APD/GBA - 34/2020

From GDPRhub
Revision as of 21:06, 6 July 2020 by Curious Mouse (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=DOS-2019-02426 |ECLI...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - DOS-2019-02426
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 23.06.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: DOS-2019-02426
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: n/a

GBA found that the use of personal data obtained from the national data-bank of vehicles by insurance companies for the purpose of creating personalized price offers constitutes violation of Articles 5, 6, 12, 13 and 14 of GDPR. The agency that maintains this data base, the Federal Public Service Mobility and Transportation, was ordered to bring its data processing in compliance with Articles 5 and 6 within 6 months and Articles 12, 13 and 14 within 3 months. GBA has also issued a reprimand for the violation of Articles 12-14. No fines were issued because the predecessor of GBA had reviewed and issued conditions under which this processing could be approved back in 2017 under the previous data protection law.

English Summary

Facts

In May 2019 the Inspection service of the GBA started an investigation into the Federal Public Service Mobility and Transportation. GBA wanted to know about the information portal NV Informex, its access to the national data-bank of vehicles and the fact that data from this data-bank was shared with insurance companies for the purposes of creating personalized price offers to its potential customers. The report of the Inspection service found the following violations: 1. Breach of the principles of purpose limitation (Article 5) and lawfulness (Article 6) of processing; 2. Breach of the responsibilities of a controller (Article 24), security of processing (Article 32) and violation of the obligation to notify supervisory authority of the personal data breach (Article 33); 3. Breach of the requirements for designation (Article 37) and position (Article 38) of data protection officer; 4. Breach of the obligation to cooperate with the supervisory authority (Article 31); 5. Breach of transparency (Article 12) and information provision (Article 13) obligations.

Dispute

Holding

The Dispute Chamber of the GBA found that the use of personal data obtained via the data-bank of vehicles by customers of NV Informex, in particular insurance companies, for the purpose of creating personalized price offers constitutes direct marketing and violates Articles 5 and 6 of the GDPR and Article 25 of the Royal Decree of 8th of July 2013. The Federal Public Service Mobility and Transportation was ordered to bring this personal data processing in compliance with GDPR within 6 months.

The Dispute Chamber also issued a reprimand against the Federal Public Service Mobility and Transportation for violating Articles 12, 13, 14 of GDPR and ordered to bring the relevant information provisions in compliance with GDPR within 3 months.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.