APD/GBA (Belgium) - 87/2024: Difference between revisions

From GDPRhub



Latest revision as of 12:01, 19 June 2024

APD/GBA - 87/2024
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR; Article 17 GDPR; Article 21 GDPR; Article 21(2) GDPR; Article 38(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 14.02.2023
Decided: 03.06.2024
Published:
Fine: 172,431 EUR
Parties: n/a
National Case Number/Name: 87/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: nzm

The DPA fined a controller for, among other things, failing to erase a data subject’s personal data in the context of direct marketing and for having an overloaded part-time DPO, which could not effectively perform their tasks. The DPA initially issued a €245,000 fine, which was reduced to €172,431 due to the controller’s difficult financial situation.

English Summary

Facts

On 30 June 2022, the data subject purchased a product from the controller and discovered an unexpected charge of €1,50 relating to an ‘energy contribution’ on his bill of May 2022. The data subject asked for this surcharge to be reimbursed and for all his personal data to be deleted. The controller refused to reimburse the surcharge but acknowledged receipt of the deletion request and confirmed it would be dealt with promptly.

The data subject continued to receive advertising communications from the controller. On 18 November 2022, the data subject requested mediation from the Belgian DPA (‘APD’). On 14 February 2023, in the absence of any response from the controller, the Mediation Service of the APD informed the data subject that he could convert his request for mediation into a complaint. The data subject did so on the same day.

During the hearing, the controller explained that regarding the erasure of the data subject’s data, the process took place in several stages: the data subject initially complained about an excessive energy charge but this complaint evolved into an erasure request to terminate the customer relationship. The former DPO misunderstood that this was a GDPR issue. They then ordered their German processor to delete the data subject’s data using ‘code 43’. However, this code was used to restrict the processing rather than delete the personal data. The controller acknowledged this mistake made by the former DPO and also explained that (i) the absence of response to the DPA during the mediation was due to the former DPO, and that neither the current DPO, nor the management were aware of these problems and (ii) the former DPO did not process correspondence with the DPA or the data subject, nor did they share this information internally. They took measures to limit the processing of the data subject’s data without communicating with the latter, or with the DPA.

Despite the use of ‘code 43’ to limit the processing and the cessation of commercial calls to the data subject, newsletters continued to be sent until December 2022. In December 2022, the former DPO rectified the situation.

The controller also explained that it took initiatives to improve its responsiveness and comply with the DPA’s decisions, in particular with the hiring of a new DPO who worked full-time with a team of two people, and the current DPO regretted that the former DPO had not informed the data subject of this rectification.

On 11 November 2023, the controller informed the APD that it had received an email from the German processor confirming that the data subject’s data had been deleted, and that it had sent an email to the latter informing him of this deletion.

On 15 March 2024, the APD informed the controller of its intention to impose an administrative fine and of the amount of the fine, in order to give the controller the opportunity to defend itself. On 5 April 2024, the APD received the controller’s response.

Holding

Violation of Articles 17 and 21 GDPR

Regarding the breach of Articles 17 and 21 GDPR, Article 17 GDPR establishes the right to erasure which allows data subjects to request deletion of their personal data if certain conditions are met. However, the right to erasure is not absolute: Article 17(3) GDPR provides for certain exceptions in which this right does not apply.

Article 21(2) establishes that the data subject has the right to refuse any processing of their personal data for direct marketing purposes by indicating that they do not consent to receive marketing communications. The APD indicated that when the purpose pursued by the controller is ‘direct marketing’, the right to object is automatic and the controller may no longer process the data for such purposes once the data subject has expressed their objection. The APD added that Article 21(2) GDPR applies at all times and is not subject to any conditions. The DPA considered that withdrawing consent and objecting to the processing for direct marketing purposes should, in principle, lead to the same end: the immediate cessation of the processing of data for direct marketing purposes and the automatic deletion of those data.

In the present case, the data subject made an erasure request by revoking his consent, under Article 17(1)(b) GDPR. The APD considered that it was clear from reading the data subject’s request that he expressed a firm desire to end all commercial relations with the controller. In addition to requesting the total deletion of his personal data, the data subject firmly objected to his data being processed for the purposes of direct marketing, which was later confirmed during the request for mediation he submitted.

First, the APD noted that on the basis of the statements made by the controller at the hearing, the controller had still not taken any concrete steps to respond to the data subject’s request for erasure and objection. The controller sent an email on 11 November 2023 informing the DPA that the data had been deleted, but the APD decided not to take this information into account as the proceedings had already been closed.

Second, the APD held that the application of ‘code 43’ restricted access to the data subject’s data within its system, but did not lead to their deletion. Certain processing operations, such as telephone calls, were therefore restricted, but this did not stop the sending of newsletters.

Third, the controller implicitly invoked the exception provided for in Article 17(3)(b) GDPR, namely the retention of personal data in order to comply with legal obligations (‘tax audits’). The APD stated that the controller should have invoked this exception to justify the non-erasure. Nevertheless, the DPA found that this exception could not justify the processing of data for direct marketing purposes, whether by telephone or by email.

Therefore, the APD concluded that the controller failed to comply with Articles 17 and 21 GDPR.

Violation of Article 5(1)(a) GDPR

Regarding the breach of Article 5(1)(a) GDPR, the APD indicated that the principle of fairness, lawfulness and transparency laid down in this article is not limited to the simple information and transparency obligations listed in the GDPR, but is a general principle and philosophy which must be respected for all processing.

First, the APD took into account the fact that the sending of advertising messages and newsletters was based on the data subject’s consent, given by ticking a box. However, the DPA found that there was a contradiction in the timelines regarding the processing: the data subject exercised his right to erasure and objection in June 2022. Nonetheless, the controller used ‘code 43’ only in April 2023, which suggested that the data subject’s data was processed, even in a limited manner, at least until April 2023. Therefore, the processing of his personal data continued without any legal basis since the data subject had withdrawn his consent, thus violating Article 6 GDPR. The APD did not take into account the argument that the consent box ticked by the data subject suggested perpetual consent.

Second, the APD noted that on the day of the hearing the controller had still not informed the data subject of the measures taken in response to his requests. Hence, the controller did not comply with its information and communication obligations under Article 12 GDPR.

Therefore, the APD concluded that the controller breached the principles of lawfulness and transparency set out in Article 5(1)(a) GDPR by failing to comply with the requirements of Articles 6 and 12 GDPR.

Violation of Articles 5(2) and 24 GDPR

Regarding the breach of Articles 5(2) and 24 GDPR, the APD indicated that the controller must implement appropriate technical and organisational measures to ensure that it is able to demonstrate that the processing is carried out in accordance with the GDPR.

First, the APD explained that with regard to Article 38(2) GDPR, which states that the controller shall assist the DPO by providing the resources necessary to carry out their tasks, among other things, the following must be taken into account: (i) the DPO must be involved, where appropriate, in all matters relating to data protection, (ii) the controller must recognize and enhance the DPO’s role by management, (iii) the controller must allocate adequate time for the DPO to carry out its duties, (iv) the controller must communicate the appointment of the DPO to all staff to ensure that their role within the organisation is widely known, (v) the controller must ensure ongoing training to keep the DPO’s knowledge up to date.

Second, the APD considered that in the present case, the inability of the controller to verify or conclusively confirm the actual deletion of the data subject’s data raised concerns about the effectiveness of the technical and organisational measures in place. The DPA also took into account the fact that the former DPO worked part-time and was overloaded, which prevented him from responding effectively to the requests, and considered that this highlighted the failure to put in place measures to ensure compliance with the GDPR. The APD also noted that the controller’s decision to hire a new full-time DPO was taken in response to the DPA’s investigation. However, such measures should have been put in place prior to the DPA’s intervention.

Therefore, the DPA concluded that the controller failed to comply with Articles 5(2) and 24 GDPR.

Alleged violation of Article 31 GDPR

Regarding the alleged breach of Article 31 GDPR, which states that the controller must cooperate with the DPA at its request, the DPA noted that the controller did not respond to the APD’s requests. The DPA indicated that this negligence appeared to result mainly from a confusion due to the fact that the controller was also subject to an investigation by another service of the APD. However, the latter held that the controller is obliged to cooperate with all the departments of the DPA. The APD considered that although the controller increased the number of staff and replaced the former DPO, these measures did not appear to be fully effective, in particular with regard to the examination of all the previous requests from the DPA.

Therefore, the DPA held that the controller did not fully cooperate with the DPA during the mediation procedure, but it was not able to determine whether this lack of response was the result of confusion generated by the ongoing inspection or the result of a deliberate intention or gross negligence not to cooperate.

Imposition of a fine

Regarding the imposition of a fine, the DPA indicated that although it was not able to establish that the infringements had an impact on several of the persons concerned, it emphasized that the controller’s negligence justified the imposition of a fine. Therefore, the APD decided to impose a €245,000 fine, which was reduced to €172,431 due to the controller’s difficult financial situation which would have devastating consequences for it, namely putting the jobs of 400 people at risk, and even leading to the cessation of activities in Belgium.

Comment

This decision was quite interesting in two regards:

1) The Belgian DPA recalled what a controller is supposed to do with its DPO, particularly with regard to ensuring the DPO's ongoing training. Moreover, the extra workload of the DPO does not exempt the controller from his obligation to cooperate with the DPA's services.

2) This decision is also interesting for its considerations on the principle and methods of calculating an administrative fine (§§97-165) for which the Belgian DPA extensively used the EDPB guidelines on the calculation of administrative fines under the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision on merits 87/2024 of June 3, 2024

File number: DOS-2022-04748

Subject: Complaint for non-compliance with the right to erasure and opposition after the receipt of commercial messages for direct marketing purposes

The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke HIJMANS, president, and Messrs. Romain Robert and Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”);

Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter “LCA”);

Considering the internal regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Has taken the following decision regarding:

The complainant:

The defendant: Company Y, hereinafter “the defendant”.



I. Facts and procedure

1. On November 18, 2022, the complainant filed a request for mediation with the Data Protection Authority (hereinafter “APD”) against the defendant, which was converted into a complaint on February 14, 2023 due to the defendant's lack of response.

2. The complaint relates to the receipt of regular, unsolicited commercial messages for direct marketing purposes from the defendant, despite the exercise by the complainant of his right to erasure and opposition.

3. On June 30, 2022, the complainant, having purchased the defendant's products from his representative, discovers an unexpected charge of €1.50 linked to an “energy contribution” on his invoice dated May 31, 2022. Faced with the defendant's refusal to reimburse this surcharge, the complainant requests the deletion of all of his personal data. He sends this request by email to the address “…”, indicating that he no longer wishes to be a client of the defendant.

4. On July 1, 2022, the defendant acknowledges receipt of the complainant's requests and confirms that they will be processed rapidly.

Despite the assurance given by the defendant regarding the consideration of the requests made on June 30, 2022, the complainant continues to receive advertising communications from the defendant.

5. On November 18, 2022, the complainant requests a mediation procedure with the First Line Service (hereinafter “SPL”) of the APD. In the request form addressed to the APD, the complainant reiterates his wish to no longer have commercial relations with the defendant, explaining: “[...] I therefore requested a reimbursement, which I did not obtain. I then requested, on July 1st, that all my data be erased, as I would never order from them again. [...] Today, 4 and a half months later, I still receive advertising messages.”

6. On November 24, 2022, the SPL confirms receipt of the request for mediation and declares it admissible.

7. On December 7, 2022, the SPL informed the defendant of the request for mediation, inviting it to respond to the complainant's request regarding the exercise of his rights, and to transmit a copy of its response to the SPL.

8. On January 11, 2023, the complainant requested the status of the request for mediation and informed the SPL that he continues to receive calls and emails from the defendant. On January 13, 2023, the SPL responds by indicating that the file is being processed, that a letter was sent to the defendant on December 7, 2022, granting it a period of one month to respond, and that a reminder would be issued to the defendant.

1 Exhibit 1 – The request for mediation and its annexes.

9. On January 17, 2023, the SPL sends a registered letter with acknowledgment of receipt to the defendant, inviting it to respond to the initial request of December 7, 2022.

10. On February 14, 2023, due to the lack of response from the defendant, the SPL informed the complainant that he can convert his request for mediation into a complaint in accordance with article 62, § 2, paragraph 4 of the LCA. The complainant requests this conversion on the same day.

11. On February 20, 2023, the SPL notified the defendant that the mediation had failed due to its lack of reaction, then transmits the complainant's complaint to the Litigation Chamber in accordance with article 62, § 1 of the LCA.

12. On May 15, 2023, the Litigation Chamber decides, under Article 95, § 1, 1° and Article 98 of the LCA, to process the file on its merits. The parties concerned are notified by registered mail of the provisions set out in article 95, § 2 and in article 98 of the LCA. They are also informed, under article 99 of the LCA, of the deadlines for transmitting their conclusions. That same day, the Litigation Chamber clarified that the language of the proceedings would be French, in accordance with the language policy.³

On May 15 and 19, 2023, the defendant and the complainant respectively acknowledged receipt of the mail.

The deadlines are June 26, 2023 for the defendant's submissions in response; July 17, 2023 for the complainant's reply submissions; and August 7, 2023 for the defendant's reply submissions.

13. On September 29, 2023, in the absence of conclusions filed by the parties, the Litigation Chamber summons, in accordance with article 52 of the ROI, the parties concerned to a hearing on October 12, 2023, to allow them to present their arguments orally. The defendant confirms its presence on October 3, 2023, while the complainant expresses his inability to attend the hearing in an email dated October 11, 2023.


14. On October 12, 2023, the defendant was heard by the Litigation Chamber. During this hearing, the defendant presents the following arguments:

    a) The responsibility of the data protection officer (hereinafter “DPO”): the problems with the APD began under the management of the former DPO, Mr. Z1 (hereinafter “the former DPO”). Neither the current DPO, Mr. Z2 (hereinafter “the current DPO”), nor the management were informed of these problems. The defendant justified the absence of response from the former DPO by his work overload, emphasizing that the management was not informed of this overload.

    b) Inadequate management of letters: the former DPO did not process letters from the APD or the complainant and did not share this information internally. The former DPO took measures to limit the processing of the complainant's data, without contacting the complainant or the APD.

    c) The data erasure process: the defendant described the process of erasing the complainant's personal data, explained the error of the former DPO, mentioned the confusion around data localization and “code 43”, and undertook to comply with the GDPR by informing the complainant of the erasure of his data.

    d) Responsibility for data processing: responsibility for data processing between “Y BELGIUM” (hereinafter “the defendant”) and “Y ALLEMAGNE” (hereinafter “the German subcontractor”) was discussed, with reference to a subcontracting contract.

    e) Organizational improvements: the contract of the former DPO ended, and the current DPO works full-time with a team of two people to manage the company email “privacy@Y.be”. The defendant is committed to taking initiatives to improve its responsiveness and comply with APD decisions.

2 Art. 95, § 1, 1° and art. 98 of the aforementioned law of December 3, 2017.
3 Data Protection Authority, “Note relating to the linguistic policy of the Litigation Chamber”, 01/07/2021, available at https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-politique-linguistique-de-la-chamber-contentious.pdf.


15. On October 27, 2023, the Litigation Chamber submits the minutes of the hearing to the parties.

16. On November 3, 2023, the defendant provided clarifications on the minutes to the Litigation Chamber, which will be taken into consideration in this decision. The defendant further requests that, taking into account the circumstances specific to the case, the Litigation Chamber opt either for a suspension of the pronouncement, as permitted by article 100, § 1, 3° of the LCA, or for a warning or a reprimand under article 100, § 1, 5° of the same law.

