APD/GBA (Belgium) - 87/2024
From GDPRhub
| APD/GBA - 87/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR Article 17 GDPR Article 21 GDPR Article 21(2) GDPR Article 38(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 14.02.2023 |
| Decided: | 03.06.2024 |
| Published: | |
| Fine: | 172,431 EUR |
| Parties: | n/a |
| National Case Number/Name: | 87/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | APD/GBA (in FR) |
| Initial Contributor: | nzm |
The DPA imposed a €172,431 fine to a controller for, among other things, failing to erase a data subject’s personal data in the context of direct marketing and for the unresponsiveness of the controller to the DPA
English Summary
Facts
On 30 June 2022, the data subject purchased a product from the controller and discovered an unexpected charge of €1,50 relating to an ‘energy contribution’ on his bill of May 2022. The data subject asked to be reimbursed of this surcharge and that all his personal data be deleted. The controller refused to reimburse this surcharge but acknowledged receipt of the deletion request and confirmed it would be dealt with promptly.
The data subject continued to receive advertising communications from the controller. On 18 November 2022, the data subject requested mediation from the Belgian DPA (‘APD’). On 14 February 2023, in the absence of any response from the controller, the Mediation Service of the APD informed the data subject that he could convert his request for mediation into a complaint. The data subject did so on the same day.
During the hearing, the controller explained that regarding the erasure of the data subject’s data, the process took place in several stages: the data subject initially complained about an excessive energy charge but this complaint evolved into an erasure request to terminate the customer relationship. The former DPO misunderstood that this was a GDPR issue. They then ordered their German processor to delete the data subject’s data using ‘code 43’. However, this code was used to restrict the processing rather than delete the personal data. The controller acknowledged this mistake made by the former DPO and also explained that (i) the absence of response to the DPA during the mediation was due to the former DPO, and that neither the current DPO, nor the management were aware of these problems and (ii) the former DPO did not process correspondence with the DPA or the data subject, nor did they share this information internally. They took measures to limit the processing of the data subject’s data without communicating with the latter, or with the DPA.
Despite the use of ‘code 43’ to limit the processing and the cessation of commercial calls to the data subject, newsletters continued to be sent until December 2022. The data subject had consented to receive these newsletters, which were managed by a separate network. In December 2022, the former DPO rectified the situation.
The controller also explained that it took initiatives to improve its responsiveness and comply with the DPA’s decisions, in particular with the hiring of a new DPO who worked full-time with a team of two people, and the current DPO regretted that the former DPO had not informed the data subject of this rectification.
On 11 November 2023, the controller informed the APD that it had received an email from the German processor confirming that the data subject’s data had been deleted, and that it had sent an email to the latter informing him of this deletion.
On 15 March 2024, the APD informed the controller of its intention to impose an administrative fine and the amount of the fine, in order to give the controller, the opportunity to defend itself. On 5 April 2024, the APD received the controller’s response.
Holding
Regarding the breach of Articles 17 and 21 GDPR, Article 17 GDPR establishes the right to erasure which allows data subjects to request deletion of their personal data if certain conditions are met. However, the right to erasure is not absolute: Article 17(3) GDPR provides for certain exceptions in which this right does not apply.
Article 21(2) establishes that the data subject has the right to refuse any processing of their personal data for direct marketing purposes by indicating that they do not consent to receive marketing communications. The APD indicated that when the purpose pursued by the controller is ‘direct marketing’, the right to object is automatic and the controller may no longer process the data for such purposes once the data subject has expressed their objection.
The APD added that Article 21(2) GDPR applies at all times and is not subject to any conditions. The DPA considered that withdrawing consent and objecting to the processing for direct marketing purposes should, in principle, lead to the same end: the immediate cessation of the processing of data for direct marketing purposes and the automatic deletion of those data.
The APD also pointed out that Articles 15 to 22 are intrinsically linked to Article 12 GDPR, particularly with regard to the procedures for exercising the rights of data subjects.
In the present case, the data subject made an erasure request by revoking his consent, under Article 17(1)(b) GDPR. The APD considered that it was clear from reading the data subject’s request that he expressed a firm desire to end all commercial relations with the controller. In addition to requesting the total deletion of his personal data, the data subject firmly objected to his data being processed for the purposes of direct marketing, which was later confirmed during the request for mediation he submitted. First, the APD noted that on the basis of the statements made by the controller at the hearing, the controller had still not taken any concrete steps to respond to the data subject’s request for erasure and objection. The controller sent an email on 11 November 2023 informing the DPA that the data had been deleted, but the APD decided not to take this information into account as the proceedings had already been closed.
Second, the APD held that the application of ‘code 43’ restricted access to the data subject’s data within its system, but did not lead to their deletion. Therefore, certain processing operations such as telephone calls were restricted, however it did not stop the sending of newsletters.
Third, the controller implicitly invoked the exception provided for in Article 17(3)(b) GDPR, namely the retention of personal data in order to comply with legal obligations (‘tax audits’). The APD stated that the controller should have invoked this exception to justify the non-erasure. Nevertheless, the DPA found that this exception could not justify the processing of data for direct marketing purposes, whether by telephone or by email.
Therefore, the APD concluded that the controller failed to comply with Articles 17 and 21 GDPR.
Regarding the breach of Article 5(1)(a) GDPR, the APD indicated that the principle of fairness and transparency laid down in this Article is not limited to the simple information and transparency obligations listed in the GDPR, but is a general principle and philosophy which must be respected for all processing.
First, the APD took into account the fact that the sending of advertising messages and newsletters was based on the data subject’s consent by ticking a box. However, the DPA found that there was a contradiction in the timelines regarding the processing: the data subject exercised his right to erasure and objection in June 2022. Nonetheless, the controller used ‘code 43’ only in April 2023 which suggested that the data subject’s data was processed, even in a limited manner, at least until April 2023. Therefore, the processing of his personal data continued without any legal basis since the data subject withdrew his consent, thus, violating Article 6 GDPR. The APD did not take into account the argument that the consent box ticked by the data subject suggested perpetual consent.
Second, the APD noted that on the day of the hearing the controller had still not informed the data subject of the measures taken in response to his requests. Hence, the controller did not comply with its information and communication obligations under Article 12 GDPR.
Therefore, the APD concluded that the controller breached the principles of lawfulness and transparency set out in Article 5(1)(a) GDPR by failing to comply with the requirements of Articles 6 and 12 GDPR.
Regarding the breach of Articles 5(2) and 24 GDPR, the APD indicated that the controller must implement appropriate technical and organisational measures to ensure that it is able to demonstrate that the processing is carried out in accordance with the GDPR.
First, the APD explained that with regard to Article 38(2) GDPR, which states that the controller shall assist the DPO by providing the resources necessary to carry out their tasks, among other things, the following must be taken into account: (i) the DPO must be involved, where appropriate, in all matters relating to data protection, (ii) the controller must recognize and enhance the DPO’s role by management, (iii) the controller must allocate adequate time for the DPO to carry out its duties, (iv) the controller must communicate the appointment of the DPO to all staff to ensure that their role within the organisation is widely known, (v) the controller must ensure ongoing training to keep the DPO’s knowledge up to date.
Second, the APD considered that in the present case, the inability of the controller to verify or conclusively confirm the actual deletion of the data subject’s data raised concerns about the effectiveness of the technical and organisational measures in place. Additionally, the DPA also took into account the fact that the former DPO worked part-time and was overloaded, which prevented him from responding effectively to the requests and considered that this highlighted the failure to put in place measures to ensure compliance with the GDPR. The APD also noted that the controller’s decision to hire a new full-time DPO was taken in response to the DPA’s investigation. However, such measures should have been put in place prior to the DPA’s intervention.
Therefore, the DPA concluded that the controller failed to comply with Articles 5(2) and 24 GDPR.
Regarding the alleged breach of Article 31 GDPR, which states that the controller must cooperate with the DPA at its request, the DPA noted that the controller did not respond to the APD’s requests. The DPA indicated that this negligence appeared to result mainly from a confusion due to the fact that the controller was also subject to an investigation by another service of the APD. However, the latter held that the controller is obliged to cooperate with all the departments of the DPA. The APD considered that although the controller increased the number of staff and replaced the former DPO, these measures did not appear to be fully effective, in particular with regard to the examination of all the previous requests from the DPA.
Therefore, the DPA held that the controller did not fully cooperate with the DPA during the mediation procedure, but it was not able to determine whether this lack of response was the result of confusion generated by the ongoing inspection or the result of a deliberate intention or gross negligence not to cooperate.
Regarding the imposition of a fine, the DPA indicated that although it was not able to establish that the infringements had an impact on several of the persons concerned, it emphasized that the controller’s negligence justified the imposition of a fine. Therefore, the APD decided to impose a €245,000 fine, which was reduced to €172,431 due to the controller’s difficult financial situation which would have devastating consequences for it, namely putting the jobs of 400 people at risk, and even leading to the cessation of activities in Belgium.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/55
Litigation Chamber
Decision on merits 87/2024 of June 3, 2024
File number: DOS-2022-04748
Subject: Complaint for non-compliance with the right to erasure and opposition after the
receipt of commercial messages for direct marketing purposes
The Litigation Chamber of the Data Protection Authority, made up of Mr.
Hielke HIJMANS, president, and gentlemen Romain Robert and Frank De Smet, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the
protection of natural persons with regard to the processing of personal data and
to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the
data protection), (hereinafter “GDPR”);
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter
“LCA”);
Considering the internal regulations as approved by the House of Representatives on
December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Has taken the following decision regarding:
The complainant:
The defendant: Company Y, hereinafter “the defendant”. Decision on merits 87/2024 — 2/55
I. Facts and procedure
1. On November 18, 2022, the complainant filed a request for mediation with the Authority of
data protection (hereinafter “DPA”) against the defendant, which is transformed
filed a complaint on February 14, 2023 due to his lack of response.
2. The complaint relates to the receipt of regular, unsolicited commercial messages to
direct marketing purposes on the part of the defendant, despite the exercise by the plaintiff of
its right to erasure and opposition.
3. On June 30, 2022, the plaintiff, having purchased the defendant's products from his
representative, discovers an unexpected charge of €1.50 linked to an “energy contribution”
on his invoice dated May 31, 2022. Faced with the refusal to reimburse this surcharge by the
defendant, the complainant requests the deletion of all of his data
personal. He sends this request by email to the address “…”, indicating that he does not
no longer wishes to be a client of the defendant.
4. On July 1, 2022, the defendant acknowledges receipt of the plaintiff's requests and confirms
rapid processing of these.
Despite the assurance given by the defendant regarding the consideration of requests
made on June 30, 2022, the complainant continues to receive communications
advertising by the defendant.
5. On November 18, 2022, the complainant requests a mediation procedure with the Service
of First Line (hereinafter “SPL”) of the APD. In the request form addressed to
ODA, the complainant reiterates his wish to no longer have commercial relations with the
defendant, explaining: “[...] I therefore requested a reimbursement which I did not have
obtained I then requested, on July 1st, that all my data be erased which I do not
would never order from them again. [...] Today, 4 and a half months later, I receive
always advertising messages. » .
6. On November 24, 2022, the SPL confirms receipt of the request for mediation and declares it
admissible.
7. On December 7, 2022, the SPL informed the defendant of the request for mediation, inviting her to
respond to the complainant's request regarding the exercise of his rights, and to transmit
a copy of his response to the SPL.
8. On January 11, 2023, the complainant requested the status of the request for mediation and
informal SPL that he continues to receive calls and emails from the defendant. THE
January 13, 2023, the SPL responds by indicating that the file is being processed, that a
1Exhibit 1 – The request for mediation and its annexes. Decision on merits 87/2024 — 3/55
letter was sent to the defendant on December 7, 2022, granting it a period of one
months to respond, and that a reminder would be issued to the defendant.
