APD/GBA (Belgium) - 102/2026
Belgium's APD/GBA fines water provider €86,000 for inadequate call recording disclosure and missing processor agreement.
Summary
The Belgian Data Protection Authority (APD/GBA) imposed two fines totaling €86,000 on SWDE (Société Wallonne des Eaux), a public water provider, for violating GDPR transparency and processor agreement requirements. The authority found that SWDE systematically recorded calls without adequately informing callers, failed to give them a meaningful opportunity to object before recording began, and did not maintain a valid data processor agreement as required. The investigation was triggered by an employee complaint in April 2020 regarding call monitoring practices.
Full text
APD/GBA - 102/2026
Revision as of 08:41, 26 May 2026

Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR; Article 6(1) GDPR; Article 6(1)(e) GDPR; Article 12(1) GDPR; Article 12(2) GDPR; Article 13 GDPR; Article 21 GDPR; Article 24 GDPR; Article 28(3) GDPR
Type: Complaint
Outcome: Other Outcome
Started: 16.04.2020
Decided: 12.05.2026
Published:
Fine: 86,000 EUR
Parties: SWDE (Société Wallonne des Eaux)
National Case Number/Name: 102/2026
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD (in FR)
Initial Contributor: ds

The DPA imposed two fines totalling €86,000 on a public water provider for failing to adequately inform callers about call recordings, to let them object before recording began, and to conclude a valid processor agreement.

English Summary

Facts

SWDE (Société Wallonne des Eaux), the controller, was an autonomous Belgian public provider responsible for the management and supply of drinking water in Wallonia. It served around 1.1 million customers and supplied water to around 2.5 million people. To handle customer requests, it operated a general telephone number through a call centre. Simple requests were handled by the Front Office, while more complex or specific requests were transferred to, or handled by, different Back Offices, including the Litigation Department.

On 16 April 2020, an employee (the data subject) of the controller filed a complaint with the DPA.
Since the data subject was still employed by the controller, they asked the DPA not to disclose their identity to it. The data subject alleged that the controller systematically recorded and monitored incoming and outgoing calls for service quality control and staff training, without sufficiently informing employees about the processing of their personal data. They also alleged that employee files had been transferred to a company outside Belgium and that the recordings were insufficiently secured.

The controller stated that it had started recording incoming calls to the Front Office in November 2018 and to certain Back Offices in March 2020, in order to assess the quality of staff responses, train employees and improve its services. It stated that regular recordings had been implemented in the Front Office and in the East and West Back Offices, but not in the central Back Office (Litigation Department). However, recordings had also been considered for this Department. According to the controller, only three test recordings were carried out in the Litigation Department between October and November 2020, to allow the department’s supervisor to test and understand the recording platform. After those tests, the controller decided not to continue monitoring the calls in that department. It stated that this decision had been communicated orally to the employees concerned, but it had no written evidence of that communication.

Following the complaint, the DPA carried out a broader investigation into the controller’s call-recording practices, especially its compliance with the transparency obligations toward callers. Concerning this matter, the controller indicated that the information made available to callers was confined to a pre-recorded message stating: “As part of our efforts to improve our services, this call may be recorded”.
The controller argued that the callers could always refuse the recording of their conversation by requesting it immediately from the call centre agent who answered the phone. This message was later modified on October 25, 2022, and allowed callers to opt out of the recording by pressing 0.

The controller informed the DPA that it used a Software-as-a-Service (SaaS) application provided by an IT service provider for the call-recording system. That provider had been involved in the processing since January 2019. However, according to the controller, a written contract with the provider was only signed in December 2023.

Holding

The DPA’s investigation did not establish the alleged third-country transfer or the alleged security infringement. It nevertheless found several GDPR violations in relation to the call-recording system.

The DPA first examined the recordings under the Belgian Law on Electronic Communications, in particular Article 124 LCE, Article 125 LCE and Article 128 LCE. Under these provisions, call recordings involving employees required either the consent of all persons concerned or a statutory exception. The DPA accepted that the regular recordings in the Front Office and in the East and West Back Offices fell under the Belgian “Call Center Exception” under Article 128 LCE, since they concerned customer-service calls recorded for quality-control purposes. The DPA further stated that this did not remove the need for a separate GDPR lawful basis. It therefore accepted Article 6(1)(e) GDPR, as the recordings were linked to the controller’s public-interest task of providing an effective water-supply service.

Regarding the three test recordings in the Litigation Department, the DPA held that this department was not covered by the Call Centre Exception, and the controller had not obtained valid consent from all persons concerned.
The test recordings were therefore unlawful under the Belgian Law on Electronic Communications and, as a result, also infringed Article 5(1)(a) GDPR and Article 6(1) GDPR.

The DPA further found that not all employees had been given sufficiently clear and complete information about the recording and monitoring of their calls. It also found that there were violations of the transparency principle toward callers. The pre-recorded message used by the controller did not provide the essential information pursuant to Article 13 GDPR. Even after the controller improved the message in October 2022, the DPA considered that the information remained insufficient for callers without easy internet access, since they were not clearly told how to obtain the information offline. This infringed Article 5(1)(a) GDPR, Article 12(1) GDPR and Article 13 GDPR.

The DPA also found that, until 25 October 2022, callers could not effectively object before recording began. They could only object once connected to an employee, by which point the recording had already started. Therefore, the DPA held that the controller had failed to facilitate the exercise of the right to object before the recording began. This violated Article 12(2) GDPR and Article 24 GDPR in relation to Article 21 GDPR.

The DPA further determined that the controller had not ensured, until January 2024, that recordings were deleted within the applicable one-month retention period. In addition, it found that the controller had not carried out a DPIA for the call-recording system before starting the processing. The controller had also failed to notify and document unintentional recordings caused by a system misconfiguration.

The DPA concluded that the SaaS provider used for the call-recording system acted as the controller’s processor from January 2019. It also assessed that no valid data processing agreement with the processor under Article 28(3) GDPR was in place until December 2023.
The DPA therefore found that the controller had violated Article 28(3) GDPR.

The DPA ordered the controller to implement, within four months, measures ensuring adequate transparency for all callers to its general number, including callers without internet access. Moreover, it imposed an €85,000 fine for the lack of transparency toward callers and the failure to enable them to object effectively be