17. On November 11, 2023, the defendant notifies the Litigation Chamber, after the close of the debates, that it has received an email from the German subcontractor confirming the deletion of the complainant's data, and that it has sent an email to the complainant to inform him of this deletion.

18. On March 15, 2024, the Litigation Chamber informed the defendant of its intention to impose an administrative fine as well as the amount thereof, in order to give the defendant the opportunity to defend itself before the sanction is actually imposed.

19. On April 5, 2024, the Litigation Chamber received the defendant's reaction concerning the intention to impose an administrative fine and the amount thereof. This response is examined by the Litigation Chamber as part of its deliberations.



II. Motivation



    II.1. Introductory points


        II.1.1. On the joining of files


20. During the hearing, the defendant emphasized that it was the subject of an investigation carried out by the Inspection Service (hereinafter “SI”) of the APD as part of a separate file. This assertion was reiterated in its reaction to the hearing minutes of 3 November 2023.⁴

21. On April 5, 2024, as part of its reaction to the sanction form of March 15, 2024, the defendant requested the joinder of the file (…) (subject of the SI investigation) with the file that is the subject of this decision.

22. Firstly, the defendant should be reminded that the SI is required to maintain the secrecy of the investigation, in accordance with article 64 § 3 of the LCA, which specifies that “the investigation is secret unless there is a legal exception, until the time of submission of the inspector general's report to the Litigation Chamber”.

23. Secondly, the Litigation Chamber emphasizes that it does not have the power to take up, on its own initiative, an ongoing investigation carried out by the SI. It refers the defendant to Article 92 of the LCA for the conditions of referral. This article specifies that the SI can refer a matter to the Litigation Chamber after the closure of an investigation in accordance with article 91 § 2 of the LCA.

24. Thirdly, the Litigation Chamber recalls that the sanction form aims to allow the alleged perpetrator of the offense, in this case the defendant, to give its views on the amount of the proposed fine before its imposition and effective execution. This defense process, provided through the sanction form on the amount of the proposed fine, does not open new debates on the findings already established by the Litigation Chamber, the debates being closed.

25. In conclusion, the Litigation Chamber rejects the request to join the file (…) with the current file which is the subject of this decision.

4 In its reaction to the hearing minutes of November 3, 2023 and to the sanction form of April 5, 2024, the defendant specifies that the file being inspected corresponds to the file referenced (…).
5 Sanction form dated March 15, 2024; reaction of the defendant to the sanction form dated April 5, 2024.


        II.1.2. On the interpretation of article 21.2 of the GDPR


26. In this case, the Litigation Chamber notes that the complainant made his request for erasure (total deletion of his data) on June 30, 2022 by revoking his consent, in accordance with article 17.1.b) of the GDPR. Furthermore, it is clear, upon reading the complainant's request, that he expresses a firm desire to put an end to any commercial relationship with the defendant. To the extent that the complainant exercised his right to erasure under Article 17.1.b) of the GDPR, by revoking consent, the defendant should have granted the erasure request, deleted all of the complainant's personal data and stopped direct marketing, since the legal basis invoked for this data processing is consent.

27. Next, the Litigation Chamber emphasizes that article 21 of the GDPR covers two different forms of the right of opposition. On the one hand, article 21.1 provides a possibility of opposing processing based on the legitimate interest of the data controller or on a public interest mission of the data controller (general opposition subject to a weighing of interests).

28. On the other hand, in accordance with article 21.2, the person concerned has the right to refuse any processing of their data for direct marketing purposes (opposition to direct marketing), thus indicating that they do not consent to receive marketing communications. When the purpose pursued by the data controller is direct marketing, the right of opposition is automatic: the data controller can no longer process data for such purposes, including profiling to the extent it is related to this purpose, once the person concerned has expressed their opposition.

29. The Litigation Chamber takes the position that article 21.2 applies at all times, since Article 21.2 grants an unconditional right to the data subject to object “at any time” to the processing of their personal data for the purposes of prospecting, including profiling to the extent that it is linked to such prospecting. The exercise of the right under Article 21.2 is not subject to any conditions.⁶ This article applies independently of the legal basis of the processing, and without any weighing of interests being required. This position can also be deduced from the distinction between recitals 69 and 70 of the GDPR.

30. The Litigation Chamber admits that a different reading of article 21.2, according to which this provision would be limited to the same legal bases for processing as Article 21.1 GDPR [Article 6.1(e) and Article 6.1(f)], is not excluded. However, such a reading would change nothing in the defendant's obligations, because the withdrawal of consent under article 17.1.b) of the GDPR implies that all processing must cease.

31. The preceding points show that the withdrawal of consent (the legal basis invoked by the defendant to justify direct marketing) and the opposition to the processing of data for direct marketing purposes should in principle lead to the same result: immediate cessation of data processing for direct marketing purposes and the automatic deletion of this data.

6 See WP29, Guidelines for automated individual decision-making and profiling for the purposes of regulation (EU) 2016/679, WP251, rev.01, p. 21; Zanfir-Fortuna in The EU General Data Protection Regulation (GDPR): A Commentary, OUP 2000, p. 518.


II.2. As for the alleged breaches of the GDPR


    II.2.1. Alleged violation of Articles 17 and 21 of the GDPR


        II.2.1.1.   Position of the defendant


32. The following arguments were raised by the defendant only during the hearing:

    a) Regarding the erasure of the complainant's data, the process was carried out in several stages. Initially, the complainant complained about excessive energy costs, but this complaint evolved into a request to terminate the customer relationship and erase the data. The former DPO misinterpreted the situation, not understanding that this was a GDPR issue.

    The former DPO then ordered the German subcontractor to erase the complainant's data, using “code 43”. However, this code did not result in the complete removal of the data. The current DPO admitted that “code 43” was intended to limit processing rather than delete data, recognizing an error of the former DPO.

    Despite the implementation of “code 43” to limit the processing of data and the cessation of commercial calls to the complainant, the sending of newsletters continued until December 2022. The defendant specified that the complainant had consented to receive these newsletters, which were managed by a separate network.

    It was not until December 2022 that the former DPO rectified the situation in response to the SPL's letter, making the data inaccessible to the defendant, but they were still present and accessible to other entities, notably for the purposes of tax audits. The current DPO regretted that the former DPO had not informed the complainant of this rectification.

    On the day of the hearing, the defendant could not guarantee that the data had actually been deleted, due to the lack of written confirmation from the German subcontractor on this subject. The current DPO offered to contact the German subcontractor to verify the deletion of the complainant's data.

    b) Regarding the request made by the current DPO on the obligation to inform the complainant of the measures taken in response to his request for deletion of data, the Litigation Chamber recalled the provisions of Article 12 of the GDPR. In response, the defendant undertook, during the hearing, to regularize the situation in accordance with article 17 of the GDPR and inform the complainant of the erasure of his data.

    c) With regard to the location of the complainant's data and the identification of the data controller, the defendant raised that the SI was investigating these questions in a separate file. Finally, the defendant indicates that it is the “sole” controller, according to the information available to it.

33. On November 3, 2023, as part of its reaction to the minutes of the hearing (hereinafter “reaction to the PV”), the defendant specified that the former DPO had requested activation of “code 43” for the complainant's data from the German subcontractor on April 11, 2023, a fact that he recorded in correspondence addressed to the SI on April 18, 2023 in the context of the ongoing inspection (see Title II.1.1). However, the former DPO failed to inform the complainant and the SPL.


        II.2.1.2.   Position of the Litigation Chamber


34. Article 17 of the GDPR establishes the right to erasure, which allows data subjects to request the deletion of their personal data if one of the following conditions is fulfilled: the data are no longer necessary for the purposes for which they were collected or processed (art. 17.1.a) of the GDPR); the data subject withdraws the consent on which the processing was based, and there is no other legal basis for the processing (art. 17.1.b) of the GDPR); the data subject objects to the processing under article 21.1, and there is no overriding legitimate reason for the processing (art. 17.1.c) of the GDPR); the data was processed unlawfully (art. 17.1.d) of the GDPR); the data must be deleted to comply with a legal obligation (art. 17.1.e) of the GDPR); the data has been collected from a child in connection with information society services (art. 17.1.f) of the GDPR).

However, the right to erasure is not absolute. Article 17.3 of the GDPR provides for certain exceptions in which this right does not apply, in particular when the processing of data is necessary to guarantee the exercise of the right to freedom of expression and information (art. 17.3.a) of the GDPR), to comply with a legal obligation or carry out a mission of public interest (or relating to the exercise of public authority vested in the data controller) (art. 17.3.b) of the GDPR), to carry out a mission of public interest in the field of public health (art. 17.3.c) of the GDPR), for archival purposes (art. 17.3.d) of the GDPR), or to establish, exercise or defend legal rights (art. 17.3.e) of the GDPR).

7 See point 21 of this decision.


35. Pursuant to Article 19 of the GDPR, the data controller is required to notify each recipient to whom the personal data has been communicated of any rectification or erasure of personal data or any limitation of the processing carried out in accordance with Articles 16, 17.1 and 18 of the GDPR, unless such communication proves impossible or requires disproportionate effort. The controller provides the data subject with information about these recipients if they request it.

36. Article 21 of the GDPR governs the right of opposition of data subjects. When personal data are processed for prospecting purposes, the data subject “has the right to object at any time to the processing of personal data concerning them (...)” (art. 21.2 of the GDPR). If the data subject “objects to the processing for prospecting purposes, personal data is no longer processed for these purposes.” (art. 21.3 of the GDPR).

When a person objects to the processing of data for prospecting purposes (opposition to direct marketing), they do not have to provide any justification for their opposition. Consequently, the opposition must immediately result in the cessation of all processing of personal data for direct marketing purposes for the individual concerned, without the need for additional examination (see Title II.1.2).¹⁰

37. Articles 15 to 22 of the GDPR are intrinsically linked to article 12 of the GDPR, which imposes obligations on the data controller, particularly with regard to the transparency of information and communications as well as the methods of exercising the rights of data subjects (art. 17 juncto 12 of the GDPR and art. 21.2 juncto 12 of the GDPR).

The exercise of these rights, in this case the right to erasure (art. 17 of the GDPR) and the right of opposition to direct marketing by the complainant (art. 21.2 of the GDPR), as well as respect for these rights by the data controller, who must demonstrate its response to the requests of the data subjects, must be assessed and examined in accordance with the provisions of article 12 of the GDPR.

8 In the absence of a legal definition of the notion of prospecting, the APD has defined it as “Any communication, solicited or unsolicited, aimed at promoting an organization or a person, services, products, whether paid or free, as well as brands or ideas, sent by an organization or a person acting within a commercial or non-commercial framework, directly to one or more natural persons in a private or professional context, by any means, involving the processing of personal data.”, see Recommendation No. 1/2020 of January 17, 2020 relating to the processing of personal data for direct marketing purposes, page 8, available on the APD website.
9 CJEU, Google Spain and Google, C-131/12, May 13, 2014, ECLI:EU:C:2014:317; CJEU, Manni, C-398/15, March 9, 2017, ECLI:EU:C:2017:197; CJEU, Google, C‑507/17, September 24, 2019, ECLI:EU:C:2019:772; APD, Litigation Chamber, Decisions 28/2020 of May 29, 2020, 32/2020 of June 16, 2020, 19/2021 of February 12, 2021, 109/2023 of August 9, 2023, 157/2023 of November 27, 2023, available on the APD website.
10 See Recommendation No. 1/2020 of January 17, 2020 relating to the processing of personal data for direct marketing purposes, page 53.


38. Article 12 of the GDPR imposes on the data controller the obligation to take appropriate measures to communicate in a concise, transparent, understandable and easily accessible manner, in clear and simple terms, all information relating to data processing to the data subject, in particular when it comes to responding to the rights set out in articles 15 to 22 of the GDPR (art. 12.1 of the GDPR). When a data subject makes a request in accordance with Articles 15 to 22 of the GDPR, the data controller is required to respond within one month, with the possibility of a two-month extension, while informing the data subject of the reasons for this extension (art. 12.3 of the GDPR). If no response is provided to the request of the data subject, the controller must inform the data subject promptly, and at the latest within one month of receipt of the request, of the reasons for its inaction and of their right to file a complaint with a supervisory authority or to seek legal recourse (art. 12.4 of the GDPR).

39. In conclusion, non-compliance by the data controller with a request made under Articles 15 to 22 of the GDPR, in particular the right of erasure when the conditions of article 17 of the GDPR are met, or the right of opposition when the conditions of article 21.2 of the GDPR are satisfied, may result in a violation not only of Articles 17 and 21 of the GDPR, but also of Article 12 of the GDPR due to non-compliance with communication and information obligations.

40. In the present case, as mentioned above in Title II.1.2. of this decision, the Litigation Chamber notes that the complainant made his request for erasure (total deletion of his data) on June 30, 2022 by revoking his consent, in accordance with Article 17.1.b) of the GDPR. Furthermore, it is clear, upon reading the complainant's request, that he expresses a firm desire to end any commercial relationship with the defendant. In addition to requesting the total deletion of his data (art. 17.1.b) of the GDPR), the complainant strongly objects to his data being processed for the purposes of direct marketing (art. 21.2 of the GDPR). To dispel any doubt regarding the complainant's requests, the request for mediation introduced on November 18, 2022 and communicated on December 7, 2022 to the defendant clarifies the complainant's demands. These demands relate both to the erasure of his data under Article 17.1.b) of the GDPR and to opposition to the processing of his data under articles 21.2 and 21.3 of the GDPR, which may lead to the application of article 17.1.b) of the GDPR, as requested by the complainant.

11 GDPR, art. 12.1; this information may be provided in writing or by other means, including, where appropriate, electronically.


    41. In the present case, firstly, the Litigation Chamber finds, on the basis of the

        statements made by the defendant during the hearing which took place on October 12, 2023,

        i.e. more than a year after the complainant exercised his rights, the defendant has not

        still not taken concrete measures to respond to the erasure request and

        opposition of the complainant.

        The Litigation Chamber would like to point out that as of November 11, 2023, the defendant has

        notified the sending of an email to the complainant informing him of the overpressure of his data, without

        provide proof and clearly specify whether the opposition request had been processed.

        Litigation Chamber decided not to take this information into account in its

        deliberations because the debates had already been closed.

    42. Secondly, the Litigation Chamber notes that the application of “code 43” by the defendant on April 11, 2023 limited access to the complainant's data within its system, but did not lead to their deletion. This measure restricted certain processing operations, including telephone calls, but it did not interrupt the sending of newsletters, which persisted until December 2022. Finally, the promise made by the defendant in an email of November 3, 2023, after the close of the debates, concerning the erasure of the complainant's data, remains unsatisfactory in relation to the complainant's requests. The latter had expressly opposed any further processing of his data, in particular for prospecting purposes, and had demanded the full deletion of his data.

    43. Thirdly, the Litigation Chamber notes an inconsistency in the chronology of events, as presented during the hearing of October 12, 2023 and in the email in reaction to the hearing minutes. It seems unlikely that data processing for direct marketing purposes ended in December 2022 when the defendant indicates that “code 43”, at the origin of the limitation of data processing, was only applied in April 2023 (see point 33). This suggests that the complainant's data were accessible at least until April 2023 and not until December 2022. The Litigation Chamber adds that the complainant indicated, on January 11, 2023, i.e. after December 2022, that he continued to receive calls and emails from the defendant (see point 8).

