On June 8, 2020, the Belgian Supervisory Authority (“SA”) fined a (then ex-) politician €5,000 for sending political marketing materials without an appropriate legal basis. Although the fine was not massive, the case is interesting for another reason: the complaint was brought not by the individuals who received the marketing materials, but by their employer.
According to the SA, the politician exploited the employee list of a local Commune to identify recipients to whom the marketing materials would be sent. It is not clear how the politician obtained the list. When the Commune discovered that the list had been leaked, it notified the SA of a security breach and, at the same time, lodged a complaint against the politician.
The SA pointed out that the legislative history of the Belgian law implementing the GDPR indicates that anyone can bring a complaint for violations of the law, including legal persons, associations and institutions. In this sense, the Belgian law goes further than the GDPR, which provides “data subjects” the right to lodge a complaint (Art. 77(1) GDPR). The SA concluded in its decision that nothing in the GDPR prevents a Member State from expanding this right to other parties that may have legitimate grounds to bring a complaint.
This interpretation is not uncontested. After all, the GDPR is a “full harmonization” text – while it allows Member States to deviate from certain provisions, the GDPR generally indicates where they are allowed to do so. Recital 10 is quite clear in this respect:
“In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. […] Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful”. (emphasis added)
So while Member States may adopt divergent rules for certain provisions, Recital 10 suggests that this should occur only where the Regulation explicitly allows for it, not where the Regulation is silent. While expanding the range of parties who have the right to lodge a complaint might indeed help protect the rights of data subjects, as argued by the Belgian SA, the question is whether that objective is sufficient to undermine the harmonizing objectives of the GDPR. After all, EU lawmakers intended for the GDPR to:
“[…] provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States” (Recital 13). (emphasis added)
Similarly, Recital 11 refers to “equivalent” powers to monitor and ensure compliance.
Note: In a previous blog post, we addressed a related development in Germany. In that case, the question raised was whether a company can lodge a complaint against a competitor for violations of the GDPR under Germany’s Act Against Unfair Competition. The case law is still not settled on this point. In February 2020, the High Court of Stuttgart allowed a company to bring a data protection complaint against its competitor on this basis. The Court found that while the GDPR is a full harmonization law, its provisions are not sufficiently clear to prevent a Member State from developing its own procedural rules on who can bring civil claims for violations of the GDPR. According to the Court, it cannot be inferred from Recitals 11 and 13 of the GDPR that sanctions and enforcement are exhaustively regulated by the GDPR alone.