Data minimisation and account creation: Belgian DPA warning

A new Belgian DPA decision on data minimisation and data protection by design + by default, this time against an international shipping & logistics company (ahem – certain quotes make its identity easy to find). The decision is short as it focusses solely on one issue: the obligation to create an account in order to file a complaint regarding the handling of parcels.

Most relevant excerpts:

Para. 17: “it is unreasonable to expect customers to know that they can file a complaint by telephone or other means, particularly when the [controller’s] website contains a page dedicated to complaints that clearly states that a user account is required to file a complaint. The Litigation Chamber considers that, although the complainant could theoretically have lodged a complaint through other channels without creating an account, such an expectation is unreasonable given the clear indications on the [controller’s] website.”

18: “[s]ome [localised] versions [of the website] offer the option of filing a complaint via a guest account.”
=> For the country in question, there was no guest account option yet at the time of the complaint, but other localised versions already offered one.

20: “The Litigation Chamber notes, however, that the possibility of filing a complaint as a ‘guest’ has been added to the [country-specific] extension of the [controller’s] website. The Litigation Chamber is of the opinion that, by taking these measures, the [controller] has brought its practices into compliance with the GDPR and has fully addressed the complainant’s concerns. […]”

21: “The Litigation Chamber concludes that the [controller] may have violated the provisions of the GDPR […]. In light of the measures taken by the [controller], in particular the introduction of the possibility to lodge a complaint as a temporary guest, the Litigation Chamber has decided to issue a warning to the [controller]. More specifically, the Litigation Chamber warns the [controller] that it may have violated Article 25 of the GDPR, read in conjunction with Article 5.1. c) of the GDPR, by not offering the complainant the possibility to lodge a complaint without creating an online account.”

The lesson? If something can in theory be done without an account, forcing the creation of an account to do that might be viewed as an infringement of the data minimisation principle + of the principles of data protection by design & by default.

Don’t take that as the absolute truth, though – don’t forget that accounts have various uses, and some user account benefits may be important to justify making them mandatory for certain actions. Just think about your justification carefully, because you might have to share it with a regulator some day.

Decision of 22 April 2025 (in French): https://lnkd.in/eWuk2e4M