    44. Fourth, the Litigation Chamber emphasizes that the continued sending of newsletters, lasting at least until December 2022, or even until April 2023, despite the requests for erasure and opposition made by the complainant on June 30, 2022, on the pretext of the existence of a separate system for the management of advertising emails, cannot justify the continued processing of the complainant's data for direct marketing purposes.

1Email dated November 3, 2023 sent by the defendant in reaction to the hearing minutes.
13Email dated November 3, 2023 sent by the defendant in reaction to the hearing minutes.


    45. Fifthly, the Litigation Chamber understands that the defendant implicitly invokes the exception provided for in Article 17.3.b) of the GDPR, namely the retention of the complainant's data in the German IT system to comply with legal obligations, in this case a “tax audit”. The Litigation Chamber recalls that it was up to the defendant to invoke one of the exceptions under Article 17.3 of the GDPR, to justify this invocation, and to inform the complainant that his data had not been deleted precisely because of this exception (art. 12.1, 12.3 and 12.4 of the GDPR and art. 17.3 of the GDPR), which it did not do at that time. Nevertheless, the Litigation Chamber notes that this exception cannot justify the continued processing of the complainant's data for direct marketing purposes, whether by telephone canvassing or electronic mail.


    46. The above-mentioned information reveals that the processing of the complainant's data continued for prospecting purposes despite the request for erasure and opposition. This continuation indicates that the defendant not only did not stop all processing of the complainant's personal data for prospecting purposes, but clearly did not delete the complainant's data as soon as possible, nor inform him of the response given to his requests.


    47. In view of the above, the Litigation Chamber concludes that the defendant did not comply with Articles 17 and 21 of the GDPR, while neglecting to respect the obligations of prompt, explicit and transparent response and communication as set out in Articles 12.1, 12.3 and 12.4 of the GDPR.



        II.2.2. Alleged violation of article 5.1.a) of the GDPR (principle of lawfulness, fairness and
            transparency)



            II.2.2.1.   Position of the defendant

    48. During the hearing, the defendant argued that direct marketing activities and the sending of newsletters were based on the consent of users, obtained via a proactive opt-in mechanism with an easy unsubscribe option.

        Other types of processing were mainly based on the need to perform the contract.






14 See minutes of hearing of October 12, 2023, B.2., p.6.



            II.2.2.2.   Position of the Litigation Chamber


    49. The principle of lawfulness is one of the key principles of the GDPR and on its own conditions the triggering of the other principles of the GDPR governing the processing of personal data. According to this principle, personal data must be processed in a lawful, fair and transparent manner with regard to the data subject. For a processing of personal data to be recognized as lawful, the processing must be based on the consent of the data subject or rely on another basis provided for by the GDPR in its Article 6. 15


    50. Article 6.1 of the GDPR lists six legitimate grounds for processing: in addition to consent (art. 6.1.a) of the GDPR), the processing of personal data may be necessary for the performance of a contract (art. 6.1.b) of the GDPR), to comply with a legal obligation (art. 6.1.c) of the GDPR), for the performance of a task in the public interest or relating to the exercise of public authority (art. 6.1.e) of the GDPR), for the purposes of legitimate interests pursued by the data controller or by a third party (art. 6.1.f) of the GDPR), or to safeguard the vital interests of the data subject (art. 6.1.d) of the GDPR). In the absence of an adequate legal basis, the processing of personal data is prohibited.

    51. The continued processing of personal data for prospecting purposes, such as cold calling or sending newsletters, despite a request for erasure without any exception provided for in Article 17.3 of the GDPR being able to be invoked, or despite a request for opposition in accordance with Articles 21.2 and 21.3 of the GDPR, may lead to a violation of Article 6 juncto 5.1.a) of the GDPR when the processing of data continues without a basis of lawfulness. In other words, non-compliance with requests for erasure and/or opposition may go beyond the simple violation of Article 17 and/or 21 of the GDPR.

    52. The principle of fairness and transparency established in Article 5.1.a) of the GDPR is not limited to the simple information and transparency obligations listed in the articles of the GDPR, but consists of a general principle, the scope and philosophy of which must be respected for any processing. This principle, enshrined in particular by Article 12 of the GDPR, 17 aims to ensure that data subjects are informed in a concise, transparent, understandable and easily accessible manner regarding the processing of their personal data. In addition, it obliges the data controller to take appropriate measures to respond effectively to requests made by data subjects pursuant to Articles 15 to 22 of the GDPR. This involves providing complete information, written in clear and simple language, and presented in a concise, easily accessible and easy to understand manner, with regard to the processing of their data. 18 By guaranteeing total transparency in the processing of personal data, this principle reinforces confidence in the processing of data and ensures respect for fundamental rights regarding data protection.

15 GDPR, art. 5, paragraph 1, a); art. 6 to 9; recital 40.
16 See EDPB decision 01/2021 in which it is stated: “Based on the above considerations, the EDPB underlines that the principle of transparency is not circumscribed by the obligations arising from Articles 12 to 14 of the GDPR, although the latter are a concretization of the former. Indeed, the principle of transparency is a general principle that not only reinforces other principles (e.g. fairness, accountability), but from which many other provisions of the GDPR flow. Furthermore, as noted above, Article 83(5) of the GDPR provides for the possibility of establishing a violation of the transparency obligations regardless of the violation of the principle of transparency. Thus, the GDPR distinguishes the broader dimension of the principle from the more specific obligations. In other words, transparency obligations do not define the full scope of the principle of transparency.” (Free translation by the Litigation Chamber) EDPB, Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR, July 28, 2021, §192.

    53. Finally, in accordance with Article 5.2 of the GDPR, read in conjunction with Article 24 of the GDPR, 19 which enshrines the principle of responsibility (or “accountability”), the data controller is responsible for compliance with the principles of personal data protection, in this case the principle of lawfulness and transparency. It must take appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing of personal data complies with the legal obligations provided for by the GDPR, which implies that it must be able to provide proof of its compliance in response to any request from the supervisory authorities.


    54. In the present case, firstly, the Litigation Chamber took into account the explanations provided by the defendant concerning its direct marketing activities, including telephone calls and sending newsletters, which were based on the consent of customers under Article 6.1.a) of the GDPR. Furthermore, the Litigation Chamber noted that the defendant argued that the complainant had initially given consent by checking the “consent” box to receive advertising messages, and that the sending of newsletters was handled by a separate management system.

    55. The Litigation Chamber noted that the complainant had exercised his right of erasure and opposition on June 30, 2022. During the hearing, the defendant confirmed that the complainant continued to receive commercial messages until December 2022. Paradoxically, the defendant also indicated that the limitation of data processing using “code 43” was only implemented on April 11, 2023, which suggests that the complainant's data was processed, even in a limited way, at least until April 2023, and not December 2022. Thus, the processing of the complainant's data for direct marketing purposes continued without basis of lawfulness, or withdrawal by the complainant of his consent. Since this consent was withdrawn by the complainant (by the exercise of his right to erasure and opposition), the continued processing of his data for direct marketing purposes was carried out without basis of lawfulness, violating the principle of lawfulness set out in Article 5.1.a) of the GDPR.

17 See points 38 to 40 of this decision.
18 Recitals 58 and 60 of the GDPR specify that “the principle of fair and transparent processing requires that the person concerned is informed of the existence of the processing operation and its purposes” and that “the principle of transparency requires that any information addressed to the public or the person concerned be concise, easily accessible and easy to understand, and formulated in clear and simple terms (...)”.
19 See Title II.2.3. of this decision.


56. Furthermore, the Litigation Chamber does not accept the argument put forward by the defendant according to which the complainant continued to receive commercial messages due to a so-called “consent box” initially checked, suggesting perpetual consent. The complainant had clearly revoked his consent by exercising his rights of erasure and opposition, and by explicitly declaring that he no longer purchases the defendant's products. Therefore, the defendant no longer had a legal basis to justify the processing of the data for direct marketing purposes once the complainant had exercised his rights of opposition and erasure. Furthermore, the argument put forward by the defendant, according to which the sending of advertising emails was justified by the existence of a separate management system, cannot convince the Litigation Chamber, since it is up to the data controller to organize itself in such a way as to comply with the obligations of the GDPR.


57. Secondly, the Litigation Chamber notes that on the date of the hearing, the defendant had still not informed the complainant of the measures taken in response to the exercise of his rights of erasure and opposition. Furthermore, although it committed on November 3, 2023 to regularize the situation in accordance with Article 17 of the GDPR, this declaration confirms the defendant's non-compliance with the principle of transparency set out in Article 5.1.a) of the GDPR resulting from non-compliance with its obligations to provide information and communication, as defined in Article 12 of the GDPR. Furthermore, the Litigation Chamber highlights that the opposition request remains unprocessed to this day.


58. Considering the time elapsed between the exercise of rights in June 2022 and the commitment to inform the complainant in November 2023, it is established that the defendant did not take the appropriate measures to communicate all information relating to the data processing, including responses to the rights of erasure and opposition, as required by Article 12.1 of the GDPR. Furthermore, the defendant did not provide information on the actions taken following the erasure and opposition requests within the period of one month prescribed by Article 12.3 of the GDPR, nor provide any justification to the complainant for its inaction, contrary to what is required by Article 12.4 of the GDPR.

59. In conclusion, the defendant continued to process the complainant's data for direct marketing purposes, whether via telephone calls or advertising emails, without legal basis within the meaning of Article 6 of the GDPR, for a period ranging from six to ten months after the latter made his request for deletion and opposition, in violation of the principle of lawfulness. Furthermore, the defendant did not comply with the complainant's request for deletion and opposition, these requests having remained unanswered for more than one year and five months with regard to the erasure request, and still remaining unanswered regarding the opposition request.

60. In view of the above, the Litigation Chamber concludes that the defendant violated the principles of lawfulness and transparency set out in Article 5.1.a) of the GDPR by not respecting the requirements of Articles 6 and 12 of the GDPR.


    II.2.3. Alleged violation of Articles 5.2 and 24 of the GDPR (principle of liability)


        II.2.3.1.   Position of the defendant


61. The following arguments were raised by the defendant only during the hearing:


        a) Regarding the former DPO and his role, the defendant described him as competent in communication and labor law, but noted gaps in his management of communications with the IS, the SPL and the Litigation Chamber. These shortcomings generated problems and highlighted weaknesses in his management of internal communications within the defendant, which ultimately led to his replacement.

        b) Regarding the complainant's request for erasure, although the former DPO took internal measures to deal with the complainant's requests, including using “code 43” and, according to the defendant, informing the IS within the framework of the inspection to which it was subject (see Title II.1.1), he nevertheless failed to respond to the SPL and to inform the complainant. The former DPO thought that placing the data under the “code 43” category resulted in the deletion of the data, and not a limitation of the data. The defendant also clarified that it could not verify or confirm the deletion of the complainant's data by the German processor because no written confirmation had been provided by the latter. The defendant confirmed that it no longer had control of this data.

            On November 3, 2023, in reaction to the hearing minutes, the defendant clarified that the misunderstanding with the German processor regarding the categorization of data under “code 43” was the result of a mistaken belief by the former DPO and management, who believed that this code resulted in the erasure of personal data while it actually resulted in their non-accessibility from the front desk of their system. This situation is said to be in the process of being rectified with the assistance of the new DPO (current DPO).


        c) With regard to the responsibility for data processing between the German processor and itself, the defendant expressed uncertainty as to the structure of this responsibility, while noting a tendency to consider itself as the sole controller.

            In reaction to the hearing report, the defendant clarified that it is linked to the German processor through a subcontracting contract (art. 28 GDPR).


        d) Regarding the exclusive access of the former DPO to the “privacy@Y.be” mailbox, the defendant explained that this created difficulties, particularly during absences due to illness or leave, affecting its ability to process requests efficiently. It pointed out that the former DPO, being employed part-time for three days a week, was often overloaded. The defendant announced the end of the contract of the former DPO following a notice period, specifying that since July 11, 2023, his successor has worked full time, supported by two other collaborators, for shared management of the mailbox which contains all emails, including those from the APD. This new organization aims to guarantee better responsiveness. The defendant undertook to comply with the decisions of the APD and not to retain customer data unnecessarily.

            In reaction to the hearing minutes, the defendant reaffirmed its desire to reduce the risk of unprocessed correspondence, by taking administrative measures, namely the establishment of a team of three people, including the new DPO (current DPO), to manage the mailbox.



        II.2.3.2.   Position of the Litigation Chamber

62. With regard to the principle of liability (art. 5.2 of the GDPR), the Litigation Chamber recalls that the data controller must implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR and other personal data protection laws (art. 24.1 of the GDPR). These measures are reviewed and updated if necessary. Then, Article 24.2 of the GDPR establishes that “when it is proportionate to the processing activities, the measures [referred to in Article 24.1 of the GDPR] include the implementation of appropriate data protection policies by the data controller” (emphasis added by the Litigation Chamber).

63. Recital 74 of the GDPR adds that “it is important, in particular, that the data controller is required to implement appropriate and effective measures and is able to demonstrate the compliance of processing activities with the [GDPR], including the effectiveness of the measures. These measures should take into account the nature, scope, context and purposes of the processing as well as the risk that it presents for the rights and freedoms of natural persons”.

    64. In execution of the principle of responsibility, it is therefore up to the data controller to develop internal procedures allowing data subjects to effectively exercise their rights, and to integrate respect for GDPR rules into its processing operations and procedures, for example by ensuring the existence and effectiveness of procedures for processing requests from data subjects (art. 25 of the GDPR).


    65. Measures implemented in accordance with the principle of accountability, read jointly with the principle of transparency (art. 5.1.a) of the GDPR), aim to enable data subjects to control the processing of their data. 20

    66. With regard to the data protection officer (DPO), the Litigation Chamber 21 recalls that the GDPR clearly defines the responsibilities of the data controller, in particular in Article 38.2 of the GDPR. This article states that “the data controller and the processor assist the data protection officer in carrying out the missions referred to in Article 39 by providing the resources necessary to carry out [its] missions, as well as access to personal data and processing operations, and allowing him to maintain his specialized knowledge” (emphasis added by the Litigation Chamber).


    67. In this regard, the Litigation Chamber is of the opinion that the following aspects, in particular, must be taken into consideration: 22

            - The involvement of the DPO or, where applicable, his team, in all questions relating to data protection. This includes informing and consulting the DPO as soon as a data processing project is envisaged, thus promoting compliance with the GDPR and encouraging an approach oriented towards data protection from the design stage (known as “by design”). The DPO must naturally become a central interlocutor within the organization, for example by participating in working groups dedicated to data processing activities within the company;

            - Recognition and promotion of the DPO function by senior management (e.g. board level);

            - Adequate time allocation so that the DPO can effectively perform his tasks is essential. This aspect is of particular importance when the DPO carries out his role part-time, whether internal or external to the organization. The lack of time allocated to the DPO to carry out his duties could cause conflicts of priorities and compromise his ability to accomplish his missions. To remedy this situation, WP29 recommends determining, jointly with the DPO, the estimate of the time necessary to exercise his function (the need is greater when taking up the function). It can be useful to establish a work plan that prioritizes the DPO's tasks to ensure that he has the time necessary to fully assume his responsibilities. Furthermore, it is essential that the allocation of resources for the DPO be proportional to the size, complexity, structure and risks associated with the data processing activities. As a result, the more complex or sensitive the processing operations are, the more substantial the resources allocated to the DPO must be;

20 See recital 78 of the GDPR.
21 Litigation Chamber, decision 41/2020, paragraphs 87 and 88.
22 WP29, “Guidelines for Data Protection Officers (DPOs)”, 16/FR WP, 243 rev.01, April 5, 2017, p. 16.

