Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Belgium: DPA issues €174,640 fine on Black Tiger for unlawful processing of personal data

On January 16, 2024, the Belgian data protection authority (Belgian DPA) published Decision No. 07/2024 as issued on the same day, in which it fined Black Tiger Belgium SA/NV (Black Tiger) €174,640 for violations of the General Data Protection Regulation (GDPR), following a complaint from individuals.

Background to the decision

The Belgian DPA received a complaint concerning the alleged unlawful processing and sale of personal data of the complainants by Black Tiger. The complainants claimed that Black Tiger, acting as a data broker, processed and commercialized large amounts of their personal data without their knowledge or consent.

Findings of the Belgian DPA

Upon investigating, the Belgian DPA concluded that Black Tiger:

  • collected the personal data of data subjects indirectly and for a period of at least 15 years, without providing individual information to the data subjects, in violation of Articles 5(1), 6(1), and 12(1) in conjunction with Articles 14(1) and 14(2) of the GDPR;
  • violated Articles 24(1), 25(1), and 25(2) of the GDPR owing to a lack of appropriate technical and organizational measures to ensure compliance with data protection principles, in particular the principles of data minimization and storage limitation, in an effective manner;
  • improperly handled the complainants' requests for access by opting to reply to the requests by post instead of in a conventional electronic form, constituting a violation of Articles 12(1), 12(2), and 12(3) read in conjunction with Article 15(3) of the GDPR; and
  • failed to keep a record of the categories of data subjects, the categories of personal data, and the processing activities, in violation of Article 30(1)(c) and 30(2)(a) of the GDPR.

Outcomes

In light of the above, the Belgian DPA imposed a combined fine of €174,640 on Black Tiger for the abovementioned violations. The Belgian DPA also imposed corrective measures to bring Black Tiger's activities into compliance with the GDPR, including:

  • providing the data subjects the opportunity to object to the processing of their personal data;
  • taking organizational measures to ensure that the retention period of the personal data is proportionate to the purposes of the processing, and only maintaining the most up-to-date personal data of data subjects; and
  • supplementing the record of processing activities with a clear description of the categories of personal data and data subjects.

You can read the press release in French here and in Dutch here and the decision, only available in Dutch, here. Please also see the European Data Protection Board summary here