An unnamed B2B data broker – €20,000 Fine (Belgium, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In 2021 the managing partner of a company (the data subject) received a direct marketing e-mail from another company. He filed an access request with the company and found that his personal data were provided by a B2B data broker (the controller). The data subject then filed an access request with the data controller. In particular, he required a list of all the sources and the individual recipients of his personal data. The controller replied that his data were collected via the Crossroads Bank for Enterprises (that is, the Belgian public register for businesses) and other public sources, and refused to provide information on individual recipients. The data subject later filed a complaint with the DPA. He complained about several violations of the GDPR, including the unlawful processing of his email and the incomplete response to his access request. During the investigation, the DPA found that the controller relied on several data sources other than the Crossroads Bank, including the controller's affiliate companies. When questioned by the DPA, the controller itself was unable to provide a clear and complete picture of its sources. The DPA held that the controller violated Articles 5(1)(a), 5(2), 6(1), 12(1), 14(1), 14(2),15(1), 24(1), and 25(1) GDPR. The DPA fined the controller for a total of €20,000: * €8,000 for unlawfully processing the data subject’s email address (Articles 5(1)(a), 5(2), and 6(1)); * €6,000 for violating the principle of transparency and the transparency duties of data controllers (Articles 5(2), 12(1), 14(1), 14(2), 24(1), and 25(1)); * and €6,000 for failing to appropriately respond to the data subject’s access request (Article 15(1)). On the nature of the data The controller claimed that the email addresses it controlled, were contact information for a legal person. On this basis, the controller argued that it did not process personal data. The DPA rejected this argument. In the present case, the data subject’s email included his name.
GDPR Articles Cited
In 2021 the managing partner of a company (the data subject) received a direct marketing e-mail from another company. He filed an access request with the company and found that his personal data were provided by a B2B data broker (the controller). The data subject then filed an access request with the data controller. In particular, he required a list of all the sources and the individual recipients of his personal data. The controller replied that his data were collected via the Crossroads Bank for Enterprises (that is, the Belgian public register for businesses) and other public sources, and refused to provide information on individual recipients. The data subject later filed a complaint with the DPA. He complained about several violations of the GDPR, including the unlawful processing of his email and the incomplete response to his access request. During the investigation, the DPA found that the controller relied on several data sources other than the Crossroads Bank, including the controller's affiliate companies. When questioned by the DPA, the controller itself was unable to provide a clear and complete picture of its sources. The DPA held that the controller violated Articles 5(1)(a), 5(2), 6(1), 12(1), 14(1), 14(2),15(1), 24(1), and 25(1) GDPR. The DPA fined the controller for a total of €20,000: * €8,000 for unlawfully processing the data subject’s email address (Articles 5(1)(a), 5(2), and 6(1)); * €6,000 for violating the principle of transparency and the transparency duties of data controllers (Articles 5(2), 12(1), 14(1), 14(2), 24(1), and 25(1)); * and €6,000 for failing to appropriately respond to the data subject’s access request (Article 15(1)). On the nature of the data The controller claimed that the email addresses it controlled, were contact information for a legal person. On this basis, the controller argued that it did not process personal data. The DPA rejected this argument. In the present case, the data subject’s email included his name.
Related Enforcement Actions (0)
No other enforcement actions found for An unnamed B2B data broker in BE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
22 April 2025
Authority
Autorité de Protection des Données
Fine Amount
€20,000
GDPRhub ID
gdprhub-9177About this data
Cite as: Cookie Fines. An unnamed B2B data broker - Belgium (2025). Retrieved from cookiefines.eu
Last updated: