The GBA today imposed a total of 174,640 euros in administrative fines and corrective measures on Black Tiger Belgium (formerly Bisnode Belgium), a company specializing in big data and data management, for various violations of the AVG. These penalties include unfair processing of personal data without proactively, individually and transparently informing data subjects about it. The GBA also identified violations in the areas of exercising data subjects' rights and maintaining a register of processing activities.
The GBA received a complaint about data processing operations by "data broker" Bisnode Belgium, a company that was later acquired and renamed Black Tiger Belgium. The complainants had exercised the so-called "right of inspection" with Bisnode Belgium, which allows any person at any time to ask an organization to see the data it holds about him.
At the time the complaints were filed, Bisnode Belgium operated a consumer database ("CMX") and an enterprise database ("Spectron"), through which Bisnode Belgium offered "Data Quality" (with a view to improving the quality of its customers' data) and "Data Delivery" (with a view to delivering data to its customers for, among other things, the creation of marketing campaigns) services. These databases were supplemented by personal data from various external sources, such as the Crossroads Bank for Enterprises as far as the Spectron database was concerned.
After the company was acquired by the Black Tiger group, only the "Data Quality" activities and the B2B database were retained.
The AVG requires processing of personal data to be based on a valid legal basis. In this case, Black Tiger Belgium invokes its legitimate interest to process the data. However, to be valid within the meaning of the AVG, the legitimate interest must meet certain conditions.
However, the GBA Dispute Chamber finds that these requirements have not been met.
It recalls, among other things, that an interest cannot be justified if it violates applicable law. For example, the law prohibits the redistribution of Crossroads Bank of Enterprises data for direct marketing purposes.
It also draws attention to the fact that the company indirectly collects and processes personal data on a large scale, over a long period of time (the data are kept for 15 years), without informing data subjects individually in a clear and proactive manner about the processing operations carried out. These processing operations may nevertheless have a significant impact on them. For example, one of the complainants stated that he was profiled by one of Black Tiger Belgium's customers based on data provided by the company. According to the GBA, Black Tiger Belgium did not sufficiently take this type of risk into account when balancing its legitimate interest against that of the data subjects. Moreover, Black Tiger Belgium's interest cannot prevail over that of data subjects from the moment when, in the absence of information about the processing operations carried out, they are unable to exercise appropriate control over their personal data.
The GBA believes that retaining data for 15 years is not justified, particularly in the context of providing "Data Quality" services, which require only the most current data to be retained.
Hielke Hijmans, chairman of the Dispute Resolution Chamber: "Transparency is the cornerstone on which the AVG is based. Because a person is aware that their data is being processed, they can exercise the rights granted to them by the AVG, such as the right to object to processing. It is essential for a data broker to comply with this obligation, which Black Tiger Belgium has failed to do."
In addition, the GBA found that Black Tiger Belgium had not fully responded to the complainants' requests for access. It also pointed out in its decision that information was missing from the company's register of processing activities.
Based on the breaches found, the GBA Dispute Chamber imposes 3 different administrative fines on Black Tiger Belgium, totaling 174,640 euros. These fines relate, on the one hand, to the unlawful and improper processing of personal data without informing the data subjects proactively, individually and transparently, on the other hand, to the failure to respond appropriately to the data subjects' requests to exercise their right of access, as granted by the AVG, and, finally, to violations related to the register of processing activities.
In calculating the fines, the Disputes Chamber took into account as a mitigating factor the fact that Black Tiger Belgium had terminated its data delivery ("Data Delivery") service and destroyed its consumer database ("CMX").
In addition to these fines, the Dispute Resolution Chamber also imposes a series of corrective measures on Black Tiger Belgium, including the termination of its B2B "Data Quality" services until the data subjects whose contact information is available to the company have been proactively and individually notified of the data processing operations carried out. In doing so, the company must, among other things, inform data subjects of their right to object to the processing of their data. As for the other data subjects, for whom Black Tiger Belgium does not have contact details in its possession, the Dispute Resolution Chamber definitively prohibits the processing of their personal data, in the absence of a valid legal basis within the meaning of the AVG.
Hielke Hijmans: "The long-standing breaches of the principles of lawfulness, propriety and transparency in the processing and commercialization of data are serious infringements, as they deprive data subjects of full control over their personal data. It is therefore important to impose a severe but proportionate sanction, the deterrent nature of which will sustainably improve the data protection of Belgians."
The parties affected by the decision have 30 days to appeal.
