personal data of (future) mothers collected by the defendant included: the mother's name, mother's first name, date of birth of the baby, sex of the baby, name of the baby, e-mail address, street and house number, zip code and city.
This personal data was then transferred by the defendant to third parties (so-called "structural partners") in exchange for the aforementioned offers and samples.
These partners where in fact data brokers which processed the data for marketing campaigns and sold it to other third parties.
The complainant filled in a registration form with the defendant - when she received a pink box from - and authorized the processing her personal data. She was not informed clearly of the processing and possible subsequent processings (with regards to the defendant's network of partners).
The complainant subsequently decided to withdraw her consent as she no longer desired to be contacted by third parties concerning promotions for childcare products.
However, even after having exercised her right, the complainant still received unwanted phone calls from partners of the defendant in connection with certain promotions.
The complainant then lodged a complaint with the Belgian data protection authority alleging the defendant transferred personal data to third parties, including data brokers, without valid consent on the part of the customer, and without the provision of sufficient information.
Dispute[edit | edit source]
The discussion mainly mainly revolved around the (lack of) information given by the defendant about the sale and processing of personal data by its the network of partners as well as the scope and validity of the consent given by consumers to the processing(s).
Holding[edit | edit source]
The Inspection Service and the Litigation Chamber of the Belgian DPA held that:
1) Lack of information and transparency about the processing(s)
The defendant had breached article 5, paragraph 1, a) of the GDPR as well as article 13 (lack of transparency) as the defendant was renting and/or selling personal data for commercial purposes via its partners without informing the consumers about these processings in a clear and comprehensible manner.
An aggravating factor is the fact that the pink boxes were distributed via gynecologists and hospitals combined with the company name of the defendant, which could have led clients to believe that the initiative came from the public sector, and not from a private company whose core business is trading data.
2) Lack of valid consent to process the data
Article 6 GDPR, in particular Article 6(1)(a) and (f) GDPR (Free consent) was also breached by the defendant, as there could be no free, specific, informed and unambiguous consent given by the customers as consent was in this case :
a) - clearly not informed (about further processings by the network of partners);
b) - not specific (as consent for receiving the boxes automatically involved the transfer of data);
c) - not freely given (as the lack of consent involved the loss of some benefits).
3) Lack of appropriate technical and organizational measures and disproportionate retention period
Article 25 GDPR, given that the defendant has not taken appropriate technical and organizational measures to ensure that only personal data is processed that is necessary for each specific purpose of the processing. The retention period of 18 years is disproportionate to the initial consent and reasonable expectations of the complainant and other parties involved. Moreover the defendant had not concluded the necessary processing agreements.
Decision of the Belgian DPA:
Taking into consideration the number of data subjects (the company processes data relating to 21.10% of the Belgian population), the seriousness of the breach and the nature of the data processed (in particular data relating to children), the Litigation Chamber of the BE DPA decided to impose a fine of €50,000 on the defendant, and ordered the company to comply with the GDPR within a 6 months period.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.