Parking ticket control company fined for several GDPR violations

Summary

A company responsible for parking ticket controls issued a fine for illegal parking to an individual ('the data subject'). However, the data subject claimed that he had never received the fine. He first learned about the fine when a debt collection agency sent him a reminder letter, which included additional fees. It was later discovered that this reminder letter was sent out just a day after the original fine was issued. Thus, information about the data subject's name and address had been processed unnecessarily during the period in which individuals can pay the fine before a reminder is sent, contrary to the principle of data minimization in GDPR, Article 5(1)(c).

The data subject contacted the parking control company, requesting information about the data being processed about him. The request was not properly fulfilled, partly due to the data controller's inaccurate instructions regarding the correct communication channels, and partly due to an incorrect interpretation of the exemption to the data subject's right to access. As a result, the data subject filed a complaint about the data controller with the Belgian Data Protection Authority (DPA).

As separate data controllers, both the parking control company and the debt collection firm were investigated and sanctioned by the DPA.

Decision of the Belgian DPA

The parking control company was fined 50,000 EUR for the following violations:

• Failing to comply with the data subject's right to access (GDPR, Articles 14(1) and (2) in conjunction with Article 12(1) and (3)).
• Unnecessarily processing the personal data of the data subject (GDPR, Article 5(1)(c)).
• Failing to implement appropriate technical and organizational measures, considering the nature, context, and purpose of processing (GDPR, Articles 5(2) and 24(1) and (2)).

The debt collection firm was fined 15,000 EUR for the following violations:

• Requesting excessive amounts of information about the data subject (GDPR, Article 5(1)(c)).
• Processing data without a legal basis (GDPR, Article 6).
• Failing to provide the data subject with adequate information (GDPR, Article 12(3) in conjunction with Article 14).
• Failing to implement appropriate technical and organizational measures, considering the nature, context, and purpose of processing (GDPR, Articles 5(2) and 24(1) and (2)).

Our remarks

• Data controllers must establish standardized internal procedures to effectively accommodate data subjects' exercise of their rights under GDPR. This involves providing the data subject with clear information about to whom and using which communication channels their right to access can be exercised.
• Data controllers should remain cautious when interpreting the exemptions to the rights of data subjects. The restriction of data subjects' rights is regulated in Article 13 of the Belgian Data Protection Act. These exemptions must be understood restrictively as they deprive the data subjects of their rights to information, including information about the existence of other rights such as the rights to rectification, objection, or erasure.

Published: 23-12-2020
Journal number: DOS-2019-02751
Tags: 01 Legal basis and principles of processing
Complycloud EU GDPR Report