Belgian DPA fines SWDE €86,000 and rebukes missing Article 28 contract
Belgium’s DPA fines SWDE over call recording and monitoring: transparency, retention and a missing processor contract. A clear signal for Luxembourg: an incomplete Article 28 DPA is costly.
The case
On 12 May 2026, Belgium’s Data Protection Authority (APD/GBA) announced three fines, two of which targeted Société Wallonne des Eaux (SWDE) over inbound call recordings and monitoring at its call center. The total reached €86,000: €85,000 for shortcomings in transparency, retention management and the unlawfulness of certain test recordings, and €1,000 for the “absence of a processor contract” with a provider that had been assessing the call listening for nearly five years. The decision also underscores that caller information must not depend on Internet access, that callers must be able to object to recording, and that a one‑month limit applies to benefit from the “call center exception” under Belgian electronic communications law. Official source: APD press release with links to decisions 101/2026–103/2026, including 102/2026 for SWDE (FR/NL). See “La Chambre Contentieuse inflige 3 amendes,” 12 May 2026. APD.
Legal reasoning
- Mandatory processor contract with each processor (GDPR Article 28). Article 28(3) requires a binding legal act specifying the subject matter, duration, nature and purposes of processing, the type of data, categories of data subjects, and the controller’s obligations and rights. Without this contract, a processor may act only on documented instructions, and the controller cannot demonstrate compliance (Art. 5(2) “accountability”). Official text: GDPR, Arts. 28 and 5(2), EUR‑Lex. EUR‑Lex — GDPR. For a practical overview, see our focus on GDPR Article 28 essentials.
- Correct role allocation. EDPB Guidelines 07/2020 on the concepts of “controller” and “processor” stress that one must assess who determines the purposes and essential means in practice; the contract alone is not decisive—operational reality prevails. They detail mandatory DPA content and typical clauses (assistance, security, onward sub‑processing, audits, deletion/return). EDPB 07/2020.
- Legal basis and transparency. For call recording/monitoring, the APD found infringements of lawfulness and transparency (Arts. 5(1)(a), 6, 12–13), and storage limitation (Art. 5(1)(e)). GDPR sets no fixed duration but requires a “necessary” and documented period; under Belgian electronic communications law, the APD retained one month for the call center exception. The EDPB clarified the “legitimate interests” analysis (Art. 6(1)(f)) and its three‑step test (legitimate purpose, necessity, balancing) in Guidelines 1/2024. EDPB 1/2024.
- Luxembourg resonance. In Luxembourg, the CNPD reiterates lawfulness/transparency and the need to inform clearly at the start of any recorded conversation; it requires a sound legal basis, a defined retention period, and practical means to exercise rights. See CNPD thematic files (information, retention and up‑front warning in calls). CNPD — principles and CNPD — retention/PSP.
In short, the APD sanctions both substance (transparency, legal basis, retention) and form (processor contract), reflecting GDPR’s “accountability + chain of trust” approach: no recording without clear information and a valid basis; no delegated processing without a robust Article 28 DPA.
What changes in practice (Luxembourg, May 2026)
- Any support function that “listens to” calls (quality, training, disputes) must be framed by:
  - a documented legal basis (often legitimate interests — Art. 6(1)(f) — with a formal balancing test) or a sectoral obligation;
  - caller‑facing information at the start of the call (not website‑only);
  - a justified maximum retention with effective, auditable deletion;
  - practical objection modalities where legitimate interests are relied upon (e.g., “press # to refuse recording” or routing to a non‑recorded channel).
- If you outsource call listening assessment, transcription, quality analytics AI, or hosting: you must have a compliant processor contract under GDPR Article 28 with each provider and any sub‑processor (and keep your sub‑processor register current). The “small” €1,000 fine in the SWDE case shows that a documentation gap alone constitutes a separate infringement. APD, 12 May 2026. To operationalize this in Luxembourg, consider DPO governance for Luxembourg and the safeguards required when using AI for compliant analytics.
- LU teams should align with EU doctrine:
  - EDPB 07/2020 to allocate controller/processor roles and lock in clauses; EDPB 07/2020.
  - EDPB 1/2024 for scenarios relying on legitimate interests (quality recordings). EDPB 1/2024.
  - CNPD guidance on upfront information and retention. CNPD.
Common pitfalls (seen in audits)
- “We have an NDA, that’s enough” — No. An NDA is not a DPA. Article 28(3) mandates specific clauses: data subject rights assistance, security, incident notification, audits, end‑of‑contract data handling, onward sub‑processing, etc. EUR‑Lex — Art. 28.
- Back‑dated processor contract — A retroactive DPA does not fix the lack of a valid basis at the time of processing. The APD sanctioned 5 years without a compliant contract in SWDE. APD, 12 May 2026.
- Information “hidden” in a web policy — Pointing to a web page is not enough if callers cannot access it or are not effectively informed before recording. The APD criticized conditioning access to information on having Internet for a mass‑market service. APD, 12 May 2026.
- No objection mechanism — If quality recording relies on legitimate interests, provide a simple opt‑out (DTMF, routing to a non‑recorded agent). This aligns with EDPB 1/2024 and CNPD expectations on clear information. EDPB 1/2024; CNPD.
- Uncontrolled “default” retention — Copy‑pasting a standard duration without effective deletion risks a sanction (Art. 5(1)(e)). Document the rationale, implement automatic erasure, and test it. Reference: storage limitation principle, GDPR. EUR‑Lex — Art. 5(1)(e).
In practice, Luxembourg leaders should check three “quick but critical” tracks: 1) each provider involved in call recording/listening/transcription has a complete, signed Article 28 DPA; 2) a clear information message is played at the start of each call, with an objection option where legitimate interests are used; 3) automated, tested deletion enforces the documented retention. The SWDE case shows that in 2026, authorities sanction both “paper” compliance (contracts) and “field” compliance (information, retention, rights).
Luxgap regulatory expertise article.