            - An official communication of the designation of the DPO to all staff to ensure that his role within the organization is widely known;

            - Adequate support in terms of financial resources (including a budget for awareness-raising actions or the recruitment of a temporary or permanent team), infrastructure (premises, installations, equipment) and personnel, if applicable;

            - Default access to legal documentation related to the processing of personal data involving the organization with third parties, in particular partners and processors;

            - Access to internal communication tools in the accomplishment of his missions in order to be able to raise awareness and train on the requirements of the GDPR, including raising awareness of good practices and managing incidents such as fraudulent emails or data breaches;

            - Access to other services, such as human resources, the legal department, the IT department, security, etc., to enable the DPO to receive the support, contributions and essential information from these other services; 23

            - Continuing training to keep the specialized knowledge of the DPO up to date;

            - Depending on the size and structure of the organization, it may be necessary to constitute a team around the DPO. In such cases, it is appropriate to clearly establish the internal structure of the team as well as the tasks and responsibilities of each member. Similarly, when the DPO function is outsourced to a service provider, a team of people working on behalf of that entity can assume the missions of the DPO as a group, under the responsibility of a designated primary contact person for the customer.

23 Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 38 GDPR, margin number 20 (C.H. Beck 2020, 3rd Edition).

68. Ultimately, the DPO function must be exercised effectively to ensure effective and GDPR-compliant data protection management practices. The data controller is legally required to put in place the necessary structures and measures to facilitate the work of the DPO and guarantee the protection of personal data. This involves providing the DPO with adequate resources depending on the nature of the data processing carried out and the associated risks, as well as the provision of the time and access necessary to facilitate and support the role within the organization.


69. On the basis of the factual elements present in the file, the Litigation Chamber

    notes the following:

        a) With regard to the request for deletion and opposition made on June 30, 2022:

                i. The defendant restricted the processing of data by using “code 43”, thus making the data inaccessible from the front desk of its system. However, this measure does not respond to the initial requests of the complainant, who requested the total deletion of his data and objected to any further processing for prospecting purposes, thus highlighting a clear gap in the technical and organizational measures in place.


                ii. The complainant's personal data was, in any event until the date of the closure of the debates, still kept by the defendant's German processor despite his request for deletion and opposition. The inability to conclusively verify or confirm the effective deletion of this data raises concerns about the effectiveness of the internal procedures currently in place, both with regard to the deletion of data and to the coordination between the various entities of the defendant to comply with the GDPR.

        b) With regard to responses to the complainant's requests for deletion and objection:

                i. Until the date of the close of the proceedings, the defendant had still not responded to the complainant's requests for deletion and opposition, thus revealing a major flaw in the implementation of appropriate technical and organizational measures to ensure compliance with the rights of data subjects under the GDPR.

                ii. The justification for the receipt of newsletters based on the consent of the complainant, even though he had exercised his right of erasure and opposition, reveals a failure in the measures aimed at guaranteeing transparency, respect for consent, and data deletion and opposition, including in distinct entities within the defendant's network, in contradiction with the GDPR requirements.

        c) With regard to the DPO and the new measures taken by the defendant:

                i. The defendant admitted that the former DPO worked part-time and was in an overload situation, which prevented him from responding effectively to multiple letters. This situation is worrying, because the DPO plays a vital role in ensuring GDPR compliance. In accordance with the GDPR, the data controller must provide the DPO with all the necessary means to enable him to accomplish his tasks and obligations adequately in accordance with Article 38 of the GDPR (see points 66 to 68). The fact that the former DPO worked part-time while being overloaded highlights a failure in the implementation of appropriate organizational measures to ensure GDPR compliance.

                ii. The Litigation Chamber notes that the defendant's decision to hire a new full-time DPO was taken following the inspection carried out by the IS (see Title II.1.1). These corrective measures, taken in reaction to the IS investigation (see Title II.1.1), highlight a breach of the principle of liability arising from Article 5.2 juncto 24 of the GDPR. Such measures should have been put in place prior to the APD's intervention to ensure continuous compliance with the GDPR.


                iii. Despite the communication problems of the former DPO, the lack of response to requests from the SP and the investigation carried out by the IS (see Title II.1.1), the defendant did not adopt a more cautious approach by taking adequate measures to improve its processes and ensure compliance with the GDPR, both for past and future requests from data subjects. For example, it would have been wise to ask the new DPO, engaged since July 11, 2023 and assisted by two administrators, to consult all the emails still present in the “privacy@Y.be” mailbox in order to process unresolved requests. Hiding behind an alleged ignorance of the content of the previous emails and laying the responsibility on the former DPO in no way exonerates the defendant from its responsibility, especially since it was, according to the declarations of the defendant, the subject of an investigation by the IS and was immediately aware of the problems of the former DPO. Although the defendant has taken certain measures to remedy the situation, in particular by hiring a new full-time DPO and strengthening the team, these measures remain insufficient in the eyes of the Litigation Chamber. The defendant, by virtue of the principle of liability, should have, taking into account the contentious context and the need to respect the provisions of the GDPR, taken proactive measures to improve its processes and ensure GDPR compliance.

24 See also points 64 to 70.


70. Furthermore, the absence of technical or organizational measures, such as the absence of
    measures limiting the retention of data beyond what is necessary or the
    lack of knowledge of the codes used in requests for deletion of
    data or opposition, may compromise the confidentiality and security of the
    personal data of the data subjects. Consequently, the Litigation Chamber draws
    the defendant's attention to the imperative of respecting the principle of security and
    confidentiality set out in Article 5.1.f) of the GDPR, in conjunction with Article 32 of the GDPR.
    Finally, the Litigation Chamber strongly encourages the defendant to continue its
    efforts in implementing measures to effectively support the function of the DPO.


71. In view of the above, the Litigation Chamber concludes that the defendant did not
    comply with articles 5.2 and 24 of the GDPR.


    II.2.4. Alleged violation of Article 31 of the GDPR (cooperation with the supervisory
        authority)


        II.2.4.1.  Position of the defendant


72. During the hearing, the defendant raised several arguments:


        a) The problems with the APD began under the management of the former DPO. Neither the DPO
            nor management were informed of the APD requests (see Title II.2.3).

        b) The current DPO discovered the correspondence from the Litigation Chamber
            only two weeks before the hearing, and only the former DPO was informed of the
            APD correspondence.


            c) The defendant clarified that the former DPO had not transmitted internally the
                information, including the invitation to submit conclusions and the mediation
                emails sent by the SPL, thus hindering any appropriate response.


            d) The former DPO had properly processed neither the letters from the APD nor those
                from the complainant, and had not shared this information internally, due to his
                work overload (see Title II.2.3).

            e) Despite measures taken to limit the processing of the complainant's data,
                no contact was made with the complainant or the APD, and the emails from the APD
                remained unprocessed in the “privacy@Y.be” mailbox.

    73. In reaction to the minutes, the defendant specified that the former DPO had not responded to the
        APD communications due to his workload from December 2022 to March
        2023, a justification emanating from the former DPO himself, and not from the defendant.
        Furthermore, the former DPO would not have informed management of this work overload. This same
        argument of non-reaction was also invoked to justify the lack of response to the
        IS communications during this period.



            II.2.4.2.   Position of the Litigation Chamber


    74. Article 31 of the GDPR states that the controller, the processor and, where
        applicable, their representatives must cooperate with the supervisory authority, at the
        request of the latter, in the execution of its missions. This cooperation is of crucial importance
        to enable the supervisory authority to effectively carry out its functions and missions
        in the field of data protection. In this regard, it is appropriate to read article 31 of the
        GDPR in conjunction with Articles 57 and 58 of the GDPR, which define the missions and
        the investigative powers of the supervisory authority.


    75. The general duty of cooperation set out in Article 31 of the GDPR is reinforced by Article
        83.4.a) of the GDPR, which qualifies this cooperation as “an obligation incumbent on the
        controller and the processor”. Failure to comply with this obligation of cooperation
        furthermore constitutes a full-fledged infringement of the GDPR, as set out in Article 83 of the
        GDPR:

        “Violations of the following provisions are subject, in accordance with paragraph 2, to
        administrative fines of up to EUR 10,000,000 or, in the case of a
        company, up to 2% of the total annual worldwide turnover of the preceding financial year,
        the higher amount being retained: a) the obligations incumbent on the controller
        and the processor under Articles 8, 11, 25 to 39, 42 and 43; […]”.



25 Article 57 of the GDPR defines the extended missions assigned to supervisory authorities, while Article 58 of the GDPR
specifies the broad investigative powers conferred on them under the Regulation.


    76. Article 83 of the GDPR also sets out the criteria used to decide on the imposition
        of a fine and its amount. Significantly, the degree of cooperation
        is explicitly mentioned as one of the eleven criteria influencing the determination of
        these sanctions (art. 83.2 of the GDPR).


    77. Recital 82 of the GDPR also reinforces this obligation of cooperation by requiring,
        in particular, the keeping of records of processing activities, as well as the obligation to
        make these records available to the supervisory authority upon request. This recital
        aims to enable the supervisory authority to verify and control the processing
        operations, as well as to carry out its missions in accordance with Article 57 of the GDPR.


    78. The Litigation Chamber recalls that both controllers and processors answer
        directly to the supervisory authorities under the obligations
        to maintain and provide appropriate documents upon request, to cooperate with
        investigations and to comply with administrative injunctions. More precisely, the
        general duty of cooperation 26 implies that the controller and the processor
        must:

            a) Respond to requests from the supervisory authority: When the supervisory authority,
                such as the APD, requests information, data or responses relating
                to the processing of personal data, the controller and the
                processor must provide this information completely and on time;


            b) Collaborate actively: The controller and the processor must

                work closely with the supervisory authority to help it carry out

                its missions, in particular by providing information on the practices of

                processing of data and taking measures to remedy possible

                GDPR violations;

            c) Comply with the instructions of the supervisory authority: If the supervisory authority gives
                specific instructions for complying with the GDPR, the controller
                and the processor must follow them appropriately.

                It is important to note that this list is not intended to be exhaustive.


    79. In summary, the fundamental objective of this general obligation of cooperation imposed on
        each controller and processor is to ensure effective supervision
        and scrupulous compliance with data protection rules.
        Controllers and processors must actively cooperate and collaborate
        fully with the supervisory authority to ensure compliance with the provisions of the
        GDPR and to protect the rights of data subjects with regard to personal
        data. This obligation, combined with the principle of accountability set out in article
        5.2 of the GDPR, reinforces the role of the supervisory authority in the exercise of its powers
        with a view to effective application of the rules for the protection of personal data.

26 EDPB, Guidelines 07/2020 concerning the notions of controller and processor in the GDPR,
Version 2.0, Adopted on July 7, 2021, point 9.

80. Failure to comply with this obligation exposes the party concerned to separate administrative
    fines, in accordance with article 83.4.a) of the GDPR. Finally, the violation of this obligation of
    cooperation can also be considered a violation of the principle of
    accountability (art. 5.2 of the GDPR).

81. In this case, the Litigation Chamber notes that the SPL has taken steps
    towards the defendant with a view to mediation. More specifically, the SPL addressed
    two requests dated December 7, 2022 and January 17, 2023, to which the
    defendant did not respond. Furthermore, the SPL included the complainant's request in the
    request for mediation, thus reminding the defendant of its duty to respect
    in particular the right to erasure of the complainant. However, despite these steps, the SPL
    had to notify the failure of mediation on February 20, 2023, due to the lack of reaction
    of the defendant, both to the mediation and to the complainant's request (see points 4 to 11).

82. Concerning the emails and letters from the SPL addressed to the defendant, the Litigation
    Chamber notes the absence of technical and organizational measures which
    would allow the defendant to have an overview of the issues related to the
    GDPR processed by the former DPO and/or to verify the correct processing of requests
    addressed to the former DPO, which highlights the negligence of the defendant (see Title II.2.3).

83. On the one hand, the Litigation Chamber notes that this negligence seems to result

    mainly from confusion due to the fact that the defendant was subject to an
    inspection carried out by the IS (see Title II.1.1), which remains secret in accordance with article

    63§3 of the LCA. In this context, the Litigation Chamber emphasizes that the defendant
    is required to cooperate with all APD services. Lack of response to a letter

    sent by one of the APD services, in this case an invitation to cooperate in mediation

    by the SPL, could be interpreted as a refusal of cooperation and potentially

    be considered a violation of Article 31 of the GDPR.

84. On the other hand, the Litigation Chamber observes that the defendant is trying to clear
    itself of liability by attributing the negligence in not responding to the communications
    of the SPL, the IS, the Litigation Chamber and the complainant to its former DPO. The defendant
    maintains that it was not informed of the latter's excessive workload, which
    would have hampered his ability to respond favorably to the requests of the APD and the
    complainant.


    It should be remembered that the GDPR contains several articles establishing the obligations
    of a data controller or a processor, in particular articles 5, 6, 9, 25, 32,
    33, 37 or even 38 of the GDPR. By virtue of the principle of accountability (see Title II.2.3), the
    data controller must demonstrate compliance with the provisions of the GDPR by
    adopting appropriate technical and organizational measures to protect the
    rights and freedoms of natural persons. In the event that the data controller
    appoints a DPO for its litigation department or uses a generic email address
    such as “privacy@Y.be” to respond to requests from data subjects,
    it is its responsibility to ensure that emails sent to this address
    are regularly consulted and processed, even in the event of the resignation of a person who
    worked in the department in question and/or of the DPO, or in the event of work overload of the DPO.
    On this last point, the Litigation Chamber recalls that it is up to the
    controller to comply with the provisions of Article 38 of the GDPR.


85. Taking into account the particular context surrounding the current inspection (see Title II.1.1) and
    the overload of work observed at the former DPO, the Litigation Chamber notes that
    the defendant did not properly verify the processing of requests addressed to
    the former DPO. Although measures were taken, such as increasing the workforce
    and replacing the former DPO, they did not seem fully effective, in
    particular regarding the review of all previous APD requests,
    including those concerning the complainant, which remained unanswered, as well as potentially
    other previous requests. To remedy this situation, the defendant could have
    considered taking additional measures, such as bringing the
    new data protection team up to speed, emphasizing the need
    to examine the contents of the aforementioned email address, with the aim of correcting
    possible breaches by the former DPO and guaranteeing an adequate response to all
    the requests of the data subjects. In any case, compliance with the GDPR
    is the responsibility of the data controller, and does not fall within the competences and responsibilities of a DPO.


86. Concerning the absence of submission of conclusions, the Litigation Chamber considers that the
    defendant is free to choose whether it wishes to defend itself, present its arguments
    and support its position in a formal and structured manner. In the absence of such
    an approach, the Litigation Chamber could be forced to render a decision by
    default. In this case, the defendant had the opportunity to orally present its
    arguments when summoned to the hearing.


87. In view of the above, the defendant did not fully cooperate with the APD, in
    particular with the SPL, during the mediation procedure. However, the Litigation
    Chamber was not able to determine whether this lack of response was the
    result of confusion generated by the inspection in progress (see Title II.1.1), or the result
    of a deliberate intention or gross negligence not to cooperate, which leads it to
    conclude that there is no violation of Article 31 of the GDPR.



