28th January, is World Data Privacy Day in the US, in Canada and in 47 European countries. Since 2007, this day is dedicated to raising awareness about the importance of protecting the privacy of personal information and to create a dialogue between international stakeholders.
We would like to take this occasion to briefly reflect on the 2019 case law of the Belgian Data Protection Authority (BDPA) and to highlight the BDPA’s enforcement priorities for 2020-2025.
Case law of the BDPA: 13 decisions on the merits in 2019, including 6 fines
The table below provides an overview of the 2019 case law of the BDPA.
Decision No. Date Complaint or own initiative inspection Subject - matter Sanction 01/2019 2 April 2019 Complaint Reuse of personal data for incompatible (direct marketing) purposes (elections) Reprimand 02/2019 2 April 2019 Complaint Accidental Cc instead of Bcc (purpose limitation principle) Reprimand 03/2019 2 April 2019 Complaint CCTV in common kitchen of student home Prohibition + order to delete data 04/2019 28 May 2019 2 complaints Reuse of personal data for incompatible (direct marketing) purposes (elections) by mayor Reprimand + fine of EUR 2,000 05/2019 9 July 2019 Repeated complaint Refusal to grant access to personal data (FPS PH) Reprimand (annulled by Markets Court) 06/2019 17 September 2019 Complaint Mandatory use of e-ID for customer loyalty card (no free consent) Fine of EUR 10,000 + binding order 07/2019 17 September 2019 Complaint Insufficient reply to request for access to personal data Dismissal + order to comply (within 3 months) 08/2019 17 September 2019 Complaint Refusal to comply with data deletion request candidate Reprimand 09/2019 17 December 2019 Complaint Refusal to comply with data deletion request Dismissal 10/2019 25 November 2019 Complaint Reuse of personal data for incompatible (direct marketing) purposes (elections) Reprimand + fine of EUR 5,000 11/2019 25 November 2019 Complaint Reuse of personal data for incompatible (direct marketing) purposes (elections) Reprimand + fine of EUR 5,000 12/2019 17 December 2019 Own initiative inspection Cookies: insufficient transparency + inadequate consent (pre-ticked boxes) Fine of EUR 15,000 13/2019 17 December 2019 Complaint Absence of response to data access and deletion request involving sensitive data (nursing home) Order to comply + fine of EUR 2,000In all cases but one (the "cookies” decision, see our article on this topic) an investigation was conducted following a complaint by a data subject.
In almost half of the decisions, an administrative fine was imposed (ranging from EUR 2,000 to EUR 15,000). Out of the six administrative fines that were imposed in 2019, three were imposed for reuse of personal data for incompatible (direct marketing) purposes in the context of the municipal elections.
In the cases based on a complaint, the BDPA almost always requested a formal inspection to be carried out, examining not only the complaint but the GDPR-compliance of the alleged infringer’s data processing activities as a whole.
Almost all decisions were published after full anonymization (except for case 05/2019).
‘Other’ decisions and the real cost of (non-)compliance
In 2019, the BDPA also published six ‘other’ decisions. These are preliminary decisions (e.g. warnings or orders to comply with a data subject access or rectification request) taken prior to an examination on the merits of the case.
The most noteworthy decision relates to the refusal of a bank to comply with a data rectification request. The BDPA stated very clearly in this case that the technical incapacity to comply with a well-founded data subject request (in this case, the bank’s IT system was technically unable to correctly register the complainant’s name in its database) is not an acceptable justification to refuse to comply with such request. The infringement was deemed to be proven and the bank was ordered to update its database within a period of one month. This case clearly shows that the ‘cost of (non-)compliance’ should not just be linked to the risk of administrative fines. Alternative sanctions (such as binding orders to comply or to cease a certain data processing activity) can have far-reaching consequences as well.
This decision was appealed before the Brussels Markets Court, but the appeal was dismissed.
Priorities for 2020-2025: “Guiding towards a digital world where privacy is a reality for everyone”
In its strategic plan for 2020-2025, the BDPA has identified the following priority sectors:
- Telecommunication and media
- Government
- Direct marketing
- Education
- SMEs
The BDPA also emphasised its focus on the following important GDPR instruments:
- The role of the Data Protection Officer
- Legitimacy of processing
- Data subject rights
Finally, also the following key social issues will be proactively addressed by the BDPA in the coming five years:
- Photos and cameras
- Online data protection
- Sensitive data
Next year, on World Data Privacy Day, we will have a look at how these priorities have been addressed after one year. In the meanwhile, do not hesitate to reach out to the Loyens & Loeff Privacy and Data Protection Team for data protection guidance in the Benelux and Switzerland.
