Belgian DPA continues to impose sanctions

/Juridisch

In this case, the plaintiff (an individual citizen) periodically received gadgets and newsletters from the organization. After a while the plaintiff complained with the organization asking the latter to stop sending promotional items and erase the individual from its mailing list. As the non-profit organization did not comply with this request and kept sending promotional items, the plaintiff filed a complaint with the Belgian data protection authority ("DPA").

The Data Protection Authority investigated the complaint and issued its ruling in a 14-page long decision. It lays emphasis on the repeated breach by the not-for-profit organization and the fact that it did not terminate its promotional activities, even after receiving the official complaint from the DPA.

Additionally, interesting also is to note that the authority digs deeper into the notion of “legitimate interests”, on which the organization relied, and that the DPA formulates the conditions under which this legal ground for data processing can be invoked.

The DPA applies the “Rigos” judgment of the European Court of Justice of 4 May 2017 (case C-13/16), and states that applying the “legitimate interest” ground requires that:

  1. The interests pursued by the processing activities must be “legitimate”
  2. The processing must be “necessary” to achieve these interests
  3. A “balancing exercise” must be performed between these interests and the interests, fundamental freedoms and basic rights of the individuals concerned.

In this case, the DPA found that the non-profit organization could not invoke the legitimate interest ground as a legal basis for processing the personal data, as there was an insufficient balance with the plaintiff’s individual rights (and more in particular that the plaintiff could not effectively oppose to the processing of his data).

However, in its decision the DPA explicitly states that processing activities for direct marketing purposes as such, “could” be considered as carried out with an eye on pursuing the legitimate interest of the data controller.

Considering the nature and the duration of the infringement, and also the fact that the organization did not put a halt to its direct marketing practices after receiving the complaint by the Belgian DPA, the latter imposed upon the organization of financial sanction of 1.000 euro. To further motivate this fine, the DPA also considered the limited turnover of the organization.

This decision is interesting as it explains how the “legitimate interest” ground can be applied in practice. It also shows that this legal ground may have a wider scope than generally assumed.

Moreover, the decision once again shows that an individual complaint can lead to close scrutiny upon organizations’ internal processes and GDPR approach and that the DPA is not afraid to impose sanctions upon organizations.