An unnamed data subject – Complaint Upheld (Belgium, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Belgian national post service Bpost (the controller) delivered a registered mail to a recipient (the data subject). An employee of the controller took a picture of the data subject’s ID, in order to prove that their identity had been verified during the delivery.

The data subject filed a complaint over this practice. They claimed that there was no legal basis for taking and storing a picture of their ID. They also claimed that the practice was unnecessary, in violation of the GDPR principles of data minimisation and storage limitation. The data subject did not, however, object to the use of their ID for verification per se. Rather, the data subject challenged the fact that their ID was photographed, and that the picture was stored. So, the use of IDs for verification purposes only was never questioned in the case.

The DPA found that the controller violated the principle of data minimisation and issued a warning.

On lawfulness

The controller argued that the processing was based on its legal obligation to verify the recipient’s identity and store proof of the verification. In this regard, the controller invoked the Royal Decree on postal services (Royal Decree of March 14, 2022 on postal services). The DPA accepted the argument and held that the Act constituted a clear, precise, and predictable legal basis for processing personal data. In this regard, the DPA referenced the Privacy International ruling of the CJEU (see CJEU, Case C-623/17, Privacy International, 6 October 2020, margin number 68, available at https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-623/17). For this reason, the DPA held the processing to be lawful.

On data minimisation

The DPA observed that ID cards include data which are not listed on the registered mail itself (such as birth data, birthplace, and identity card number). The DPA held that these data were irrelevant to the verification of identity because the controller could not check them against any other data in its
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for An unnamed data subject in BE
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. An unnamed data subject - Belgium (2025). Retrieved from cookiefines.eu