Belgian DPA: fines prohibited in the absence of a prior order to comply?
18/06/2021

On 26 May 2021, the Belgian Market Court handed down a decision that may lead to much commentary: it set aside a fine issued by the Litigation Chamber of the Belgian Data Protection Authority (BDPA), and set out principles that may make it considerably more difficult for the Litigation Chamber to impose fines. 

This decision could force the Litigation Chamber to re-think its tasks, as the Market Court showed a marked preference for prior warnings and orders to comply with the General Data Protection Regulation (GDPR) over fines. It remains to be seen whether the Litigation Chamber will challenge this judgment before the Belgian Supreme Court. 

At the same time, the Market Court decision questions the relevance of “case law” of the Litigation Chamber, which may increase the importance of data protection litigators with a broad knowledge of possible arguments.

A) Summary of facts

The decision from the BDPA, which was partially quashed by the Market Court, concerned a bailiff’s office dealing with debt recovery (both amicable and judicial recover). 

When issuing a formal notice to debtors, the bailiff’s office also issues a form for the relevant debtor to fill in with personal data (name, surname, date of birth, address, telephone and mobile phone number, e-mail address). One such debtor filed a complaint with the BDPA, and the Litigation Chamber issued a decision in which it reprimanded the bailiff’s office, ordered it to change its processes to comply with the GDPR and (all at the same time) ordered it to pay a fine. The Litigation Chamber considered that the form did not comply with applicable data protection legislation.  

The bailiff’s office, disagreeing with the decision, appealed it before the Market Court, which partially annulled the BDPA’s decision: while there was non-compliance, the Market Court held that no fine should have been issued.  

B) Is the BDPA still allowed to issue fines? 

Yes, of course. However, the Market Court judgment drastically limits the BDPA’s powers regarding the issuing of fines. 

The Market Court found the Litigation Chamber guilty of a misuse of power, as it had issued a fine for a first offence. 

The Market Court went so far as to say that inflicting, as from the first offence, an administrative fine, is contrary to the proportionality principle, which implies that the sanction must be proportionate to the infringement. Sanctions listed in the GDPR (such as fines) should only be imposed on organisations/people who do not comply with injunctions from the Litigation Chamber. 

Therefore, before issuing a fine, the Litigation Chamber should have considered other possibilities to carry out its tasks (and to help the GDPR achieve its purpose), as it has a range of sanctions at its disposal (listed in Art. 100 of the Belgian Act of 3 December 2017 that created the BDPA).

Put differently, infringements should be sanctioned gradually and according to their seriousness.

The Market Court lists, by way of an illustration, the steps that the Litigation Chamber should take: 

Step 1: Warning or formal notice to the infringing company with a reminder of its duty to comply with the GDPR for the processing of personal data;
Step 2: An order to cease the infringement;
Step 3 (if applicable): Temporary restriction or suspension of the processing of personal data;
Step 4: Administrative sanctions in case of non-compliance with the GDPR.

C) What can (not) be taken into account to determine the proportionality and amount of a sanction

To determine the proportionality and amount of a sanction/fine, says the Market Court, the BDPA can take into account the nature of the activities of the infringing organisation. 

However, the Market Court stressed that the following cannot justify a higher sanction/fine: 

i. Breach of fundamental principles;

ii. The Litigation Chamber’s own “case-law”:

In a comment that could both help and harm defendants, the Market Court stated that the Litigation Chamber cannot be bound by its own case-law. As (a body of) an administrative authority, says the Market Court, the Litigation Chamber does not have the power to establish such “case-law” but must decide on a case-to-case basis only. 

The fact that the Litigation Chamber has already judged that the status of “public official” was an aggravating factor may not be taken into account. Also irrelevant is its “case-law” related to elected representatives – which cannot be applied by analogy to a bailiff’s office, as in the case at hand.   

iii. The profession of the organisation/person (the Market Court emphasised that there can be no “tariff” of sanctions based on the professions) 

iv. In this specific case, the duration of the breaches (in this particular, there was only one unique (time-limited) situation covered)

v. The fact that the organisation has been active for many years and employs a large numbers of collaborators

D) Parting thoughts

This is an important decision to keep in mind in case of litigation. In our own experience, it is not the first time that the Market Court has demonstrated its will to question certain approaches and methods from the BDPA and its Litigation Chamber. 

The comments regarding case law reinforce the need to ensure that any case before the BDPA is handled carefully, and all possible arguments are taken into account.

Organisations would do well to amend their judicial strategy accordingly when confronted with complaints or investigations before the BDPA – knowledge of all the possible arguments is even more important. 

Should you need any assistance in this respect, our team is always keen to help. 

The judgment is available online in French.

Related : NautaDutilh ( Mr. Peter Craddock ,  Mrs. Camille De Munter )

[+ http://www.nautadutilh.com]

Mr. Peter Craddock Mr. Peter Craddock
Local Partner
[email protected]utilh.com
Mrs. Camille De Munter Mrs. Camille De Munter
Associate
[email protected]

Lastest articles by Mr. Peter Craddock

Insufficient cybersecurity measures under GDPR: 100k EUR fine in Belgium & key fines elsewhere
29/04/2021

On 26 April 2021, the Litigation Chamber of the Belgian Data Protection Authority (BDPA) handed down its first fine specif...

Read more

A Christmas "present": say hello to penalty fines in Belgium for GDPR infringements
25/12/2020

On 23 December 2020, the Belgian DPA published two documents in relation to the Litigation Chamber's approach to decis...

Read more

(Alleged) data protection infringement? Say bye-bye to your .be domain name
02/12/2020

The Belgian Data Protection Authority (BDPA) published on 30 November 2020 a cooperation agreement with DNS Belgium, the r...

Read more

New Belgian DPA decision: employee consent sometimes works
18/11/2020

Yes, employee consent is possible in certain circumstances – but do not assume old processing activities fully compl...

Read more

Lastest articles by Mrs. Camille De Munter

Insufficient cybersecurity measures under GDPR: 100k EUR fine in Belgium & key fines elsewhere
29/04/2021

On 26 April 2021, the Litigation Chamber of the Belgian Data Protection Authority (BDPA) handed down its first fine specif...

Read more

A Christmas "present": say hello to penalty fines in Belgium for GDPR infringements
25/12/2020

On 23 December 2020, the Belgian DPA published two documents in relation to the Litigation Chamber's approach to decis...

Read more

LexGO Network