Zorg & Gezondheid – Complaint Upheld (Belgium, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Belgian DPA upheld a complaint against Zorg & Gezondheid for not responding to a data subject's questions about data processing. The authority found that the organization failed to provide transparency and access to personal data. This decision stresses the importance of organizations being transparent and responsive to individuals' data requests.
What happened
Zorg & Gezondheid did not respond to a data subject's questions and access request regarding personal data processing.
Who was affected
Individuals contacted by Covid-19 contact tracers who sought information about how their data was being processed.
What the authority found
The DPA ruled that Zorg & Gezondheid failed to provide necessary transparency and access to personal data, violating GDPR requirements.
Why this matters
This ruling underscores the need for organizations to be transparent and responsive to data subjects' inquiries, emphasizing the importance of clear communication about data processing activities.
GDPR Articles Cited
On 3 February 2022, the data subject was called by Covid-19 contact tracer (controller) after a confirmed Covid-19 infection within the family of the data subject. The data subject asked questions to an employee of the controller on the phone regarding data processing done by the controller. However, this employee was not able to answer the questions regarding this processing. On 4 February 2022, the data subject also filed an access request, to which the controller did not respond either. The data subject filed a complaint at the Belgian DPA on 21 March 2022 regarding two potential violations: a lack of transparency and the failure to address the data subject’s request. The investigation service of the DPA (investigation service) started an investigation into the controller and determined that the data subject did not have a sufficient interest. In her complaint, the data subject did not link the processing operation of the controller to herself. She was not able to prove that the controller was processing personal data at all and if so, what kind of personal data the controller was processing. Therefore, the data subject was acting in public interest, which made the complaint inadmissible according to the investigation service. The data subject disagreed and stated that the controller had asked for several categories of personal data (including medical information) regarding the data subject and her family in a phone call. According to the data subject, it seemed that this personal data was also saved by the controller, since the mother and husband of the data subject were called shortly after the data subject provided their contact details. The DPA disagreed with its investigation service, and stated that the complaint was admissible. The DPA stated that Article 58 WOG (Act establishing the DPA) allowed every data subject with a ‘sufficient interest’ to submit a complaint. The DPA confirmed that the controller processed the data subject’s personal data and s
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Zorg & Gezondheid in BE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Zorg & Gezondheid - Belgium (2022). Retrieved from cookiefines.eu
Last updated: