What GDPR obligations does a lawyer have to his clients?

On May 8, 2026, the Data Protection Authority, in its decision no. 99/2026, fined a law firm a total of 4,920 euros for two violations of the General Data Protection Regulation (GDPR). The firm had never informed its clients about the processing of their personal data and had refused their request for access on unlawful grounds. The decision makes the point clear: professional secrecy serves to protect clients, but it does not relieve lawyers of their GDPR obligations towards those same clients.

The facts

The complainants are a mother and her minor daughter. The mother was a client of the law firm from November 2019 to February 2020; since then, an unpaid invoice of about 3,800 euros has been outstanding.

On Jan. 20, 2023, they submitted to their former counsel a request for access under Art. 15 GDPR. The request covered the personal data of the mother, the daughter and the husband, and asked for general information about the processing, an explanation of the lack of a privacy policy on the website, the non-confidential parts of the processing register, and information about the security measures and the legal basis of the processing.

The request was repeated three times - on Feb. 23, March 15 and April 3, 2023. Each time, the firm replied only partially. In its first two replies, it invoked doubts about the identity of the mother. In its third reply, it demanded 135 euros under Art. 12.5(a) GDPR, claiming the request was “manifestly unfounded or excessive.” In addition, the firm argued that its website was a static HTML page without any processing, that compliance with the GDPR was inherent in being a lawyer, and that professional secrecy precluded the requested communication.

On June 5, 2024, the complainants filed a complaint with the DPA.

The decision

The DPA Litigation Chamber finds two separate violations and imposes separate fines for each. It rules that they are distinct behaviors - a general duty to inform, on the one hand, and an individual right of access on the other - each of which deserves its own penalty.

Violation of the principle of transparency (Art. 5.1(a), 12 and 13 GDPR)

The law firm does not demonstrate that it properly informed the complainants when collecting their personal data. The client agreement at the time did not contain any provision on the processing of personal data, and the firm stated that it did not see the added value of a document confirming its GDPR compliance: such compliance would - in its view - be inherent in the status of lawyer and professional secrecy.

The Litigation Chamber rejects that position. The transparency principle is a fundamental pillar of the GDPR: data subjects must know that their data is being processed and what processing is taking place so that they can exercise their rights. A law firm does not escape this duty. The fact that the firm has since amended its model contracts to include GDPR provisions, while ending the breach, does not change that finding.

Infringement of the right of access (arts. 12.2, 12.4 and 15 GDPR)

The Litigation Chamber dissected the four grounds for refusal relied upon by the office and rejected all of them.

The identity doubt. Art. 12.6 GDPR allows the controller, in case of reasonable doubt, to request additional information to verify the applicant's identity. It does not allow the controller to reject the request outright for that reason. The firm had never asked the mother what documents she could provide, even though she had expressly asked it to do so. The facilitation duty of Art. 12.2 GDPR requires a proactive attitude, not a dismissive one.

Third-party data. For the husband, the office rightly refused - the mother had not presented a power of attorney and could not request access to records pertaining exclusively to a third party. For the minor daughter, the situation is different. The firm knew it was the daughter of its former client and could not have been ignorant of the relationship between the two. The mother, together with her husband, exercised parental authority and was authorized to request access in that capacity.

The reliance on Art. 12.5(a) GDPR. Those invoking the “manifestly unfounded or excessive” exception bear the burden of proof and must substantiate that its strictly interpreted conditions are met. The firm argued that the repeated requests were repetitive in nature, but the Litigation Chamber does not see in them multiple independent requests - rather one and the same request, repeated out of necessity because the firm did not handle it. The repetition is therefore not an indication of abuse, but the result of the unlawful refusals themselves.

Professional secrecy. The Litigation Chamber categorically rejects this argument: professional secrecy protects the client by requiring the lawyer not to disclose his confidential information to third parties. When the client himself requests access to his own personal data, there is no question of a third party and the argument lacks any basis.

Fines and injunction

The Litigation Chamber follows the methodology of EDPB Guidelines 04/2022. The legal maximum is that of Art. 83.5 GDPR (20 million euros or 4% of annual worldwide turnover). The firm's annual turnover in 2024 was 406,909.53 euros. Both breaches are classified as of minor gravity, but the law firm is considered to have thorough legal knowledge and processed health data of the minor daughter. After proportional adjustment to the modest turnover and a mitigating reduction of 30% for infringement 1 (due to the amended model contracts), the Litigation Chamber arrives at a fine of 2,520 euros for infringement 1 and 2,400 euros for infringement 2.

It also orders the office to comply with the complainants' request for access within one month.

