Nationale Maatschappij der Belgische Sporen (NMBS) – Court Ruling (Belgium, 2023)
Belgium's railway company NMBS sent emails to train pass holders without giving them a way to opt-out. This lack of choice violated privacy rules that require companies to respect users' preferences. The case highlights the importance of providing clear options for users when sending marketing communications.
What happened
NMBS emailed railway pass holders about travel passes and COVID-19 information without allowing them to opt-out of future emails.
Who was affected
Train pass holders who received unsolicited emails from NMBS during the COVID-19 pandemic were affected.
What the authority found
The Belgian court found that NMBS violated multiple GDPR articles by not providing an opt-out option in their emails.
Why this matters
This ruling emphasizes that companies must respect users' choices regarding communications. It serves as a reminder for businesses to implement clear opt-out mechanisms to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
This ruling of the Belgian court of appeal (Marktenhof) concerns the Belgian Railway company SNCB/NMBS (controller), a company with the Belgian state as its only shareholder. During the COVID-19 Pandemic, the controller was ordered by the Belgian government to start an initiative to promote train travel. On 13 October 2020, the controller emailed railway pass holders to inform them about the use cases of this travel pass and also provided COVID-19 related information. This e-mail resulted in GDPR related discussions on Twitter, specifically regarding the lack of the possibility to object. The Belgian DPA started an investigation on that matter and found that by not providing the possibility to opt-out of receiving similar emails, the controller violated Articles 12(2), 21(2) and 21(4) GDPR. Moreover, the DPA held that the controller violated Article 5(1)(a), 5(1)(c), 5(2), 6(1), 12(2), 21(2) and 21(4) GDPR. The controller was fined €10,000 (a summary of this decision is available on the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_71/2022 hub]) and decided to appeal the decision with the Appeal Court on the following grounds: First, the controller contested the applicability of the GDPR, considering that the e-privacy directive was applicable as lex specialis. Second, the controller stated Article 6 ECFR had been breached because it had not been able to comment on a piece of evidence. Third, the controller stated that the decision of the DPA was based on an inaccurate and incomplete representation of the facts. Among the others, the controller disputed the DPA’s definition of ‘Direct marketing’. It added that it had sent the e-mail in the first place because it was obligated to do so pursuant to the government's instruction. It had to provide COVID-19 related information and promote its full service as part of its public service obligation. Fourth, the controller argued that the DPA did not properly motivate the GDPR violations in the disputed decision
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Nationale Maatschappij der Belgische Sporen (NMBS) in BE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Nationale Maatschappij der Belgische Sporen (NMBS) - Belgium (2023). Retrieved from cookiefines.eu
Last updated: