Family Service fined for unlawful consent practices Summary Decision of the Belgian DPA Family Service is an advertisement agency, offering so- The Belgian DPA imposed a fine of 50,000 EUR on Family called ‘gift packages’ for expecting parents, containing Service for the following violations: offers and samples of products and services. Expecting • Providing subscribers with a misleading impression parents can subscribe to the service, allowing Family regarding the use of their personal data when Service to pass on data to other entities. The gift subscribing to receive gift packages (GDPR, Article packages are distributed through a network of partners, 5(1)(a)). including hospitals and gynecologists. An individual filed a complaint with the Belgian Data • Retaining personal data for up to 18 years, which Protection Authority (DPA) after receiving targeted was deemed disproportionate, considering most advertising from an external company, which had of the offered products concerned infants (GDPR, obtained the complainant’s personal data from Articles 5(1)(c) in conjunction with Article 25). Family Service. The complainant claimed that she had • Failing to obtain free, specific, informed, and received multiple phone calls without giving her explicit unambiguous consent from data subjects, and consent to Family Service, and that these inquiries for processing data without the presence of a continued even after she had withdrawn her consent legitimate interest which could outweigh the and objected to receiving targeted advertising. interests of the data subject (GDPR, Articles 6(1)(a) Although the complainant had given her consent and (f)). while subscribing to the gift packages, the agreement • Failing to ensure that withdrawing consent was as failed to provide adequate information about how, to easy for data subject as providing it (GDPR, Article whom, and under which circumstances her personal 7(3)). data would be shared. As a result, the complainant was unable to make an informed decision about the • Failing to provide sufficient information to data intended use of her data, rendering her consent invalid subjects (GDPR, Article 13). and not freely given as required by the GDPR. • Non-compliance with the principle of storage Among other circumstances central to the case, limitation (GDPR, Article 5(1)(e)). Family Service had a policy of retaining personal data • Not taking the appropriate technical and about its subscribers for up to 18 years, when newborn organizational measures to secure the rights and children registered in the database would no longer freedoms of the data subjects, considering the be legally represented by their parents. Furthermore, nature, context, and purpose of the processing no record was kept of requests for rectification. Finally, activities in question (GDPR, Article 24). subscribers’ email addresses were intentionally kept even after data subjects had requested erasure to • The lack of processing agreements between Family ensure that no new accounts were created using the Service and one of their data processors (GDPR, same email address later. According to the DPA, these Article 28(3)). activities were against both the letter and the spirit of the GDPR. Published: 27-01-2021 Journal number: DOS-2019-04798 Tags: 01 Legal basis and principles of processing 83