APD/GBA - 34/2020
|APD/GBA - DOS-2019-02426|
|Relevant Law:||Article 5(1)(b) GDPR, Article 6(1) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR|
|National Case Number/Name:||DOS-2019-02426|
|European Case Law Identifier:||n/a|
|Original Source:||GBA (in NL)|
The GBA found that the use of personal data obtained from the national data-bank of vehicles by insurance companies for the purpose of creating personalized price offers constitutes a violation of Articles 5, 6, 12, 13 and 14 of the GDPR. The agency that maintains this database, the Federal Public Service Mobility and Transportation, was ordered to bring its data processing into compliance with Articles 5 and 6 within 6 months and with Articles 12, 13 and 14 within 3 months. The GBA also issued a reprimand for the violation of Articles 12-14. No fines were issued because the predecessor of the GBA had reviewed this processing in 2017, under the previous data protection law, and had issued conditions under which it could be approved.
In May 2019 the Inspection service of the GBA started an investigation into the Federal Public Service Mobility and Transportation. The GBA wanted to know about the information portal NV Informex, its access to the national data-bank of vehicles, and the fact that data from this data-bank was shared with insurance companies for the purpose of creating personalized price offers for their potential customers. The report of the Inspection service found the following violations:

1. Breach of the principles of purpose limitation (Article 5) and lawfulness (Article 6) of processing;
2. Breach of the responsibilities of a controller (Article 24), security of processing (Article 32) and violation of the obligation to notify the supervisory authority of the personal data breach (Article 33);
3. Breach of the requirements for designation (Article 37) and position (Article 38) of the data protection officer;
4. Breach of the obligation to cooperate with the supervisory authority (Article 31);
5. Breach of transparency (Article 12) and information provision (Article 13) obligations.
The Dispute Chamber of the GBA found that the use of personal data obtained via the data-bank of vehicles by customers of NV Informex, in particular insurance companies, for the purpose of creating personalized price offers constitutes direct marketing and violates Articles 5 and 6 of the GDPR and Article 25 of the Royal Decree of 8 July 2013. The Federal Public Service Mobility and Transportation was ordered to bring this personal data processing into compliance with the GDPR within 6 months.
The Dispute Chamber also issued a reprimand against the Federal Public Service Mobility and Transportation for violating Articles 12, 13 and 14 of the GDPR and ordered it to bring the relevant information provisions into compliance with the GDPR within 3 months.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.