Belgian DPA confirms the need for an accurate customer database

The facts

An individual received a direct marketing email inviting him to attend a workshop. The recipient of the email informed the sender that he had never provided the sender with his email address and asked how the sender got hold of this address and if there was any other information that the sender had on this individual.

The sender responded to this email asking for additional identification details but after several weeks and some mails back and forth, the recipient received another direct marketing email.

The recipient complained with the Belgian data protection authority and stated that its personal data was processed without a sufficient legal ground, and that he was not provided with information after his request to access his personal data.

The DPA’s decision…

The sender of the emails argued that the inclusion of the email address of the recipient was a result of a manual error following which an incorrect email address was added to the sender’s customer database. This resulted in the sending of the emails to the plaintiff.

The data protection authority confirmed in its decision that it believes that the sending of these emails was indeed the result of a human error, given the fact that the emails concerned workshops for a business public whereas the recipient of the emails is not a business.

However, notwithstanding the DPA’s acceptance of this human error, it considered that the sender materially infringed several basic rights of data protection law.

For example, the DPA considered that the sender did not comply with its obligation to immediately rectify personal data of which it is aware that is not correct. Also, the DPA has a specific issue with the fact that the plaintiff was not provided with direct access and copy of the information held by the sender. It further considered that any reasonable period to provide such information was exceeded.

Moreover, the DPA considered that from the above facts it follows that the sender had applied insufficient technical and organizational means to protect personal data, as required under the GDPR.

… and sanction

The DPA, also considering the important exemplary role of the sender, and taking into account its annual turnover (billions), imposed upon the sender a fine of 10.000 euros. It considered as particularly material the fact that the individual’s rights were not respected by the sender.

What do we learn from this decision

The decision is very interesting from several points of view, including the following:

• It clearly indicates that even an unintended error which leads to the unjustified processing of personal data, can lead to direct liability of the data controller
  The decision indicates clearly that alleged breaches of individuals’ rights are assessed very strictly
• It also re-emphasizes that companies must remember to take individuals’ questions seriously and that individuals are to be provided with information where relevant and justified under the circumstances
• Lastly, the decision shows again that the fines imposed are quite heavy. Although the facts are more nuanced, a 10.000 EUR fine for what basically boils down to a human error as a result of which 2 workshop invitations were sent, seems a high fine indeed. On a side note, that the company has a high turnover, does not in itself say anything on the financial position of that company.

Of course, we continue monitoring any developments in the field of privacy, GDPR and IT and data related issues. For more information, please contact Antoon Dierick.