NMBS – €10,000 Fine (Belgium, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Belgian National Railway was fined EUR 10,000 for sending promotional emails about the 'Hello Belgium Railway Pass' without a valid legal basis and without offering an opt-out option. This case is significant because it emphasizes the need for companies to distinguish between necessary communications and marketing, and to respect user preferences.
What happened
The Belgian National Railway sent promotional emails without a valid legal basis and did not provide an opt-out option.
Who was affected
Recipients of the 'Hello Belgium Railway Pass' email who were unable to unsubscribe from future communications.
What the authority found
The Belgian authority found that the railway's email was promotional and lacked a valid legal basis, violating GDPR by not allowing users to opt out.
Why this matters
This decision reinforces the importance of separating contractual communications from marketing and ensuring users can easily opt out of promotional emails. Businesses should ensure their email practices comply with privacy laws.
GDPR Articles Cited
A Twitter user notified the Belgian DPA (APD/GBA) of an email she had received from the Belgian National Railway (NMBS) about the "Hello Belgium Railway Pass", which is a ticket for Belgian residents providing them with a number of free train rides. After reviewing the facts provided by the Twitter user, the DPA decided to initiate an investigation into the incident on its own motion.
In its investigation, the DPA found that the email contained the general terms and conditions of the NMBS, instructions on how to use the railway pass correctly and Covid-related information. However, the communication also included information of a promotional nature, and no unsubscribe button or link was provided.
In the proceedings, the controller argued that the email was intended to remind the recipients to always ensure their safety when traveling and to remind them of the contractual conditions. It therefore considered the email necessary for the performance of the contracts concluded with the ticket holders under Article 6(1)(b) GDPR.
The DPA rejected the controller's argument that sending an email with promotional content was necessary for the performance of the contract under Article 6(1)(b) GDPR. It found that the purpose of informing the ticket holders about the contractual conditions and safety precautions could also have been achieved by publishing the information on the controller's website. It further found that the email constituted direct marketing according to Article 21(2) GDPR and that, by not providing the possibility to opt out of receiving similar emails in the future, the controller violated Article 12(2) and 21(2), (4) GDPR.
Consequently, the DPA held that the controller violated Article 5(1)(a), (c), (2), 6(1), 12(2) and 21(2), (4) GDPR and therefore issued a fine of €10,000 against the controller.
Related Enforcement Actions (0)
No other enforcement actions found for NMBS in BE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 May 2022
Authority
Autorité de Protection des Données
Fine Amount
€10,000
GDPRhub ID
gdprhub-4925
Cite as: Cookie Fines. NMBS - Belgium (2022). Retrieved from cookiefines.eu