Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Belgian Data Protection Authority (APD) (50 items)
50 Posts
12 Topics
Nov 27 Latest

Infobel: Insufficient legal basis for data processing

€40,000 fine - Belgian Data Protection Authority (APD)

The Belgian data protection authority has imposed a fine of EUR 40,000 on Infobel. The controller, a company that collects and resells data, sold personal data for direct marketing purposes. However, the company processed this data without a sufficient legal basis.

Infobel: Insufficient legal basis for data processing

€40,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 40,000 on Infobel. The controller, a data broker, sold personal data for direct marketing purposes. However, it processed the data it had sold without a sufficient legal basis.

Landlord: Insufficient legal basis for data processing

€9,700 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 9,700 on a landlord. The controller installed video surveillance in and around a student residence. However, the surveillance was too invasive and was therefore not lawful.

Landlord: Insufficient legal basis for the processing of personal data

€9,700 fine - Belgian Data Protection Authority (APD)

The Belgian data protection authority has imposed a fine of EUR 9,700 on a landlord. The controller had installed video surveillance in and around a student residence. However, this surveillance was too intrusive, which made it unlawful.

Real estate agency: Insufficient cooperation with the supervisory authority

€6,000 fine - Belgian Data Protection Authority (APD)

The Belgian data protection authority has imposed a fine of EUR 6,000 on a real estate agency. The authority had already issued an instruction to the controller in an earlier case, because the controller processed personal data without a sufficient legal basis and had not complied with the data subject's right to erasure of that data. The authority found that the controller had not complied with the instruction, which led to the fine being imposed.

Real Estate Agency: Insufficient cooperation with supervisory authority

€6,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 6,000 on a real estate agency. The Belgian DPA had previously issued a remedy to the controller in an earlier case due to the controller processing data without a sufficient legal basis and failing to comply with the data subject's right to erasure. The Belgian DPA determined that the controller had failed to comply with the issued remedy, resulting in the fine being issued.

Company: Non-compliance with general data processing principles

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian data protection authority has imposed a fine of EUR 20,000 on a company. The company is the controller of the personal data processing and is active in direct marketing. During these activities, the company failed to comply with several data processing principles. In particular, the company had no sufficient legal basis for the data processing, did not inform the data subjects, and did not provide information that had been lawfully requested.

Company: Non-compliance with general data processing principles

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 20,000 on a company. The controller is a company engaging in direct marketing activities. During those activities, the company failed to comply with multiple data processing principles. In particular, the company had no sufficient legal basis for the data processing, failed to inform the data subjects, and failed to provide data subjects with lawfully requested information.

Hospital: Insufficient technical and organisational measures to ensure information security

€200,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined a hospital EUR 200,000. The hospital had suffered a ransomware attack through a vulnerability in the server, which paralyzed parts of the computer system and affected about 300,000 individuals. During its investigation, the DPA found that the hospital had failed to carry out a data protection impact assessment. In addition, the DPA found that it did not have an adequate information security policy in place and failed to implement appropriate technical and organizational

Black Tiger Belgium: Insufficient fulfilment of information obligations

€174,640 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 174,640 on Black Tiger Belgium. An individual had filed a complaint with the DPA due to the controller's failure to properly comply with their request to exercise their right of access. During its investigation, the DPA further found that the controller had processed personal data in various databases without sufficiently informing the data subjects. The DPA also found that the data retention period of 15 years was excessively long and not necessary. Fin

Belgian Order of Pharmacists: Non-compliance with general data processing principles

€30,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 30,000 on the Belgian Order of Pharmacists. The controller had conducted disciplinary proceedings against the data subject (pharmacist). As part of the disciplinary proceedings, the controller had collected personal data from the data subject in their personnel file. During its investigation, the DPA found that the controller had violated principles of data processing according to the GDPR in this context. For example, the DPA found that storing informat

Company: Insufficient technical and organisational measures to ensure information security

€2,500 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 2,500 on a company. The company operates a digital management platform where suppliers and customers can communicate and upload administrative documents. An individual, who is not themselves a member of the platform, had filed a complaint with the DPA. Since the complainant's roommate is a member of the platform, the complainant asked them to upload the joint water bill, which was in the complainant's name. The platform recognized the complainant's name