III. As for corrective measures and sanctions


    III.1. Corrective measures and sanctions


    88. Under the terms of article 100 of the LCA, the Litigation Chamber has the power to:

       1° close the complaint without further action;


       2° order the dismissal of the case;

       3° pronounce a suspension of the sentence;

       4° propose a transaction;


       5° issue warnings or reprimands;

       6° order compliance with the requests of the person concerned to exercise his or her rights;


       7° order that the person concerned be informed of the security problem;

       8° order the freezing, limitation or temporary or definitive ban on processing;


       9° order compliance of the processing;

       10° order the rectification, restriction or erasure of the data and the notification of

       these to the recipients of the data;

       11° order the withdrawal of the approval of certification bodies;


       12° impose periodic penalty payments;

       13° issue administrative fines;


       14° order the suspension of cross-border data flows to another State or an
       international body;

       15° transmit the file to the office of the Public Prosecutor of Brussels, which informs it of the
       follow-up given to the case;

       16° decide on a case-by-case basis to publish its decisions on the website of the Data
       Protection Authority.

    89. The aforementioned article 100 specifies the list of sanctions in article 58.2 of the GDPR.


    90. As for the administrative fine which may be imposed in execution of article 83 of the
        GDPR and articles 100, 13° and 101 LCA, article 83 of the GDPR provides:

"1. Each supervisory authority shall ensure that administrative fines imposed
under this article for violations of this regulation, referred to in paragraphs 4,
5 and 6 are, in each case, effective, proportionate and dissuasive;

2. Depending on the specific characteristics of each case, administrative fines are
imposed in addition to or in place of the measures referred to in Article 58(2),
points a) to h), and j). To decide whether to impose an administrative fine and to
decide the amount of the administrative fine, due account is taken, in each individual
case, of the following elements:

(a) the nature, seriousness and duration of the violation, taking into account the nature, scope or
purpose of the processing concerned, as well as the number of data subjects affected
and the level of damage they suffered;

(b) the fact that the violation was committed deliberately or negligently;

(c) any measures taken by the controller or processor to mitigate the
damage suffered by the data subjects;

(d) the degree of responsibility of the controller or processor, taking into account
the technical and organizational measures that they have implemented under
articles 25 and 32;

(e) any relevant breach previously committed by the controller or
the processor;

(f) the degree of cooperation established with the supervisory authority with a view to remedying the violation
and mitigating its possible negative effects;

(g) the categories of personal data affected by the violation;

(h) the manner in which the supervisory authority became aware of the violation, in particular whether, and
to what extent, the controller or processor has notified the violation;

(i) where measures referred to in Article 58(2) have been previously ordered
against the controller or processor concerned for the same subject matter,
compliance with these measures;

(j) the application of codes of conduct approved pursuant to Article 40 or
certification mechanisms approved pursuant to Article 42; and

(k) any other aggravating or mitigating circumstance applicable to the circumstances of
the case, such as financial benefits obtained or losses avoided, directly or
indirectly, as a result of the violation.”


    III.2. Violations noted


    91. The Litigation Chamber notes that there are, in this case, serious violations of the
         fundamental rights of the data subjects (see Title II.2). More specifically, the Litigation
         Chamber notes the violations of the following provisions of the GDPR, all attributable
         to a single behavior 27 of the defendant giving rise to several violations described
         below:

             a) Violation of articles 17 and 21 of the GDPR (see Titles II.1.2 and II.2.1)

                 The defendant violated Articles 17 and 21 of the GDPR by failing to respond within
                 the deadlines to a request for erasure of personal data and
                 opposition to the processing of this data for direct marketing purposes, 28
                 more than a year after the complainant exercised his rights. Note that these data
                 were still present on the defendant's servers at the time of the
                 hearing, including those processed for direct marketing purposes.

             b) Violation of Article 5, paragraph 1, point a) of the GDPR (see Title II.2.2)

                 The defendant did not inform the complainant of the measures taken in response to his
                 requests for erasure and opposition, as required by its information and
                 communication obligations set out in Article 12 of the GDPR, thereby violating the
                 principle of transparency set out in article 5.1.a) of the GDPR. Furthermore, the continued
                 processing of data for direct marketing purposes in the absence of a legal
                 basis, as required by the GDPR, constitutes a violation of the principle of
                 lawfulness established in article 5.1.a) of the GDPR. In this case, the defendant invoked
                 consent as a legal basis. However, since this consent has
                 been withdrawn by the complainant (by exercising his or her right of opposition and erasure),
                 the continued processing of their data for direct marketing purposes is unlawful,
                 violating the principle of lawfulness set out in Article 5.1.a) of the GDPR.


             c) Violation of articles 5.2 juncto 24 of the GDPR (see Titles II.2.3 and II.2.4)




27 EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), adopted on May 24,
2023, available on the website https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042022-calculation-administrative-fines-under_fr.
28 See points 5 and 40 of this decision.
29 Article 29 Working Party, Guidelines on transparency within the meaning of Regulation (EU) 2016/679, WP 260, points 1, 7 or 54.
These Article 29 Working Party (WP29) Guidelines provide practical guidance and assistance
with interpretation concerning the new obligation of transparency applicable to the processing of personal
data under the General Data Protection Regulation (hereinafter “GDPR”). Transparency is an overarching
obligation within the meaning of the GDPR which applies to three central areas: 1) the communication to data subjects
of information relating to the fair processing of their data; 2) the way in which data controllers
communicate with data subjects about their rights under the GDPR; and 3) the way in which data
controllers facilitate the exercise by data subjects of their rights. These guidelines set out the general principles
relating to the exercise of the rights of data subjects rather than dealing with specific modalities for each of the rights
of these people under the GDPR. In other words, they provide guidance on the concepts and
underlying principles to be respected when exercising the rights of data subjects, rather than providing detailed
instructions on how to exercise each specific right in a practical manner.



               To the extent that the defendant did not respond within the prescribed time limits to the
               requests for erasure of personal data and opposition to the processing
               of this data for direct marketing purposes, this resulted in the continued
               processing of the complainant's personal data without respecting the
               data protection principles set out in article 5.1 of the GDPR (see above). This
               failure highlights faulty management of requests from
               data subjects, in particular with regard to the complainant's right of erasure and
               opposition. In addition, this gap in the management of requests from
               data subjects is reinforced by the inadequacy of the measures taken by the
               defendant, such as the use of “code 43” to restrict the processing of
               data, deemed inadequate to respond to the initial requests of the
               complainant. This situation also highlights a lack of control over the possible
               codes used to respond to requests from data subjects.
               Moreover, the persistence of data on the defendant's servers as well as
               the problems linked to the DPO highlight a defect in the implementation of the
               technical and organizational measures necessary for compliance with the GDPR,
               thus revealing an additional gap in technical and organizational
               procedures. Consequently, the defendant violated Article 5.2 juncto 24
               of the GDPR.



    III.3. Corrective measures and sanctions imposed by the Litigation Chamber.


    92. As an independent administrative authority, the Litigation Chamber has the exclusive
        power to determine appropriate corrective measures and sanctions
        in accordance with the relevant provisions of the GDPR and the LCA. This competence
        arises specifically from Articles 58 and 83 of the GDPR, as confirmed by the
        jurisprudence of the Market Court in its judgments of July 7, 2021, September 6, 2023
        and December 20, 2023, 30 which clearly highlighted the extent of the discretionary
        power of the Litigation Chamber concerning the choice and scope of sanctions.


    93. In this perspective, the Litigation Chamber will take into consideration all the
        relevant circumstances of the case, including – within the limits set out below in
        Title III.3.2. – the reaction of the defendant dated April 5, 2024 to the sanctions
        envisaged, which were communicated to it via the sanction form of March 15,
        2024. 31

        However, the Litigation Chamber recalls that the sanction form aims to
        allow the alleged perpetrator of the offense, in this case the defendant, to
        defend itself against the amount of the proposed fine before its imposition and effective
        execution. The defense process provided for through the sanction form on the
        amount of the proposed fine does not open new debates on the findings already
        established by the Litigation Chamber, the latter being closed. In addition, the letter
        accompanying the sanction form does not constitute a decision open to
        appeal before the Market Court under article 108 of the law of December 3, 2017
        establishing the Data Protection Authority.

30 Cour des Marchés, 2021/AR/320, p. 37-47; 2020/AR/1160, p. 34; 2023/AR/817, p. 57, 61 and 62.
31 Sanction form dated March 15, 2024; reaction of the respondent to the sanction form dated April 5, 2024.

    94. Continuing this explanation, the Litigation Chamber invites the defendant to
        consult section “Title II.1.1” of this decision for more detailed
        explanations and recalls that it rejects the request to join the file (…) with the file
        subject to this decision. Likewise, the Litigation Chamber rejects
        the considerations set out in points 2.2.1 to 2.2.4 of the reaction to the sanction form
        submitted on April 5 by the defendant, on the grounds that the debates are closed and that the
        corrective measures envisaged and pronounced are compliant in concreto. However,
        these considerations will be taken into account when calculating the fine, because the
        sanction form aims to allow the defendant to contest the amount of the fine
        proposed.



        III.3.1. Corrective measures


    95. In reaction to the sanction form, the defendant claims to have carried out the erasure
        of the data and to have notified the recipients concerned, in particular the German
        processor; it also maintains that it has brought the processing operations into
        compliance with the provisions of the GDPR. Consequently, it requests the removal of
        the warning issued. However, the Litigation Chamber reminds the defendant that
        these notifications were received on November 11, 2024 or April 5, 2024, after the closing
        of the debates. Consequently, the Litigation Chamber is not able to verify the
        veracity of the arguments put forward by the defendant and is forced to reject these
        arguments, the debates being closed.

    96. The Litigation Chamber adopts the following corrective measures:


            a) In accordance with article 58.2. c) of the GDPR and article 100, § 1, 6° of the LCA,

                order the defendant, due to the violation of articles 17 and 21 of the
                GDPR, to satisfy the complainant's requests for erasure and opposition, and this

                within 30 days from notification of this decision.







32 Sanction form dated March 15, 2024; reaction of the respondent to the sanction form dated April 5, 2024.


               b) In accordance with article 58.2.g) of the GDPR and article 100, § 1, 10° of the LCA,
                   to order the defendant to erase the data and to notify this
                   to the recipients of the data, in accordance with article 19 of the GDPR.


               c) In accordance with article 58.2. d) of the GDPR and article 100, § 1, 9° of the LCA,
                   order the defendant, due to the violation of Article 5.1 a) as well
                   as that of articles 5.2 juncto 24 of the GDPR, to bring the processing operations into
                   compliance with the provisions of the GDPR.


               d) In accordance with article 58.2. a) of the GDPR and article 100, § 1, 5° of the LCA,
                   issue a warning to the defendant, due to the violation of
                   articles 17, 21, 5.1. a) and 5.2 juncto 24 of the GDPR, aiming to improve the future
                   handling of requests from data subjects made under
                   articles 15 to 22 of the GDPR.




          III.3.2. Administrative fines


     97. According to Article 83 of the GDPR, the supervisory authority has the discretionary power to impose a
          fine. This power is explained in the EDPB guidelines. 33


     98. In accordance with recital 148 of the GDPR, sanctions, including administrative
          fines, may be imposed in addition to or in place of appropriate
          measures in the event of a serious breach, even when it is a first
          finding of a breach. Thus, the fact that this is a first finding of an
          infringement does not prevent the Litigation Chamber from imposing an administrative
          fine, in accordance with article 58.2. i) GDPR. The administrative fine does not aim




33 EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), points 15, 20, 69, 84,
144. See also the judgment of 7 December 2023, SCHUFA Holding (C-26/22 and C-64/22, ECLI:EU:C:2023:958), opinion
of Advocate General Pikamae in the TR case (C-768/21, EU:C:2024:291), as well as “Guidelines on the application and
setting of administrative fines for the purposes of the [GDPR]” of the Article 29 Data Protection Working Party,
adopted on October 3, 2017, p. 5 (hereinafter the “guidelines on the application and setting of administrative fines for the
purposes of the GDPR”).
34 Recital 148 of the GDPR states that: “In order to strengthen the application of the rules of this regulation, sanctions,
including administrative fines, should be imposed for any violation of the Regulation, in addition to or instead of
appropriate measures imposed by supervisory authorities under this Regulation. When the violation is minor
or the likely fine would impose a disproportionate burden on a natural person, a reprimand may be preferred to a
fine. However, it is appropriate to take into account the nature, seriousness and duration of the violation, the intentional nature
of the violation, harm reduction measures, the degree of liability or relevant prior violations,
the manner in which the violation was brought to the attention of the supervisory authority, compliance with the measures taken
against the controller or processor, compliance with a code of conduct and any other aggravating or mitigating
circumstances. The imposition of sanctions, including administrative fines, should be subject to
appropriate procedural guarantees in accordance with the general principles of Union law and the Charter, including an
effective remedy and due process” (emphasis added).
35 CJEU, December 5, 2023, C-807/21, Deutsche Wohnen (ECLI:EU:C:2023:950), paragraph 38: “[…] the principles, prohibitions and
obligations set out in the GDPR are aimed in particular at "data controllers" who, as highlighted in
recital 74 of the GDPR, are responsible for any processing of personal data carried out by them or for
their account and who must therefore not only implement appropriate and effective measures, but also be in
able to demonstrate that their processing activities comply with the GDPR, which includes the effectiveness of the measures they
have taken to ensure this compliance. Where an infringement referred to in Article 83(4) to (6) of this Regulation has
been committed, this responsibility constitutes the basis for the imposition of an administrative fine on the controller
in accordance with this article 83. » Decision on the merits 87/2024 — 33/55


                                                 36
        in no way to put an end to the offenses, but above all aims to guarantee rigorous respect

        rules set out in the GDPR.


    99. The GDPR requires each supervisory authority to ensure that the administrative fines imposed are effective, proportionate and dissuasive in each individual case (art. 83.1 of the GDPR). In addition, when determining the amount of the fine, the supervisory authority must take due account, for each specific case, of several specific elements, such as the nature, seriousness and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered (art. 83.2.a) of the GDPR); the intentional or negligent nature of the violation (art. 83.2.b) of the GDPR); and the categories of personal data affected by the violation (art. 83.2.g) of the GDPR). Consequently, article 83.2 provides that, in order to decide whether it is appropriate to impose an administrative fine and to decide on its amount, the supervisory authority must take into account all the factors set out in Article 83.2, points a) to k), without exceeding the legal maximum amount set in article 83.4 to 83.6 of the GDPR.³⁷



            III.3.2.1.  Grounds for imposing a fine


   100. The Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679³⁸ emphasize that, to ensure a harmonized approach to sanctions, supervisory authorities must assess the appropriateness of imposing a fine on the basis of a set of criteria specified in article 83.2 of the GDPR. These guidelines specify that administrative fines are “remedial measures” whose objective may be “to restore respect for the rules or to sanction unlawful conduct (or both).”

   101. As the CJEU highlighted in its judgment in case C-311/18 (Facebook Ireland and Schrems), “the choice of the appropriate and necessary means falls to the supervisory authority”, which must make this choice taking into account all the circumstances of the specific case, which the Litigation Chamber does throughout its reasoning in Title III.3 of this decision.

