GDPR UPDATE
Six lessons to learn from the decisions of the Data Protection Authority
Since April 2, 2019, the Belgian Data Protection Authority (DPA) has taken a dozen decisions. We can learn six lessons from these decisions:
- Respond (timely) to requests for access, rectification, erasure
In a case about a request for access, the federal public service of health, food chain safety and environment neglected the request. The request was made by mail, certified mail and e-mail, followed by an order of the DPA.
The federal public service, as a controller, was obligated to respond within thirty days. The DPA ruled that the federal public service made several mistakes: acting carelessly, neglecting the request for access and distributing internal mail late. The DPA reprimanded the federal public service.[1]
In two other cases, the DPA also reprimanded the controllers because they did not respond to requests in a timely manner, that is, within thirty days. These cases were about a request for access and information[2] and a request for rectification of data[3].
- Make sure clients can register their official name.
In this case, the DPA ordered a controller to change its IT systems. The complainant wanted to rectify his name, but the problem was that his name contained letters and accents the controller's system did not recognize. The DPA ordered the controller to change its systems so that names can be registered correctly.[4]
- Only use the data for the purpose they were collected for
The coordinator of a WhatsApp neighbourhood prevention network received various personal data of the members, such as phone numbers and email addresses. The coordinator later used this data to campaign for himself in the context of the municipal elections.
The DPA decided that the data the coordinator received were used for a purpose other than the one for which they were originally acquired. This use of the data was an infringement of the GDPR, which led to a reprimand from the DPA.[5]
- Always be prepared
An applicant lodged a complaint after his request for the removal of his personal data, made following an application, went unanswered. The DPA's assessment based on the complaint was rather limited. It was considered that the company had not replied to the request within the correct timeframe and that it had initially provided insufficient information regarding data processing.
What is more striking about this case, however, is that the DPA’s inspection service was asked to conduct an investigation at the company. The inspection service went much further than the initial complaint. They examined the entire GDPR compliance of the company. Minor violations were found by the inspection service in various areas, and the DPA formulated a reprimand.[6]
- The GDPR always applies, even when other legislation applies
This case was about a security camera that was placed in the kitchen and living room of student housing. In this case the DPA determined that the household exemption, provided by the camera legislation, does not apply since the use of the camera does not relate to a personal and household activity. As a result, the lessor qualified as a controller who has the obligation to comply with the GDPR in addition to the legislation applying to the use of security cameras.[7]
- Do not send chain emails (data minimization) and do not just copy identity cards
When sending an e-mail to different customers, a company placed all e-mail addresses in the CC field. As a result, every recipient could see who else had received the e-mail, and their personal details were shared with each other. The DPA ruled that such e-mails should be sent with the addressees in BCC.[8]
In another case, when applying for a loyalty card, a trader always copied the e-ID of his customers. This gave the trader access to, among other things, the photo and the National Insurance number of his customers. The trader offered no alternative to create a loyalty card and the customers had no free choice.
The DPA ruled this was excessive. To create a loyalty card, it is not necessary for a trader to have access to all data on an e-ID. Moreover, for e-IDs it is legally stipulated that they may only be read or used with free, specific and informed consent. The DPA sanctioned the trader for lack of consent and violation of the principle of data minimization. The trader was fined € 10.000![9]
The Main Theme
The lessons above show that the DPA inspects a wide range of aspects of your organization, ranging from job applications and creating loyalty cards to installing cameras. The main theme is that you must be able to prove at any time that your internal processes are in order. That is why we provide a few tips:
Train your employees. Human intervention often appears to be a weakness in data processing. That is why it is important that your employees know what they are doing. Ensure that they receive sufficient training in order for them to know how to act.
Test your IT infrastructure and policies. Entrepreneurs often think that they are sufficiently protected against threats from outside, data leaks, etc. However, practice shows that many companies are insufficiently protected. That is why it is important that you have your company tested. Think of an IT penetration test. In addition to the technological access to personal data, physical accessibility is often a problem. In many cases, it is relatively easy for an outsider to gain access to companies. You should also test this, for example by having someone unknown to your employees test which areas he or she can access.
Ask for advice. To be prepared for questions from customers, suppliers, applicants, (potential) contract partners and the DPA, you must have the right documents, notifications, permissions, sample clauses, processing agreements and process registers, in order to demonstrate that the personal data your company collects is managed correctly.
If you have any further questions, please contact us!
[1] https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/BETG05-2019_web.pdf
[2] https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/Be03-2019ANO.pdf#overlay-context=beslissingen-van-de-geschillenkamer
[3] https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/Be02-2019ANO.pdf#overlay-context=beslissingen-van-de-geschillenkamer
[4] https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/Be01-2019ANO.pdf#overlay-context=beslissingen-van-de-geschillenkamer
[5] https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/BETG01-2019ANO.pdf#overlay-context=beslissingen-van-de-geschillenkamer
[6] https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/Beslissing_TG_08-2019_GK.pdf
[7] https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/BETG03-2019ANO.pdf#overlay-context=beslissingen-van-de-geschillenkamer
[8] https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/BETG02-2019ANO.pdf#overlay-context=beslissingen-van-de-geschillenkamer
[9] https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/BETG06-2019_web.pdf#overlay-context=nieuws/GBA-sanctioneert-een-handelaar-voor-het-gebruik-van-de-eid-om-klantenkaart-aan-te-maken