Belgian Data Protection Authority fines telecom company €100,000 for GDPR breach

The Belgian Data Protection Authority (DPA) announced a €100,000 fine against a major telecommunications company for violating the General Data Protection Regulation (GDPR). The decision, made public just three days ago, stems from a complaint filed by a customer who experienced a 14-month delay in receiving a response to their data access request.

The case, which began in January 2022, highlights the importance of timely compliance with data subject rights under the GDPR. According to the Belgian DPA's decision, the unnamed telecom company failed to adequately handle the customer's request for access to their personal data, as mandated by Article 15 of the GDPR.

The timeline of events reveals a series of missteps by the company. On January 25, 2022, the complainant contacted the telecom provider via its Messenger chat, requesting the contact information for its Data Protection Officer (DPO). The company responded that it did not have a DPO email address but would process the request through the chat. The customer then exercised their right of access, specifying the desired information format and timeframe.

Despite multiple follow-ups from the customer, including a warning of their intention to file a complaint with the DPA, the company failed to provide a satisfactory response. It wasn't until March 28, 2023, during the course of the DPA's investigation, that the telecom company finally furnished the requested information – more than 14 months after the initial request.

The Belgian DPA's Litigation Chamber, which issued the decision, emphasized the fundamental nature of the right of access in data protection law. This right, enshrined in Article 15 of the GDPR and Article 8.2 of the Charter of Fundamental Rights of the European Union, is considered a cornerstone of data protection. It serves as a gateway for individuals to exercise other GDPR rights, such as the right to rectification and erasure.

In its assessment, the DPA considered several factors outlined in Article 83 of the GDPR for determining the appropriate sanction. These included the nature, gravity, and duration of the infringement, the intentional or negligent character of the violation, and the categories of personal data affected.

The Litigation Chamber concluded that while the violation was not intentional, it demonstrated serious negligence on the part of the telecom company. The DPA noted that as a telecommunications provider, the company's core activities involve processing personal data, which should have prompted a higher standard of care in handling data subject requests.

Moreover, the DPA highlighted that the violation persisted for over 14 months, far exceeding the one-month response time mandated by Article 12.3 of the GDPR. This article allows for a two-month extension in complex cases, but the DPA stressed that such extensions should be exceptional and properly communicated to the data subject.

In determining the fine amount, the DPA took into account the company's annual turnover, which exceeded €1 billion in 2023. The €100,000 penalty represents less than 0.01% of this figure, falling well within the maximum limits set by the GDPR for such violations (up to €20 million or 4% of global annual turnover, whichever is higher).

The decision also sheds light on the scope of the right of access. While the complainant had requested information about which employees had accessed their personal data, the DPA clarified that such details are not covered by Article 15 of the GDPR. The right of access pertains to one's own personal data, not to the personal data of the company's employees who may have processed it.

This case serves as a reminder to organizations of the importance of having robust processes in place for handling data subject requests. The DPA emphasized that companies must ensure all staff, from directors to front-line employees, understand and can effectively implement procedures for responding to GDPR-related inquiries.

The telecom company has the right to appeal the decision within 30 days before the Belgian Market Court. However, as of the time of this report, it is unclear whether the company intends to contest the fine.

This ruling aligns with a broader trend of increased enforcement of data protection regulations across Europe. Data protection authorities are showing a willingness to impose significant fines for violations, particularly when they involve the fundamental rights of data subjects.

For businesses operating in the EU or processing EU citizens' data, this case underscores the need for:

• Clear and accessible channels for data subject requests
• Prompt and thorough responses to access requests
• Well-trained staff capable of recognizing and properly handling GDPR-related inquiries
• Robust internal processes to ensure compliance with statutory response times

As data protection continues to be a priority for regulators and individuals alike, companies must remain vigilant in their GDPR compliance efforts to avoid similar penalties and reputational damage.

Key facts

Date of decision: August 23, 2024

Fine amount: €100,000

Violation: Breach of GDPR Article 15 (right of access)

Duration of violation: 14 months

Company's annual turnover: Over €1 billion (2023)

Fine as percentage of turnover: Less than 0.01%

Initial data access request date: January 25, 2022

Date of satisfactory response: March 28, 2023

Appeal period: 30 days from notification

Appeal body: Belgian Market Court