Dt: Created page with “{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=25/2026 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-en-berisping-nr.-25-2026.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2=…”
|Jurisdiction=Belgium
|DPA-BG-Color=
|DPAlogo=LogoBE.png
|DPA_Abbrevation=APD/GBA
|DPA_With_Country=APD/GBA (Belgium)
|Case_Number_Name=25/2026
|ECLI=
|Original_Source_Name_1=APD
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-en-berisping-nr.-25-2026.pdf
|Original_Source_Language_1=French
|Original_Source_Language__Code_1=FR
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=
|Date_Decided=05.02.2026
|Date_Published=
|Year=2026
|Fine=
|Currency=
|GDPR_Article_1=Article 5(1)(f) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1f
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=FPS Finances Belgium
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=
|
}}
The DPA issued a warning to the Federal Public Service for Finances to ensure compliance with security of personal data processing after an employee accessed the address of an individual and visited her at her home.
== English Summary ==
=== Facts ===
An employee of the Belgian Federal Public Service for Finances (the controller) accessed the address of a data subject and visited the data subject at her home.
The data subject filed a complaint with the Belgian DPA (ADP) against the controller.
=== Holding ===
The DPA issued a warning to the controller to ensure future compliance with [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].
The DPA emphasised that the controller did not guarantee adequate data security at a prima facie analysis by failing to prevent the unlawful consultation and use of personal data by an employee.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the French original. Please refer to the French original for more details.
<pre>
1/6
Litigation Chamber
Decision 25/2026 of February 5, 2026
Case Number: DOS-2025-01830
Subject: Complaint concerning the consultation and use of a natural person’s address in a state database
The Litigation Chamber of the Data Protection Authority;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter “LCA”;
Having regard to the internal regulations of the Data Protection Authority, as approved by the Management Committee on April 25, 2024, and published in the Belgian Official Gazette on May 31, 2024;
Having regard to the documents in the file;
The following decision has been taken concerning:
The complainant: X, hereinafter “the complainant”
The respondent: FPS Finance, located at Boulevard du Roi Albert II 33, 1030 Brussels, hereinafter “the respondent”
Decision 25/2026 — 2/6
I. Facts and Procedure
1. The subject of the complaint concerns the consultation and use of a natural person’s address in a state database for the purpose of going to their home.
2. On April 27, 2025, Ms. Z, an employee of FPS Finance, appeared at the complainant’s home. 3. On April 28, 2025, the complainant filed a complaint with the defendant.
4. On May 5, 2025, the defendant informed the complainant that an internal investigation had been opened and asked her to schedule a telephone interview. The complainant agreed to a telephone interview that same day.
5. On May 5, 2025, the complainant filed a complaint with the Data Protection Authority (hereinafter “the DPA”). In her complaint, the complainant expressed concern about Ms. Z’s access to her address. She alleged that Ms. Z had used her access credentials to view the complainant’s address and had even gone to her home. 6. On May 12, 2025, the complaint was deemed admissible by the Frontline Service (hereinafter “FLS”) pursuant to Articles 58 and 60 of the LCA and was forwarded to the Litigation Chamber pursuant to Article 92, 1° of the LCA.
7. On June 17, 2025, the Litigation Chamber requested further information from the parties, in accordance with Article 94, §1, 1° of the LCA, in order to better understand the scope of the dispute. The parties were also informed that they had 14 days to submit their observations.
8. On July 1, 2025, the defendant submitted its observations to the Litigation Chamber within the allotted time. She explains that she took technical and organizational measures
by checking the agent’s access logs, conducting an investigation, and interviewing the agent,
who was reminded of the data protection rules. Her internal investigation reveals
that Ms. Z accessed the complainant’s data outside of any assigned
control or management duties and that she went to the
complainant’s home in a difficult family context between the parties. The defendant explains
that there are significant discrepancies between their respective statements.
1 Complaints deemed admissible are forwarded by the First Line Service to the Litigation Chamber for processing, in accordance
with Article 92, 1° of the Law of 3 December 2017 establishing the Data Protection Authority, as amended by the Law of 25 December 2023
(hereinafter “the New Data Protection Act”). The Data Protection Authority (DPA) reminds you that the Law of 25 December 2023 amending the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter “the DPA”), as well as the new internal regulations, entered into force on 1 June 2024. The new provisions apply to complaints, mediation cases, requests, inspections, and proceedings before the Litigation Chamber initiated from that date. You can consult the new LCA by following this link:
https://www.ejustice.just.fgov.be/cgi wet/article.pl?language=fr&dt=WET&nl=n&text1=gegevensbeschermingsautoriteit&choix1=en&trier=afk
ondiging&lg txt=f&type=&sort=&numac search=2017031916&cn search=&caller=list&&view numac=2017031916n and the internal regulations by following this link: https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-
des-donnees.pdf. However, cases initiated before June 1, 2024, remain subject to the provisions of the LCA (Law on Competition Acts) as amended by the Law of December 25, 2023, and the internal regulations as they existed before that date.
