The BE DPA has just imposed a fine of 50,000 euro on a company which distributes promotional packages well known by mothers and fathers-to-be in Belgium, for various breaches of the GDPR.
The defendent is a marketing company that distributes promotional packages that include samples, special offers and information sheets for future parents. The inspection service of the BE DPA launched an investigation into the company after a complaint was lodged at the DPA alleging the company transferred personal data to third parties, including data brokers, without valid consent on the part of the customer, and without the provision of sufficient information.
The Inspection Service and the Litigation Chamber of the BE DPA found that the company was renting and/or selling personal data for commercial purposes. However, these practices were not indicated in the communication to customers in a clear and comprehensible manner. It is all the more important for the company in this case to properly inform the client about these practices, given that the promotional packagaes were distributed via gynaecologists and hospitals, which could have led clients to believe that the initiative came from the public sector, and not from a private company whose core business is trading data.
What’s more, the consent given by the customers for these transfers of data were not valid, as consent was clearly not informed, but also not specific (as consent for receiving the boxes automatically involved the transfer of data) or freely given (as the lack of consent involved the loss of some benefits).
Taking into consideration the number of data subjects (the company processes data relating to 21.10% of the Belgian population), the seriousness of the breach and the nature of the data processed (in particular data relating to children), the Litigation Chamber of the BE DPA decided to impose a fine of 50,000 euro, and ordered the company to comply with the GDPR. Given the size of the company, this is a considerable amount, but the BE DPA decided that a significant sanction was needed as the business model of the company is clearly not compliant with the GDPR.
To read the decision (in Dutch) click here.
For further information, please contact the Belgian DPA: email@example.com
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.