9. On January 17, 2023, the SPL sends a registered letter with acknowledgment of receipt to the
defendant, inviting it to respond to the initial request of December 7, 2022.
10. On February 14, 2023, due to the lack of response from the defendant, the SPL informed the
complainant that he can commute his request for mediation into a complaint in accordance with article
62, §2, paragraph 4 of the LCA. The complainant requests this transformation on the same day.
11. On February 20, 2023, the SPL notified the defendant that the mediation had failed due to
his lack of reaction, then transmits the complainant's complaint to the Litigation Chamber
in accordance with article 62, § 1 of the LCA.
12. On May 15, 2023, the Litigation Chamber decides, under Article 95, § 1, 1° and
Article 98 of the LCA, to process the file on its merits. The parties concerned are notified
by registered mail of the provisions as set out in article 95, § 2 as well as in
article 98 of the LCA. They are also informed, under article 99 of the LCA, of the
deadlines for transmitting their conclusions. That same day, the Litigation Chamber clarified
3
that the language of the proceedings would be French, in accordance with the language policy.
On May 15 and 19, 2023, the defendant and the plaintiff respectively acknowledged receipt
some mail.
The deadlines are June 26, 2023 for the submissions in response to the
defendant; by July 17, 2023 for the complainant's reply conclusions; and August 7
2023 for the defendant's reply submissions.
13. On September 29, 2023, in the absence of conclusions filed by the parties, the Chamber
Litigation summons, in accordance with article 52 of the ROI, the parties concerned to a
hearing on October 12, 2023, to allow them to present their arguments orally.
The defendant confirms its presence on October 3, 2023, while the plaintiff expresses
his inability to attend the hearing in an email dated October 11, 2023.
14. On October 12, 2023, the defendant was heard by the Litigation Chamber. During
of this hearing, the defendant presents the following arguments:
a) The responsibility of the data protection officer (hereinafter “DPO”): the
problems with the APD began under the management of the former DPO, Mr. Z1 (hereinafter
after “the former DPO”). Neither the current DPO, Mr. Z2 (hereinafter “the current DPO”) nor the
management were not informed of these problems. The defendant justified the absence
2Art. 95, § 1, 1° and art. 98 of the aforementioned law of December 3, 2017.
3Data Protection Authority, “Note relating to the linguistic policy of the Litigation Chamber”, 01/07/2021,
available at https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-politique-linguistique-de-la-
chamber-contentious.pdf. Decision on merits 87/2024 — 4/55
response from the former DPO due to his work overload, emphasizing that the
management was not informed of this overload.
b) Inadequate management of letters: the former DPO did not process letters from
the APD nor the complainant and did not share this information internally. The former DPO
has taken measures to limit the processing of the complainant's data, without
contact the complainant or the APD.
c) The data erasure process: the defendant described the process
erasure of the complainant's personal data, explained the error of the former
DPO, mentioned the confusion around data localization and “code
43”, and undertook to comply with the GDPR by informing the complainant of
the erasure of its data.
d) Responsibility for data processing: responsibility for processing
data between “Y B ELGIUM” (hereinafter “the defendant”) and “Y LLEMAGNE” (hereinafter
after “the German subcontractor”) was discussed, with reference to a contract of
subcontracting.
e) Organizational improvements: the contract of the old DPO ended, and the DPO
currently works full-time with a team of two people to manage the company
email “privacy@Y.be”. The defendant is committed to taking initiatives to
improve its responsiveness and comply with APD decisions.
15. On October 27, 2023, the Litigation Chamber submits the minutes of the hearing to the
parts.
16. On November 3, 2023, the defendant provided details in the minutes at the
Litigation Chamber, which will be taken into consideration in this
decision. The defendant further requests that, taking into account the circumstances
specific to the case, the Litigation Chamber opts either for a suspension of the
pronounced, as permitted by article 100, § 1, 3° of the LCA, either for a warning or
a reprimand according to article 100, § 1, 5° of the same law.
17. On November 11, 2023, the defendant notifies, after the close of the debates, the Chamber
Litigation having received an email from the German subcontractor, confirming the deletion of
data of the complainant, and having sent an email to the complainant to inform him of this
deletion.
18. On March 15, 2024, the Litigation Chamber informed the defendant of its intention
to proceed with the imposition of an administrative fine as well as the amount thereof, in order
to give the defendant the opportunity to defend herself before the sanction is
actually inflicted. Decision on merits 87/2024 — 5/55
19. On April 5, 2024, the Litigation Chamber received the defendant's reaction concerning
the intention to impose an administrative fine and the amount thereof. This response is
examined by the Litigation Chamber as part of its deliberations.
II. Motivation
II.1. Introductory points
II.1.1. On the joining of files
20. During the hearing, the defendant emphasized that she was the subject of an investigation
carried out by the Inspection Service (hereinafter “SI”) of the APD as part of a file
distinct. This assertion was reiterated as part of his reaction to the hearing minutes of 3
4
November 2023.
21. On April 5, 2024, as part of its reaction to the sanction form of March 15, 2024, the
defendant requested the joinder of the file (…)(subject of the IS investigation) with the file
currently subject to this decision.
22. Firstly, the defendant should be reminded that the IS is required to maintain secrecy
the investigation, in accordance with article 64§3 of the LCA, which specifies that “the investigation is secret
unless there is a legal exception, until the time of submission of the inspector general's report to
of the Litigation Chamber”.
23. Secondly, the Litigation Chamber emphasizes that it does not have the power to
self-report an ongoing investigation carried out by the IS. It refers the defendant to
Article 92 of the LCA for the conditions of referral. This article specifies that the IS can enter
the Litigation Chamber after the closure of an investigation in accordance with article 91 §2 of
the LCA.
24. Thirdly, the Litigation Chamber recalls that the sanction form aims to
allow the alleged perpetrator of the offense, in this case the defendant, to give
his views on the amount of the proposed fine before its imposition and its
effective execution. This defense process, provided through the sanction form
on the amount of the proposed fine, does not open new debates on the
findings already established by the Litigation Chamber, the latter being closed.
25. In conclusion, the Litigation Chamber rejects the request to join the file (…) with
the current file which is the subject of this decision.
4In its reaction to the hearing minutes of November 3, 2023 and the sanction form of April 5, 2024, the defendant specifies
that the file being inspected corresponds to the referenced file number (…).
5Sanction form dated March 15, 2024; reaction of the respondent to the sanction form dated April 5, 2024. Decision on merits 87/2024 — 6/55
II.1.2. On the interpretation of article 21.2 of the GDPR
26. In this case, the Litigation Chamber notes that the complainant made his request
erasure (total deletion of their data) on June 30, 2022 by revoking their
consent, in accordance with article 17.1.b) of the GDPR. Furthermore, it is clear, upon reading
of the complainant's request, that the latter expresses a firm desire to put an end to any
commercial relationship with the defendant. To the extent that the complainant exercised his
right to erasure under Article 17.1.b) of the GDPR, by revoking consent,
the defendant should have granted the erasure request, delete all of the
personal data of the complainant and stop direct marketing, since the legal basis
invoked for this data processing is consent.
27. Next, the Litigation Chamber emphasizes that article 21 of the GDPR covers two forms
different from the right of opposition. On the one hand, in article 21.1, a possibility of opposing
processing based on the legitimate interest of the data controller or on a
public interest mission of the data controller (general opposition subject to
weighting of interests).
28. Furthermore, in accordance with article 21.2, the person concerned has the right to refuse
any processing of their data for direct marketing purposes (opposition to marketing
direct), thus indicating that it does not consent to receive marketing communications.
When the purpose pursued by the data controller is direct marketing, the
right of opposition is automatic: the data controller can no longer
process data for such purposes, including profiling, to the extent it is related
for this purpose, when the person concerned has expressed their opposition.
29. The Litigation Chamber takes the position that article 21.2 applies at all times,
since Article 21.2 grants an unconditional right to the data subject to object
“at any time” to the processing of their personal data for the purposes of
prospecting, including profiling to the extent that it is linked to such prospecting.
6
The exercise of the right under Article 21.2 is not subject to any conditions. This item
applies independently of the legal basis of the processing, and without any weighting
interest is required. This position can also be deduced from the distinction between
recitals 69 and 70 of the GDPR.
30. The Litigation Chamber admits that a different reading of article 21.2, according to which
this provision would be limited to the same legal bases for processing as Article 21.1
GDPR [Article 6.1(e) and Article 6.1(f)], is not excluded. However, such a reading
6See WP29, Guidelines for automated individual decision-making and profiling for the purposes of
regulation (EU) 2016/679, WP251, rev.01, p21; Zanfir-Fortuna in The EU General Data Protection Regulation (GDPR): A
Commentary, OUP 2000, p. 518. Decision on merits 87/2024 — 7/55
would change nothing in the defendant's obligations, because the withdrawal of consent under
of article 17.1.b of the GDPR implies that all processing must cease.
31. The preceding points show that the withdrawal of consent (legal basis invoked
by the defendant to justify direct marketing) and the opposition to the processing of
data for direct marketing purposes should in principle lead to the same purpose:
immediate cessation of data processing for direct marketing purposes and the
automatic deletion of this data.
II.2. As for the alleged breaches of the GDPR
II.2.1. Alleged violation of Articles 17 and 21 of the GDPR
II.2.1.1. Position of the defendant
32. The following arguments were raised by the defendant only during the hearing:
a) Regarding the erasure of the complainant's data, the process was
carried out in several stages. Initially, the complainant complained about energy costs
excessive, but this complaint evolved into a request to terminate the relationship
customer and erasure of data. The former DPO misinterpreted the situation, did not
not understanding that this was a GDPR issue.
The former DPO then ordered the German subcontractor to erase the data from
complainant, using “code 43”. However, this code did not result in the removal
complete data. The current DPO admitted that “code 43” was intended to
limit processing rather than deleting data, recognizing an error
of the former DPO.
Despite the implementation of “code 43” to limit the processing of data and
the cessation of commercial calls to the complainant, the sending of newsletters continued
until December 2022. The defendant specified that the plaintiff had consented
to receive these newsletters, which were managed by a separate network.
It was not until December 2022 that the former DPO rectified the situation in response
to SPL mail, making the data inaccessible to the defendant, but
they were always present and accessible to other entities, notably to
purposes of tax audits. The current DPO regretted that the former DPO did not
informed the complainant of this rectification.
On the day of the hearing, the defendant could not guarantee that the data had been
actually deleted, due to lack of written confirmation from the German subcontractor to
this subject. The current DPO offered to contact the German subcontractor to
verify the deletion of the complainant's data. Decision on merits 87/2024 — 8/55
b) Regarding the request made by the current DPO on the obligation
to inform the complainant of the measures taken in response to his request for
deletion of data, the Litigation Chamber recalled the provisions of
Article 12 of the GDPR. In response, the defendant undertook, during the hearing,
to regularize the situation in accordance with article 17 of the GDPR and inform the
complaining about the erasure of his data.
c) With regard to the location of the complainant's data and the identification of the
responsible for the processing, the defendant raised that the IS was investigating these
questions in a separate file. Finally, the defendant indicates that it is
the “sole” controller, according to the information available to it.
33. On November 3, 2023, as part of his reaction to the minutes of the hearing (hereinafter “
reaction to the PV)"), the defendant specified that the former DPO had requested activation
of “code 43” for the complainant’s data from the German subcontractor on April 11
2023, a fact that he recorded in a correspondence addressed to SI on April 18, 2023 in
the context of the current Inspection (see Title II.1.1). However, the former DPO failed to
inform the complainant and the SPL.
