On January 16, 2024, the Belgian Supervisory Authority sanctioned a data broker for violating several provisions of the GDPR. In particular, the data broker processed personal data without an appropriate legal basis and in violation of its transparency obligation.
The more than 100-page decision explains that until July 2021 the data broker collected personal data from different sources and sold the data to interested third parties (“data delivery services”). The company also provided “data quality services” aimed at improving the quality and relevance of the personal data held by its clients. The relevant data were mainly used for advertising by postal mail.
Legal basis
The Belgian SA argued that the company could not rely on the legitimate interest legal basis.
First, some aspects of the processing (i.e., the processing of data obtained from some public databases) appeared to violate the laws governing those databases because those laws prohibited the use of that data for advertising purposes.
Second, the Belgian SA considered that most of the processing did not meet the necessity test – that is to say, the processing was not necessary to achieve the data broker’s purposes. The Belgian SA found that the company was collecting too much data to achieve its stated purposes, in violation of the data minimization principle, and retaining that data for too long (15 years). The Belgian SA indicated, in particular, that the principle of data accuracy should not be used to justify the collection of large amounts of data, in particular if that data is used to create detailed profiles.
Third, the Belgian SA decided that most of the processing operations did not meet the balance of interest test – meaning that the interests of the individuals whose data was being processed outweighed the data broker’s interests. The fact that the company had no direct contact with the individuals whose data it was collecting, that the data broker processed a large amount of data, and that it combined data from different sources worked against the controller in the balancing test. The Belgian SA also considered that the company underestimated the potential negative impact of the processing on individuals, for example, where the data are used for credit scoring purposes by its clients. Finally, the SA decided that the processing was not within the reasonable expectations of data subjects.
Transparency
The company obtained the personal data it processed from third parties, rather than obtaining it directly from data subjects. Where data is obtained in this manner, the transparency obligations in Art. 14 GDPR apply. To meet the requirements of Art. 14 GDPR, the company relied on the contractual obligations it imposed on its data providers and clients to inform data subjects about its processing operations. The Belgian SA, however, rejected this approach, indicating that it was not convinced that the measures in place were sufficient and sufficiently clear. Moreover, the Belgian SA indicated that there was no guarantee that individuals would be informed within 30 days after the collection of their data, as required by Art. 14(3)(a) GDPR – effectively expanding this requirement to Art. 14(3)(b) & (c) GDPR. Finally, as the company processed the contact details of data subjects, the Belgian SA decided that it would not be impossible or overly cumbersome to inform data subjects individually, so the company could not take advantage of the “disproportionate effort” exception in Art. 14(5)(b) GDPR.
Right of Access
The Belgian SA decided that when a DSAR is filed electronically, the response should also be provided electronically, not by postal mail. In addition, the sources of the data and the individual recipients of the data should be provided in the initial response to the DSAR.
Finally, the company asked the Belgian SA to refer a question to the Court of Justice of the EU. The company argued that the SA, because of the court-like manner in which it enforces the GDPR, meets the requirements to refer questions to the CJEU. However, the Belgian SA refused this request, pointing to earlier judgments of the Brussels Court of Appeal holding that the SA is not a tribunal and therefore not able to refer questions to the CJEU.