On July 30, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €20,000 fine on Belgian telecommunications provider Proximus N.V. (“Proximus”) for several data protection infringements related to Proximus’ public directory. In particular, the claimant requested that Proximus remove his contact details from the public directory and inform other publishers of public directories not to publish his personal data. Despite informing the claimant that it was going to proceed accordingly, Proximus still published his personal data in its public directory and shared it with other publishers of public directories.
In Belgium, consent to the publication of contact details in a public directory is regulated under the telecommunications law, which implements the ePrivacy Directive. As stated under Article 95 of the EU General Data Protection Regulation (the “GDPR”), consent under the ePrivacy Directive must meet the consent requirements of the GDPR.
In light of the above, the Litigation Chamber found that:
- Proximus qualifies as a data controller when it determines the purposes and means of the processing and takes the initiative of the processing activities, in particular when Proximus (1) requests, consults and stores the claimant’s personal data; (2) makes the claimant’s personal data available in its public directory; (3) shares the claimant’s personal data with third-party providers of directories.
- As the data controller, Proximus failed to provide clear and transparent information to the claimant regarding the processing activities and failed to facilitate the exercise of the claimant’s data subject rights.
- Proximus unlawfully processed the claimant’s personal data despite the claimant’s consent withdrawal request.
- Proximus did not take appropriate technical and organizational measures as it did not inform third-party controllers of the claimant’s consent withdrawal request. In light of this, subsequent processing by third-party controllers was unlawful.
- Proximus unlawfully transferred personal data to third-party providers of public directories in the absence of a valid legal basis.
The full decision is only available in Dutch.