X, complainant – Dismissed (Belgium, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A complaint about a Belgian hospital using unsecured contact forms was dismissed because the complainant couldn't prove any personal disadvantage. The forms risked exposing sensitive health data, but the complaint was not upheld. This case underscores the need for secure data handling but also shows that complaints require evidence of personal impact.
What happened
A complaint was dismissed regarding a Belgian hospital's use of unsecured contact forms that risked exposing sensitive health data.
Who was affected
Patients using the hospital's contact forms, which were sent unencrypted and unsecured.
What the authority found
The Belgian authority dismissed the complaint as the complainant could not demonstrate personal disadvantage from the hospital's data handling practices.
Why this matters
This case illustrates the necessity for secure data handling practices in healthcare. It also highlights that complaints need to show personal impact to be upheld, guiding individuals on how to substantiate their claims.
GDPR Articles Cited
National Law Articles
Entities Involved
The Complainant in this case was a patient in a Belgian hospital. He noticed that the hospital was using unsecured contact forms on its website. In particular, these forms were sent to the hospital in an unencrypted manner and via an unsecured connection. As a result, the personal data contained in these forms, including sensitive health data, were potentially exposed to the risk of being intercepted by third parties and being read in the network traffic. The Complainant therefore filed a complaint with the Belgian DPA, considering that such processing was unlawful. On the basis of this complaint, the Inspection Service of the Belgian DPA conducted an investigation. During this investigation, the following (additional) breaches of data protection legislation were identified: * the hospital implemented insufficient technical and organisational measures to guarantee the protection of (health) data (Article 32 GDPR); * the DPO of the hospital was not directly reporting to the highest management level of within the organization (Article 38(3) GDPR). = The Belgian Law on the Establishment of the Data Protection Authority states that anybody can file a complaint with the Belgian DPA, provided that all the prescribed conditions in Article 60 of this law are met. In a previous decision, the Belgian DPA had already decided that an additional condition must be fulfilled, namely that the complainant demonstrates that he has sufficient interest. In a recent case, the Belgium Supreme Court ruled that anyone who believes that their rights under the GDPR have been violated can lodge a complaint with the supervisory authority, even if their personal data have not been processed, given that the refusal to provide personal data resulted in a disadvantage for the data subject (e.g. not being able to use a certain service). According to the Litigation Chamber of the Belgian DPA, the difference in this case was that the Complainant could not prove to have suffered from any disadvant
Outcome
Dismissed
The complaint or investigation was dismissed.
Related Enforcement Actions (0)
No other enforcement actions found for X, complainant in BE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. X, complainant - Belgium (2021). Retrieved from cookiefines.eu
Last updated: