X versus Y – €5,000 Fine (Belgium, 2024)

Prior to April 2019, the company of controller ‘Y’ used to make direct marketing calls to the defendant and their clients using a call center. Upon receiving persistent marketing calls through masked numbers, the plaintiff ‘X’ exercised her right to object under Article 21 GDPR #2 on April 4th 2019. The defendant took notes of the objection but requested the plaintiff to provide the phone number of the incoming calls, expressing that such fraudulent and phishing activities usually have external sources. Three months later the plaintiff contacted the defendant again, on three different occasions, because the phone calls did not cease, and was met with the same request of providing the phone number. In December 2019, the plaintiff lodged a complaint by the Belgian DPA, which launched an investigation by January 2020. By December 2020 the Inspection Services of the DPA rendered its conclusions on the investigation. By September 2024, The DPA initiated a transaction procedure for the complaint. Firstly, the DPA takes notes on the findings of the investigation revealing that at least two databases are involved, one of them being a CMR (a Customer Relationship Management ) database through which data subject requests are managed. In the final transaction decision, the findings of the investigation are used for conclusions on the merits. The DPA found that the controller processed the data irregularly for direct marketing purposes, violating Article 5 GDPR #1a and Article 6 GDPR #1 and Article 21 GDPR#3 . That is because the controller processed the data of the subject irregularly, without registering the plaintiff in both databases before the objection was raised. This led to a wrong modification when the objection was made, leading to the contractor call center to continue the calls despite the objection. The DPA held that the objection must be upheld and the controller shall stop any unlawful processing of the plaintiff's personal data. Secondly, by repeatedly requ