An interesting GDPR enforcement case came from Belgium in late May. Imagine that a data controller is sending unsolicited postal communications and ignoring data subjects' rights to object (Article 21) and to be forgotten (Article 17). On top of that, it misidentified the legal basis and relied on legitimate interest instead of consent (of course, no balancing exercise was conducted and no safeguards were put in place).
What could happen to such a data protection ‘nihilist’? Article 83(5) suggests that its DPO may start looking for another job. However, things may turn upside down if the controller is a… non-profit organisation.
Not to keep up unnecessary suspense: the data controller in the case above was fined a mere 1000 EUR (nope, I did not miss additional ‘zeros’). Of course, this takes into account that it was the first case against this organisation and that the controller is a non-profit organisation with no regular turnover.
This may all well be true, but it seems that such ‘enforcement’ naturally tears the fabric of the GDPR, as it in effect gives all non-profit organisations carte blanche to violate ‘tastefully’ the first time.
More details on this case:
One Reply to “Belgian data protection watchdog sends controversial ‘message’ with regard to non-profit data controllers.”
This is an interesting case. It makes me think also of all data which is sold by data brokers to organisations who use legitimate interest for their processing, which is normally direct marketing/sales. One could argue that often this data is ‘scraped’ from public sites, but is it really still okay? And then what happens when, as in Sweden, the data on the public site is not placed there by the data subject, but shared due to a legal loophole (at least in Sweden): utgivningsbevis.
I do not expect any case to pop up in Sweden shortly, but use of public data, to be reused for other purposes, is not really legal, is it?