II.2.1.2. Position of the ChamberContentious
34. Article 17 of the GDPR establishes the right to erasure which allows data subjects
to request the deletion of their personal data if one of the conditions
following is fulfilled: the data are no longer necessary for the purposes for which they were
have been collected or processed (art. 17.1.a) of the GDPR); the person concerned withdraws their
consent on which the processing was based, and there is no other legal basis
for processing (art. 17.1.b) of the GDPR); the data subject objects to the processing
under article 21.1, and there is no overriding legitimate reason for the processing (art. 17.1.c)
of the GDPR); the data was processed unlawfully (art.17.1.d) of the GDPR); data
must be deleted to comply with a legal obligation (art. 17.1.e) of the GDPR); THE
data has been collected from a child in connection with the company's services
information (art. 17.1.f) of the GDPR).
However, the right to erasure is not absolute. Article 17.3 of the GDPR provides for certain
exceptions in which this right does not apply, in particular when the processing of
data is necessary to guarantee the exercise of the right to freedom of expression and
information (art. 17.3.a) of the GDPR), to comply with a legal obligation or carry out a
mission of public interest (or relating to the exercise of public authority vested in the
responsible for the processing) (art. 17.3.b) of the GDPR), to carry out a mission of interest
7See point 21 of this decision. Decision on merits 87/2024 — 9/55
public in the field of public health (art. 17.3.c) of the GDPR), for archival purposes
(art. 17.3.d) of the GDPR), or to establish, exercise or defend legal rights (art. 17.3.e)
of the GDPR).
35. Pursuant to Article 19 of the GDPR, the data controller is required to notify
each recipient to whom the personal data has been communicated
any rectification or erasure of personal data or any limitation
of the processing carried out in accordance with Articles 16, 17.1 and 18 of the GDPR, unless a
such communication proves impossible or requires disproportionate effort. THE
controller provides the data subject with information about these
recipients if they request it.
36. Article 21 of the GDPR governs the right of opposition of data subjects. When the
personal data are processed for prospecting purposes, the person
concerned “has the right to object at any time to the processing of personal data
personal data concerning it (...)” (art. 21.2 of the GDPR). If the data subject “objects to the
processing for prospecting purposes, personal data is no longer
processed for these purposes. » (art. 21.3 of the GDPR).
When a person objects to the processing of data for prospecting purposes
(opposition to direct marketing), it must not provide any justification for its request
opposition. Consequently, the opposition must immediately result in the cessation of all
processing of personal data for direct marketing purposes for the individual
concerned, without the need for additional examination (see Title II.1.2). 10
37. Articles 15 to 22 of the GDPR are intrinsically linked to article 12 of the GDPR which imposes
obligations of the data controller, particularly with regard to the
transparency of information and communications as well as the methods of exercise
of the rights of the data subjects (art. 17 juncto 12 of the GDPR and art. 21.2 juncto 12 of the
GDPR).
The exercise of these rights, in this case the right to erasure (art. 17 of the GDPR) and the right
opposition to direct marketing by the complainant (art. 21.2 of the GDPR) as well as respect for these
rights by the data controller, who must demonstrate his response to the requests of the
8
In the absence of a legal definition of the notion of prospecting, the APD has defined it as “Any communication, solicited or
unsolicited, aimed at promoting an organization or a person, services, products, whether paid
or free, as well as brands or ideas, sent by an organization or a person acting within a framework
commercial or non-commercial, directly to one or more natural persons in a private or professional context,
by any means, involving the processing of personal data. », see Recommendation No. 1/2020 of
January 17, 2020 relating to the processing of personal data for direct marketing purposes, page 8, available
on the APD website.
9 CJEU, Google Spain and Google, C-131/12, May 13, 2014, ECLI:EU:C:2014:317; CJEU, Manni, C-398/15, March 9, 2017,
ECLI:EU:C:2017:197; CJEU, Google), C‑507/17, September 24, 2019, ECLI:EU:C:2019:772; APD, Litigation Chamber,
Decisions 28/2020 of May 29, 2020, 32/2020 of June 16, 2020, 19/2021 of February 12, 2021, 109/2023 of August 9, 2023, 157/2023
10 November 27, 2023”, available on the APD website.
See Recommendation No. 1/2020 of January 17, 2020 relating to the processing of personal data for the purposes of
direct marketing, page 53,. Decision on merits 87/2024 — 10/55
persons concerned, must be assessed and examined in accordance with the provisions
of article 12 of the GDPR.
38. Article 12 of the GDPR imposes on the data controller the obligation to take
appropriate measures to communicate concisely, transparently,
understandable and easily accessible, in clear and simple terms, all
information relating to data processing to the data subject, in particular
when it comes to responding to the rights set out in articles 15 to 22 of the GDPR (art. 12.1 of the GDPR
GDPR). When a data subject makes a request in accordance with Articles
15 to 22 of the GDPR, the data controller is required to respond within one month,
with the possibility of a two-month extension, while informing the person concerned
the reasons for this extension (art. 12.3 of the GDPR). If no response is provided to the
request of the data subject, the controller must promptly
inform, and at the latest within one month of receipt of the request,
the person concerned of the reasons for his inaction but also of his right to file a
complaint to a supervisory authority or to seek legal recourse (art.
12.4 of the GDPR).
39. In conclusion, non-compliance by the person responsible for processing a request made in
under Articles 15 to 22 of the GDPR, in particular the right of erasure when the
conditions of article 17 of the GDPR are met, or of the right of opposition when the
conditions of article 21.2 of the GDPR are satisfied, may result in a violation not
only Articles 17 and 21 of the GDPR, but also Article 12 of the GDPR due to
non-compliance with communication and information obligations.
40. In the present case, as mentioned above in Title II.1.2. of this decision, the Chamber
Litigation notes that the complainant made his request for erasure (deletion
total of his data) on June 30, 2022 by revoking his consent, in accordance with
Article 17.1.b) of the GDPR. Furthermore, it is clear, upon reading the complainant's request, that
this expresses a firm desire to end any commercial relationship with the
defendant. In addition to requesting the total deletion of their data (art. 17.1.b) of the
GDPR), the complainant strongly objects to his data being processed for the purposes of
direct marketing (art. 21.2 of the GDPR). To dispel any doubt regarding the requests of the
complainant, the request for mediation introduced on November 18, 2022 and communicated on November 7
December 2022 to the defendant clarifies the plaintiff's demands. These requirements
relate both to the erasure of their data under Article 17.1.b) of the GDPR and to
opposition to the processing of their data under articles 21.2 and 21.3 of the GDPR,
1GDPR, art. 12.1. ; This information may be provided in writing or by other means, including, where appropriate, by
electronic. Decision on merits 87/2024 — 11/55
which may lead to the application of articles 17.1 b) of the GDPR, as requested by
complainant.
41. In the present case, firstly, the Litigation Chamber finds, on the basis of the
statements made by the defendant during the hearing which took place on October 12, 2023,
i.e. more than a year after the complainant exercised his rights, the defendant has not
still not taken concrete measures to respond to the erasure request and
opposition of the complainant.
The Litigation Chamber would like to point out that as of November 11, 2023, the defendant has
notified the sending of an email to the complainant informing him of the overpressure of his data, without
provide proof and clearly specify whether the opposition request had been processed.
Litigation Chamber decided not to take this information into account in its
deliberations because the debates had already been closed.
42. Secondly, the Litigation Chamber notes that the application of “code 43” by the
defendant on April 11, 2023 limited access to the plaintiff's data within its
system, but did not lead to their deletion. This measure restricted certain
treatments, including telephone calls, but she did not interrupt the sending of
newsletters, which persisted until December 2022. Finally, the promise made by the
defendant in an email of November 3, 2023, even after the close of the debates,
concerning the erasure of the complainant's data, remains unsatisfactory in relation to
to the complainant's requests. The latter had expressly opposed any treatment
later of its data, in particular for prospecting purposes and had required the deletion
full of its data.
43. Thirdly, the Litigation Chamber notes an inconsistency in the chronology of the
events, as presented during the hearing of October 12, 2023 and in the
email in reaction to the hearing minutes. It seems unlikely that data processing
for direct marketing purposes ended in December 2022 while the defendant
indicates that “code 43”, at the origin of the limitation of data processing, is not
only occurred in April 2023 (see point 33). This suggests that the complainant's data
were accessible at least until April 2023 and not until December 2022.
Litigation Chamber adds that the complainant indicated, on January 11, 2023, either
after December 2022, continue to receive calls and emails from the
defendant (see point 8).
44. Fourth, the Litigation Chamber emphasizes that the continuous sending of newsletters,
lasting at least until December 2022, or even until April 2023, despite the
requests for erasure and opposition made by the complainant on June 30, 2022, under
1Email dated November 3, 2023 sent by the defendant in reaction to the hearing minutes.
13Email dated November 3, 2023 sent by the defendant in reaction to the hearing minutes. Decision on merits 87/2024 — 12/55
pretext of the existence of a separate system for the management of advertising emails, do not
can justify the continued processing of the complainant's data for marketing purposes
direct.
45. Fifthly, the Litigation Chamber understands that the defendant invokes
implicitly the exception provided for in article 17.3.b) of the GDPR, namely the conservation of
data of the complainant in the German IT system to respond to
legal obligations, in this case “tax audit”. The Litigation Chamber
recalls that it was up to the defendant to invoke one of the exceptions under article 17.3
of the GDPR, to justify this invocation, and to inform the complainant of the non-deletion in
precisely reason for this exception (art. 12.1, 12.3 and 12.4 of the GDPR and art. 17.3 of the GDPR),
which she did not do at that time. Nevertheless, the Litigation Chamber notes that
this exception cannot justify the continued processing of the complainant's data
for direct marketing purposes, whether by telephone canvassing or mail
electronic.
46. The above-mentioned information reveals that the processing of the complainant's data
continued for prospecting purposes despite the request for erasure and opposition.
This lawsuit indicates that the defendant not only did not stop all treatment
personal data of the complainant for prospecting purposes, but did not
clearly not deleted the complainant's data as soon as possible nor informed him
of the response given to his requests.
47. In view of the above, the Litigation Chamber concludes that the defendant does not
complied with Articles 17 and 21 of the GDPR, while neglecting to respect the obligations of
prompt, explicit and transparent response and communication as set out in
Articles 12.1, 12.3 and 12.4 of the GDPR.
II.2.2. Alleged violation of article 5.1.a) of the GDPR (principle of lawfulness, fairness and
transparency)
II.2.2.1. Position of the defendant
48. During the hearing, the defendant argued that direct marketing activities and
the sending of newsletters was based on the consent of users, obtained via a
Proactive opt-in mechanism with easy unsubscribe option.
Other types of processing were mainly based on the need to carry out the
CONTRACT.
14See minutes of hearing of October 12, 2023, B.2., p.6. Decision on merits 87/2024 — 13/55
II.2.2.2. Position of the ChamberContentious
49. The principle of lawfulness is one of the key principles of the GDPR and alone conditions the
triggering of the other principles of the GDPR governing the processing of data
personal character. According to this principle, personal data must be processed
lawful, fair and transparent manner with regard to the person concerned. So that a
processing of personal data is recognized as lawful, the processing must
be based on the consent of the data subject or rely on another
basis provided for by the GDPR in its article 6. 15
50. Article 6.1 of the GDPR lists six legitimate grounds for processing: in addition to the
consent (art. 6.1.a) of the GDPR), the processing of personal data may
be necessary for the execution of a contract (art. 6.1.b) of the GDPR), to comply with an obligation
legal (art. 6.1.c) of the GDPR), for the execution of a mission of public interest or relating to
the exercise of public authority (art. 6.1.e) of the GDPR), for the purposes of legitimate interests
pursued by the data controller or by a third party (art. 6.1.f) of the GDPR), or is
necessary to safeguard the vital interests of the person concerned (art. 6.1.d) of the
GDPR). In the absence of an adequate legal basis, the processing of personal data is
prohibited.
