First GDPR fine for Belgian company reversed in appeal

The Belgian Data Protection Authority (DPA) has imposed very few fines over the past two years compared to its colleagues in neighbouring countries. Apart from two smaller fines in a non-commercial context, it imposed only one, hefty, fine on a commercial company. This one fine was recently reversed in appeal by the so-called “Market Court” (Judgment in dutch), a special department of the Court of Appeal in Brussels that is competent for appeal proceedings against the Belgian DPA, the BIPT (Belgian Institute for Postal Services and Telecommunications), the FSMA (Financial Services and Markets Authority) and other market regulators.

So back to square one for the Belgian DPA and a serious blow for GDPR compliance in Belgium. Even more than before, companies are getting a feeling of impunity. However, that would not be a wise conclusion after investigating this story…

GDPR fine

Loyalty card created on the basis of identity card

In 2018, the Belgian DPA received a complaint from a customer about a liquor store. The plaintiff wanted a loyalty card from the store and in order to obtain it, she was obliged to have her electronic identity card read into the register of the liquor store. However, the lady did not wish to have her identity card read in electronically. She felt that this was an invasion of her privacy. Instead, she suggested that the personal data needed to create a loyalted card should simply be written down on paper. The liquor store refused this and then simply refused her the loyalty card stating that it could only be created electronically.

Why is this contrary to GDPR?

The Belgian DPA investigated the lady’s complaint in 2019 and identified three infringements of the GDPR for which it imposed a fine of EUR 10,000.

Firstly, according to the Belgian DPA, the principle of “minimum data processing” had not been respected. This simply states that you may not collect and process more data than you really need and that you may not keep it longer than is strictly necessary. In this case, in order to create the loyalty card, the liquor store entered all the data of the eID, such as surname, first name, address, etc., but also the photo and the barcode linked to the National Regististration number. In its decision, the Belgian DPA pointed out that the National Registration number is an item of information that is subject to strict rules for its consultation and use and that it may not be collected and processed systematically without justification.

The Belgian DPA also found that the liquor store did not obtain valid authorisation from its customers to collect all such data electronically. Data can only be processed on a very limited number of grounds. In this case, the liquor store relied on the consent of its customers (“may we collect your data as part of the management of your customer card?”). However, the problem was that such consent must be “free”, which means that customers must also be able to choose to refuse consent to read out their electronic ID card, but in that case they must not be penalised for this by not obtaining a loyalty card. In other words, even those who do not give consent to read out their ID card can obtain a loyalty card, and that was not the case here.

This decision of the Belgian DPA was, in our view, logical in all elements and a correct application of the basic principles of the GDPR. The systematic collection of so much detailed data about customers, including the National Registration number, solely for marketing purposes (in this case customer loyalty via a customer card) can in no way be justified under the GDPR.

Reversed in appeal

At the time, this was a sort of exemplary case for the Belgian DPA. The Chairman of the Disputes Chamber Hielke Hijmans, said on the Belgian DPA’s website at the time: “Companies or merchants need to handle personal data more consciously when they request all kinds of personal data for a service, especially if this is done without the customer’s valid consent. The GDPR provides principles and obligations that should serve as a guideline for processing personal data correctly”. The President of the Belgian DPA added: “This decision is an important new building block on the way to better protect the privacy of our citizens”.

It is therefore a serious step backwards for the Belgian DPA to now find that the Market Court has reversed this decision on appeal.

It is important to note that the Market Court does not actually refute the Belgian DPA’s reasoning in terms of content. The fact that the liquor store in question did not respect the principles of the GDPR is not disputed.

The entire decision of the Market Court revolves around the way in which the fine of the Belgian DPA was established and the procedures that were followed. For example, the Market Court found that the DPA’s decision was sloppy and that the description of the facts given in the decision did not always fully correspond to the documents in the file and to the facts.

The Market Court also ruled that the amount of the fine imposed (EUR 10,000) was insufficiently justified by the Belgian DPA. The Belgian DPA itself determines which sanction it imposes, but it must take a number of criteria into account, such as “the seriousness of the infringement; the duration of the infringement; the necessary deterrent effect to prevent further infringements” and it must motivate and substantiate its decision in the light of those criteria.

Furthermore, the Market Court states that “the offender must be informed, before a sanction is imposed, of the nature of the sanction envisaged and the extent of the sanction (where a fine is contemplated). The offender must be warned (in order to avoid unnecessary sanctioning) and given the opportunity to defend himself on the amounts of the fine proposed by the Chamber of Disputes before the sanction is effectively imposed and implemented”.

What should we learn from this?

Don’t be fooled by this decision. As said before, it does not make any judgment on the merits of the case, which is also not open to much discussion. Any data collection and processing under the GDPR must be proportionate and if you base yourself on consent, that consent must be “free”.

What does emerge from this decision is that the Belgian DPA may still be struggling with some -logical- growing pains. This was the first real fine under GDPR (with the exception of two rather anecdotal cases) and it is clear that the DPA’s Chamber of Disputes still has to grow into its role. Future decisions will undoubtedly be better and more precisely motivated and this also means that future offenders are less likely to get away with it.

In other words, what we need to remember above all is that there are effective checks on compliance with the GDPR and that, in the event of non-compliance, effective fines are imposed, fines that will be better motivated in the future and less easy to escape. In our view, this decision will strengthen rather than weaken the future functioning of the Belgian DPA.

So prepare your company in time by means of a thorough GDPR compliance exercise and certainly also ensure a thorough compliance exercise within your marketing department.

Questions about GDPR or in need of guidance?

Sirius Legal has been a true specialist in data protection and privacy for many years. Our team assists countless large and small companies and non-profit organisations from Belgium, the Netherlands, France and the rest of Europe with all possible questions concerning GDPR and data protection.

Among others, we offer the following services:

  • Full GDPR compliance audit trajectories;
  • Our Start2GDPR toolkit to get started yourself;
  • Specific subprojects for marketing departments, webshops, HR departments, etc…;
  • DPIA exercises for new apps, new websites, new tools such as CDP’s and marketing automation tools;
  • DPO-as-a-service;
  • Education, training and presentations;
  • Ad hoc questions;
  • Assistance with disputes, complaints and legal proceedings;
  • Advice on cyber risks and help and assistance with data breaches, hacking, data loss.

For all your GDPR related questions, you can always call or mail Bart Van den Brande: bart@siriuslegal.be or +32 486 901 931.