   102. In its Deutsche Wohnen judgment, the CJEU ruled as follows:





36 To this end, the GDPR and the LCA provide for several corrective measures, including the orders mentioned in article 100, § 1, 5°, 6° and 9° of the LCA.
37 In two judgments of December 5, 2023, the CJEU answers these questions by specifying the conditions under which national supervisory authorities may impose an administrative fine on one or more controllers: Deutsche Wohnen, C-807/21, ECLI:EU:C:2023:950, and Nacionalinis visuomenės sveikatos centras, C-683/21, ECLI:EU:C:2023:949.
38 WP29, “Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679”, 17/FR, WP 253, October 3, 2017 (hereinafter “WP253 Guidelines”), p.6.


       “The existence of a system of sanctions making it possible to impose, when the specific circumstances of each individual case justify it, an administrative fine pursuant to article 83 of the GDPR creates, for controllers and processors, an incentive to comply with this regulation. Through their dissuasive effect, administrative fines contribute to strengthening the protection of individuals with regard to the processing of personal data and therefore constitute a key element in guaranteeing respect for the rights of these persons, in accordance with the purpose of this regulation of ensuring a high level of protection of such persons with regard to the processing of personal data.”³⁹


   103. In the same judgment, the CJEU notes “that Article 83 of the GDPR does not allow the imposition of an administrative fine for a violation referred to in paragraphs 4 to 6 thereof, without it being established that this violation was committed deliberately or negligently by the controller, and that, therefore, a culpable violation constitutes a condition for the imposition of such a fine.”⁴⁰


   104. In his conclusions in the Land Hessen case, Advocate General Pikamäe explains that the GDPR allows supervisory authorities to impose sometimes very high fines, which constitute an effective element of their arsenal for enforcing the regulation, in addition to the other corrective measures provided for in Article 58.2 of the GDPR. Thus, the supervisory authority enjoys a margin of discretion and is free to choose among these measures to remedy the violation found.⁴¹


   105. Although the Litigation Chamber was unable to establish that the offenses affect several data subjects, it emphasizes that the negligence of the defendant justifies the imposition of a fine.

   106. In accordance with the obligation under Article 83.2 of the GDPR, the Litigation Chamber examined all the factors set out in Article 83.2, points a) to k), to justify both the fine and its amount. This detailed examination is presented in Title III.3.2.2 of this decision. For the sake of clarity and readability, the Litigation Chamber refers the defendant to this




39 CJEU, 5 December 2023, C-807/21, Deutsche Wohnen (ECLI:EU:C:2023:950), paragraph 73.
40 Paragraph 75 of the judgment.
41 Conclusions of Advocate General Pikamäe in the Land Hessen case, C-768/21, ECLI:EU:C:2024:291. The Advocate General underlines that when a supervisory authority finds a personal data breach when examining a complaint, it is obliged to intervene in order to respect the principle of legality and to define appropriate corrective measures to remedy the violation. This obligation is in accordance with article 57.1.a) of the GDPR, which tasks the authority with monitoring the application of the regulation and ensuring compliance with it. Ignoring an established offense would be inconsistent with this mandate. He also recalls that the supervisory authority acts in the interest of the person or entity whose rights have been infringed (§41). To deal effectively with infringements, article 58.2 of the GDPR provides for a “catalogue of corrective measures” which the authority must use to re-establish a situation consistent with Union law, regardless of the seriousness of the offense (§42). The Advocate General specifies that Article 58.2 of the GDPR must be interpreted in the light of recital 129 of this regulation, according to which “any measure [must] [...] be appropriate, necessary and proportionate in order to guarantee compliance with this Regulation, taking into account the circumstances of the case.” In other words, the power conferred on the supervisory authority to use corrective measures is subject to the condition that the measure is “appropriate”, that is to say that it must be able to restore a situation consistent with Union law (§45). The Advocate General also indicates that Article 58.2 of the GDPR is limited to stating that each supervisory authority “has the power” to adopt all of the corrective measures listed.


title, specifying that the results of this examination justify not only the amount of the fine, but also the decision to impose a fine on the defendant. The Litigation Chamber summarizes below the reasons why it decides to impose a fine and refers the defendant to Titles II.2 and III.3.2.2 of this decision.

    a) Nature, seriousness and duration of the violation (art. 83.2.a) of the GDPR): The case submitted to the Litigation Chamber concerns a prolonged violation of the essential provisions of the GDPR, affecting the complainant's fundamental rights in matters of data protection.

            i. The request for erasure and opposition had still not been complied with more than a year after the complainant exercised his rights, thus violating articles 17 and 21 of the GDPR.

            ii. The lack of response to these requests led the defendant to process the complainant's data to send promotional emails during a period of at least six months.

           iii. Despite the absence of conclusions filed by the defendant, the Litigation Chamber summoned the latter to a hearing, where it confirmed its presence. The defendant was informed of the case and could not have been unaware of the complainant's requests, which were recalled in the invitation to the hearing sent by the Litigation Chamber. Upon receipt of this summons, the defendant should have been proactive in consulting its mailbox containing all the exchanges, checking the status of the requests and responding to them. The Litigation Chamber recalls that the defendant indicated during the hearing that it had access to the electronic mailbox of the former DPO, managed since then by the new DPO, and that it held all the emails sent by the DPA. However, on the day of the hearing, the defendant still had not responded to the complainant's requests and even questioned the need to respond to them, ultimately promising to do so as soon as possible. This approach is interpreted by the Litigation Chamber as a demonstration of flagrant negligence, in violation of articles 17 and 21 of the GDPR. The defendant had, thanks to this summons, an additional period in which to respond to the complainant's requests and to attempt to demonstrate, even belatedly, compliance with the provisions of the GDPR.


    b) Negligence or intentional nature of the violation (art. 83.2.b) of the GDPR): Several elements demonstrate manifest negligence on the part of the defendant in the management of requests from data subjects. This negligence is aggravated by the prolonged non-compliance with the complainant's erasure and opposition requests, the inappropriate use of “code 43” to limit the processing of data and the prolonged continuation of the processing of the complainant's data for direct marketing purposes, even after his erasure and opposition requests. At the hearing, the defendant had still not taken any appropriate measures to remedy the situation, indicating the seriousness and persistence of the violation. This manifest negligence results from inadequate internal procedures and systems and from ignorance of GDPR obligations, in particular by blaming its former DPO.

    c) Degree of responsibility of the defendant, taking into account the technical and organizational measures implemented in accordance with Articles 25 (art. 83.2.d) of the GDPR): The defendant is entirely responsible for the management of requests from data subjects, including the complainant's erasure and opposition requests.

         i. The defendant places responsibility on the former DPO, which in no way justifies the prolonged non-compliance with a request for erasure and opposition, nor non-compliance with the provisions of the GDPR more generally. This attitude raises serious questions about the defendant's management of responsibilities and internal governance.

        ii. The Litigation Chamber recalls that a data controller cannot evade its obligations by invoking the responsibility of the DPO to justify breaches of the GDPR. Even if the Litigation Chamber were to follow the defendant's argument, it recalls that the defendant had been alerted to the situation on two occasions: on the one hand, by being the subject of an investigation by the IS (as part of another file), and on the other hand, by the invitation to the hearing sent by the Litigation Chamber. In such a context, continuing to claim that the DPO is responsible raises serious doubts about the defendant's management of its obligations under the GDPR and calls into question its ability to meet these obligations.

        iii. By using “code 43”, the defendant demonstrated a lack of mastery of its own codes and nomenclatures, which led to a limitation of processing instead of an adequate response to the complainant's erasure and opposition requests. Such a lack of control is concerning. Furthermore, the defendant was unable to determine the link existing between it and the German processor before concluding that there was a processing contract. This confusion over the role of the processor and the inability to determine whether data has been erased raise doubts about the management of future requests from data subjects and compliance with articles 15 to 22 of the GDPR.

            d) Other aggravating and mitigating circumstances (art. 83.2.k) of the GDPR): At the time of the hearing, the defendant had still not responded to the complainant's requests, despite the obligation to respond within one month.

        For the remainder, in particular the categories of personal data concerned by the violation (art. 83.2.g) of the GDPR) or the measures taken to mitigate the damage suffered by the complainant (art. 83.2.c) of the GDPR), the Litigation Chamber refers the defendant to Titles II.2 and III.3.2.2 of this decision, as well as to the summary in section III.3.2.2.7. All the factors set out in Article 83.2, points a) to k), were examined there, and it appears that the result of this examination ultimately serves, in the present case, to justify the imposition of the fine as well as its amount.


   107. The defendant thus adopted behavior giving rise to several violations of the provisions of the GDPR (art. 83.3 of the GDPR), these violations being precisely identified in Article 83.5 of the GDPR⁴²: non-compliance, for a significant period, with the complainant's erasure and opposition requests, leading to the continued processing of his personal data for direct marketing purposes, even after his erasure and opposition requests; and highlighting the absence of guarantees ensuring compliance with the fundamental principles of the GDPR.

   108. These elements fully justify the imposition of an administrative fine to guarantee respect for the rights of data subjects and to strengthen the dissuasive effect of the sanctions provided for by the GDPR.



            III.3.2.2.  Starting amount of calculation


   109. To determine the amount of the fine in the case submitted to it, the Litigation Chamber recalls that it takes into account the EDPB guidelines on the calculation of administrative fines.⁴³

   110. In order to impose an effective, proportionate and dissuasive fine in all cases, the supervisory authorities, of which the Litigation Chamber is one, are supposed to adjust administrative fines while remaining within the range provided for in the EDPB guidelines, up to the legal maximum amount. This can lead to significant increases or reductions in the fine, depending on the circumstances of the case.




42 CJEU, Judgment of December 5, 2023, Deutsche Wohnen, C-807/21, ECLI:EU:C:2023:950, points 61 to 79.
43 EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), adopted on May 24, 2023, in particular points 49 and 50.


             III.3.2.2.1.    Classification of violations under Article 83.4 and 83.5 of the GDPR


111. The GDPR distinguishes two categories of violations: those punishable under article 83.4 of the GDPR, on the one hand, and those punishable under Article 83.5 and 83.6 of the GDPR, on the other hand. The first category of violations carries a maximum fine of 10 million EUR or 2% of the company's annual turnover, whichever is higher. The second category can give rise to a maximum fine of 20 million EUR or 4% of the company's annual turnover, the higher amount again being retained.

112. In this case and based on the violations set out in Title III.2 of this decision, the Litigation Chamber notes that the highest fine applies, in accordance with article 83.5 of the GDPR. Indeed, in the event of violation of the basic principles of processing under article 5 of the GDPR as well as of the rights of data subjects under Articles 17 and 21 of the GDPR, the Litigation Chamber may impose an administrative fine of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total worldwide annual turnover for the previous financial year, whichever is higher, as provided for in article 83.5.a) and b) of the GDPR.



             III.3.2.2.2.    Seriousness of the violation in the present case


113. Nature, seriousness and duration of the violation (art. 83.2.a) of the GDPR) – The case submitted to the Litigation Chamber concerns a prolonged violation of the essential provisions of the GDPR, which aim to protect the fundamental rights of individuals with regard to the processing of their personal data. The GDPR establishes a solid framework of responsibility for data controllers, in particular in Chapter III, which is dedicated to the rights of data subjects. These rights, set out in articles 15 to 22, give individuals direct control over their personal data, thus ensuring effective protection of their privacy. Thus, violations of articles 17 and 21 of the GDPR are particularly serious because they infringe the fundamental rights of individuals regarding the protection of personal data.

114. Despite the rights exercised by the complainant, who expressly requested the deletion of his personal data and objected to the processing for direct marketing purposes, the defendant did not respond to these requests for more than a year, thereby failing to meet its obligations under the GDPR. This behavior resulted in the continued processing of the complainant's data for direct marketing purposes, whether via telephone calls or advertising emails, over a period of six to ten months, even after his requests for erasure and opposition, thus violating the principles set out in article 5.1.a) of the GDPR.


115. In reaction to the sanction form, and therefore after the closure of the debates, the defendant underlines that the complainant did not “explicitly mention Article 21 of the GDPR in his request”. On this point, the Litigation Chamber, on the one hand, refers the defendant to paragraph 34 of this decision and, on the other hand, adds that it would be excessive to ask a data subject to explicitly mention the articles of the GDPR, because this could make the exercise of rights more difficult for individuals who are not familiar with legal terminology. The main thing is that the request is formulated in a clear and understandable manner, which a data controller, or its DPO, should be able to clarify in case of doubt, and thus handle in accordance with the provisions of the GDPR.

     Next, the defendant emphasizes that after following up on the erasure request based on Article 17(a), (b) and (c) of the GDPR, there is no additional obligation to notify the data subject of the further use of the data for direct marketing purposes. Unfortunately, as noted by the Litigation Chamber, the defendant was late in responding to the complainant's erasure request, which allowed the processing of data for direct marketing purposes to continue for a significant period, in contradiction with his request for opposition.

     Even following the defendant's reasoning, according to which the complainant would have formulated only a request for erasure, without explicit mention of Article 21 of the GDPR concerning the right to object to the processing of data for prospecting purposes, the Litigation Chamber underlines that the right of erasure was ignored for more than a year, thus resulting in a continued violation of the complainant's rights. This finding is crucial, because even in the absence of an explicit mention of Article 21, the processing of data for prospecting purposes – as for other purposes – should have been interrupted as soon as the erasure request was received. Consequently, the continued processing of the complainant's data for direct marketing purposes – even following the defendant's argument that this period would have lasted only 2 weeks (see point 118) – violates the rights of the complainant. For the remainder, the Litigation Chamber refers the defendant to paragraph 36 of its decision.

116. The Litigation Chamber emphasizes that direct marketing is crucial for the activities of the defendant, which sells its products nationally. The processing of data for direct marketing purposes therefore represents an essential component of its business model, directly affecting its customer relations and therefore its turnover. Failure to respect the rights enshrined in the GDPR, such as the rights of erasure and opposition, can lead to harmful consequences for the privacy of data subjects. This results in exposure to targeted and intrusive advertisements, as well as in disruptions to their daily lives caused by unsolicited telephone calls or emails.


   117. It appears from the hearing that the use of incorrect codes was systematic and does not appear to be limited to the complainant. However, the number of people whose data would have been processed in violation of the aforementioned provisions (see Title II.2) remains unknown. Consequently, the Litigation Chamber cannot determine the exact number of data subjects, which could have confirmed the systemic nature of the violations mentioned above and increased their severity. Thus, the Litigation Chamber limits itself to examining the case of the complainant, the only data subject identified as being affected by the violation of the provisions in question.

        In response to the sanction form, the defendant confirms that the violation affected only one data subject and that it is limited to a single territory, in this case Belgium.

   118. Concerning the duration of the violation (see Title II, as well as paragraph 61 of this decision), the Litigation Chamber notes that it continued for a significant period, which increases the seriousness of the infringement.

        In reaction to the sanction form, the defendant emphasizes that the impact on the data subject during this period was very limited, since the complainant would have received only a few advertising messages by e-mail and a limited number of attempted telephone contacts, i.e. “+/- 5 during a very limited period of 2 weeks at most (24.11.2022 – 7.12.2022)”. The Litigation Chamber refers the defendant to points 8, 21, 30, 31, 33 and 42 of this decision, emphasizing that the defendant made a promise to respond to the complainant's requests dated June 30, 2022 only on November 3, 2023. This period of silence is undeniably long and does not respect the one-month time limit provided for in Article 12 of the GDPR. Finally, the Litigation Chamber notes that the defendant did not implement “code 43” to delete the complainant's data until April 11, 2023 (see paragraph 33). This suggests that the complainant's data were not deleted but remained accessible and were processed, even in a limited manner, at least until April 2023, and not until December 2022 (see points 32, 33, 40, 43, 42). In this context, the question of the duration of the violation remains factually objective, allowing the Litigation Chamber to conclude that the period of infringement is significant.