51. The continued processing of personal data for prospecting purposes, as
cold calling or sending newsletters, despite a request for erasure
without any exception provided for in article 17.3 of the GDPR being able to be invoked, or
despite a request for opposition in accordance with articles 21.2 and 21.3 of the GDPR, may
lead to a violation of article 6 juncto 5.1.a) of the GDPR when the processing of
data continues without basis of lawfulness. In other words, non-compliance with requests
erasure and/or opposition may go beyond the simple violation of Article 17 and/or 21 of the
GDPR.
52. The principle of loyalty and transparency established in Article 5.1.a) of the GDPR is not limited to
to the simple information and transparency obligations listed in the articles of the
GDPR, but consists of a general principle, the scope and philosophy of which must be
respected for any treatment. This principle, enshrined in particular by article 12 of
15GDPR, art. 5, paragraph 1, a); art. 6 to 9; recital 40.
16See EPDB decision 01/021 in which it is stated: “Based on the above considerations, the EDPB underlines
that the principle of transparency is not circumscribed by the obligations arising from Articles 12 to 14 of the GDPR, although these
The latter are a concretization of the first. Indeed, the principle of transparency is a general principle that only
reinforces other principles (e.g. fairness, accountability), but from which many other provisions flow
of the GDPR. Furthermore, as noted above, Article 83(5) of the GDPR provides for the possibility of establishing a violation of the
transparency obligations regardless of the violation of the principle of transparency. Thus, the GDPR distinguishes the
broader dimension of the principle of more specific obligations. In other words, transparency obligations do not
do not define the full scope of the principle of transparency. ". (Free translation from the Litigation Chamber) EDPB, Binding
decision1/2021onthedisputerisenonthedraftdecisionoftheIrishSupervisoryAuthorityregardingWhatsAppIrelandunder
Article 65(1)(a) GDPR, July 28, 2021, §192. Decision on merits 87/2024 — 14/55
17
GDPR aims to ensure that the people concerned are informed in a concise manner,
transparent, understandable and easily accessible regarding the processing of their
personal data. In addition, it obliges the data controller to take
appropriate measures to respond effectively to requests made by
data subjects pursuant to Articles 15 to 22 of the GDPR. This involves providing
complete information, written in clear and simple language, and presented in a manner
concise, easily accessible and easy to understand, with regard to the treatment of
18
their data. By guaranteeing total transparency in data processing
personal, this principle reinforces confidence in the processing of data and ensures the
respect for fundamental rights regarding data protection.
53. Finally, in accordance with article 5.2 of the GDPR, read in conjunction with article 24 of the GDPR, 19
which enshrines the principle of responsibility (or “accountability”), the person responsible for
processing is responsible for compliance with the principles of data protection
personal, in this case the principle of lawfulness and transparency. He must take
appropriate technical and organizational measures in order to guarantee and be able to
to demonstrate that the processing of personal data complies with the
legal obligations provided for by the GDPR; which implies that it must be able to provide
proof of its compliance in response to any request from the authorities of
control.
54. In the present case, firstly, the Litigation Chamber took into account the
explanations provided by the defendant concerning its direct marketing activities,
including telephone calls and sending newsletters, which were based on the
consent of customers under Article 6.1.a) of the GDPR. Furthermore, the Chamber
Litigation noted that the defendant argued that the plaintiff had initially
given consent by checking the “consent” box to receive messages
advertising, and that the sending of newsletters was the subject of a separate management system.
55. The Litigation Chamber noted that the complainant had exercised his right of erasure
and opposition on June 30, 2022. During the hearing, the defendant confirmed that the
complainant continued to receive commercial messages until December 2022.
paradoxically, the defendant also indicated that the limitation of processing
data using “code 43” was only implemented on April 11, 2023, which
suggests that the complainant's data was processed, even in a limited way, at least
until April 2023, and not December 2022. Thus, the processing of the complainant's data at
17
18See points 38 to 40 of this decision.
Recitals 58 and 60 of the GDPR specify that “the principle of fair and transparent processing requires that the person
concerned is informed of the existence of the processing operation and its purposes" and that "the principle of transparency
requires that any information addressed to the public or the person concerned be concise, easily accessible and easy to follow
understand, and formulated in clear and simple terms (...)”.
19See Title II.2.3. of this decision. Decision on merits 87/2024 — 15/55
direct marketing purposes continued without basis of lawfulness, or withdrawal by the complainant
of his consent. Since this consent has been withdrawn by the complainant (by
the exercise of its right to erasure and opposition), the continued processing of its
data for direct marketing purposes was carried out without basis of lawfulness, violating the
principle of lawfulness set out in article 5.1.a) of the GDPR.
56. Furthermore, the Litigation Chamber does not find the argument put forward by the
defendant according to which the complainant continued to receive messages
commercial due to a so-called “consent box” initially checked,
suggesting perpetual consent. The complainant had clearly revoked his
consent by exercising your rights of erasure and opposition, and by declaring
explicitly no longer purchase the defendant's products. Therefore, the
defendant no longer had a legal basis to justify the processing of the data
for direct marketing purposes, upon exercising your rights of opposition and erasure
by the complainant. Furthermore, the argument put forward by the defendant, according to which the sending of
advertising emails was justified by the existence of a separate management system, cannot
convince the Litigation Chamber, as long as it is up to the person responsible for processing
to organize yourself in such a way as to comply with the obligations of the GDPR.
57. Secondly, the Litigation Chamber notes that on the date of the hearing, the defendant
had still not informed the complainant of the measures taken in response to the exercise of his
rights of erasure and opposition. Furthermore, although she committed on November 3
2023 to regularize the situation in accordance with article 17 of the GDPR, this declaration
confirms the defendant's non-compliance with the principle of transparency set out in article
5.1.a of the GDPR resulting from non-compliance with its obligations to provide information and
communication, as defined in article 12 of the GDPR. Furthermore, the Chamber
Litigation highlights that the opposition request remains unprocessed to this day.
58. Considering the time elapsed between the exercise of rights in June 2022 and the commitment to
inform the plaintiff in November 2023, it is established that the defendant did not take the
appropriate measures to communicate all information relating to the processing
data, including responses to the rights of erasure and opposition, such as
as required by Article 12.1 of the GDPR. Furthermore, the defendant did not provide information on the
actions taken following erasure and opposition requests within the period of a
month prescribed by article 12.3 of the GDPR, nor provided any justification to the complainant
for its inaction contrary to what is required by Article 12.4 of the GDPR.
59. In conclusion, the defendant continued to process the plaintiff's data at
direct marketing purposes, whether via telephone calls or emailing
advertising, without legal basis within the meaning of Article 6 of the GDPR, for a period ranging from
six to ten months after the latter made his request for deletion and opposition, Decision on the merits 87/2024 — 16/55
violation of the principle of lawfulness. Furthermore, the defendant did not comply with the request
deletion and opposition of the complainant, these requests having remained unanswered
for more than one year and five months with regard to the erasure request, and
still remaining unanswered regarding the opposition request.
60. In view of the above, the Litigation Chamber concludes that the defendant violated
the principles of lawfulness and transparency set out in article 5.1.a) of the GDPR by not respecting
not the requirements of Articles 6 and 12 of the GDPR.
II.2.3. Alleged violation of Articles5. 2 and 24 of the GDPR (principle of liability)
II.2.3.1. Position of the defendant
61. The following arguments were raised by the defendant only during the hearing:
a) Regarding the former DPO and his role, the defendant described him as
competent in communication and labor law, but noted gaps in
its management of communications with the IS, the SPL and the Litigation Chamber. These
shortcomings have generated problems and highlighted weaknesses in its
management of internal communications within the defendant, which
ultimately led to his replacement.
b) Regarding the complainant's request for erasure, although the former DPO
has taken internal measures to deal with the complainant's requests, including
using “code 43” and, according to the defendant, informing the IS within the framework
of the inspection to which it was subject (see Title II.1.1), he however failed to
respond to the SPL and inform the complainant. The former DPO thought that the data
placed under the “code 43” category resulted in the deletion of data, and
not a data limitation. The defendant also clarified that it does not
could not verify or confirm the deletion of the complainant's data by the
German subcontractor because no written confirmation had been provided by this
last. The defendant confirmed that it no longer had control of this data.
On November 3, 2023, in reaction to the hearing minutes, the defendant clarified that the
misunderstanding with the German subcontractor regarding the categorization of
data under “code 43” was the result of a mistaken belief by the former DPO
and management who believed that this code resulted in the erasure of data
personal while it actually resulted in their non-accessibility by the front desk
of their system. This situation would be being rectified with the assistance of the
new DPO (current DPO).
c) With regard to the responsibility for data processing between the sub-contractor
dealing with German and herself, the defendant expressed uncertainty as to the merits of the Decision 87/2024 — 17/55
structure of this responsibility, while noting a tendency to consider oneself
as the sole controller.
In reaction to the hearing report, the defendant clarified that it is linked to the sub-
German processor through a subcontracting contract (art. 28 GDPR).
d) Regarding the exclusive access of the former DPO to the “privacy@Y.be” mailbox,
the defendant explained that this created difficulties, particularly during
absences due to illness or leave, affecting its ability to process requests for
efficient manner. She pointed out that the former DPO, being employed part-time
for three days a week, was often overloaded. The defendant announced
the end of the contract of the former DPO following a notice period, specifying that
since July 11, 2023, his successor has operated full time, supported by two
other collaborators, for shared management of the mailbox which contains all
emails, including those from APD. This new organization aims to guarantee
better responsiveness. The defendant undertook to comply with the
decisions of the APD and not to retain customer data unnecessarily.
In reaction to the hearing minutes, the defendant reaffirmed its desire to reduce the
risk of unprocessed correspondence, by taking administrative measures,
namely the establishment of a team of three people, including the new DPO
(current DPO), to manage the email box.
II.2.3.2. Position of the ChamberContentious
62. With regard to the principle of liability (art. 5.2 of the GDPR), the Chamber
Litigation reminds that the data controller must implement measures
appropriate technical and organizational measures to ensure and be able to
demonstrate that the processing is carried out in accordance with the GDPR and other laws of
protection of personal data (art. 24.1 of the GDPR). These measures are reviewed and
updated if necessary. Then, article 24.2 of the GDPR establishes that “when it is
proportionate to the processing activities, the measures [referred to in Article 24.1.
of the GDPR] include the implementation of appropriate policies regarding
protection of data by the data controller” (this is the Litigation Chamber
which underlines).
63. Recital 74 of the GDPR adds that “it is important, in particular, that the person responsible for the
processing is required to implement appropriate and effective measures and is
even demonstrate compliance of processing activities with the [GDPR], including
the effectiveness of the measures. These measures should take into account the nature, scope, and substance of the decision 87/2024 — 18/55
context and purposes of the processing as well as the risk that it presents for the
rights and freedoms of natural persons”.
64. In execution of the principle of responsibility, it is therefore up to the data controller
to develop internal procedures allowing the persons concerned to exercise
effectively their rights, and to integrate respect for GDPR rules into their processing
and procedures, for example, by ensuring the existence and effectiveness of procedures for
processing of requests from data subjects (art. 25 of the GDPR).
65. Measures implemented in accordance with the principle of accountability, read
jointly with the principle of transparency (art.5.1.a) of the GDPR), aim to enable
20
data subjects to control the processing of their data.
66. With regard to the data protection officer (DPO), Chamber 21
Litigation reminds that the GDPR clearly defines the responsibilities of the manager
data processing, in particular Article 38.2 of the GDPR. This article states that “
the data controller and the processor assist the data protection officer
data to carry out the missions referred to in Article 39 by providing the resources
necessary to carry out [its] missions, as well as access to personal data
personnel and processing operations, and allowing it to maintain its
specialized knowledge” (emphasis added by the Litigation Chamber).