Medical laboratory: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 20,000 on a medical laboratory. During its investigation, the DPA found that the laboratory had failed to conduct a data protection impact assessment and thus violated Art. 35 GDPR. In addition, the laboratory had violated Art. 5 (1) f) GDPR and Art. 32 GDPR, as it was possible for physicians to view patients' personal data on the website without encryption. Finally, the DPA found that the laboratory had not published a privacy statement on its website, in

SA Rossel & Cie: Insufficient legal basis for data processing

Belgian Data Protection Authority (APD)

Original fine summary: The Belgian DPA has imposed a fine of EUR 50,000 on the media company SA Rossel & Cie. During its investigation, the DPA found GDPR violations on three websites operated by the company. For instance, the company had placed cookies that were not required without the consent of the website visitors. Also, the company considered visiting other websites as consent for further cookie placement on these pages. In addition, the boxes for the consent of third-party cookies were al

Roularta Media Group: Insufficient legal basis for data processing

€50,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 50,000 on Roularta Media Group. As part of its investigation, the DPA found that the cookie management on two websites operated by Roularta did not comply with the GDPR. In order to use cookies, controllers must obtain prior consent from the user, except in cases where the cookies are strictly necessary for website operation. The DPA found that consent to the processing of personal data through cookies on websites operated by Roularta was not valid, as n

Nationale Maatschappij der Belgische Spoorwegen: Insufficient legal basis for data processing

€10,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 10,000 on the Belgian national railroad company (Nationale Maatschappij der Belgische Spoorwegen). A Twitter user who had received an e-mail newsletter from the railroad company had filed a complaint with the DPA. According to the Twitter user, the newsletter did not include an option to unsubscribe. During its investigation, the DPA found, first, that there was no valid legal basis for the processing of personal data through the newsletter. Contrar

Ambuce Rescue Team: Insufficient legal basis for data processing

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Ambuce Rescue Team EUR 20,000. The fine is related to the fines against Brussels Airport Charleroi and Brussels Airport Zaventem. Due to the Covid-19 pandemic, the airports used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then asked to answer questions about possible coronavirus symptoms. In this process, Ambuce Rescue Team provided the questionnaires. Specifically, the DPA found that there was no valid l

Brussels Airport Charleroi: Insufficient legal basis for data processing

€100,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Brussels Airport Charleroi EUR 100,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid lega

Brussels Airport Zaventem: Insufficient legal basis for data processing

€200,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Brussels Airport Zaventem EUR 200,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid legal

Company: Insufficient fulfilment of data subjects rights

€7,500 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 7,500 on a company. A former managing director had filed a complaint against the company with the DPA. In the context of being dismissed, the former managing director deleted all data on the work laptop before handing over the technical equipment. According to the managing director, only the private data, such as the private e-mail inbox, had been deleted. However, the company stated that the managing director had deleted both private and work-related da

IAB Europe: Insufficient legal basis for data processing

Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 250,000 on IAB Europe. The DPA had received several complaints against IAB Europe since 2019. In the context of this complaint, the compliance of the 'Transparency & Consent Framework (TCF)' with the GDPR was mainly questioned. The TCF was developed by IAB to promote compliance with the GDPR by organizations using the OpenRTB protocol. The OpenRTB protocol is a protocol for 'real-time bidding,' which is the automated online auction of user profiles for t

Researcher: Non-compliance with general data processing principles

€1,200 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined a researcher EUR 1,200. The fine was issued in connection with another fine against the NGO EU DisinfoLab. The researcher was employed at the NGO. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the 'Benalla affair.' For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw d

EU DisinfoLab: Non-compliance with general data processing principles

€2,800 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined the NGO EU DisinfoLab EUR 2,700. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the 'Benalla affair.' For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw data obtained from this was then published without taking minimal security precautions, such as pseudonymizing the

Bank: Insufficient involvement of data protection officer

€75,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 75,000 on a bank. The DPA identified a conflict of interest regarding the data protection officer. In addition to his work as data protection officer, he was also head of a department to which he had to report in his capacity as data protection officer. The DPA considered this to be a violation of Art. 38 (6) GDPR.

