GDPR | May 18, 2026

APD/GBA (Belgium) - 103/2026

Belgium DPA fines Isabel SA €120,000 for misclassifying itself as processor instead of controller.

Summary

Belgium's data protection authority (APD/GBA) fined Isabel SA €120,000 for incorrectly claiming processor status rather than controller status for its TruliUs digital authentication service. The DPA found the misclassification breached the accountability principle and led to violations of transparency, data subject access rights, data minimization, and data protection by design. The case centered on a complaint filed in 2021 by a data subject who received no response to privacy inquiries and was not properly informed about data collection through the authentication platform.

Full text

APD/GBA - 103/2026

Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 12(1) GDPR, Article 13 GDPR, Article 15 GDPR, Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 29.03.2021
Decided: 12.05.2026
Published:
Fine: 120,000 EUR
Parties: Isabel SA
National Case Number/Name: 103/2026
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD (in FR)
Initial Contributor: ds

The DPA fined a controller €120,000 for wrongly qualifying itself as a processor rather than a controller. It held that this breached the accountability principle and led to further infringements concerning transparency, the right of access, data minimisation and data protection by default.

English Summary

Facts

The data subject was the manager of a company who used TruliUs. TruliUs was a digital authentication and identification service developed by Isabel SA (the controller), allowing natural persons to prove their identity and authority to act on behalf of a company when accessing third party business platforms. In that capacity, the data subject used this solution to authenticate themselves and prove that they were authorised to act on behalf of their company when accessing their accountant's digital platform. The data subject had sent two emails to the DPO contact address indicated in TruliUs' privacy notice, on 11 and 19 March 2021, but received no reply.

On 29 March 2021, the data subject lodged a complaint with the DPA against the controller. The controller argued that, for the TruliUs authentication and identification processing, it acted only as a processor and not as a controller. It submitted that TruliUs was a standardised service made available to its clients, who freely decided whether to use it and thereby determined the purposes and essential means of the processing. According to the controller, the purpose of authentication and identification served only its clients' interests. It further argued that the clients determined key elements such as the recipients of the data, the data subjects concerned and the duration of the processing. It also argued that the use of the service was optional because traditional identification methods remained available. The controller further relied on the service's terms and its internal documentation, which classified it as a processor acting on behalf of the client. Therefore, the controller considered the data subject's company to be the controller.

The data subject contested this position. They argued that their company could not be considered responsible for processing carried out through this platform, where their data were collected and processed. They stressed that neither they nor their company had practical control over the platform, the authentication flow or the categories of data collected, and that they had no direct contractual relationship with the controller regarding the processing. Moreover, the data subject complained that they could not understand the actual scope of the processing at the moment their data were collected. The privacy notice did not correspond to the data collected via the service, and they were not properly informed why several personal data, namely nationality, eID photo, place of birth and date of birth, were required for the authentication process.

The controller argued that the information obligations did not apply to it, because it considered itself a processor. It further claimed that Article 13 GDPR does not require a controller to list the categories of personal data collected directly from the data subject. Finally, it relied on Article 13(4) GDPR, arguing that the data subject already had the relevant information through the TruliUs terms of use. The controller also claimed that, for the same reason, it was not required to respond to the data subject, and that the lack of response was due to a technical problem caused by an update from its email provider.

The data subject further questioned the necessity of collecting several identity data through this service. They emphasised that other authentication systems, including government platforms, required less data for identification purposes. In the alternative, should it be found not to be a processor, the controller submitted that, when designing the service, the data collected had been considered necessary for the purpose of authenticating and identifying users.

Holding

The DPA first examined whether the controller acted as controller or processor, because this qualification was the preliminary issue on which the rest of the case depended. The DPA rejected the controller's claim that it was merely a processor for the data subject's company. The DPA emphasised that whether an entity acts as controller or processor must be assessed in light of the actual processing operations, regardless of how the parties describe their roles in contractual documents. The controller had designed, developed and marketed TruliUs as a service enabling natural persons to authenticate and identify themselves as authorised representatives of companies. It therefore determined the purpose of the processing before any client used the service. The DPA also found that the controller determined the essential means of the processing: it had defined the categories of data collected via its service, the categories of data subjects, the retention period, the possible recipients and the overall technical infrastructure.

The DPA further rejected the controller's attempt to assign itself different roles. The controller accepted that it was a controller for certain operations, but it claimed to be only a processor for the authentication and identification activity. The DPA considered this distinction artificial, as all these operations served the same purpose. Accordingly, the DPA held that the controller, by wrongly qualifying itself as a processor, breached the accountability principle under Article 5(2) GDPR.

The DPA then pointed out that, since the controller was responsible for the authentication and identification processing, it had to inform the data subject in a transparent and easily accessible manner at the time of collection. The DPA accepted that Article 13 GDPR does not expressly require a list of data categories in cases of direct collection. However, it held that Article 5(1)(a) GDPR and Article 12(1) GDPR still require the data subject to be able to understand the scope of the processing. It noted that the information provided was incomplete and misleading, and that the more complete information was presented only after the data had already been collected. The DPA therefore found a violation of Article 5(1)(a) GDPR, Article 12(1) GDPR and Article 13 GDPR.

Regarding the data subject's access requests, the DPA stated that the controller had to respond to the access requests within the deadline. It held that an internal technical failure did not exempt the controller from liability. The controller was required to implement technical and organisational measures ensuring that data subject requests were effectively received and handled in time. The DPA therefore found violations of Article 5(1)(a) GDPR, Article 12(1) GDPR and Article 15 GDPR.

The DPA found that the controller had additionally infringed Article 5(1)(c) GDPR and Article 25(2) GDPR by collecting data exceeding what was necessary for the pursued authentication and identification purposes. The DPA noted that more than t

Entities

Isabel SA (vendor)
TruliUs (product)