Missing consent entails fine of EUR 50,000 in Belgium
The Belgian data protection agency, APD, has issued a fine to an unnamed social network in the amount of EUR 50,000 for collecting and using personal data without having a legal basis for doing so.
The social network allowed its users to invite contacts (regardless of whether they were already members of the network or not) to the online platform. Hence, the social network collected and stored data about users’ contacts and at the same time sent out invitations to such contacts added by the user.
The social network argued that the processing of personal data was based on consents and thereby lawful.
The right to import and store users’ contact information and then send such contacts an invitation was based on the consent of the network’s users. Therefore, by storing data from non-members of the network without their consent and sending them invitations, the social network processed data without a valid legal basis.
In addition, the invitation process was arranged in such way that all of a user’s contacts were automatically added, unless the user rejected this by actively removing a number of preticked boxes, including consent to the transfer.
The consent was therefore not a voluntary and unambiguous act within the terms of the GDPR, which is why the consent was not valid either.