   119. Negligence or intentional nature of the violation (art. 83.2.b) of the GDPR) – Several elements testify to manifest negligence on the part of the defendant in the management of requests from data subjects. On the one hand, the prolonged non-compliance with



44 Reaction of the defendant to the sanction form dated April 5, 2024, p.7.


     requests for erasure and opposition by the complainant, in particular by not responding within the prescribed deadlines, as well as the inappropriate use of “code 43”, which resulted in a limitation of processing, reveal not only the unsuitable nature of the internal procedures, but also ignorance of the rights set out in articles 15 to 22 of the GDPR and of the obligations incumbent on the data controller.

120. This negligence is aggravated by the prolonged continuation of the processing of the complainant's data for direct marketing purposes, even after his requests for erasure and opposition. At the time of the hearing, the defendant had still not taken the appropriate measures to remedy the situation and respond to the complainant's request for erasure and opposition, which demonstrates the serious and persistent nature of the violation.

121. All of these elements illustrate serious negligence in the management of the complainant's requests, indicating that the violation of articles 17, 21, 5.1.a) and 5.2 juncto 24 of the GDPR actually arises from negligence on the part of the defendant.

122. In reaction to the sanction form, the defendant emphasizes that it was not negligent because it trusted its DPO, who did not inform it of his or her resource problems. Furthermore, given that only the DPO had access to the mailbox and that the defendant was not the recipient of the initial correspondence sent by email to the former DPO, it considers that it cannot be accused of negligence. However, the Litigation Chamber reminds the defendant that it received a registered letter dated January 17, 2023 (see point 9). Then, the Litigation Chamber refers the defendant to points 54 to 57 of this decision before adding that, in accordance with article 38.b) of the GDPR, which states that “The data protection officer reports directly to the highest level of management of the controller or processor”, the defendant could have identified the problem(s) and resolved them rather than placing blind trust in the DPO. Consequently, the Litigation Chamber cannot agree with the arguments put forward by the defendant, for the aforementioned reasons (Title II.I.3, in particular points 55 and 57.c) of this decision). The Litigation Chamber confirms that serious negligence in the management of the complainant's requests is established, which indicates that the violation of articles 17, 21, 5.1.a) and 5.2 juncto 24 of the GDPR does indeed arise from the negligence of the defendant.

123. Categories of personal data affected by the violation (article 83, paragraph 2 (g) GDPR) – The data in question are the complainant's contact details, including his or her last name, first name, postal address, telephone number and email address. Although this information is not considered “sensitive data” within the meaning of article 9 of the GDPR, it makes it possible to identify or contact a specific person.



   124. Classification of the seriousness of the violation and setting the appropriate starting
        amount – The assessment of the above elements – namely the nature, seriousness and
        duration of the violation, as well as the deliberate or negligent nature of the
        violation and the categories of personal data concerned – helps determine the degree
        of seriousness of the violation as a whole. According to this assessment, the
        seriousness of the violation can be described as “low”, “medium” or “high”.

            a) For violations of low severity, when calculating the administrative fine, the
                supervisory authority sets a starting amount for the subsequent calculation of
                between 0 and 10% of the applicable legal maximum amount.

            b) For violations of medium severity, when calculating the administrative fine, the
                supervisory authority sets a starting amount for the subsequent calculation of
                between 10 and 20% of the applicable legal maximum amount.

            c) For violations of high severity, when calculating the administrative fine, the
                supervisory authority sets a starting amount for the subsequent calculation of
                between 20 and 100% of the applicable legal maximum amount.


   125. In this case, the seriousness of the violation is considered “medium”, for the reasons
        summarized below: the complainant's rights of erasure and opposition have not been
        respected; the principle set out in article 5.1.a) of the GDPR was not respected; the
        violation has lasted for a prolonged period of at least one year 46; several elements
        reveal manifest negligence on the part of the defendant, which aggravates the
        seriousness of the offense; although the data in question is not considered sensitive,
        it constitutes identification or contact information.


   126. In this context, it is difficult to maintain that the degree of the violation is “low”;
        rather, it is “medium” or “strong”. It should also be taken into account that only one
        person is affected by this violation. This circumstance allows the Litigation Chamber
        to deduce that the violation is of “medium” seriousness.

   127. In response to the sanction form, the defendant requests that the violations be
        reclassified as “low” rather than “medium”. Furthermore, it underlines that the former
        DPO took measures and communicated with the APD in April 2023: apparently, the former
        DPO was wrongly convinced that their communication in the context of the inspection to
        which the defendant was subject (see Title II.1.1) would be inserted in the file
        currently processed by the Litigation Chamber. The Litigation Chamber cannot accept the
        argument according to which a response to the SI could be interpreted as a response to
        requests made under Articles 15 to 22 of the GDPR, as prescribed by Article 12 of the
        GDPR, which mentions a direct response to the data subjects. Otherwise, a violation
        could be repaired while waiting for a supervisory authority to be informed of a
        potential violation by complaint or on its own initiative. This conclusion is not only
        erroneous in law but would void the exercise of rights by data subjects of its
        substance. In this context, it is difficult for the Litigation Chamber to qualify the
        violation as “low”, thus once again confirming the “medium” character of the breach.

45 EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), fn. 60.
46 See in particular Title III.3.2.2.2 of this decision.

   128. Consequently, the Litigation Chamber should apply, for the violations arising from the
        defendant's single course of conduct (falling under article 83.5 of the GDPR, with
        medium severity), a theoretical starting amount for the subsequent calculation of the
        administrative fine of between €2,000,000 and €4,000,000.

   129. Taking into account the circumstances assessed in light of Article 83.2 a), b) and g) of
        the GDPR, the Litigation Chamber decides to consider a theoretical starting amount of
        2,000,000 EUR.



                III.3.2.2.3.    Turnover of the controller and additional considerations
                    taken into account by the Litigation Chamber to determine the amount
                    of the fine


   130. The GDPR requires each supervisory authority to ensure that the administrative fines
        imposed are effective, proportionate and dissuasive in each individual case (art. 83.1
        of the GDPR).


   131. To achieve this, supervisory authorities should apply the definition of the concept of
        enterprise as adopted by the Court of Justice of the European Union (hereinafter
        “CJEU”) for the purposes of Articles 101 and 102 of the TFEU, namely that the concept
        of enterprise is understood as an economic unit which may consist of the parent company
        and all the subsidiaries concerned. In accordance with EU law and case law, a company
        must therefore be considered as an economic unit carrying out commercial/economic
        activities, whatever its legal form 47. The objective is to ensure that the sanctions
        are adapted to the size and economic power of the company.


   132. Supervisory authorities are expected to adjust administrative fines based on the
        seriousness of the violation, while respecting the range provided in the guidelines of
        the EDPB up to the legal maximum amount. This may lead to significant increases or
        reductions in the fine, depending on the circumstances of the specific case.

47 Recital 150 of the GDPR; WP Guidelines 253, pp. 6-7. The case law of the CJEU gives the following definition: “the
concept of enterprise covers any entity carrying out an economic activity, regardless of its legal status and its
method of financing” (case C-41/90, Höfner and Elser v Macrotron, ECLI:EU:C:1991:161, point 21). The notion of business
“must be understood as designating an economic unit, even if this economic unit is constituted, from a legal point of
view, by different natural or legal persons” (case C-217/05, Confederación Española de Empresarios de Estaciones de
Servicio, ECLI:EU:C:2006:784, paragraph 40); CJEU, September 10, 2009, C-97/08 P, Akzo Nobel nv et al. v Commission,
ECLI:EU:C:2009:536, points 60-61.

   133. In addition, Articles 83.4, 83.5 and 83.6 of the GDPR provide that the total worldwide
        annual turnover for the previous financial year must be used to calculate the
        administrative fine. In this regard, the term “previous” must be interpreted in
        accordance with the case law of the CJEU in matters of competition law, so that the
        event relevant for the calculation of the fine is the decision of the supervisory
        authority relating to the fine, and not the time of the sanctioned offense. 48


   134. Consequently, as an extension of the above, the Litigation Chamber considers that it
        can rely on the defendant's consolidated turnover figures for the 2023 financial year,
        namely more than 50,000,000 EUR 49, to determine the amount of the administrative fine
        that it intends to impose on the defendant. The Litigation Chamber hereby refers to the
        annual accounts of the defendant (company Y) as filed with the National Bank of Belgium
        (BNB) on September 25, 2023, which show a turnover of more than 50,000,000 EUR for the
        financial year 2023.


   135. Taking into account the minimum and maximum amounts per level set in the guidelines, on
        the one hand, and the annual turnover of the controller, on the other hand, the
        Litigation Chamber decides concretely to lower the final starting amount for the
        category of offenses (falling under article 83.5 of the GDPR, with a medium degree of
        seriousness) to an adjusted starting amount of 245,000 EUR.


                III.3.2.2.4.    Aggravating and mitigating circumstances


   136. Taking into account article 83 of the GDPR 50, the Litigation Chamber must also provide
        reasons for the imposition of an administrative fine and its amount in concrete terms,
        taking into account the other aggravating or mitigating circumstances listed in article
        83.2 of the GDPR:

            a) Measures taken to mitigate the damage suffered by the complainant (art. 83.2.c) of
                the GDPR)

                     i. With regard to the measures taken to mitigate the damage suffered by the
                        complainant, the Litigation Chamber recognizes the efforts undertaken by
                        the defendant to remedy the problems encountered with the former DPO, in
                        particular by reacting to the former DPO's inaction or incompetence. This
                        took the form of the establishment of a new team dedicated to handling
                        requests from data subjects as well as any questions relating to data
                        protection. The objective of this initiative is to strengthen the
                        responsiveness of the defendant in matters of data protection and
                        guarantee its compliance with the GDPR.

48 EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023),
paragraph 131.
49 Annual accounts for the 2023 financial year available on the website: https://consult.cbso.nbb.be/consult-enterprise.
50 Cour des Marchés 2020/1471 of February 19, 2020.


                    ii. However, the Litigation Chamber emphasizes that the defendant had an
                        annual turnover of more than 50,000,000 EUR for the financial year
                        2023 51, which illustrates that it had the financial means necessary to
                        establish and set up a team dedicated to managing requests from data
                        subjects as well as any questions relating to data protection, consisting
                        of more than one person. Likewise, these financial resources could have
                        allowed a quicker reaction to the incompetence of its former DPO.


                   iii. In addition, the Litigation Chamber takes into consideration the
                        commitment made by the defendant during the hearing, where it undertook
                        to regularize the situation in accordance with Article 17 of the GDPR and
                        to inform the complainant of the erasure of his or her data. The
                        Litigation Chamber emphasizes that this commitment covered only part of
                        the complainant's requests (as a reminder, a request for erasure and
                        opposition), which gives rise to concerns about the defendant's total
                        commitment to fully respect the rights of data subjects.

                    iv. Although steps have been taken to remedy the earlier problems with the
                        former DPO and to regularize the situation, there are still gaps in the
                        defendant's response to the complainant's requests.

            b) Degree of responsibility of the defendant taking into account the technical and
               organizational measures implemented in accordance with Articles 25 (art. 83.2.d)
               of the GDPR)

                     i. The Litigation Chamber, assessing the level of responsibility of the
                        defendant, notes that it is entirely responsible for the management of
                        requests from data subjects, including the complainant's requests for
                        erasure and opposition.

51 The annual accounts of company Y, filed with the National Bank of Belgium (BNB), reveal an increasing turnover:
[.. EUR] on February 29, 2020, [.. EUR] on February 28, 2021 and [.. EUR] on February 28, 2022. With a turnover that
always exceeded 50 million euros over this period, it is obvious that the defendant had the financial resources
necessary to set up a team or department (including several employees and/or DPO) dedicated to managing requests
from data subjects and data protection issues. Annual accounts available on the site:
https://consult.cbso.nbb.be/consult-enterprise.


                    ii. This responsibility encompasses various aspects, including the effective
                        execution of requests, the definition of specific codes to respond
                        appropriately to requests made under articles 15 to 22 of the GDPR, as
                        well as the understanding and implementation of clear and effective
                        procedures by all staff, from directors to internal staff.

                   iii. The defendant, by using “code 43”, demonstrated a lack of mastery of its
                        own codes and nomenclatures, which resulted in a restriction of
                        processing instead of an adequate response to the complainant's requests
                        for erasure and opposition. Furthermore, the failure to respond to the
                        complainant's requests for more than a year after the exercise of his
                        rights demonstrates an excessively long waiting period for processing the
                        requests but, above all, leads the defendant to process data in
                        contradiction with the fundamental principles of the GDPR set out in
                        Article 5 of the GDPR.


            c) Other aggravating and mitigating circumstances (art. 83.2.k) of the GDPR)

                     i. Regarding the aggravating circumstances, the Litigation Chamber notes
                        that at the time of the hearing, the defendant had still not responded
                        to the complainant's requests, despite being aware of the obligation to
                        respond within one month to all requests made under articles 15 to 22 of
                        the GDPR, in accordance with Article 12 of the GDPR and the principles of
                        transparency and fairness set out in article 5.1.a. of the GDPR.
                        Furthermore, the Litigation Chamber emphasizes that the defendant
                        undertook only to regularize the situation in accordance with article 17
                        of the GDPR, without mentioning article 21 of the GDPR, which concerns
                        the right to object to the processing of personal data. This omission
                        raises concerns about the defendant's commitment to fully respect the
                        rights of data subjects, as provided for in the GDPR.


137. The assessment of the elements listed in Article 83.2 of the GDPR – namely the measures
     taken to mitigate the damage suffered by the complainant, the degree of responsibility
     and all other aggravating and mitigating circumstances – is likely neither to increase
     nor to reduce the amount of the administrative fine.


                 III.3.2.2.5.    Effective, proportionate and dissuasive


   138. The EDPB guidelines recall that the administrative fine for violations of the GDPR
        referred to in Articles 83.4 to 83.6 must be effective, proportionate and dissuasive in
        each specific case. The supervisory authorities must verify whether the amount meets
        these criteria and adjust it if necessary.

   139. Effectiveness – A fine is deemed effective if it achieves the objectives for which it
        was imposed, such as restoring respect for the rules, sanctioning illicit behavior or
        both 52. In this case, the fine acts as an essential tool to restore compliance with
        GDPR rules, by sanctioning the negligent and serious behavior of the defendant.
        Additionally, it aims to deter other similar violations in the future 53. The prolonged
        violation of the complainant's fundamental rights, despite his requests for erasure and
        opposition, demonstrates the need for a firm response from the Litigation Chamber.
        Thus, a fine of 245,000 EUR constitutes an effective measure to achieve these
        objectives, while taking into account the seriousness of the breach.


   140. Proportionality – The principle of proportionality, as defined in the GDPR, states that
        the measures adopted must not exceed what is appropriate and necessary to achieve the
        legitimate objectives of the regulation in question. In the case of fines, this means
        that their amount must not be disproportionate to the intended goals 54, the
        seriousness of the violation, as well as the size and financial capacity of the company
        concerned. Therefore, supervisory authorities must ensure that the amount of the fine
        is proportionate to the violation, assessed as a whole, taking into account various
        factors such as the financial capacity of the company to pay.