67. In this regard, the Litigation Chamber is of the opinion that the following aspects, in particular,
22
must be taken into consideration:
- The association of the DPO or, where applicable, his team, in all questions relating
to data protection. This includes informing and consulting the DPO as soon as
that a data processing project is envisaged, thus promoting compliance with the
GDPR and encouraging an approach oriented towards data protection from
design (known as “by design”). The DPO must naturally
become a central interlocutor within the organization, for example by participating
to working groups dedicated to data processing activities within
the company;
- Recognition and promotion of the DPO function by management
senior (e.g. board level);
- Adequate time allocation so that the DPO can perform effectively
of its tasks is essential. This aspect is of particular importance when
The DPO carries out his role part-time, whether internal or external to the organization.
20See recital 78 of the GDPR.
21Litigation Chamber, decision 41/2020, paragraphs 87 and 88.
22WP29, “Guidelines for Data Protection Officers (DPDs)”, 16/FR WP, 243 rev.01, April 5, 2017,
p. 16. Decision on merits 87/2024 — 19/55
The lack of time allocated to the DPO to carry out his duties could
cause conflicts of priorities and compromise its ability to accomplish its
missions. To remedy this situation, WP29 recommends determining,
jointly with the DPO, the estimate of the time necessary to exercise its
function (the need is greater when entering the function). He can be
useful to establish a work plan that prioritizes the DPO's tasks to ensure that he
has the time necessary to fully assume his responsibilities. Of
Furthermore, it is essential that the allocation of resources for the DPO be proportional
the size, complexity, structure and risks associated with the activities of
data processing. As a result, the more processing operations are
complex or sensitive, the more resources allocated to the DPO must be
substantial;
- An official communication of the designation of the DPO to all staff
to ensure that its role within the organization is widely known;
- Adequate support in terms of financial resources (including
budget for awareness-raising actions or recruitment of a team
temporary or permanent), and infrastructure (premises, installations,
equipment) and personnel, if applicable;
- Default access to legal documentation related to data processing
personal involving the organization with third parties, in particular partners and
The subcontractors ;
- Access to internal communication tools in the accomplishment of its
missions in order to be able to raise awareness and train on the requirements of the GDPR, including
raising awareness of good practices and managing incidents such as e-
fraudulent emails or data breaches;
- Access to other services, such as human resources, legal department,
IT department, security, etc., to enable the DPO to receive the
support, contributions and essential information from these other services 23;
- Continuing training to maintain the specialized knowledge of the DPO
day ;
- Depending on the size and structure of the organism, it may be necessary to constitute
a team around the DPO. In such cases, it is appropriate to clearly establish the
internal structure of the team as well as the tasks and responsibilities of each
member.Similarly, when the DPO function is outsourced to a service provider
services, a team of people working on behalf of that entity can
23Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 38 GDPR, margin number 20 (C.H. Beck 2020, 3rd Edition). Decision on merits 87/2024 — 20/55
assume the missions of the DPO as a group, under the responsibility of a
designated primary contact person for the customer.
68. Ultimately, the DPO function must be exercised effectively to ensure effective management practices.
effective and GDPR-compliant data protection. The data controller is
legally required to put in place the necessary structures and measures to facilitate
the work of the DPO and guarantee the protection of personal data. This involves
provide the DPO with adequate resources depending on the nature of the processing
data carried out and the associated risks, as well as the provision of time and
access necessary to facilitate and support the role within the organization.
69. On the basis of the factual elements present in the file, the Litigation Chamber
notes the following:
a) With regard to the request for deletion and opposition made as of
June 30, 2022:
i. The defendant restricted the processing of data by using the “code
43”, thus making the data inaccessible from the front desk of their
system. However, this measure does not respond to initial requests
of the complainant, who requested the total deletion of his data and
objected to any further processing for prospecting purposes, placing
thus highlighting a clear gap in technical measures and
organizational structures in place.
ii. The complainant's personal data was, in any event
until the date of the closure of the debates, always kept by the deputy
German treatment of the defendant despite his request for deletion and
opposition. The inability to conclusively verify or confirm
the effective deletion of this data raises concerns about
the effectiveness of the internal procedures currently in place, both in
regarding the deletion of data that coordination between
various entities of the defendant to comply with the GDPR.
b) With regard to responses to requests for deletion and
objection of the complainant:
i. Until the date of the close of the proceedings, the defendant had still not
not responded to the complainant's requests for deletion and opposition,
thus revealing a major flaw in the implementation of measures
appropriate technical and organizational measures to ensure compliance with
rights of data subjects under the GDPR. Decision on merits 87/2024 — 21/55
ii. The justification for receiving newsletters based on the
consent of the complainant, even when he has exercised his right
erasure and opposition, reveals a failure in the measures
aimed at guaranteeing transparency, respect for consent, and
deletion and opposition of data, including in entities
distinct within the defendant's network, in contradiction with the
GDPR requirements.
c) With regard to the DPO and the new measures taken by the defendant,
i. The defendant admitted that the former DPO worked part-time and
was in an overload situation, which prevented him from responding
effectively multiple letters. This situation is worrying, because the
DPO plays a vital role in ensuring GDPR compliance.
In accordance with the GDPR, the data controller must
provide the DPO with all the necessary means to enable him to accomplish
its tasks and obligations adequately in accordance with Article 38
of the GDPR (see points 66 to 68). The fact that the former DPO worked on time
partial while being overloaded highlights a failure in the implementation
appropriate organizational measures to ensure the
GDPR compliance.
ii. The Litigation Chamber notes that the defendant's decision
to hire a new full-time DPO was taken following
the inspection carried out by the IS (see Title II.1.1). These corrective measures taken
in reaction to the IS investigation (see Title II.1.1), highlight a
breach of the principle of liability arising from article 5.2 juncto
24 of the GDPR. Such measures should have been put in place
prior to APD intervention to ensure compliance
continues with the GDPR.
iii. Despite the communication problems of the former DPO, the lack of
response to requests from the SP and the investigation carried out by the SI (see Title II.1.1),
the defendant did not adopt a more cautious approach by taking
adequate measures to improve its processes and ensure compliance
to the GDPR, both for past and future requests from individuals
concerned. For example, it would have been wise to ask the new DPO,
engaged since July 11, 2023 and assisted by two administrators,
consult all the emails still present in the mailbox «
24See also points 64 to 70. Decision on merits 87/2024 — 22/55
privacy@Y.be” in order to process unresolved requests. To hide behind
behind an alleged ignorance of the content of the emails
precedentand lay the responsibility on the formerDPWe do not exonerate it in any way
responsibility of the defendant, especially since it was, according to the
declarations of the defendant, the subject of an investigation by the SI and was immediately
aware of the problems of the former DPO. Although the defendant
has taken certain measures to remedy the situation, in particular by
hiring a new full-time DPO and strengthening the team, these
measures remain insufficient in the eyes of the Litigation Chamber.
The defendant, by virtue of the principle of liability, should have taken into account
given the contentious context and the need to respect the provisions of the
GDPR, take proactive measures to improve its processes and
ensure GDPR compliance.
70. Furthermore, the absence of technical or organizational measures, such as the absence of
measures limiting the retention of data beyond what is necessary or the
lack of knowledge of the codes used in requests for deletion of
data or opposition, may compromise the confidentiality and security of the data
personal data of the persons concerned. Consequently, the Litigation Chamber attracts
the defendant's attention to the imperative of respecting the principle of security and
confidentiality set out in Article 5.1.f) of the GDPR, in conjunction with Article 32 of the GDPR.
Finally, the Litigation Chamber strongly encourages the defendant to continue its
efforts in implementing measures to effectively support the function of the DPO.
71. In view of the above, the Litigation Chamber concludes that the defendant does not
complied with articles 5.2 and 24 of the GDPR.
II.2.4. Alleged violation of Article 31 of the GDPR (cooperation with the data protection authority
control)
II.2.4.1. Position of the defendant
72. During the hearing, the defendant raised several arguments:
a) The problems with the APD began under the management of the former DPO. Neither the DPO
nor management were informed of the APD requests (see Title II.2.3)
b) The current DPO discovered the correspondence from the Litigation Chamber
only two weeks before the hearing, and only the former DPO was informed of the
ODA correspondence. Decision on merits 87/2024 — 23/55
c) The defendant clarified that the former DPO had not transmitted internally the
information including the invitation to conclude and the mediation emails sent
by the SPL, thus hindering any appropriate response.
d) The former DPO had not properly processed letters from the APD nor those from the
complainant, and had not shared this information internally, due to his
work overload (see Title II.2.3).
e) Despite measures taken to limit the processing of the complainant's data,
no contact has been made with the complainant or the APD, and the emails from the APD are
remained unprocessed in the “privacy@Y.be” mailbox.
73. In reaction to the minutes, the defendant specified that the former DPO had not responded to the
APD communications due to its workload from December 2022 to March
2023, a justification emanating from the former DPO himself, and not from the defendant. Of
Furthermore, the former DPO would not have informed management of this work overload. This same
argument of non-reaction was also invoked to justify the lack of response to the
IS communications during this period.
II.2.4.2. Position of the ChamberContentious
74. Article 31 of the GDPR states that the controller, the processor, and the case
Where applicable, their representatives must cooperate with the supervisory authority, upon request.
the latter, in the execution of its missions. This cooperation is of crucial importance
to enable the supervisory authority to effectively carry out its functions and missions
in the field of data protection. In this regard, it is appropriate to read article 31 of the
GDPR in conjunction with Articles 57 and 58 of the GDPR, which define the missions and
the investigative powers of the supervisory authority.
75. The general duty of cooperation set out in Article 31 of the GDPR is reinforced by Article
83.4.a) of the GDPR which qualifies this cooperation as “an obligation incumbent on the person responsible for the
treatment and the subcontractor. ". Failure to comply with this obligation of cooperation
furthermore constitutes a full-fledged infringement of the GDPR, as set out in Article 83 of the GDPR.
GDPR:
“Violations of the following provisions are subject, in accordance with paragraph 2,
administrative fines of up to EUR 10,000,000 or, in the case of
company, up to 2% of the total annual worldwide turnover of the preceding financial year, the
the highest amount being retained: a) the obligations incumbent on the person responsible for
processing and the subcontractor under Articles 8, 11, 25 to 39, 42 and 43; […]”.
25Article 57 of the GDPR defines the extended missions assigned to supervisory authorities, while Article 58 of the GDPR
specifies the broad investigative powers conferred on them under the Regulation. Decision on merits 87/2024 — 24/55
76. Article 83 of the GDPR also sets out the criteria used to decide on the imposition
a fine and its amount. Significantly, the degree of cooperation
is explicitly mentioned as one of the eleven criteria influencing the determination of
these sanctions (art. 83.2 of the GDPR).
77. Recital 82 of the GDPR also reinforces this obligation of cooperation by requiring
including the keeping of records of processing activities, as well as the obligation to
make these records available to the supervisory authority upon request. This consideration
aims to enable the supervisory authority to verify and control the operations of
processing, as well as to carry out its missions in accordance with Article 57 of the GDPR.
78. The Litigation Chamber recalls that both those responsible for processing and those responsible for processing
processors report directly to the supervisory authorities under the obligations
to maintain and provide appropriate documents upon request, to cooperate with
investigations and to comply with administrative injunctions. More precisely, the duty
general cooperation 26 implies that the controller and the processor
must :
a) Respond to requests from the supervisory authority: When the supervisory authority,
such as ODA, requests information, data or responses relating to
to the processing of personal data, the controller and the subcontractor
processing party must provide this information completely and on time.
outsourced;
b) Collaborate actively: The controller and the processor must
work closely with the supervisory authority to help it carry out
its missions, in particular by providing information on the practices of
processing of data and taking measures to remedy possible
GDPR violations;
c) Comply with the instructions of the supervisory authority: If the supervisory authority gives
specific instructions for complying with the GDPR, the controller
processing and the subcontractor must follow them appropriately.
It is important to note that this list is not intended to be exhaustive.
