GDPR Article 28: Belgian DPA fines SWDE — your DPA must be rock-solid

On 12 May 2026, the Belgian DPA fined SWDE €86,000, including €1,000 for lacking an Article 28-compliant DPA. Key takeaway: without a complete DPA, any outsourced processing leaves the controller non-compliant.

Excerpt — On 12 May 2026, the Belgian DPA (APD) fined SWDE €86,000, including €1,000 for lacking a subcontracting agreement compliant with GDPR Article 28. Key lesson: without a complete DPA, any outsourced processing leaves the controller in breach. Sources: APD press release (12/05/2026) and Decision 102/2026.

The case

On 12 May 2026, the APD’s Litigation Chamber issued Decision 102/2026 against Société Wallonne des Eaux (SWDE) concerning the recording and monitoring of call center calls for quality assessment and training. The APD imposed two fines totaling €86,000: €85,000 for transparency and lawfulness failures (Articles 5(1)(a), 6(1), 12(1), 13 GDPR, and Belgian e-privacy rules) and €1,000 specifically for the absence of an Article 28-compliant processing agreement with the provider in charge of evaluating the recordings. The decision also flagged retention of call recordings beyond one month, the limit on which the Belgian “call center exception” depends. See the APD release and Decision 102/2026 (SWDE).

In the same batch, the APD also fined fintech Isabel SA (Decision 103/2026) for failing to acknowledge its role as controller for an identification/authentication service, underlining that misqualifying “controller/processor” triggers cascading violations. Source: Decision 103/2026.

Legal reasoning

  • The Data Processing Agreement under Article 28 GDPR. Any processing entrusted to a provider requires a binding contract covering the mandatory Article 28(3) clauses (purpose, duration, nature and scope, data types, data subjects, security, confidentiality, DPIA/breach assistance, deletion/return, audits, onward subprocessors, etc.). Otherwise, the controller fails accountability (Articles 5(2), 24). References: CNPD – Chapter IV, Article 28 and CNPD – Processors. For the full framework, consult the GDPR text.
  • Who is a controller and who is a processor? EDPB Guidelines 07/2020 take a functional approach: the controller determines purposes and essential means; the processor acts on behalf of another and per documented instructions. Misqualification, as noted in Isabel (103/2026), undermines the legal basis and data subjects’ rights. Reference: EDPB 07/2020.
  • Transparency, legal basis and storage limitation. Beyond the missing DPA, the APD sanctioned SWDE for transparency (Articles 12–13), lawfulness (Article 6(1)), and storage limitation (Articles 5(1)(c) and (e)), tied to Belgium’s “call center exception”: if retention exceeds one month or information is lacking, the exception falls away. Reference text: Regulation (EU) 2016/679.
  • Luxembourg regulated sectors: CSSF 22/806. For Luxembourg financial entities, CSSF Circular 22/806 on outsourcing (amended by 25/883) requires strong contractual governance and GDPR alignment (subprocessor chain, audit rights, data location). References: CSSF 22/806 official page and general presentation.

What it changes in practice

  • Non-negotiable DPA. Any outsourcing involving personal data — call centers, call transcription, quality evaluation, cloud hosting, managed services, maintenance, managed security — requires an Article 28(3)-aligned DPA. A “PO + NDA” is not enough. CNPD expects clauses on technical/organizational measures, confidentiality, DPIA/breach support, end-of-contract data handling, and audit. See CNPD – Processors. If you need operational steering, an appointed DPO can help embed these requirements.
  • Controlled subprocessing chain. A provider cannot appoint a subprocessor without prior written authorization and equivalent clauses (Article 28(2)–(4)). The controller remains exposed if the chain is undocumented and uncontrollable.
  • Get the roles right. If your vendor “designs, configures and operates” a service that determines purposes and essential means (e.g., an identification service), it may be a controller — requiring its own legal basis and direct transparency. Refs: Isabel 103/2026 and EDPB 07/2020. For local support, see our GDPR Luxembourg page.
  • Call recordings: transparency and duration. Even when justified (quality/training), incomplete information (Articles 12–13) or excessive retention triggers sanctions. In Belgium, the APD stresses that beyond one month the “call center exception” no longer applies; in Luxembourg, CNPD stresses strict proportionality. Refs: APD press release and Article 5(1)(e) GDPR.
  • Luxembourg financial sector: reinforced clauses. CSSF 22/806 demands outsourcing controls on top of the DPA (critical/important classification, audit rights, reversibility, access/inspection, board involvement) consistent with GDPR; a “GDPR-only” contract without the CSSF backbone is insufficient. See CSSF 22/806. For implementation, an external DPO can secure compliance controls.

Common pitfalls (seen in audits)

  1. Incomplete or missing DPA. Teams think vendor T&Cs suffice. Article 28(3) lists mandatory clauses. Without them, the controller cannot demonstrate compliance (Articles 5(2), 24). Ref: Chapter IV – Article 28 (CNPD).
  2. Opaque subprocessing chain. Delegation to a “quality evaluator”, a hosting provider, then remote support outside the EEA without authorization or equivalent clauses: double non-compliance (Article 28(2)–(4)) and potentially an international transfer (Article 44 et seq.). Ref: EDPB 07/2020.
  3. Misqualification of roles. Labeling as “processor” an operator that actually determines purposes/essential means (authentication, analytics) leads to the wrong legal basis and fines (see Isabel 103/2026).
  4. Poor transparency and scattered information. Multiplying internal policies, FAQs and banners does not equal information that is “easily accessible and understandable” (Articles 12–13). Sanction confirmed in SWDE. Ref: Decision 102/2026.
  5. Unbounded retention periods. “Quality” recordings kept for months without specific justification or automatic deletion breach Article 5(1)(e). Ref: EUR-Lex.

In short: the SWDE fine shows that lacking — even “occasionally” — an Article 28-compliant DPA can justify a sanction. In Luxembourg, lock down your clauses, document the subprocessor chain, bound retention, and ensure complete, accessible transparency.

Luxgap regulatory expertise article.
