A curious settlement by the Belgian DPA over minor structural violations

Amusing settlement decision by the Belgian DPA published yesterday: 500 EUR & 250 EUR respectively, plus adaptations to policies and procedures, so that when people book a table in a given restaurant by phone their data isn’t included automatically in a third-party table booking system and then used to send commercial e-mails.

The lesson? If you are using a third-party customer/order/… management system, check whether they by default retain the right to use the data for their own purposes or for the benefit of others. If so, [beyond the question of whether they *should* be doing that or are even allowed to do that,] consider carefully how you wish to treat those who use other means of contact. Why? Because these individuals are *not* using that third-party system to communicate with you, and the usual mechanisms you have in place to make data subjects aware of that third party’s role might not be visible to individuals using other means of contact.

This is obviously relevant in a broader context. I have repeatedly talked about the importance of knowing how third-party systems work (notably AI systems) and whether you are unintentionally enabling someone else to be a (joint or sole) controller. This particular case illustrates again the need to understand processes and their consequences. [Our “Third-Party Risk Management Checklist” based on the GDPR, NIS2, DataGovernance Act and DORA can be of interest in that respect: https://lnkd.in/eeER4twD ]

Worth a read – even though the actual settlement amount seems a little on the low end and may make some larger companies a bit envious.

Decision (in Dutch): https://lnkd.in/eWn6DwZa

data protection privacy