   141. In certain exceptional circumstances, a reduction in the fine may be considered if its
        imposition would irremediably endanger the economic viability of the company concerned.
        This option is available when objective evidence demonstrates an inability to pay.
        Furthermore, it is essential to analyze risks by considering the specific social and
        economic context.


   142. In the present case, several criteria, such as the financial capacity of the defendant
        and the economic and social context in which it operates, indicate that the proposed
        fine is proportionate 56:

52 WP 253 Guidelines, p. 6.
53 See the development concerning the “dissuasive nature” of this decision, starting from paragraph 145.
54 Case T-704/14, Marine Harvest v Commission, paragraph 580, referring to Case T-332/09, Electrabel v Commission, paragraph 279.
55 See, to this effect, Case C-387/97, Commission v Greece, paragraph 90, and Case C-278/01, Commission v Spain,
paragraph 41, in which the fine had to be “on the one hand, adapted to the circumstances and, on the other hand,
proportionate to the breach found as well as the payment capacity of the Member State concerned”.
56 EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), point 140.


            a) Economic viability and financial capacity of the company: With a consolidated
               annual turnover of more than 50,000,000 EUR for the financial year 2023 57, the
               defendant has sufficient financial capacity to bear the proposed fine without
               compromising its economic viability. Therefore, a fine of 245,000 EUR remains
               proportionate to this financial capacity. This measure therefore remains
               sufficiently dissuasive without compromising the economic integrity of the
               company.

            b) Proof of loss of value: Nothing suggests that the imposition of the fine would
               endanger the viability of the company by leading to a significant loss in the
               value of its assets or threatening its ability to continue its activities in a
               viable manner. There must be a direct link between the fine and this loss of
               value, and it is not automatically accepted that bankruptcy or insolvency leads
               to such a loss. In the absence of tangible evidence demonstrating this
               correlation, a reduction in the fine may not be justified.

            c) Economic and social context: The defendant operates in the sector of “..”
               products in Belgium. In addition, the defendant distributes its products
               throughout the whole country, which suggests that it is not solely dependent on
               the local economic situation. This national presence also reduces its dependence
               on the local workforce. Therefore, it is unlikely that the payment of the fine
               would have a significant impact on the economy or social fabric, given that the
               defendant operates on a national scale and is not entirely linked to a specific
               region.

   143. In response to the sanction form, the defendant requests a reduction in the amount of
        the fine due to the exceptional circumstances it encountered during the last five
        years, attributable to external factors over which it had no control. These conditions
        affected its turnover, costs and profitability.

   144. The defendant then presents its financial development from 2019 to 2022, marked by
        negative growth in turnover and losses in 2019, an increase in 2020 despite increasing
        costs, reduced turnover and losses in 2021, and further deterioration in 2022 due to
        the economic crisis, leading to a further reduction in turnover and financial losses.
        For the current financial year 2023-2024, the defendant still anticipates a significant
        financial loss, with prospects of a difficult financial recovery until 2026-2027. Faced
        with this difficult financial situation, a fine of 245,000 EUR would have devastating
        consequences for the defendant. This would compromise the implementation of the
        reorganization measures necessary to guarantee its future viability, putting the jobs
        of 400 people at risk and even risking the cessation of activities in Belgium.

57 As a reminder, the annual accounts of company Y, filed with the National Bank of Belgium (BNB), reveal an
increasing turnover: [.. EUR] on February 29, 2020, [.. EUR] on February 28, 2021 and [.. EUR] on February 28, 2022.
With a turnover always greater than 50 million euros over this period, it is obvious that the defendant had the
financial resources necessary to set up a team or department (including several employees and/or DPO) dedicated to
managing requests from data subjects and data protection issues. Annual accounts available on the website:
https://consult.cbso.nbb.be/consult-enterprise.


   145. Taking into account all these circumstances, the Litigation Chamber agrees that a
        reduction in the amount of the fine appears appropriate to support the defendant and
        avoid endangering the jobs of 400 people as well as the continuity of activities in
        Belgium.


   146. To reach this conclusion, it seems relevant for the Litigation Chamber to take into
        account two essential elements: on the one hand, the use of the shareholders'
        contribution; on the other hand, the evaluation of cumulative losses over a period of
        three years (2023-2024, 2024-2025, 2025-2026) to reduce the amount of the initial fine.
        This approach aims to adequately consider the real financial capacity of the defendant
        to bear this administrative sanction.


   147. The Litigation Chamber notes that the shareholders injected a cash contribution of more
        than 3,000,000 EUR, a sum established taking into account past, present and future
        losses, as well as other financial commitments which the defendant will have to meet,
        with the aim of ensuring the financial recovery planned for 2026-2027 58. Furthermore,
        the Litigation Chamber emphasizes that the defendant seems to have anticipated the risk
        of a possible fine, as indicated by the Statutory Auditor in the following terms: “we
        draw attention to note VOL - inb 6. 19 of the financial statements (“risks”) which
        describes the uncertainty associated with the resolution of the GBA investigation. The
        result of this investigation could have a significant impact on the financial situation
        of the company.”


   148. Next, the Litigation Chamber considers it relevant to assess the cumulative losses over
        a period of three years (2023-2024, 2024-2025, 2025-2026) since the shareholders have
        paid a cash contribution of more than 3,000,000 EUR based on the multi-year strategic
        planning presented in October 2023 (see paragraph 147), aimed at guaranteeing the
        financial recovery planned for 2026-2027. It is important to note that the losses
        projected for the years 2024-2025 and 2025-2026 are hypothetical, and that the year
        2024-2025 saw the highest loss since 2019 (…EUR).


   149. In this context, the Litigation Chamber, as previously mentioned in paragraph 145,
        considers it appropriate to reduce the amount of the fine by applying the remaining
        percentage of the more than 3,000,000 EUR contributed by the shareholders, after having
        excluded the cumulative losses over a period of three years in relation to this
        contribution, periods that are for the most part hypothetical. This approach aims to
        align the reduction of the initial fine with the financial situation of the defendant.
        Thus, the Litigation Chamber considers that it has correctly assessed the financial
        impact of the fine in relation to the funds provided by the shareholders, and considers
        that the reduction of at least 30% of the initial fine takes into account the actual
        financial capacity of the defendant to bear the administrative fine.

58 The defendant mentions in its email of April 5, 2024 that a multi-year strategic plan was presented to
shareholders in October 2023, resulting in a cash contribution of more than EUR 3,000,000 from shareholders in
February 2024; page 5 of the email sent by its counsel in reaction to the sanction form.


150. Following the preceding reasoning, the Litigation Chamber objectively reduces the fine
     from 245,000 EUR to 172,431 EUR: The loss for the year 2023-2024 amounts to [-..EUR],
     while that forecast for the year 2024-2025 is [-..EUR], and that forecast for the year
     2025-2026 is [-..EUR]. Adding these together, the cumulative loss for the year 2023-2024
     and those forecast for the years 2024-2025 and 2025-2026 represents a total of more than
     1,000,000 EUR: [(-.. EUR)] + [(-.. EUR)] + [(-.. EUR)] = more than 1,000,000 EUR. The
     shareholders' contribution to ensure viability is more than 3,000,000 EUR. The
     percentage of the cumulative loss over a period of three years, i.e. 2023-2024,
     2024-2025 and 2025-2026 (the last two years being hypothetical), compared to the
     shareholders' contribution amounts to +-30% [(more than 1,000,000 EUR / more than
     3,000,000 EUR)*100 = +-30%]. After deducting the cumulative loss over a period of three
     years, it is established that the defendant still holds +-70% of the more than
     3,000,000 EUR contributed by the shareholders.

151. Consequently, the Litigation Chamber decides to apply the percentage of the cumulative
     loss over a period of three years (2023-2024, 2024-2025 and 2025-2026, the last two
     years being hypothetical) as a percentage reduction to the initial amount of the fine
     in order to determine the new amount.

     Taking into account all the specific circumstances surrounding the economic viability
     and financial capacity of the defendant, this represents +- 30% of the 245,000 EUR, a
     reduction of more than 70,000 EUR. Thus, the new amount of the fine is EUR 172,431,
     which corresponds to a reduction of approximately 30% compared to the initial amount.
     Furthermore, the Litigation Chamber emphasizes that the impact of this fine on a
     shareholder contribution established on forecasts until 2026-2027 (see point 148) is
     minimal, representing only 4%.

     Considering these factors, the Litigation Chamber considers that the reduction of the
     fine from 245,000 EUR to 172,431 EUR is a proportionate measure to sanction the
     violations noted in this specific case.


152. Dissuasive nature – The dissuasive nature of fines is crucial to guarantee compliance
     with the rules established by Union law, in particular in the GDPR. This deterrent
     character can manifest itself in two ways: general deterrence, which aims to discourage
     other controllers from committing the same violation in the future, and specific
     deterrence, which aims to dissuade the controllers concerned by the fine from breaking
     the rules again in the future. A fine must be sufficiently dissuasive for controllers
     to fear that supervisory authorities will indeed apply fines for GDPR violations.


   153. Several factors determine the dissuasive nature of a fine: the nature and amount of the
        fine, as well as the probability of its imposition, are determining factors in this
        regard. A fine must be high enough to have a significant financial impact on the
        offending company, while remaining proportionate to the seriousness of the breach. In
        other words, the criterion of deterrence overlaps with that of effectiveness.

   154. If a supervisory authority considers that a fine is not sufficiently dissuasive, it may
        consider increasing it. In some cases, it may even apply a deterrence multiplier to
        strengthen its deterrent effect. This multiplier can be adjusted at the discretion of
        the supervisory authority to ensure that deterrence objectives are fully achieved.

   155. In this case, the fine of EUR 172,431 imposed on the defendant aims to deter the
        defendant from repeating the violation of the rules of the GDPR. Furthermore, it also
        seeks to deter other companies from committing similar violations. This fine,
        proportionate to the seriousness of the violation 59 and taking into account the
        turnover of the defendant, is designed to have both a specific and general deterrent
        effect.

   156. Considering all of these aforementioned factors, the fine of EUR 172,431 seems to have
        the dissuasive character necessary to ensure compliance with the GDPR.



                III.3.2.2.6.    In summary


   157. Firstly, the Litigation Chamber notes that the defendant, whose turnover amounts to
        more than 50,000,000 EUR, failed for a significant period to comply with a
        complainant's erasure and opposition requests, resulting in continued processing of
        personal data for direct marketing purposes, and highlighting the absence of guarantees
        to ensure compliance with the fundamental principles of the GDPR, thus violating
        articles 17, 21, 5.1.a), and 5.2 juncto 24 of the GDPR.

   158. Then, after analyzing all the relevant circumstances of the case in question under
        Article 83.2, a), b) and g) of the GDPR, the Litigation Chamber considered that the violation was
        of “medium” severity. To determine the starting amount, the violation of articles 5,
        17 and 21 of the GDPR is listed in Article 83.5, a) and b) of the GDPR, which provides that the
        maximum legal amount is 20 million EUR (20,000,000 EUR) or 4% of the
        total global annual turnover for the previous financial year. In this case, the turnover of
        the defendant being less than EUR 500 million, the fixed maximum amount and
        range apply. Therefore, a starting amount of between 10 and 20% of the
        applicable legal maximum, i.e. between EUR 2 and 4 million, is envisaged. Since the
        violation is considered medium, the Litigation Chamber decides that the starting
        amount set according to the seriousness of the violation will be 2,000,000 EUR (2 million EUR).

59 See in particular Title III.3.2.2.2. of this decision.
60 See in particular Title III.3.2.2.2. of this decision.

   159. Then, the starting amount set in step 1 is adjusted according to the size of the company.
        The defendant achieved an annual turnover of more than EUR 50,000,000 for
        financial year 2023, falling in the range of EUR 50 to 100 million. That
        results in an adjustment of the starting amount to an amount between 8% and 20%.
        Given that the defendant's turnover is high within this
        range, the Litigation Chamber decides that an adjustment of up to 12.25% of the
        starting amount set in step 1 is justified, thus bringing the starting amount after adjustment to
        245,000 EUR in this case.


   160. To ensure that this starting amount after adjustment complies with the
        guidelines, it is compared with the ranges in the applicable table
        available in the EDPB guidelines. Since article 83.5 of the GDPR is
        applicable, the defendant achieves a turnover of between 50 and 100
        million EUR and the severity is medium, the starting amount should be
        between 160,000 and 800,000 EUR. The Litigation Chamber concludes that a starting
        amount of 245,000 EUR is within this range, and is therefore in line with the
        guidelines.

   161. Taking into account article 83 of the GDPR, the Litigation Chamber must also give concrete
        reasons for the imposition of an administrative fine, taking into account the other
        aggravating or mitigating circumstances listed in Article 83.2 of the GDPR. However,
        the assessment of these elements does not justify either an increase or a decrease in the amount
        of the administrative fine. Furthermore, the Litigation Chamber must also justify
        the imposition of this administrative fine in accordance with the guidelines of
        the EDPB, which emphasize that fines for GDPR violations must be effective,
        proportionate and dissuasive in each specific case, in accordance with Articles
        83.4 to 83.6 of the GDPR. The assessment of these elements justifies a reduction of
        approximately 30% between the initial fine and the new amount. Considering all the factors
        mentioned above, the reduction of the fine from EUR 245,000 to EUR 172,431 is an effective,
        proportionate and dissuasive measure necessary to ensure compliance with the GDPR.64

61 EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), adopted on May 24,
2023, see the appendices (p. 52).
62 Cour des Marchés), 2020/1471 of February 19, 2020.
63 See in particular Title 3.2.2.4. of this decision.



               III.3.2.2.7.    The decision to impose an administrative fine


   162. All of the above elements justify an effective, proportionate and
        dissuasive sanction under Article 83 of the GDPR, taking into account the assessment criteria
        set out therein. The Litigation Chamber underlines that the other criteria set out in article
        83.2 of the GDPR are not likely, in this case, to result in an administrative fine
        other than that determined by the Litigation Chamber within the framework of this
        decision.

   163. The Litigation Chamber considers that it is justified to impose an administrative fine,
        taking into account the specific circumstances as well as the position taken by the
        defendant regarding the manner in which the plaintiff's requests were handled, in order
        to sanction this behavior appropriately and to encourage the defendant
        to refrain from responding to requests to exercise the rights granted under the GDPR
        in this way in the future.

   164. In view of the aforementioned assessment as well as the circumstances specific to this case, the
        Litigation Chamber therefore considers that it is appropriate to impose an administrative
        fine of EUR 172,431 on the defendant, pursuant to article 58.2. i) of the GDPR as well
        as articles 100, § 1, 13° and 101 of the LCA, in accordance with article 83.2 of the GDPR.

   165. The Litigation Chamber considers that the amount of this fine, which moreover remains
        well below the maximum amount of the authorized range, is proportionate to the severity
        of the violations noted in the behavior in question.



IV. Publication of the decision


   166. Given the importance of transparency regarding the decision-making process of the Litigation
        Chamber, this decision is published on the website of the Data Protection
        Authority. However, it is not necessary for this purpose that the identification
        data of the parties be directly communicated.

64 See in particular Title 3.2.2.5 of this decision.

filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud.66, or
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).







(signed) Hielke HIJMANS

President of the Litigation Chamber

the signature of the applicant or his lawyer.
66 The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered
letter to the court clerk or filed with the court registry.