The Belgian DPA imposed a fine of 20,000 EUR on telecom operator Proximus for several data protection infringements during the processing of personal data for the purpose of publishing public telephone directories.
A Belgian citizen (the plaintiff) had requested Proximus, the publisher of a public directory, to retract the publication of his personal data in Proximus’ public directory, as well as the publication of the personal data in the directory of other publishers. Proximus, as publisher of its own public directory, had confirmed towards the plaintiff it would no longer publish the personal data, and would also inform other publishers of a public directory to not publish the personal data of the plaintiff. However, a few months later, the plaintiff discovered his personal data had not only been published in the directory of Proximus, but also in the ones of other publishers of a public directory. In its communication towards the plaintiff, Proximus also mentioned it had transferred the personal data of the plaintiff to other publishers of a public directory.
Background: lex specialis of the e-Privacy Directive
In Belgium, the consent for the publication in a public directory is given in accordance with the provisions of national telecommunications law. Those provisions are the national implementation of article 12 of the e-Privacy Directive. Although the e-Privacy Directive forms lex specialis vis-à-vis the GDPR (as lex generalis), as stated in article 95 GDPR, the provisions with regard to consent of the GDPR remain applicable as preconditions for lawful processing with regard to the consent in article 12 e-Privacy Directive .
Decision of the Litigation Chamber
The Litigation Chamber of the Belgian DPA upheld, among other things, that:
– Proximus publishes its own public directory and must therefore be considered as a controller for several relevant processing activities. As such, it has a responsibility to align the withdrawing of the data subject’s consent with the actual processing activities. It is apparent that Proximus did not take the appropriate measures to ensure and be able to demonstrate that the personal data of the complainant was not unlawfully processed after the withdrawal of the consent. Thus, Proximus had not fulfilled its obligations (appropriately) as a controller, and therefore infringed article 6 GDPR read in conjunction with article 7 GDPR, as well as articles 24 and article 5.2 GDPR.
– Proximus did not provide the data subject with transparent information during and after the handling of his request, nor did it appropriately facilitate the exercise of his data subject rights, and therefore infringed article 12 and article 13 GDPR.
The Litigation Chamber decided not to pseudonymise the name of the defendant, as the publication of that identity was in the public interest.
You can find the final decision in Dutch here.
For further information, please contact the Belgian DPA: firstname.lastname@example.org