BELGIUM DPA: Insufficient fulfilment of data subjects rights

€10,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 10,000 against a company. The data subject had repeatedly received mail with advertising content from a company, although he had objected to the processing of his personal data and requested the deletion of his data. However, the company did not respond to inquiries from the data protection authority in this regard. In addition, the company had not sufficiently informed the data subject about the processing of his personal data.

Financial company: Insufficient technical and organisational measures to ensure information security

€100,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) has imposed a fine of EUR 100,000 on a financial company. A data subject had filed two complaints with the APD against the company. They were based on 20 queries of her personal data from the credit register of the National Bank of Belgium. The controller employs the data subject's ex-husband, who allegedly used his role to unlawfully gain access to the register in order to obtain financial information about the data subject and thus gain an advantage in their divorce proce

School: Insufficient legal basis for data processing

€1,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) fined a school EUR 1,000. The controller had conducted a survey on student well-being via a smartschooling system. The DPA states that the controller did not obtain the consent of the parents of the minor students and violated the principle of data minimization. The original fine of EUR 2,000 was reduced to EUR 1,000 after the controller appealed the APD's decision.

Family Service / N.D.P.K. nv.: Insufficient legal basis for data processing

€50,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 50,000 on Family Service / N.D.P.K. nv. The controller is an advertising agency that, among other things, sends expectant mothers gift boxes containing various discount vouchers, product samples and information about pregnancy and birth. The box items are provided by third parties, to whom the controller subsequently transfers the recipients' contact data for marketing purposes. The consent of the recipients to this transfer and to subsequent advertising mea

BELGIUM DPA: Insufficient technical and organisational measures to ensure information security

€25,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA fined a mobile operator EUR 25,000. The controller had assigned the data subject's phone number to an unauthorized third party, causing the data subject to lose access to his/her phone number. As the SIM card of the data subject had been deactivated, that would have allowed the third party to access various personal data of the data subject in the period between September 16 and September 19, 2019, such as call history and accounts of various services (e.g. Paypal, WhatsApp and F

BELGIUM DPA: Insufficient legal basis for data processing

€10,000 fine - Belgian Data Protection Authority (APD)

Managing a fan page on Facebook without the data subject's permission and failing to comply with the data subject's request after exercising his or her right to object.

BELGIUM DPA: Insufficient fulfilment of data subjects rights

€15,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) imposed a fine of EUR 15,000 on a company due to insufficient fulfilment of data subject rights. The controller is a debt collection agency which was commissioned by another company to collect debts owed to it. The data subject was issued a fine for illegal parking by the last-mentioned company. However, the data subject states that he/she did not receive the fine notice. Instead, the data subject only learned about it when he/she received an official reminder letter from t

BELGIUM DPA: Insufficient fulfilment of data subjects rights

€50,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) imposed a fine of EUR 50,000 on a company for several violations of the GDPR. The controller is a company that carries out parking ticket controls. The controller had issued the data subject a fine for illegal parking. However, the data subject states that he or she did not receive the fine ticket. Instead, the data subject only found out about it when he or she received an official reminder letter from a law firm commissioned with debt collection, which then dem

Private Individual: Insufficient legal basis for data processing

€1,500 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) imposed a fine against private individuals. The controllers installed video cameras on their private property, two of which were positioned in a way that they could capture images of the public space and the neighbor's private property. Also the controllers forwarded the images to a third party.

BELGIUM DPA: Non-compliance with general data processing principles

€1,500 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD/GBA) imposed a fine of EUR 1,500 on a social housing company for non-compliance with several principles of the GDPR such as data processing as well as the principles of legality and transparency (e.g. insufficient privacy policy, lack of information on camera surveillance).

Former mayor of a community: Insufficient legal basis for data processing

€5,000 fine - Belgian Data Protection Authority (APD)

Original fine summary: Sending election advertising to citizens without sufficient legal basis. Update: On January 27th, 2021, the Brussels Court of Appeal overturned the fine of EUR 5,000.

Communal political association: Insufficient legal basis for data processing

€3,000 fine - Belgian Data Protection Authority (APD)

A local political association sent out election advertisements to the residents of the municipality for the local elections in 2018. For this purpose, the association used the electoral roll from 2012 and compared it with that of 2018, without a sufficient legal basis and without appropriate information in accordance with Art. 14 GDPR.