Legal analysis and interpretation

Professional secrecy and GDPR are complementary, not substitutable

The reasoning that compliance with the GDPR would be “inherent” in the status of a lawyer illustrates a misconception that appears more widely among liberal professionals. Professional secrecy is an external duty of confidentiality: the lawyer may not disclose client information to third parties. The GDPR regulates the internal relationship between the controller and the data subject: how his data is used, on what legal basis, how long it is kept, what rights he can exercise.

The two regimes do not conflict with each other, and neither dispenses with the other. Indeed, professional secrecy presupposes transparency vis-à-vis the client: a lawyer who cannot tell his client what data he keeps about him can hardly make it credible that he keeps that data confidential. Moreover, the Litigation Chamber emphasizes that a law firm, given its legal expertise, is expected to show increased diligence.

The fiction of the repeated request

The analysis under Art. 12.5 GDPR deserves special attention. The Litigation Chamber does not accept that a controller which itself fails to answer, or only partially answers, a request for access may subsequently invoke the data subject's repeated requests in order to charge the latter a fee. One request that remains unanswered remains one request, no matter how many reminders are sent.

This reasoning is consistent with EDPB Guidelines 01/2022 on the right of access, which interpret strictly the exceptions to the principle of free access and to the obligation to process requests. Those who wish to invoke the exception bear the burden of proof and must objectively demonstrate that the request itself, and not the consequences of the controller's own failure to respond, causes the repetitiveness.

Identity doubt as duty of facilitation, not right of refusal

Art. 12.6 GDPR is a tool to prevent abuse by third parties, not to provide the controller with a ground for rejection. Anyone who has reason to doubt the identity of a requester must specify concretely what additional information is needed to dispel that doubt. Mere reliance on “doubts” without operational follow-up is not sufficient. That the defendant here was a law firm weighs heavily in the assessment of negligence: the Court of Justice in Deutsche Wohnen confirmed that even a merely negligent breach is sufficient for the imposition of an administrative fine under Art. 83 GDPR, and in the case of a professional lawyer, the threshold of such negligence may be low.

What does this mean in practice?

For law firms and other liberal professionals. An up-to-date privacy notice is not a luxury but a GDPR obligation. When establishing the relationship, inform clients in writing about the purposes of processing, legal basis, retention periods, recipients and their rights. Work with model contracts that include a specific GDPR clause and publish a privacy notice on the website, even if that website does not technically collect data - the information obligation extends beyond online processing. Handle access requests proactively: within the response period, ask exactly what information is missing to establish identity, giving concrete options (copy of identity card, video call, physical appointment).

For data controllers in general. The exception of Art. 12.5 GDPR is not a management tool to get rid of troublesome requests. Those invoking it must demonstrate in writing and with reasons why the request does not meet the objective conditions, or why it is truly repetitive. A request that is repeated because the previous one was not granted does not count as a new request.

For data subjects requesting access. Formulate the request precisely - refer to Art. 15 GDPR and specify the categories of information you want (data, purposes, legal basis, recipients, retention period, origin). Include proof of identity or explicitly ask how you can substantiate your identity. If the request is refused or only partially answered, repeat it and keep all correspondence; this decision shows that a complaint to the DPA, even in combination with a commercial dispute between parties, can succeed.

Frequently asked questions (FAQ)

Should a law firm have a privacy notice even if its website does not collect data?
Yes. The information obligation under Art. 13 GDPR applies to all personal data the firm collects - at intake, in file management, in correspondence, in accounting. Whether or not that collection is through the website is not in itself decisive. A privacy statement on the website is a common and transparent channel for fulfilling this duty.

May a controller charge a fee for a request for access?
Only exceptionally. A first request for access is in principle free of charge. Art. 12.5(a) GDPR allows a “reasonable fee” only when a request is “manifestly unfounded or excessive.” The controller bears the burden of proof of this, and the exception is strictly interpreted. A request repeated several times because it was previously not granted does not qualify as repetitive.

What to do when a request for access is denied due to doubt about identity?
Ask the data controller in writing what additional information he requires. If he does not respond or still refuses despite documents provided, a complaint can be filed with the Data Protection Authority. The Litigation Chamber will not accept vague identity doubts as grounds for rejection; the data controller is expected to actively facilitate the exercise of the right.

Conclusion

This decision is a reminder that a law firm, like any other controller, is fully subject to the obligation of transparency towards its clients and to their right of access. Professional secrecy, however absolute towards third parties, offers no defense in Belgium against one's own client exercising their GDPR rights. For those who process personal data professionally - liberal professionals, SMEs, healthcare providers - this case is a reminder that compliance does not end with the drafting of a privacy statement, but is lived out in daily dealings with data subjects.


Joris Deene

Attorney-partner at Everest Attorneys
