Belgian DPA fines Family Service 50,000 euros for various breaches of the GDPR including the transfer of personal data to third parties.
Family Service, a Belgian company that brands itself as a gatekeeper in family marketing, has recently been fined by the Belgian DPA for various breaches of the GDPR. The company is well known for distributing “pink boxes” to expectant parents, helping brands market their products and services targeted to families. The boxes contain samples, special offers and information sheets for these families, and are typically distributed by gynaecologists and hospitals. That fact may have given the recipients the idea that this is a public sector initiative, rather than a private company whose core business is trading data.
The company was found to have transferred personal data to third parties without valid consent.
A complaint was filed with the Belgian DPA, claiming that the company transferred personal data to third parties, including data brokers, and that this was done without the valid consent of the customer and without the provision of sufficient information. Through their investigation, the Inspection Service and the Litigation Chamber of the Belgian DPA found that not only was this consent indeed invalid, but the company was renting and/or selling personal data for commercial purposes. Customers were ill-informed that the company behind the distribution of those boxes was in the practice of selling and/or renting this data, as this was not communicated in a clear and comprehensible manner.
It became clear that the consent given to the company was neither informed, nor specific, as the consent was given based on the consumers’ receipt of those boxes. In addition, the Belgian DPA found that this consent was not freely given either, as a lack of consent in this case involved the family forgoing some benefits.
The Belgian DPA imposed a fine of 50,000 euro and ordered Family Service to comply with the GDPR.
The Belgian DPA, taking into account the reach of this company in determining the impact of this data breach, found that Family Service processes data of roughly 21.10% of the Belgian population. The company website itself boasts a coverage of roughly 97% of new and expectant parents in Belgium. The Litigation Chamber of the Belgian DPA decided to impose a fine of EUR 50,000, based on this reach, as well as the seriousness of the breach and the nature of the data processed (particularly data relating to children). This fine is considered to be a considerable amount based on the size of the company; however, the Belgian DPA felt that a significant fine was necessary due to the seriousness of the GDPR breaches by this company. The authority also ordered the company to ensure compliance with the GDPR moving forward.