Belgium
Nationale Maatschappij der Belgische Spoorwegen
GDPR enforcement action by Belgian Data Protection Authority (APD) on 2022-05-04.
Case details
- Authority
- Belgian Data Protection Authority (APD)
- Date
- 2022-05-04
- Controller / Processor
- Nationale Maatschappij der Belgische Spoorwegen
- Sector
- Transportation and Energy
- Quoted Articles
- Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 12 (2) GDPR, Art. 21 (2), (3), (4) GDPR
- Type of violation
- Insufficient legal basis for data processing
Summary
The Belgian DPA has imposed a fine of EUR 10,000 on the Belgian national railroad company (Nationale Maatschappij der Belgische Spoorwegen).
A Twitter user who had received an e-mail newsletter from the railroad company had filed a complaint with the DPA. According to the Twitter user, the newsletter did not include an option to unsubscribe.
During its investigation, the DPA found, first, that that there was no valid legal basis for the processing of personal data through the newsletter. Contrary to the railroad company's view, the DPA concluded that the newsletter was not necessary for the performance of the contracts between passengers and the company and that this performance interest therefore did not constitute a legal basis for the processing. Furthermore, the DPA found that the data subjects' right to object was not sufficiently taken into account, as it was not possible to unsubscribe from the newsletter directly via the e-mails.
Related fines