Unknown – €50,000 Fine (Belgium, 2020)

The Belgian DPA (APD) imposed a fine of EUR 50,000 on a company for several violations of the GDPR. The controller is a company that carries out parking ticket controls. The controller controller had issued the data subject a fine for illegal parking. However, the data subject states that he or she did not receive the fine ticket. Instead, the data subject only found out about it when he or she received an official reminder letter from a law firm commissioned with debt collection, which then demanded payment of the reminder fee in addition to the original fine. The data subject then contacted the company and demanded, among others, information about which of his/her personal data had been processed. After this request was not properly fulfilled in a timely manner, the data subject filed a complaint against the controller During its investigations the DPA discovered that the controller violated several GDPR provisions. Firstly the DPA found that the controller failed to provide a proper privacy policy. The privacy policy on the controller´s website did not contain any information regarding the processing of personal data nor any contact information of the company. Secondly, the controller violated the data subject's right to information by failing to comply with the data subject's request for information on data processing. Lastly the controller infringed the principle of minimasation by processing the data subject's data for the purpose of sending a payment reminder only one day after the ticket had been issued even though the data subject had the opportunity to pay the fine without such a reminder at that time.