A data broker CANNOT rely on legitimate interest according to the Belgian data protection authority

A recent decision by the Belgian Data Protection Authority (DPA) explores the challenges for a data broker to rely on legitimate interest in its data monetization practices.

Below is a summary of the case.

The case emerged from two separate access requests filed under Article 15 of the GDPR by complainants against a data broker. Despite receiving responses from the controller, the complainants raised concerns over the processing of their personal data without consent, a possible violation of Articles 13 or 14 of the GDPR.

The Belgian DPA’s decision was multifaceted, addressing various GDPR infringements:

1. Unlawful and Unfair Processing of Personal Data: The DPA found that the controller i.e., the data broker, failed to establish a legitimate basis for processing personal data under Article 6(1)(f) GDPR since the reliance on legitimate interest was not adequately maintained. This failure was compounded by the indiscriminate processing of various data types and the excessive retention period, contravening GDPR Articles 5(1)(c) and (e), 24(1), and 25(1) and (2).
2. Access Request Violations: The controller’s method of responding to access requests was a significant point of contention. The DPA noted that the responses were not provided in the electronic format as required by GDPR, thus breaching Articles 12(1), (2), and (3) and 15(3). Moreover, the failure to disclose the sources of the personal data contravened Article 15(1)(g) GDPR, underlining the importance of transparency in data processing operations.
3. Insufficient Record of Processing Activities: The controller’s record of processing activities was found to be lacking in detail, specifically regarding the categories of data subjects and personal data. This was in violation of Article 30(1)(c) GDPR and emphasized the need for comprehensive documentation in data processing activities.

Because of the above-mentioned breaches, the Belgian DPA issued cumulative fines amounting to EUR 174,640.

The challenges relating to the lack of legitimate interest are particularly relevant since they address an issue that is frequently overlooked: companies need to be able to prove the actual legitimate interest underlying the data processing activity through a legitimate interest assessment that shall be adequately detailed and argumented to limit the risk of potential challenges.

Such an approach is often not followed by businesses that use legitimate interest as a sort of “catch all” legal basis applicable when the businesses are not able to justify otherwise the data processing. This is a quite risky practice, especially for data brokers that exponentially are under the radar of data protection authorities.

Indeed, for instance the Italian data protection authority issued all its major GDPR fines in relation to telemarketing practices where data brokers were performing a prominent role. On the topic, you can read among others the following article “€ 3M GDPR fine for privacy breaches in telemarketing practices in Italy”.