Infobel – €40,000 Fine (Belgium, 2025)

Infobel (the controller) is a commercial data broker who bought personal data from Z4, a telecom operator, regarding a customer (the data subject). Subsequently, the controller sold the personal data to Z3, a direct marketing company. The data subject received unsolicited direct marketing communications from Z1, a client of the direct marketing company and filed a complaint with the Belgian DPA against the controller and the other companies involved in the case. The current proceedings concern only the controller. The controller claimed that it had a right to access and use Z4’s database in particular for marketing purposes based on contractual agreements. The information referred to in the contracts amounted to the names, phone numbers, and addresses of customers who had a telephone connection with Z4 in Belgium and with 3rd party operators with which Z4 concluded agreements. The exceptions to the right to access and use of the databases were private numbers and the lists of restricted numbers which required the customer to opt-out from the database in order to be added to the restricted numbers list. The controller further specified that the data subject’s personal data (first and last name, street and house number, postal code, city and the creation date and source of the data) were added on 3 May 2006 to their database. The controller claimed that it added the personal data to the database on the basis of the consent of the data subject allegedly given by the data subject to Z4 when taking out a telephone subscription. The data subject denied having given consent for the processing of his personal data by the controller. The controller sold the data subject’s first and last name and address to a third party for a marketing campaign. The controller’s DPO stated that the database had not been used by the controller since 2023. The controller states that the data was deleted. Z4 contradicted the interpretation given by the controller to the contractual agreem