The Belgian APD has just imposed a fine of 50,000 euros for various GDPR breaches on the company called "National service for the promotion of children's brands", or "Family Service" (on its website), a company that distributes "pink boxes" to pregnant mothers.
Offenses include the company's lack of transparency towards its customers regarding its data sales activities (via transfers to its network of business partners) and the lack of valid consent.
The defendant is a marketing company which distributes "pink boxes" to consumers. These boxes include samples, special offers and information sheets for expectant parents (especially pregnant mothers). The offers and samples contained in the "pink boxes" were made available to the defendant through its network of partners.
The personal data of (future) mothers collected by the defendant when new consumers registered were the following: mother's name, mother's first name, baby's date of birth, baby's gender, baby's name, email address, street and house number, zip code and city.
These personal data were then transmitted by the defendant to third parties (so-called “structural business partners”) in exchange for the aforementioned offers and samples. These business partners were in effect data brokers who processed the data for marketing campaigns and sold it to other third parties.
The complainant had completed a registration form with the respondent - in order to receive a pink box - by which she authorized the processing of her personal data.
The complainant subsequently decided to withdraw her consent as she no longer wished to be contacted by third parties regarding promotions of childcare products.
However, even after withdrawing her consent, the Complainant still received unwanted phone calls from the Respondent's business partners in connection with certain promotions.
The complainant then decided to lodge a complaint with the Belgian data protection authority, alleging that the respondent had transferred her personal data to third parties, including data brokers, without having obtained her valid consent and without providing sufficient information about the processing envisaged by the defendant and the third parties to whom her data was transferred.
The discussion in this decision revolves mainly around the (lack of) information given by the defendant on the sale and processing of personal data by its network of business partners, as well as the scope and (lack of) validity of the consent given in relation to the processing.
The inspection service and the litigation chamber of the Belgian DPA considered that the following violations were committed by the defendant:
1) Lack of information and transparency on the processing envisaged.
The defendant infringed Article 5 (1) (a) of the GDPR as well as Article 13 (lack of transparency) because the defendant was renting and/or selling personal data of consumers for commercial purposes (through its commercial partners) without informing consumers of this processing in a clear and understandable manner.
An aggravating factor is the fact that the "pink boxes" were distributed via both gynecologists and hospitals, which could have led clients to believe that the initiative came from the public sector, and not from a private company whose core business is the trade in personal data.
2) Lack of valid consent to process the data.
Article 6 of the GDPR, in particular Article 6 (1) (a) and (f) of the GDPR (free consent), was also violated by the respondent, as there could not be free, specific, informed and unambiguous consent given by consumers, since this consent was:
a) clearly not informed (about further processing by the network of partners);
b) non-specific (consent to receive boxes automatically implied the transfer of data);
c) not free (because the absence of consent entailed the loss of certain advantages).
3) Lack of appropriate technical and organizational measures and disproportionate retention period.
Violation of Article 25 of the GDPR, given that the defendant has not taken the appropriate technical and organizational measures to ensure that only the personal data necessary for each specific purpose of the processing are processed.
The 18-year retention period is disproportionate to the initial consent and reasonable expectations of the complainant and other affected parties.
For the rest, the defendant had not concluded the necessary subcontracts.
Given the number of people concerned (the company processes data relating to 21.10% of the Belgian population), the seriousness of the violation and the nature of the data processed (in particular data relating to children), the litigation chamber decided to fine the defendant 50,000 euros and ordered the company to comply with the GDPR within 6 months.
If you have questions relating to this subject, do not hesitate to contact me by sending me an email at the address indicated in the "contact" section.