• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy, Cyber & Data Strategy Blog

  • Home
  • Services
  • Events
  • Contacts

Belgian Supreme Court rules that Data Protection Authority may impose administrative fines even where a data subject’s personal data were not processed

November 2, 2021 By Yung Shin Van Der Sype, Paul Greaves and Wim Nauwelaerts

The Belgian Supreme Court ruled in a judgment of Oct. 7, 2021 that a data subject has the right to lodge a complaint with the Data Protection Authority against a processing practice that violates the GDPR (in this case, the data minimization principle in Article 6 of the GDPR), even where the data subject’s personal data were not processed.

In the underlying case, a company required customers to have their electronic identity cards read by the company’s computer system in order to obtain a loyalty card and to enjoy discounts on purchases. It was not possible for customers to provide their personal data by alternative means – for example by providing strictly necessary personal data only on a paper form.

A customer of the company filed a complaint against this processing practice with the Belgian Data Protection Authority. That customer had refused to provide the company with his identity card and refused to consent to the processing, and therefore had been denied a loyalty card. The complaint was investigated, and the Data Protection Authority found that the practice did in fact give rise to a breach of the data minimization principle – the principle that processing of personal data must be limited to what is necessary to achieve the relevant purposes.

Previously, the Belgian appellate court had found that no actual breach had been demonstrated. The court’s reasoning was based on the fact that the customer had not provided his electronic identity card and therefore there had been no processing of his personal data.

The Belgian Supreme Court did not follow the appellate court’s reasoning. The Belgian Supreme Court stressed that a breach of the GDPR also arises when a controller requires data subjects to have their personal data processed in a non-compliant manner, in order to enjoy a benefit or service. When the Data Protection Authority determines that a practice gives rise to a breach, it may take corrective measures and – where appropriate – impose an administrative fine, even if the personal data of the complainant were not actually processed.

Note: In the same judgment, the Belgian Supreme Court also ruled on the conditions for valid consent under the GDPR.

Source: Cass. 7 October 2021, Data Protection Authority v. Verreydt bv, C.20.0323.N.

Filed Under: Belgium, Data Protection, Enforcement, GDPR, International, Privacy Tagged With: Belgium, Data Protection

About Yung Shin Van Der Sype

Yung Shin is an associate with Alston & Bird’s Technology & Privacy Group and Privacy, Cyber & Data Strategy Team. She focuses her practice on IT law and HR-related matters, including privacy and data protection, IT contracts, and corporate security.

About Paul Greaves

Paul Greaves is a senior associate in the Brussels office and a member of Alston & Bird’sPrivacy, Cyber & Data Strategy Team. Paul’s privacy, information technology, and data protection practice includes a focus on compliance with the General Data Protection Regulation, ePrivacy rules, and cross-border data transfers.

[Read Bio]

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy, Cyber & Data Strategy Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.

[Read Bio]

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • Belgian Supervisory Authority Sanctions News Media Company for Violating Cookie Rules
  • DOJ Issues New Policy on CFAA Prosecutions
  • EDPB Issues Draft Guidelines on the Calculation of Administrative Fines
  • The California Privacy Protection Agency Solicits Public Input on Forthcoming Privacy Regulations
  • U.S. Department of Commerce Announces the Establishment of a Global CBPR Forum
Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.