May an online platform publish my professional data without permission?

You are a doctor, physical therapist or other health care provider and discover that your professional information (name, address, phone number) is on a commercial online platform. You have never given permission for this and wonder if this is allowed.

In a ruling of 3 September 2025, the Brussels Market Court overturned a fine imposed by the Data Protection Authority (DPA) on this issue. The court ruled that while a platform may be able to rely on a "legitimate interest" (and thus not require consent), the DPA should redo its homework. The DPA should have justified the balancing of interests much more thoroughly and examined the concrete impact on health care providers.

The facts and legal context

The case revolved around an Internet platform that helps patients find and contact health care providers in Belgium. This platform offered two types of profiles:

1. Paying profiles: Healthcare providers who subscribed received an expanded profile with increased visibility and online booking tools.
2. Free profiles: Healthcare providers who did not have a subscription were still displayed on the platform with basic professional information (name, first name, specialty, phone number and address).

A number of health care providers filed a complaint with the DPA because their data was used without their consent for these "free profiles.".

The Litigation Chamber of the DPA ruled in favor of the health care providers. In a decision of 14 June 2023 (No. 75/2023), it imposed an administrative fine of 10,000 euros on the platform and ordered it to cease processing. The DPA ruled that the platform had committed two violations of the General Data Protection Regulation (GDPR). :

• There was no valid legal basis for the processing. The DPA considered that the balancing of interests under the "legitimate interest" (Art. 6.1.f GDPR) was negative for the platform.
• The platform had not adequately facilitated the exercise of the right to data deletion, resulting in a late response to a deletion request.

The platform disagreed and filed an appeal with the Market Court.

Market court decision

The Markets Court overturned the DPA's entire decision. The court's reasoning was based on two pillars: the legal basis for processing and the handling of the deletion request.

1. Unlawful processing and the "legitimate interest.

This was the crux of the case. The platform argued that it did not need consent because it could rely on the legal ground "legitimate interest" (Article 6(1)(f) GDPR). To use this legal ground, three conditions must be met: a purpose test, a necessity test and an interest test.

The DPA and the platform agreed that the processing served a legitimate purpose and was necessary. The discussion focused entirely on the third condition: the balancing of interests. Do the commercial interests of the platform outweigh the data protection rights of health care providers?

The Market Court ruled that the analysis of the DPAwas manifestly insufficiently substantiated on this point. The court identified several flaws in the DPA's decision:

• No concrete impact analysis: The DPA had not done an impact assessment of the concrete effects of the processing on the health care providers involved.
• No research on neutrality: The DPA had not examined how the data were presented. Citing German case law, the court said that a relevant criterion is whether publicly available data is presented in a "sufficiently neutral and non-discriminatory manner."
• Misconception of "consent. The DPA incorrectly stated that consent would be "the most appropriate legal ground." The Market Court recalled that Article 6 GDPR does not provide a hierarchy of legal grounds.
• Ignoring market practice: The platform had argued that competitors do exactly the same thing and also rely on the legitimate interest. The DPA had not responded to this argument.

Because the DPA's balancing of interests was insufficiently substantiated, the decision was overturned on this point.

2. The violation of the right to data erasure

The DPA also blamed the platform for responding too late to a registered letter dated October 25, 2021, in which the health care providers requested removal.

However, the platform was able to prove that it had never received this letter due to exceptional circumstances: the letter was delivered to the registered office (an apartment building) at a time when the business manager was abroad and the rest of the staff was obliged to telecommute due to corona measures .

The Markets Court found that the platform did act promptly (within 24 hours) once it actually became aware of the request via a letter from the DPA Inspection Service on Jan. 13, 2022. The DPA itself had admitted that the platform had acted "promptly."

Given these specific circumstances and the fact that the platform did offer other channels to exercise rights (such as an email address), the Court held that the platform could not be accused of lack of facilitation. Therefore, this part of the DPA decision was also overturned.

Legal analysis and interpretation

This ruling is of great importance for the "data economy," and in particular for companies that collect and structure publicly available data (data aggregators).

The Court does not say that publishing professional data without consent is always permissible. It does say that the DPA was too hasty in dismissing the legal basis of “legitimate interest”.

Crucial is the introduction of the criterion of neutral and non-discriminatory display. The DPA should have examined whether the "free profiles" were displayed in a fair manner, or whether they were presented in a misleading or negative way (e.g., as "incomplete" or "unverified") so as to pressure healthcare providers to take a paying profile. Such a practice would probably do the balancing of interests to the platform's disadvantage. By not examining this, theDPA's decision was insufficiently justified.

The ruling on the right to erasure is a demonstration of pragmatism. The GDPR imposes a duty to "facilitate" the exercise of rights, but this is not an absolute obligation of result that does not take into account reality. The Court accepted that in the exceptional context of the corona pandemic, a company could not be blamed for missing a physical registered letter, especially when it responded immediately as soon as it was notified through another channel (the DPA itself).

What this specifically means

For online platforms and data collectors

• You can rely on "legitimate interest" (Art. 6.1.f GDPR) for processing public professional data, but your balancing of interests must be watertight and concrete.
• Crucial: Make sure the display of "free" or "non-paying" profiles is completely neutral and non-discriminatory. Any suggestion that a free profile is "worse" or "incomplete" could tip the balance against you.
• Document your balancing of interests thoroughly, ideally in a Data Protection Impact Assessment (DPIA).
• Provide clear, accessible and functioning channels (such as a privacy e-mail address) through which data subjects can exercise their rights.

For caregivers and other professionals

• Just because your professional information is public (e.g., on your own website or with your professional association) does not mean that anyone can just reuse it for any commercial purpose.
• If you want to be removed from a platform, your first step is to exercise your right to object (Art. 21 GDPR) or right to erasure (Art. 17 GDPR).
• Preferably do this through the channels provided by the platform itself (e.g., the email address in their privacy policy). As this case demonstrates, this is often more efficient than a registered letter.
• If the platform refuses or fails to respond in a timely manner, you may file a complaint with the Data Protection Authority.

Frequently Asked Questions

Is "consent" always necessary to process personal data?
No. The GDPR provides six possible legal grounds for lawful processing in Article 6. Consent (sub a) is one of them, but "the protection of legitimate interests" (sub f) is also one. As the Market Court confirmed in this judgment, there is no hierarchy among these legal grounds.

What is the difference between the right to erasure (Art. 17) and the right to object (Art. 21)?
The right to erasure (also called "right to be forgotten") applies in specific cases, for example, if the data have been processed unlawfully or are no longer necessary for the purposes for which they were collected. If the processing (as in this case) is based on a "legitimate interest," the data subject can invoke the right to object (Art. 21 GDPR). You can then object to the processing "on grounds relating to your particular situation."

Within what time frame must a company respond to my removal request?
According to Article 12(3) of the GDPR, the data controller must provide information on the action taken on the request "without delay and in any case within one month" of receiving it. In this ruling, the platform was not penalized for a delay because it acted immediately (within 24 hours) after it actually became aware of the request.

Conclusion

This ruling is an important vindication for the DPA. It confirms that "legitimate interest" is a real and full-fledged legal basis for commercial databases processing public data, but at the same time imposes strict requirements on the balancing of interests. The DPA should have examined the concrete impact and especially the neutrality of the publication, which it failed to do. At the same time, the ruling shows that practical realities (such as the impact of the corona pandemic on telework) weigh in when assessing whether a company has properly fulfilled its duties under the GDPR.