De Gegevensbeschermingsautoriteit, oftewel de nationale privacytoezichthouder van België, heeft op 29 mei de beslissing genomen een vereniging te beboeten. De vereniging in kwestie heeft zich schuldig gemaakt aan overtreding van artikel 21 AVG door berichten naar huidige en voormalige donoren te sturen ter fondsenwerving. Volgens de privacywaakhond valt de handelswijze van de vereniging daarmee te kwalificeren als "direct marketing" en voldoet het niet aan de waarborgen die zijn opgesteld in AVG.
The Belgian Data Protection Authority has imposed a fine of 1,000 EUR on an association that, on the basis of its legitimate interest (Article 6.1, f) GDPR), sent direct marketing messages to (former) donors for its fundraising. The administrative fine was imposed following a complaint lodged with the Belgian Data Protection Authority by a former donor of the association as the latter had not complied with the request for data erasure addressed by the data subject to the data controller pursuant to Article 17.1 GDPR and its right to object pursuant to Article 21.2 GDPR.
The Litigation Chamber decided that the data controller thereby infringed Articles 6.1, 17.1, c) and d), 21.3 and 21.4 GDPR.
First of all, the Litigation Chamber found that the data controller did not comply with the data erasure request and the data subject's right to object. Secondly, the Litigation Chamber held that the association could not validly invoke its legitimate interest as a ground for the processing in the present case since it did not meet the cumulative conditions imposed by the case law of the Court of Justice of the European Union - and in particular the Rigas judgment - in this respect. According to this case law, in order to invoke Article 6.1, f) GDPR, the controller must demonstrate that i) the interests pursued by the processing, can be recognized as legitimate ("purpose test"), ; ii) the intended processing is necessary for the purposes of the intended processing ("necessity test") and iii) the balancing of these interests against the fundamental rights and freedoms of the persons concerned by the data protection weighs to the favour of the controller or of a third party ("balancing test"). In the present case, the Litigation Chamber decided that the third condition of article 6.1, f) GDPR and the case law of the Court of Justice was not fulfilled.
More specifically, the Litigation Chamber found that there were doubts as to whether the data subject could reasonably expect his data to be processed for direct marketing purposes years after the collection of these data (recital 47 GDPR). Moreover, the Litigation Chamber found that the data controller had not sufficiently facilitated the right of objection.
This decision implements the 2020-2025 Strategic Plan of the Belgian Data Protection Authority, of which 'direct marketing' is one of the priority strategic points. The Litigation Chamber also refers to Recommendation No 01/2020 of the Belgian DPA in this respect.
Download hier de volledige beslissing van de Gegevensbeschermingsautoriteit in het Nederlands.
Dit nieuwsbericht is ook te vinden in het dossier AVG
