GDPR case: Belgian DPA fines an association EUR 1,000 for sending direct marketing messages to former donors

2020-07-10 11:54


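The Belgian Data Protection Authority (DPA) has imposed a fine of EUR 1,000 on an association that, on the basis of its legitimate interest (Article 6.1, f) GDPR), sent direct marketing messages to (former) donors for fundraising purposes. The DPA imposed the administrative fine after a former donor of the association lodged a complaint with it, because the association had not responded to the data erasure request that the data subject addressed to the data controller under Article 17.1 GDPR, nor to the right to object exercised under Article 21.2 GDPR.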




The Litigation Chamber decided that the data controller thereby infringed Articles 6.1, 17.1, c) and d), 21.3 and 21.4 GDPR.


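First, the Litigation Chamber found that the data controller had not complied with the data erasure request or responded to the data subject's right to object. Second, the Litigation Chamber held that the association could not validly invoke its legitimate interest as a defence, because it did not meet the cumulative conditions laid down by the case law of the Court of Justice of the European Union, in particular the Rigas judgment. According to this case law, in order to invoke Article 6.1, f) GDPR, the data controller must demonstrate that i) the interests pursued by the processing can be regarded as legitimate ("purpose test"); ii) the intended processing is necessary ("necessity test"); and iii) the balancing of these interests against the fundamental rights and freedoms of the individuals concerned weighs in favour of the data controller or a third party ("balancing test"). In the present case, the Litigation Chamber decided that the association's conduct did not meet the third condition of Article 6.1, f) GDPR and the Court's case law.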


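More specifically, the Litigation Chamber found that there were doubts as to whether the data subject could reasonably expect their data to be used for direct marketing purposes years after it was collected (recital 47 GDPR). In addition, the Litigation Chamber found that the data controller had not sufficiently facilitated the right to object.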


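This decision implements the Belgian Data Protection Authority's 2020-2025 Strategic Plan, in which "direct marketing" is one of the priority strategic points. The Litigation Chamber also referred to Recommendation No 01/2020 of the Belgian DPA in this respect.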


The original text follows:


The Belgian Data Protection Authority has imposed a fine of 1,000 EUR on an association that, on the basis of its legitimate interest (Article 6.1, f) GDPR), sent direct marketing messages to (former) donors for its fundraising. The administrative fine was imposed following a complaint lodged with the Belgian Data Protection Authority by a former donor of the association as the latter had not complied with the request for data erasure addressed by the data subject to the data controller pursuant to Article 17.1 GDPR and its right to object pursuant to Article 21.2 GDPR.

The Litigation Chamber decided that the data controller thereby infringed Articles 6.1, 17.1, c) and d), 21.3 and 21.4 GDPR.

First of all, the Litigation Chamber found that the data controller did not comply with the data erasure request and the data subject's right to object. Secondly, the Litigation Chamber held that the association could not validly invoke its legitimate interest as a ground for the processing in the present case since it did not meet the cumulative conditions imposed by the case law of the Court of Justice of the European Union - and in particular the Rigas judgment - in this respect. According to this case law, in order to invoke Article 6.1, f) GDPR, the controller must demonstrate that i) the interests pursued by the processing can be recognized as legitimate ("purpose test"); ii) the intended processing is necessary for the purposes of the intended processing ("necessity test") and iii) the balancing of these interests against the fundamental rights and freedoms of the persons concerned by the data protection weighs in favour of the controller or of a third party ("balancing test"). In the present case, the Litigation Chamber decided that the third condition of Article 6.1, f) GDPR and the case law of the Court of Justice was not fulfilled.

More specifically, the Litigation Chamber found that there were doubts as to whether the data subject could reasonably expect his data to be processed for direct marketing purposes years after the collection of these data (recital 47 GDPR). Moreover, the Litigation Chamber found that the data controller had not sufficiently facilitated the right of objection.

This decision implements the 2020-2025 Strategic Plan of the Belgian Data Protection Authority, of which 'direct marketing' is one of the priority strategic points. The Litigation Chamber also refers to Recommendation No 01/2020 of the Belgian DPA in this respect.



Reposted from: 数据法律资讯
