Who: the Belgian Data Protection Authority (BDPA), anonymised plaintiff, anonymised defendant
Where: Belgium
When: 16 June 2020
Law stated as at: 1 July 2020
What happened:
By a decision issued on 16 June, the BDPA fined a non-profit association for not acting on a plaintiff’s opposition to having their personal data processed for the purposes of direct marketing, as allowed under section 21, Article 2 of the General Data Protection Regulation (GDPR), the continuing of such processing despite the opposition (section 21, Article 3 GDPR), and the breach of the plaintiff’s right to erasure (section 17, Article 1, (c) GDPR).
The defendant was an association active in organising entertainment shows and repeatedly sent ads by e-mail to the plaintiff, despite the latter’s “numerous” requests asking them to refrain from doing so. The BPDA attempted to contact the defendant to stop such activity, including by sending a cease-and-desist letter.
In the absence of cooperation from the defendant, the BPDA initiated proceedings and invited the parties to send their written arguments.
The BPDA points out that the only answer received from the defendant throughout the whole case is an e-mail merely stating (free translation) : “Are you guys serious? What are you talking about? E-mails? No wonder why the world is doing so poorly“.
After verifying that the plaintiff’s claim had merit, the BPDA notes that its injunctions were never answered by the defendant, who also never followed-up on any of the oppositions to processing or erasure requests from the plaintiff.
Moreover, the BPDA stresses the fact that not complying with a request for opposition to processing for direct marketing constitutes a serious offense (section 83, Article 2, (a) GDPR).
Based on these considerations, the BPDA issued a criminal fine to the defendant together with an order to comply with the plaintiff’s request within the month from its decision.
Why this matters:
This decision illustrates that the BDPA increased its focus on compliance with direct marketing rules (and made it one of its main objectives) and that the lack of cooperation from a data controller is taken into account as an aggravating factor when deciding on the sanction for a GDPR-breach.
