Isabel SA – €120,000 Fine (Belgium, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Isabel SA was fined €120,000 for not responding to a user's requests about their personal data. This matters because it highlights the importance of companies being responsive to privacy inquiries. If you run a business that handles personal data, you need to ensure you have a process in place to address user questions and requests.
What happened
Isabel SA failed to reply to a user's emails asking about their personal data rights.
Who was affected
The manager of a company who used the TruliUs authentication service was affected.
What the authority found
The authority found that Isabel SA did not comply with GDPR requirements for transparency and user communication.
Why this matters
This ruling emphasizes that companies must be proactive in handling user inquiries about personal data. Small business owners should ensure they have clear communication channels for privacy-related questions.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject was the manager of a company who used TruliUs. TruliUs was a digital authentication and identification service developed by Isabel SA (the controller), allowing natural persons to prove their identity and authority to act on behalf of a company when accessing third party business platforms. In that capacity, the data subject used this solution to authenticate themselves and prove that they were authorised to act on behalf of their company when accessing their accountant’s digital platform. The data subject had sent two emails to the DPO contact address indicated in Trulius’ privacy notice, on 11 and 19 March 2021, but received no reply. On 29 March, 2021, the data subject lodged a complaint with the DPA against the controller. The controller argued that, for the TruliUs authentication and identification processing, it acted only as a processor and not as a controller. It submitted that TruliUs was a standardised service made available to its clients, who freely decided whether to use it and thereby determined the purposes and essential means of the processing. According to the controller, the purpose of authentication and identification served only its clients’ interests. It further argued that the clients determined key elements such as the recipients of the data, the data subjects concerned and the duration of the processing. Also, that the use of the service was optional because traditional identification methods remained available. The controller further relied on the service’s terms and its internal documentation, which classified itself as a processor acting on behalf of the client. Therefore, the controller considered the data subject’s company to be the controller. The data subject contested this position. They argued that their company could not be considered responsible for processing carried out through this platform, where their data were collected and processed. They stressed that neither they nor their platform had practical control ov
Related Enforcement Actions (0)
No other enforcement actions found for Isabel SA in BE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
12 May 2026
Authority
Autorité de Protection des Données
Fine Amount
€120,000
Enforcement Tracker ID
ETid-3174
GDPRhub ID
gdprhub-10006About this data
Cite as: Cookie Fines. Isabel SA - Belgium (2026). Retrieved from cookiefines.eu
Last updated: