APD/GBA (Belgium) - 103/2026
Belgian DPA fines digital authentication service €120k for misclassifying as processor and violating GDPR transparency
Summary
Belgium's Data Protection Authority (APD/GBA) issued a €120,000 fine to an operator of a digital authentication and identification service for wrongly claiming processor status instead of controller status under GDPR. The entity violated multiple articles including the accountability principle, transparency obligations, and data minimization by collecting excessive personal data (nationality, eID photo, place of birth, date of birth) without proper justification and failing to respond to data subject access requests. The DPA found breaches of Articles 5(1)(a), 5(1)(c), 5(2), 12(1), 13, 15, and 25(2) GDPR.
Full text
APD/GBA (Belgium) - 103/2026: Difference between revisions (GDPRhub). Revision as of 11:32, 18 May 2026 and latest revision as of 07:47, 19 May 2026, both by Ds. Latest revision text:

The DPA fined an operator of a digital authentication and identification service €120,000 for wrongly qualifying itself as a processor rather than a controller. It held that this breached the accountability principle and led to further infringements concerning transparency, the right of access, data minimisation and data protection by default.

== English Summary ==

Moreover, the data subject complained that they could not understand the actual scope of the processing at the moment their data were collected. The privacy notice did not correspond to the data collected via the service, and they were not properly informed why several personal data, namely nationality, eID photo, place of birth and date of birth, were required for the authentication process.

The controller argued that the information obligations did not apply to it, because it considered itself a processor. It further claimed that [[Article 13 GDPR]] does not require a controller to list the categories of personal data collected directly from the data subject. Finally, it relied on [[Article 13 GDPR#4|Article 13(4) GDPR]], arguing that the data subject already had the relevant information through the TruliUs terms of use. The controller also claimed that for the same reason it was not required to respond to the data subject, and that the lack of response was due to a technical problem caused by an update from its email provider.

The data subject further questioned the necessity of collecting several identity data through this service. They emphasised that other authentication systems, including government platforms, required less data for identification purposes.

Accordingly, the DPA held that the controller, by wrongly qualifying itself as a processor, breached the accountability principle under Article 5(2) GDPR.

The DPA then pointed out that, since the controller was responsible for the authentication and identification processing, it had to inform the data subject in a transparent and easily accessible manner at the time of collection. The DPA accepted that [[Article 13 GDPR]] does not expressly require a list of data categories in cases of direct collection. However, it held that [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 12 GDPR#1|Article 12(1) GDPR]] still require the data subject to be able to understand the scope of the processing. It noted that the information provided was incomplete and misleading, and that the more complete information was presented only after the data had already been collected. The DPA therefore found a violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 13 GDPR]].

Regarding the data subject’s access requests, the DPA stated that the controller had to respond to the access requests within the deadline. It held that an internal technical failure did not exempt the controller from liability. The controller was required to implement technical and organisational measures ensuring that data subject requests were effectively received and handled in time. The DPA therefore found violations of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 15 GDPR]].

The DPA found that the controller had additionally infringed [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] and [[Article 25 GDPR#2|Article 25(2) GDPR]] by collecting data exceeding what was necessary for the pursued authentication and identification purposes. The DPA noted that more than ten data items were collected to create and share a user’s profile, and that the controller did not demonstrate the necessity of this. It further noted that the controller had failed to implement technical and organisational measures ensuring that, by default, only necessary data were processed.