The BE DPA has just imposed a fine of 50,000 euro on the company Family Service, which distributes “pink boxes” well known by mothers and fathers-to-be in Belgium, for various breaches of the GDPR.
Family Service is a marketing company that distributes pink boxes that include samples, special offers and information sheets for future parents. The inspection service of the BE DPA launched an investigation into the company after a complaint was lodged at the DPA alleging the company transferred personal data to third parties, including data brokers, without valid consent on the part of the customer, and without the provision of sufficient information.
The Inspection Service and the Litigation Chamber of the BE DPA found that the company was renting and/or selling personal data for commercial purposes. However, these practices were not indicated in the communication to customers in a clear and comprehensible manner. It is all the more important for the company in this case to properly inform the client about these practices, given that the pink boxes were distributed via gynaecologists and hospitals, which could have led clients to believe that the initiative came from the public sector, and not from a private company whose core business is trading data.
What’s more, the consent given by the customers for these transfers of data were not valid, as consent was clearly not informed, but also not specific (as consent for receiving the boxes automatically involved the transfer of data) or freely given (as the lack of consent involved the loss of some benefits).
Taking into consideration the number of data subjects (the company processes data relating to 21.10% of the Belgian population), the seriousness of the breach and the nature of the data processed (in particular data relating to children), the Litigation Chamber of the BE DPA decided to impose a fine of 50,000 euro, and ordered the company to comply with the GDPR. Given the size of the company, this is a considerable amount, but the BE DPA decided that a significant sanction was needed as the business model of Family Service is clearly not compliant with the GDPR.
To read the decision (in Dutch) click here.
For further information, please contact the Belgian DPA: firstname.lastname@example.org