Operator of CCTV of a residential building: Insufficient legal basis for data processing

€5,000 fine - Belgian Data Protection Authority (APD)

The operator of video cameras on a residential property had installed cameras there to monitor the shared area of two blocks of flats. The data controller argued that the owners had given their consent to this by signing the notarised purchase contracts. However, the data protection authority had denied this after checking the contracts.

Google Belgium SA: Insufficient fulfilment of data subjects rights

€600,000 fine - Belgian Data Protection Authority (APD)

The Belgian data protection authority has fined Google Belgium SA, a subsidiary of Google, 600,000 euros. The reasons for the fine were the rejection of an application by a data subject for dereferencing outdated articles that the data subject had considered to be damaging to its reputation, and lack of transparency in Google's form for dereferencing applications. The Belgian data protection authority found that articles relating to unfounded harassment complaints could have serious consequences

BELGIUM DPA: Insufficient fulfilment of data subjects rights

€10,000 fine - Belgian Data Protection Authority (APD)

The company sent an e-mail to the person concerned without his consent. Thereupon the person concerned requested timely information about the entries in the database concerning his person, which remained unanswered.

BELGIUM DPA: Insufficient fulfilment of data subjects rights

€1,000 fine - Belgian Data Protection Authority (APD)

The data subject repeatedly received e-mails with advertising content from a company, although the data subject had objected to the processing of his personal data and requested the deletion of his data. In addition, the company did not respond to any inquiries from the data protection authority in this regard.

Municipal employee: Insufficient legal basis for data processing

€5,000 fine - Belgian Data Protection Authority (APD)

In the context of a municipal election in 2018, the data controller had sent election advertisements to a group of employees of the same municipal administration, unlawfully using a list of contact data to which he had no access.

Non-profit organisation: Insufficient fulfilment of data subjects rights

€1,000 fine - Belgian Data Protection Authority (APD)

The Belgian data protection authority has imposed a fine of EUR 1,000 on a non-profit organisation for sending out direct marketing messages, despite the fact that data subjects had exercised their right to erasure and objection. The organisation claimed that it was relying on legitimate interests as a legal basis and not on the explicit consent of the data subjects. The data protection authority, however, denied the existence of any outweighing of legitimate interests.

Social Media Provider: Insufficient legal basis for data processing

€50,000 fine - Belgian Data Protection Authority (APD)

The company has sent invitations to contacts uploaded by its users without their consent or any other legal basis.

Proximus SA: Insufficient involvement of data protection officer

€50,000 fine - Belgian Data Protection Authority (APD)

According to the data protection authority, the company's data protection officer was not sufficiently involved in the processing of personal data breaches and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of compliance and audit department), which led the DPA to the conclusion that the company's DPO was not able to work independently.

Website providing legal information: Insufficient fulfilment of information obligations

€15,000 fine - Belgian Data Protection Authority (APD)

An operator of a website for legal news had the privacy statement only available in English, although it was also addressed to a Dutch and French speaking audience. In addition, the first version of the privacy statement was not easily accessible and did not mention the legal basis for data processing under the GDPR. Furthermore, with reference to the ECJ ruling on Planet 49, it was determined that effective consent was required for the use of Google Analytics.

Nursing Care Organisation: Insufficient fulfilment of data subjects rights

€2,000 fine - Belgian Data Protection Authority (APD)

The company failed to act on requests from the data subject to get access to his data and to have his data erased.

Mayor: Insufficient legal basis for data processing

€5,000 fine - Belgian Data Protection Authority (APD)

Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used had not been collected for this purpose.

Municipal alderman: Insufficient legal basis for data processing

€5,000 fine - Belgian Data Protection Authority (APD)

Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used had not been collected for this purpose.

Merchant: Non-compliance with general data processing principles

€10,000 fine - Belgian Data Protection Authority (APD)

The Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and barcode which is linked to the data subject's identification number. In the meantime, the decision of the data protection authority has been annulled by a court.

Mayor: Insufficient legal basis for data processing

€2,000 fine - Belgian Data Protection Authority (APD)

The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes.