Marketing company fined €50K
On January 28, 2021 the Belgian Data Protection Authority announced a fine of €50,000 against the company Family Service for various violations of the GDPR.
Following an investigation into a complaint regarding the use of “pink boxes” containing sponsored gifts, the Belgian DPA found that Family Service had transferred personal data belonging to more than 1 million customers – including children – to third parties without providing sufficient information or obtaining valid consent from the users.
Sharing data without consent
Family Service is a marketing company that distributes pink boxes that include samples, special offers and information sheets for future parents.
After a complaint, the DPA launched an investigation into the company transferring personal data to third parties without obtaining valid consent from the customers and not providing parents with sufficient information about what data was collected, for what purpose and who was going to process it.
Data collection was not indicated to the users in a clear and comprehensible manner. Moreover, the consent boxes were distributed via gynecologists and hospitals, leading users to believe the consent box originated from the public sector and not a private company whose core business is trading data.
The DPA considered the consent invalid because it was not clearly informed, not specific (as consent automatically involved the transfer of data), and not freely given (as the lack of consent involved the loss of benefits).
DPA warns other companies
In calculating the fine, the DPA considered the severity of the violation; the fact that it involved approximately 21% of the Belgian population; that the personal data also belonged to children; and that personal data was sold for financial gain.
The Belgian DPA has requested Family Service to comply with the requirements of the GDPR when collecting, sharing and processing personal data on the internet.
Furthermore, the Belgian DPA issued a warning to other companies whose business plan involves the collection and sharing of personal data for profit. The DPA is on the lookout for companies that might not be in compliance with the GDPR.