Belgian DPA imposes €50,000 Fine on Family Service

Jan 31, 2021

Source: European Data Protection Board

The BE DPA has just imposed a fine of 50,000 euro on the company Family Service, which distributes “pink boxes” well known by mothers and fathers-to-be in Belgium, for various breaches of the GDPR.

Family Service is a marketing company that distributes pink boxes that include samples, special offers and information sheets for future parents. The inspection service of the BE DPA launched an investigation into the company after a complaint was lodged at the DPA alleging the company transferred personal data to third parties, including data brokers, without valid consent on the part of the customer, and without the provision of sufficient information.

The Inspection Service and the Litigation Chamber of the BE DPA found that the company was renting and/or selling personal data for commercial purposes. However, these practices were not indicated in the communication to customers in a clear and comprehensible manner. It is all the more important for the company in this case to properly inform the client about these practices, given that the pink boxes were distributed via gynaecologists and hospitals, which could have led clients to believe that the initiative came from the public sector, and not from a private company whose core business is trading data.

What’s more, the consent given by the customers for these transfers of data were not valid, as consent was clearly not informed, but also not specific (as consent for receiving the boxes automatically involved the transfer of data) or freely given (as the lack of consent involved the loss of some benefits).

Taking into consideration the number of data subjects (the company processes data relating to 21.10% of the Belgian population), the seriousness of the breach and the nature of the data processed (in particular data relating to children), the Litigation Chamber of the BE DPA decided to impose a fine of 50,000 euro, and ordered the company to comply with the GDPR. Given the size of the company, this is a considerable amount, but the BE DPA decided that a significant sanction was needed as the business model of Family Service is clearly not compliant with the GDPR.

To read the decision (in Dutch) click here.

For further information, please contact the Belgian DPA: contact@apd-gba.be

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

← EDPB celebrates Data Protection Day Polish DPA fines Smart Cities: Another fine for lack of cooperation with the Personal Data Protection Office →

Recent news

CSC elects 2nd Deputy Coordinator

Apr 10, 2024

The Coordinated Supervision Committee (CSC) has elected Matej Sironic from the Slovenian Data Protection Authority (DPA) as its Deputy Coordinator for a term of two years. Sironic will be the second Deputy Coordinator, and will work along with Sebastian Hümmeler from...

Online conference”Call for GDPR update”

Mar 12, 2024

EFDPO, together with the Czech Association for Personal Data Protection and IAPP, co-organised the online conference “Call for GDPR update?”, which took place on 11.3.2024.

CEF 2024: Launch of coordinated enforcement on the right of access

Feb 28, 2024

Brussels, 28 February - The European Data Protection Board has kicked off its Coordinated Enforcement Framework (CEF) action for 2024. Throughout the year, 31 Data Protection Authorities (DPAs), including 7 German State-level DPAs, across the EEA will take part in...