79. In summary, the fundamental objective of this general obligation of cooperation imposed on
each controller and processor aims to ensure effective supervision
and scrupulous compliance with data protection rules. THE
controllers and processors must actively cooperate and collaborate
fully with the supervisory authority to ensure compliance with the provisions of the
26CEPD, Guidelines 07/2020 concerning the notions of controller and processor in the GDPR,
Version 2.0, Adopted on July 7, 2021, point 9. Substantive decision 87/2024 — 25/55
GDPR and protecting the data rights of data subjects
personal. This obligation, combined with the principle of responsibility set out in article
5.2 of the GDPR, reinforces the role of the supervisory authority in the exercise of its powers
with a view to effective application of the rules for the protection of personal data.
80. Failure to comply with this obligation exposes you to separate administrative fines.
in accordance with article 83.4.a) of the GDPR. Finally, the violation of this obligation to
cooperation can also be considered a violation of the principle of
liability (art. 5.2 of the GDPR).
81. In this case, the Litigation Chamber notes that the SPL has taken steps
to the defendant with a view to mediation. More specifically, the SPL addressed
two requests dated December 7, 2022 and January 17, 2023, to which the
defendant did not respond. Furthermore, the SPL included the complainant's request in the
request for mediation, thus reminding the defendant of its duty to respect
in particular the right to erasure of the complainant. However, despite these steps, the SPL
had to notify the failure of mediation on February 20, 2023, due to the lack of reaction
of the defendant, both at mediation and at the request of the plaintiff (see points 4 to 11).
82. Concerning the emails and letters from the SPL addressed to the defendant, the Chamber
Litigation notes the absence of technical and organizational measures which
would allow the defendant to have an overview of the issues related to the
GDPR processed by the former DPO and/or to verify the correct processing of requests
addressed to the former DPO, which highlights the negligence of the defendant (see Title II.2.3).
83. On the one hand, the Litigation Chamber notes that this negligence seems to result
mainly from confusion due to the fact that the defendant was subject to a
inspection carried out by the IS (see Title II.1.1), which remains secret in accordance with article
63§3 of the LCA. In this context, the Litigation Chamber emphasizes that the defendant
is required to cooperate with all APD services. Lack of response to a letter
sent by one of the APD services, in this case an invitation to cooperate in mediation
by the SPL, could be interpreted as a refusal of cooperation and potentially
be considered a violation of Article 31 of the GDPR.
84. On the other hand, the Litigation Chamber observes that the defendant is trying to clear its
liability by attributing negligence for not responding to SPL communications,
of the IS, the Litigation Chamber and the complainant to his former DPO. The defendant
maintains that she was not informed of the latter's excessive workload, which
would have hampered its ability to respond favorably to requests for ODA and
complainant. Decision on merits 87/2024 — 26/55
It should be remembered that the GDPR sets out several articles establishing the obligations
of a data controller or a subcontractor, in particular articles 5, 6, 9, 25, 32,
33, 37 or even 38 of the GDPR. By virtue of the principle of responsibility (see Title II.2.3), the
data controller must demonstrate compliance with the provisions of the GDPR by
adopting appropriate technical and organizational measures to protect the
rights and freedoms of natural persons. In the event that the data controller
would appoint a DPO for its litigation department or use an email address
generic like “privacy@Y.be” to respond to people’s requests
concerned, it is our responsibility to ensure that emails are addressed to this address
are regularly consulted and processed, even in the event of resignation of a person having
worked in the department in question and/or the DPO, or in the event of work overload of the DPO.
On this last point, the Litigation Chamber recalls that it is up to the person responsible for
processing to comply with the provisions of Article 38 of the GDPR.
85. Taking into account the particular context surrounding the current inspection (see Title II.1.1) and
the overload of work observed at the former DPO, the Litigation Chamber notes that
the defendant did not properly verify the processing of requests addressed to
the former DPO. Although measures were taken, such as increasing the workforce
and the replacement of the old DPO, they did not seem fully effective, in
particular regarding the review of all previous ODA requests, including
including those of the complainant, which remained unanswered, as well as potentially
other previous requests. To remedy this situation, the defendant could have
consider taking additional measures, such as upgrading with the
new data protection team, emphasizing the need
to examine the contents of the aforementioned email address, with the aim of correcting
possible breaches of the former DPO and to guarantee an adequate response to all
the requests of the people concerned. In any case, compliance with the GDPR
is the responsibility of the data controller, and not the skills and responsibilities of a DPO.
86. Concerning the absence of submission of conclusions, the Litigation Chamber considers that the
defendant has the freedom to choose whether she wishes to defend herself, present her arguments
and support its position in a formal and structured manner. In the absence of such
approach, the Litigation Chamber could be forced to render a decision by
default. In this case, the defendant had the opportunity to orally present its
arguments when summoned to the hearing.
87. In view of the above, the defendant did not fully cooperate with the APD, in
particularly with the SPL, during the mediation procedure. However, the Chamber
Litigation was not able to determine whether this lack of response was the
result of confusion generated by the inspection in progress (see Title II.1.1), or the result Decision on merits 87/2024 — 27/55
a deliberate intention or gross negligence not to cooperate, which leads to
conclude that there is no violation of Article 31 of the GDPR.
III. As for corrective measures and sanctions
III.1. Corrective measures and sanctions
88. Under the terms of article 100 of the LCA, the Litigation Chamber has the power to:
1° close the complaint without further action;
2° order the dismissal of the case;
3° pronounce a suspension of the sentence;
4° propose a transaction;
5° issue warnings or reprimands;
6° order to comply with the requests of the person concerned to exercise these rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or definitive ban on processing;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of the data and the notification of
these to the recipients of the data;
11° order the withdrawal of the approval of certification bodies;
12° give fines;
13° issue administrative fines;
14° order the suspension of cross-border data flows to another State or a
international body;
15° transmit the file to the public prosecutor of the King of Brussels, who informs him of the
follow-up given to the case;
16° decide on a case-by-case basis to publish its decisions on the website of the Authority of
Data protection.
89. The aforementioned article 100 specifies the list of sanctions in article 58.2 of the GDPR.
90. As for the administrative fine which may be imposed in execution of article 83 of the
GDPR and articles 100, 13° and 101 LCA, article 83 of the GDPR provides: Decision on the merits 87/2024 — 28/55
"1. Each supervisory authority shall ensure that administrative fines imposed in
under this article for violations of this regulation, referred to in paragraphs 4,
5 and 6 are, in each case, effective, proportionate and dissuasive;
2. Depending on the specific characteristics of each case, administrative fines are
imposed in addition to or in place of the measures referred to in Article 58(2),
points a) to h), and j). To decide whether to impose an administrative fine and to
decide the amount of the administrative fine, it is duly taken into account, in each case
of species, of the following elements:
(a) the nature, seriousness and duration of the violation, taking into account the nature, scope or
the purpose of the processing concerned, as well as the number of data subjects affected
and the level of damage they suffered;
(b) the fact that the violation was committed deliberately or negligently;
(c) any measures taken by the controller or processor to mitigate the
damage suffered by the persons concerned;
(d) the degree of responsibility of the controller or processor, taking into account
technical and organizational measures that they have implemented under the
articles 25 and 32;
(e) any relevant breach previously committed by the controller or
the subcontractor ;
(f) the degree of cooperation established with the supervisory authority with a view to remedying the violation
and to mitigate possible negative effects;
g) the categories of personal data affected by the violation;
(h) the manner in which the supervisory authority became aware of the violation, in particular whether, and
to what extent the controller or processor has notified the violation;
(i) where measures referred to in Article 58(2) have been previously ordered
against the controller or subcontractor concerned for the same purpose,
compliance with these measures;
(j) the application of codes of conduct approved pursuant to Article 40 or
certification mechanisms approved pursuant to Article 42; And
k) any other aggravating or mitigating circumstance applicable to the circumstances of
the species, such as financial benefits obtained or losses avoided, directly or
indirectly, as a result of the violation.” Decision on merits 87/2024 — 29/55
III.2. Violations noted
91. The Litigation Chamber notes that there are, in this case, serious violations of the rights
fundamentals of the persons concerned (see Title II.2). More specifically, the Chamber
Litigation notes the violations of the following provisions of the GDPR, all attributable
27
to a single behavior of the defendant giving rise to several violations described
below :
a) Violation of articles 17 and 21 of the GDPR (see Titles II.1.2 and II.2.1)
The defendant violated Articles 17 and 21 of the GDPR by failing to respond within
deadlines for a request for erasure of personal data and
opposition to the processing of this data for direct marketing purposes, 28
more than a year after the complainant exercised his rights. Note that these data
were still present on the defendant's servers at the time of
hearing, including those processed for direct marketing purposes.
b) Violation of Article 5, paragraph 1, point a) of the GDPR (see Title II.2.2)
The defendant did not inform the plaintiff of the measures taken in response to his
requests for erasure and opposition, as required by its obligations
information and communication set out in Article 12 of the GDPR, violating the
principle of transparency set out in article 5.1.a) of the GDPR. Furthermore, the pursuit
processing data for direct marketing purposes in the absence of a basis
legal, as required by GDPR, constitutes a violation of the principle of
lawfulness established in article 5.1.a) of the GDPR. In this case, the defendant invoked
consent as a legal basis. However, since this consent has
been removed by the complainant (by exercising his or her right of opposition and erasure),
the continued processing of their data for direct marketing purposes is unlawful,
violating the principle of lawfulness set out in Article 5.1.a) of the GDPR.
c) Violation of articles 5.2 juncto 24 of the GDPR (see Titles II.2.3 and II.2.4)
27EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), adopted on May 24
2023 (v2.1), available on the website https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042022-
calculation-administrative-fines-under fr.
28See points 5 and 40 of this decision.
29
Group 29, Guidelines on transparency within the meaning of Regulation (EU) 2016/679, WP 260, points 1, 7 or 54;
These Article 29 Working Group (G29) Guidelines provide practical guidance and assistance
to the interpretation concerning the new obligation of transparency applicable to the processing of personal data
personnel under the General Data Protection Regulation (hereinafter “GDPR”). Transparency is an obligation
global within the meaning of the GDPR which applies to three central areas: 1) communication to data subjects
information relating to the fair processing of their data; 2) the way in which data controllers
communicate with data subjects about their rights under the GDPR; and 3) the way in which those responsible for
treatment facilitates the exercise by the persons concerned of their rights. These guidelines set out the general principles
relating to the exercise of the rights of the persons concerned rather than dealing with specific modalities for each of the rights
of these people under the GDPR. In other words, they provide guidance on the concepts and principles
underlying rules to be respected when exercising the rights of data subjects, rather than providing instructions
details on how to exercise each specific right in a practical manner. Decision on merits 87/2024 — 30/55
To the extent that the defendant did not respond within the prescribed time limits to the
requests for erasure of personal data and opposition to processing
of this data for direct marketing purposes, this resulted in the maintenance of the
processing of the complainant's personal data without respecting the
data protection principles set out in article 5.1 of the GDPR (see above). This
failure highlights faulty management of requests from
data subjects, in particular with regard to the right of erasure and
opposition of the complainant. In addition, this gap in the management of requests from
persons concerned is reinforced by the inadequacy of the measures taken by the
defendant, such as the use of “code 43” to restrict processing
data, deemed inadequate to respond to the initial requests of the
complainant. This situation also highlights a lack of control over possible
codes used to respond to requests from data subjects. By
elsewhere, the persistence of data in the defendant's servers as well as
the problems linked to the DPO highlight a defect in the implementation of
technical and organizational measures necessary for compliance with the GDPR,
thus revealing an additional gap in technical procedures and
organizational. Consequently, the defendant violated Article 5.2 juncto 24
of the GDPR.
III.3. Corrective measures and sanctions imposed by the Litigation Chamber.
