Belgian DPA fines data broker

---

Resale of data for marketing purposes without valid consent

After receiving postal marketing communications from a company he was not a customer of, the complainant in this case asked the company that sent the advertising mail how it had obtained his data. The data had been obtained from a media agency, which in turn had received it from the data broker Infobel. Infobel had initially obtained the data from a telecom operator.

When questioned in this case, the data broker stated that it resells personal data on the basis of the consent of the data subjects. However, the Belgian DPA’s Litigation Chamber points out that, in order to be valid under the General Data Protection Regulation (GDPR), consent must satisfy a series of conditions. Among other things, it must be:

• Informed: the data subject must know who is processing their data and why, in order to be able to give informed consent to the processing of their data. However, the complainant had not been informed anywhere that his data would be marketed by Infobel. This lack of information also prevented the complainant from contacting the company to exercise his right to withdraw his consent, as he was not aware that this company held and processed his data.
• Unambiguous: consent must be given actively; it cannot be assumed by default in the event of inactivity or a pre-checked box. However, according to the company, the complainant's consent to the resale of his data was derived from reading the terms and conditions, and not from a clear positive action on his part.
• Specific: a company seeking consent for various specific purposes should ask a separate consent for each purpose: the individual must be free to consent (or not) to each of them. However, in this case, no separate consent was sought for the resale of data for direct marketing purposes.

The Litigation Chamber therefore found that the conditions for consent within the meaning of the GDPR were not met and that Infobel had not demonstrated that the complainant had (validly) consented to the resale of his data.

Deletion of data, and communication to client companies

The Litigation Chamber therefore imposed a fine of €40,000 on Infobel for reselling data for marketing purposes without valid consent. In calculating the fine, the Litigation Chamber took into account the fact that, according to Infobel, the database in question has not been used since 2023 and that the data in this database has been deleted.
In addition, it ordered the company to delete any personal data for which it could not demonstrate that it had a legal basis (such as valid consent) for processing the data.
Finally, the Litigation Chamber ordered Infobel to contact the client companies that had received data from it and inform them, on the one hand, of the order to delete the data and, on the other hand, of the non-compliance with the GDPR of the consent on which their processing was based.

The parties concerned by the decision have 30 days to appeal.

Hielke Hijmans, Director of the Litigation Chamber: "The activities of data brokers entail that data is obtained indirectly and transferred to a multitude of actors with whom the data subject is not necessarily connected. Therefore, the data subject is not always aware that their data is being processed, for what purpose, and by whom. That is why we imposed a fine in this case, as the resale of data was not based on valid informed consent." 

Data broking: an activity that must be transparent

Data brokers are companies that collect personal data from various sources, sometimes indirectly, process it, and resell it to third parties who use it for various purposes (e.g., marketing, research, etc.).

The fact that the data processed and resold by data brokers is not generally collected directly from the data subjects can pose difficulties in terms of transparency, yet transparency is one of the cornerstones of the GDPR. It is because individuals are informed that their data is being processed that they can exercise their data protection rights, such as the right to object to the processing of their data or the right to have their data erased.

Data brokers must therefore be particularly vigilant about the information they provide to the individuals whose data they process. The Belgian has already sanctioned data brokers, notably in 2021, 2024, and 2025.