An unnamed telecom provider – Court Ruling (Belgium, 2025)

A customer (the data subject) filed a complaint against their telecom provider (the controller) after it failed to respond to their access request under Article 15 GDPR. The controller eventually responded to the request 14 months later, when the complaint was already pending. The Belgian DPA fined the controller €100,000 for violating Article 15 GDPR. The controller challenged the fine before the Belgian Court of Appeals. The Court reformed the DPAs decision and reduced the amount of the fine to €5,000. The Court found that the original €100,000 fine was disproportionate for a number of reasons: * the infraction was an isolated incident, affected a single data subject, and did not involve special categories of data; * the controller had no history of violating the GDPR; * the infraction caused no damage to the data subject but only mere inconvenience: * the infraction was not intentional; * the controller collaborated with the DPA during the investigation and implemented better procedures for handling access requests after the complaint was filed.