92. As an independent administrative authority, the Litigation Chamber has the power
exclusive right to determine appropriate corrective measures and sanctions
in accordance with the relevant provisions of the GDPR and the ACL. This skill
arises specifically from Articles 58 and 83 of the GDPR, as confirmed by the
jurisprudence of the Court of Markets in its judgments of July 7, 2021, September 6, 2023
30
or even December 20, 2023, which clearly highlighted the extent of power
discretion of the Litigation Chamber concerning the choice and scope of sanctions.
93. In this perspective, the Litigation Chamber will take into consideration all the
relevant circumstances of the case, including – within the limits set out below in
Title III.3.2. – the reaction of the defendant dated April 5, 2024 to the sanctions
envisaged which were communicated to him via the sanction form of March 15
31
2024.
However, the Litigation Chamber recalls that the sanction form aims to
allow the alleged perpetrator of the offense, in this case the defendant, to
30Cour des Marchés, 2021/AR/320, p. 37-47; 2020/AR/1160, p. 34; 2023/AR/817, p. 57, 61 and 62.
31Sanction form dated March 15, 2024; reaction of the respondent to the sanction form dated April 5, 2024. Decision on merits 87/2024 — 31/55
defend against the amount of the proposed fine before its imposition and execution
effective. The defense process provided for through the sanction form on the
amount of the proposed fine does not open new debates on the findings already
established by the Litigation Chamber, the latter being closed. In addition, the mail
accompanied by the sanction form does not constitute a decision likely to
appeal before the Market Court under article 108 of the law of December 3, 2017
establishing the Data Protection Authority.
94. Continuing this explanation, the Litigation Chamber invites the defendant to
consult section “Title II.1.1” of this decision for further explanations
detailed and recalls that it rejects the request to join the file (…) with the file
subject to this decision. Likewise, the Litigation Chamber rejects
the considerations set out in points 2.2.1 to 2.2.4 of the reaction to the sanction form
submitted on April 5 by the defendant, arguing that the debates are closed; and that the
corrective measures envisaged and pronounced are compliant in concreto. However,
these considerations will be taken into account when calculating the fine, because the fine form
sanction aims to allow the defendant to contest the amount of the fine
proposed.
III.3.1. Corrective measures
95. In reaction to the sanction form, the defendant claims to have carried out the erasure
data and have notified the recipients concerned, in particular the subcontractor
German ; it also supports setting up processing operations in
compliance with the provisions of the GDPR. Consequently, it requests the deletion of
the warning issued. However, the Litigation Chamber reminds the defendant that
these notifications were received on November 11, 2024 or April 5, 2024, after the closing
debates. Consequently, the Litigation Chamber is not able to verify the
veracity of the arguments put forward by the defendant and is forced to reject these
arguments, the debates being closed.
96. The Litigation Chamber adopts the following corrective measures:
a) In accordance with article 58.2. c) of the GDPR and article 100, § 1, 6° of the LCA,
order the defendant, due to the violation of articles 17 and 21 of the
GDPR, to satisfy the complainant's requests for erasure and opposition, and this
within 30 days from notification of this decision.
32Sanction form dated March 15, 2024; reaction of the respondent to the sanction form dated April 5, 2024. Decision on merits 87/2024 — 32/55
b) In accordance with article 58.2.g) of the GDPR and article 100, §1, 10° of the ACL,
to order the defendant to erase the data and notify them
here to the recipients of the data, in accordance with article 19 of the GDPR.
c) In accordance with article 58.2. d) of the GDPR and article 100, § 1, 9° of the LCA,
order the defendant, due to the violation of Article 5.1 a) as well
that of articles 5.2 juncto 24 of the GDPR, to put the processing operations in
compliance with the provisions of the GDPR.
d) In accordance with article 58.2. a) of the GDPR and article 100, § 1, 5° of the LCA,
issue a warning to the defendant party, due to the violation of the
articles17,21,5.1. a), 5.2 juncto24 of the GDPR, aiming to improve the management of future
processing of requests from data subjects made under the
articles 15 to 22 of the GDPR.
III.3.2. Administrative fines
97. According to Article 83 of the GDPR, the supervisory authority has the discretionary power to impose a
fine. This power is explained in the EDPB guidelines. 33
98. In accordance with recital 148 of the GDPR, sanctions, including fines
administrative measures, may be imposed in addition to or in place of measures
appropriate in the event of a serious breach, even when it is a first
finding of a breach. Thus, the fact that this is a first observation of a
infringement does not prevent the Litigation Chamber from being able to impose a fine
administrative, in accordance with article 58.2. i) GDPR. The administrative fine does not aim
33EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), points 15, 20, 69, 84,
144. See also the judgment of 7 December 2023, SCHUFA Holding C-26/22 and C-64/22, ECLI:EU:C:2023:958), conclusions
of Advocate General Pikamae in the TR case (C-768/21, EU:C:2024:291), as well as “Guidelines on the application and
setting administrative fines for the purposes of the [GDPR]” of the Article 29 Data Protection Working Group,
adopted on October 3, 2017, p.5 (hereinafter the “guidelines on the application and setting of administrative fines to
purposes of the GDPR).
34Recital 148 of the GDPR states that: “In order to strengthen the application of the rules of this regulation, sanctions,
including administrative fines, should be imposed for any violation of the Regulation, in addition to or instead of
appropriate measures imposed by supervisory authorities under this Regulation. When the offense is minor
or that the likely fine would impose a disproportionate burden on a natural person, blame may be preferred to
fine. However, it is appropriate to take into account the nature, seriousness and duration of the violation, and the intentional nature
the violation, harm reduction measures, degree of liability or relevant prior violations,
the manner in which the violation was brought to the attention of the supervisory authority, compliance with the measures taken
against the controller or subcontractor, compliance with a code of conduct and any other circumstances
aggravating or mitigating. The imposition of sanctions, including administrative fines, should be subject to
appropriate procedural guarantees in accordance with the general principles of Union law and the Charter, including a
effective remedy and due process” (emphasis added).
35CJEU, December 5, 2023, C-807/21, Deutsche Wohnen (ECLI:EU:C:2023:950), paragraph 38: “[…] the principles, prohibitions and
The obligations set out in the GDPR are aimed in particular at "data controllers" who, as highlighted in the
recital 74 of the GDPR, are responsible for any processing of personal data carried out by them or for
their account and who must therefore not only implement appropriate and effective measures, but also be in
able to demonstrate that their processing activities comply with the GDPR, which includes the effectiveness of the measures they
have taken to ensure this compliance. Where an infringement referred to in Article 83(4) to (6) of this Regulation has
been committed, this responsibility constitutes the basis for the imposition of an administrative fine on the controller
in accordance with this article 83. » Decision on the merits 87/2024 — 33/55
36
in no way to put an end to the offenses, but above all aims to guarantee rigorous respect
rules set out in the GDPR.
99. The GDPR requires each supervisory authority to ensure that fines
administrative measures imposed are effective, proportionate and dissuasive in each
case in point (art. 83.1 of the GDPR). In addition, when determining the amount of the fine,
the supervisory authority must take due account, for each specific case, of several
specific elements, such as the nature, seriousness and duration of the violation, taking into account
the nature, scope or purpose of the processing concerned, as well as the number of
data subjects affected and the level of damage they suffered (art. 83.2. a) of the
GDPR); as well as the intentional or negligent nature of the violation (art.83.2.b) of the GDPR)
; and the categories of personal data affected by the violation (art. 83.2.
g) GDPR). Consequently, article 83.2 provides that in order to decide whether it is appropriate to impose
an administrative fine and to decide the amount of the administrative fine, a
authority must take into account all the factors set out in Article 83.2(a)
to k), without exceeding the legal maximum amount set in article 83.4 to 83.6 of the
37
GDPR.
III.3.2.1. Grounds for imposing a fine
100. The Guidelines on the application and setting of administrative fines for the purposes
38
of Regulation (EU) 2016/679 emphasize that, to ensure a harmonized approach to
sanctions, supervisory authorities must assess the appropriateness of imposing a fine in
based on a set of criteria specified in article 83.2 of the GDPR. These lines
guidelines specify that administrative fines are “remedial measures”
whose objective may be “to restore respect for the rules or to sanction a
unlawful conduct (or both).”
101. As the CJEU highlighted in its judgment in case C-311/18 (Facebook Ireland and
Schrems), “the choice of the appropriate and necessary means falls to the supervisory authority”, which
must make this choice taking into account all the circumstances of the concrete case, which
the Litigation Chamber makes throughout its development in Title III.3 of the
this decision.
102. In its Deutsche Wohnen judgment, the CJEU ruled as follows:
36
To this end, the GDPR and the LCA provide for several corrective measures, including the orders mentioned in article 100, §
37 5°, 6° and 9° of the LCA.
In two judgments of December 5, 2023, the CJEU answers these questions by specifying the conditions allowing
national supervisory authorities to impose an administrative fine on one or more controllers: Deutsche
Wohnen, C-807/21, ECLI:EU:C:2023:950, and Nacionalinis visuomenės sveikatos centras, C-683/21, ECLI:EU:C:2023:949.
38WP29, “Guidelines Guidelines on the application and setting of administrative fines for the purposes of
Regulation (EU) 2016/679), 17/FR, WP 253, October 3, 2017 (hereinafter “WP253 Guidelines”), p.6. Decision on merits 87/2024 — 34/55
“The existence of a system of sanctions making it possible to impose, when circumstances
specific to each specific case justify it, an administrative fine in application
of article 83 of the GDPR creates, for data controllers and subcontractors, a
incentive to comply with this regulation. Through their dissuasive effect, fines
administrative measures contribute to strengthening the protection of individuals
with regard to the processing of personal data and therefore constitute an element
key to guaranteeing respect for the rights of these people, in accordance with the purpose of this
regulation to ensure a high level of protection of such persons with regard to the
39
processing of personal data. »
103. In the same judgment, the CJEU notes “that Article 83 of the GDPR does not allow the imposition of
an administrative fine for a violation referred to in paragraphs 4 to 6 thereof, without it being
established that this violation was committed deliberately or negligently speaking responsibly
of the processing, and that, therefore, a culpable violation constitutes a condition for the imposition
40
of such a fine. »
104. In his conclusions in the Land Hessen case, Advocate General Pikamae explains that the
GDPR allows supervisory authorities to impose sometimes very high fines,
constituting an effective element of their arsenal for enforcing regulations, in
in addition to the other corrective measures provided for in Article 58.2 of the GDPR. So,
the supervisory authority enjoys a margin of maneuver and is free to choose among these
measures to remedy the violation noted. 41
105. Although the Litigation Chamber was unable to note that the offenses impact
several people concerned, she emphasizes that the negligence of the defendant
justifies the imposition of a fine.
106. In accordance with the obligation of Article 83.2 of the GDPR, the Litigation Chamber examined
all the factors set out in Article 83.2, points a) to k), to justify both the fine
that its amount. This detailed examination is presented in Title III.3.2.2 of this decision.
For the sake of clarity and readability, the Litigation Chamber refers the defendant to this
39CJEU, 5 December 2023, C-807/21, Deutsche Wohnen (ECLI:EU:C:2023:950), paragraph 73.
40Paragraph 75 of the judgment.
41Conclusions of Advocate General Pikamäe in the Land Hessen case, C-768/21, ECLI:EU:C:2024:291. The general advocate
underlines that when a supervisory authority finds a personal data breach when examining a
complaint, it is obliged to intervene to respect the principle of legality and define appropriate corrective measures
to remedy the violation. This obligation is in accordance with article 57.1 a) of the GDPR, which tasks the authority with controlling
application of the regulations and ensuring compliance. Ignoring an established offense would be inconsistent with this mandate. He
also recalls that the supervisory authority acts in the interest of the person or entity whose rights have been infringed
(§41). To effectively deal with infringements, article 58.2 of the GDPR provides for a “catalogue of corrective measures”
which the authority must use to re-establish a situation consistent with Union law, regardless of the seriousness of the offense (§42).
