The Belgian Court of Cassation ruled in a judgment of October 7, 2021 that a data subject has the right to lodge a complaint with the Data Protection Authority against a processing practice that violates the GDPR (in this case, the data minimization principle of Article 6 of the GDPR), even when the personal data of the data subject has not been processed.
In the underlying case, a company required customers to have their electronic identity card read by the company’s computer system in order to obtain a loyalty card and receive discounts on purchases. It was not possible for customers to provide their personal data by other means, for example by providing strictly necessary personal data only on a paper form.
A customer of the company lodged a complaint against this processing practice with the Belgian Data Protection Authority. This customer had refused to provide the company with his identity card and to consent to the treatment, and was therefore refused a loyalty card. The complaint was investigated and the Data Protection Authority found that the practice in fact violated the principle of data minimization – the principle that the processing of personal data should be restricted. to what is necessary to achieve the relevant objectives.
Previously, the Belgian Court of Appeal considered that no real violation had been demonstrated. The reasoning of the court was based on the fact that the client had not provided his electronic identity card and that there had therefore been no processing of his personal data.
The Belgian Court of Cassation did not follow the reasoning of the Court of Appeal. The Belgian Supreme Court has pointed out that a breach of the GDPR also occurs when a controller requires data subjects to process their personal data in a non-compliant manner, in order to benefit from a benefit or a service. When the Data Protection Authority finds that a practice gives rise to a violation, it can take corrective measures and – if necessary – impose an administrative fine, even if the personal data of the complainant has not been effectively processed. .
Note: In the same judgment, the Belgian Court of Cassation also ruled on the conditions for valid consent under the GDPR.
Source: Cass. October 7, 2021, Data Protection Authority v. Verreydt bv, C.20.0323.N.