Decision 25/2026 — 3/6
9. On July 28, 2025, in accordance with Article 95, § 2 of the LCA, the Litigation Chamber informs the parties that the present case is pending, of the content of the complaint, and of the possibility of consulting and copying the file at the registry of the Litigation Chamber. The parties are invited to submit any comments they may have in this regard to the Litigation Chamber no later than August 12, 2025.
10. On August 1, 2025, the defendant informs the Litigation Chamber that it has no additional comments.
II. Reasoning
11. The data controller is the natural or legal person who determines the purposes and means of the processing.2 As a general rule, the employer is responsible for the processing carried out by its employees. However, when an employee exceeds the powers granted to them by their employer, they become the data controller.3 This does not preclude the employer from remaining responsible for implementing technical and organizational measures to prevent unlawful data processing.
12. In this case, it is undisputed that Ms. Z acted outside her duties by consulting the complainant’s address and going to her home. Ms. Z is therefore the data controller with regard to this consultation and use of the data.
13. Nevertheless, the defendant remains responsible for the processing with regard to access to the database by its employees and must, therefore, implement appropriate technical and organizational measures to ensure compliance with the principles set out in the GDPR. The choice of these measures must take into account “the nature, scope, context and purposes of the processing as well as the risks, of varying likelihood and severity, to the rights and freedoms of natural persons.”4
14. The defendant states that it has implemented technical and organizational measures. It claims to have checked Ms. Z’s access logs, to have conducted an investigation, and to have interviewed and reminded Ms. Z of the rules.
15. In the absence of an in-depth discussion on these measures and within the framework of a prima facie decision, the Litigation Chamber cannot determine whether these measures, in this case, are appropriate within the meaning of the GDPR with regard to access to the National Register. It simply notes that, in this particular case, these measures did not prevent unlawful access to and use of the data.
Article 4.7. of the GDPR
3 §27-32 of Decision 64/2025 of the Litigation Chamber
4 Article 24.1 of the GDPR
Decision 25/2026 — 4/6
16. In accordance with Article 95, § 1, 4° of the LCA and Article 58.2.a) of the GDPR, the Litigation Chamber has the power to warn a data controller or processor that the planned processing operations are likely to infringe the provisions of the GDPR.
17. The Litigation Chamber considers, based on the aforementioned facts, that it is necessary to
conclude that the defendant is likely to have violated Article 5.1(f) of the GDPR, as it is
unable to prevent the unlawful access to and use of personal data by an employee, which could mean, prima facie, that the defendant does not
guarantee appropriate data security. This justifies, in this case, the issuance of a warning so that the defendant must ensure, in the future, that it has implemented appropriate measures to comply with Article 5.1(f).
18. The purpose of this warning is to remind the defendant, presumed to be the data controller, of its obligation to comply with the aforementioned provisions of the GDPR, so as to enable it to comply with these provisions in the future with regard to the processing operations at issue in this case. 19. This decision is a prima facie decision rendered by the Litigation Chamber
pursuant to Article 95 of the LCA (Law on Administrative Procedure) on the basis of the complaint filed by the complainant,
within the framework of the “preliminary proceedings” 5 and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA.
20. If the defendant disagrees with the content of this prima facie decision
and believes that it can provide factual and/or legal arguments that could lead to a new decision, it may request a review by the Litigation Chamber according to the procedure established by Article 98 in conjunction with Article 99 of the LCA, known as the “proceedings on the merits” or “hearing of the case on the merits”. This request must be
sent to the email address litigationchamber@apd-gba.be within 30 days of the notification of this prima facie decision. Where applicable, the execution
of this decision is suspended during the aforementioned period.
21. Should the case proceed on its merits, pursuant to Article 98, paragraphs 2 and 3,
in conjunction with Article 99 of the LCA, the Litigation Chamber will invite the parties to submit their pleadings and to attach to the file all documents they deem relevant. Where applicable,
this decision is definitively suspended.
22. For the sake of completeness, the Litigation Chamber further notes that a proceeding on the merits of the case may lead to the imposition of the measures mentioned in Article 100 of the LCA.
5 Section 3, Subsection 2 of the LCA (Articles 94 to 97 inclusive).
6 “Art. 100. § 1. The Litigation Chamber has the power to:
Decision 25/2026 — 6/6
of the markets (Brussels Court of Appeal), with the Data Protection Authority as the defendant. Such an appeal may be lodged by means of an adversarial application which must contain the information listed in Article 1034ter of the Judicial Code. The adversarial application must be filed with the Registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the Justice e-Deposit computer system (Article 32ter of the Judicial Code).
(Section). Hielke HIJMANS
Director of the Litigation Chamber
7 “The application must contain, under penalty of nullity:
1° the date of the day, month, and year;
2° the applicant’s surname, first name, and address, as well as, where applicable, their capacity and national registration number
or company number;
3° the surname, first name, address, and, where applicable, capacity of the person to be summoned;
4° the subject matter and a summary of the grounds for the application;
5° the name of the judge seized of the application;
6° the signature of the applicant or their lawyer.”
8 “The application, accompanied by its annex, must be sent, in as many copies as there are parties involved, by registered letter
to the clerk of the court or filed with the registry.”
</pre>