The Advocate General specifies that Article 58.2 of the GDPR must be interpreted in the light of recital 129 of this regulation, according to
which “any measure[must][...]be appropriate, necessary and proportionate in order to guarantee compliance with this Regulation,
taking into account the circumstances of the case.” In other words, the power conferred on the supervisory authority to use
corrective measures is subject to the condition that the measure is “appropriate”, that is to say that it must be able to restore
a situation consistent with Union law (§45). The Advocate General also indicates that Article 58.2 of the GDPR is limited to
state that each supervisory authority “has the power” to adopt all of the corrective measures listed. Decision on merits 87/2024 — 35/55
title, specifying that the results of this examination not only justify the amount of
the fine, but also the decision to impose a fine on the defendant. Bedroom
Litigation summarizes below the reasons why it decides on the imposition
of a fine and refers the defendant to Titles II.2 and III.3.2.2 of this decision.
a) Nature, seriousness and duration of the violation (art.83.2.a) of the GDPR): The case subject to the
Litigation Chamber concerns a prolonged violation of the provisions
essential elements of the GDPR, affecting the fundamental rights of the complainant in matters
data protection.
i. The request for erasure and opposition was still not respected
more than a year after the exercise of the rights by the complainant, thus violating the
articles 17 and 21 of the GDPR.
ii. The lack of response to these requests led the defendant to process the
data of the complainant to send promotional emails during
a period of at least six months.
iii. Despite the absence of conclusions filed by the defendant, the Chamber
Contentieuse summoned the latter to a hearing where she confirmed
Her presence. The defendant was informed of the matter and could not
ignore the complainant's requests recalled by the invitation to the hearing
sent by the Litigation Chamber. Upon receipt of this summons,
the defendant should have been proactive in consulting her
email containing all exchanges, check the status of requests and
respond.The Litigation Chamber recalls that the defendant indicated
during the hearing that she had access to the electronic mailbox of the former DPO,
managed since then by the new DPO, and that she held all the emails
sent by ODA. However, today at the hearing, the defendant still had not
did not respond to the complainant's requests and even questioned the
need to respond to it, ultimately promising to do so as soon as possible.
promptly. This approach is interpreted by the Litigation Chamber
as a demonstration of flagrant negligence, in violation of the
articles 17 and 21 of the GDPR. The defendant had, thanks to this
summons, an additional period to respond to requests from the
complainant, and attempt to demonstrate, even belatedly, compliance with the
provisions of the GDPR.
b) Negligence or intentional nature of the violation (art. 83.2. b) of the GDPR):
Several elements demonstrate manifest negligence on the part of the
defendant in the management of requests from data subjects. This
negligence is aggravated by prolonged non-compliance with erasure requests Substantive decision 87/2024 — 36/55
and opposition of the complainant, the inappropriate use of “code 43” to limit the
processing of data and the prolonged maintenance of processing of data of the
complainant for direct marketing purposes, even after their erasure requests
and opposition. During the hearing, the defendant had still not taken any
appropriate measures to remedy the situation, indicating the seriousness and
persistence of the violation. This manifest negligence results from procedures
inadequate internal systems and ignorance of GDPR obligations, particularly in
blaming his former DPO.
c) Degree of responsibility of the defendant taking into account the measures
technical and organizational measures implemented in accordance with Articles 25
(art. 83.2. d) of the GDPR): The defendant is entirely responsible for the
management of requests from data subjects, including requests
erasure and opposition of the complainant.
i. The defendant places responsibility on the former DPO, which does not justify
under no circumstances prolonged non-compliance with an erasure request and
opposition, nor non-compliance with the provisions of the GDPR in a more
general. This attitude raises serious questions about the management
responsibilities and internal governance of the defendant.
ii. The Litigation Chamber recalls that a data controller cannot
can evade its obligations by invoking the responsibility of the DPO
to justify breaches of the GDPR. Even if the House
Litigation had to follow the defendant's argument, it
recalls that the defendant had been alerted of the situation on two occasions
: on the one hand, by being the subject of an investigation by the IS (as part of a
other file), and on the other hand, by the invitation to the hearing sent by the
Litigation Chamber. In such a context, continuing to claim that the
DPO is responsible raises serious doubts about the management by the
defending its obligations under the GDPR and calls into question its
ability to meet these obligations.
iii. By using “code 43”, the defendant demonstrated a lack of
mastery of its own codes and nomenclatures, which led to
limitation of processing instead of responding adequately to requests
erasure and opposition of the complainant. Such a lack of control is
concerning. Furthermore, the defendant was unable to determine the existing link
between it and the German subcontractor before concluding that there was a
subcontracting contract. This confusion over the role of the subcontractor and
inability to determine whether data has been erased raises merits Decision 87/2024 — 37/55
doubts about the management of future requests from data subjects and
compliance with articles 15 to 22 of the GDPR.
d) Other aggravating and mitigating circumstances (art. 83.2. k) of the GDPR):
time of the hearing, the defendant had still not responded to the
requests from the complainant, despite the obligation to respond within one month.
For the remainder, in particular the categories of personal data concerned
by the violation (art. 83.2. g) of the GDPR) or the measures taken to mitigate the damage suffered
by the complainant (art. 83.2. c) of the GDPR), the Litigation Chamber refers the defendant
in Titles II.2 and III.3.2.2 of this decision, as well as the summary in section
III.3.2.2.7. All the factors set out in Article 83.2, points a) to k), were examined there,
and it appears that the result of this examination ultimately applies, in the present case, to
justify the imposition of the fine as well as its amount.
107. The defendant thus adopted behavior giving rise to several violations of the
provisions of the GDPR (art. 83.3 of the GDPR), these violations being precisely identified in
42
Article 83.5 of the GDPR: Non-compliance with requests for a significant period
erasure and opposition of the complainant, leading to continued processing of his
personal data for direct marketing purposes, even after its requests
erasure and opposition; and highlighting the absence of guarantees allowing
to ensure compliance with the fundamental principles of the GDPR.
108. These elements fully justify the imposition of an administrative fine to guarantee
respect for the rights of the people concerned and strengthen the dissuasive effect of sanctions
provided for by the GDPR.
III.3.2.2. Starting amount of calculation
109. To determine the amount of the fine in the case submitted to it, the Chamber
Litigation recalls that it takes into account the EDPB guidelines on the calculation of
43
administrative fines.
110. In order to impose an effective, proportionate and dissuasive fine in all circumstances
cause, the supervisory authorities, of which the Litigation Chamber is a part, are supposed to
adjust administrative fines while remaining within the range provided for in the
EDPB guidelines up to the legal maximum amount. This can lead to
significant increases or reductions in the fine, depending on the circumstances of the case
of species.
42CJEU, Judgment of December 5, 2023, Deutsche Wohnen, C-807/21, ECLI:EU:C:2023:950, points 61 to 79.
43EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), adopted on May 24
2023 (v2.1), in particular points 49 and 50. Decision on the merits 87/2024 — 38/55
III.3.2.2.1. Classification of violations under Article 83.4 and 83.5 of the
GDPR
111. The GDPR distinguishes two categories of violations: those punishable according to article 83.4 of the
GDPR, on the one hand, and those punishable under Article 83.5 and 83.6 of the GDPR, on the other
go. The first category of violations carries a maximum fine of 10 million
EUR or 2% of the company's annual turnover, whichever is higher.
retained. As for the second category, it can give rise to a maximum fine of 20
million EUR or 4% of the company’s annual turnover, the highest amount
also being retained.
112. In this case and based on the violations set out in Title III.2 of this decision,
the Litigation Chamber notes that the highest fine applies in accordance with
in article 83.5 of the GDPR. Indeed, in the event of violation of the basic principles of processing
under article 5 of the GDPR as well as the rights of the persons concerned in accordance with
Articles 17 and 21 of the GDPR, the Litigation Chamber may impose a fine
administrative tax of up to EUR 20,000,000 or, in the case of a company, up to 4%
of its total global annual turnover for the previous financial year, the highest amount
high being retained, as provided for in the provisions of section 83.5. a) and b) of the GDPR.
III.3.2.2.2. Seriousness of the violation in the present case
113. Nature, seriousness and duration of the violation (art. 83.2.a) of the GDPR) – The case subject to the
Litigation Chamber concerns a prolonged violation of the essential provisions of the
GDPR, which aim to protect the fundamental rights of individuals with regard to
concerns the processing of their personal data. The GDPR establishes a solid framework for
responsibility for data controllers, in particular in Chapter III, which is
dedicated to the rights of data subjects. These rights, set out in articles 15 to 22,
give individuals direct control over their personal data, ensuring
thus effective protection of their privacy. Thus, violations of articles 17 and 21 of the
GDPR are particularly serious because they infringe fundamental rights
of individuals regarding the protection of personal data.
114. Despite the rights exercised by the complainant, who expressly requested the deletion of
his personal data and objected to the processing for direct marketing purposes, the
defendant did not respond to these requests for more than a year, lacking this
manner to its obligations established by the GDPR. This behavior resulted in the maintenance
the processing of the complainant's data for direct marketing purposes, whether via
telephone calls or sending advertising emails, over a period of six to ten
months, even after his requests for erasure and opposition, thus violating the principles
set out in article 5.1.a) of the GDPR. Decision on merits 87/2024 — 39/55
115. In reaction to the sanction form and therefore after the closure of the debates, the defendant
underlines that the complainant did not “explicitly mention Article 21 of the GDPR in his
request ". On this point, the Litigation Chamber, on the one hand, refers the defendant to
paragraph 34 of its present decision, and on the other hand, adds that it would be excessive to
ask a concerned person to explicitly mention the articles of the GDPR because
this could make the exercise of rights more difficult for individuals who are not
familiar with legal terminology. The main thing is that the request is formulated
in a clear and understandable manner, what a data controller, or his DPO, should
be able to clarify in case of doubt, and thus treat it in accordance with the
provisions of the GDPR.
Next, the defendant emphasizes that after following up on the erasure request
based on Article 17(a), (b) and (c) of the GDPR, there is no additional obligation to
notification to the data subject of the further use of the data for purposes
direct marketing. Unfortunately, as noted by the Litigation Chamber, the
defendant was late in responding to the plaintiff's erasure request, which allowed
the continuation of the processing of data for direct marketing purposes for a period
significant, in contradiction with his request for opposition.
Even following the defendant's reasoning, according to which the plaintiff would not have
formulated as a request for erasure without explicit mention of Article 21 of the GDPR,
concerning the right to object to the processing of data for prospecting purposes, the
Chambre Litigation underlines that the right of erasure has been ignored for more than a
year, thus resulting in a continued violation of the complainant's rights. This finding is crucial, because
even in the absence of an explicit mention of Article 21, the processing of data for
prospecting purposes – as for other purposes – should have been interrupted as soon as
receipt of the erasure request. Consequently, maintaining the processing of
data of the complainant for direct marketing purposes – even following the arguments of
the defendant according to which this period would have only been 2 weeks (see point 118)
– violates the rights of the complainant. For the remainder, the Litigation Chamber returns the
defendant in paragraph 36 of its decision.
116. The Litigation Chamber emphasizes that direct marketing is crucial for the activities
of the defendant, which sells its products nationally. The treatment
data for direct marketing purposes therefore represents an essential component
of its commercial model, directly affecting its customer relations and therefore its turnover
business. Failure to respect the rights enshrined in the GDPR, such as the rights
erasure and opposition, can lead to harmful consequences for life
privacy of the persons concerned. This results in exposure to advertisements Decision on merits 87/2024 — 40/55
targeted and intrusive, as well as by disruptions in their daily lives caused by
unsolicited telephone calls or emails.
117. It appears from the hearing that the use of incorrect codes was systematic and does not appear
be limited to the complainant. However, the number of people whose data would have been
processed in violation of the aforementioned provisions (see Title II.2) remains unknown. By
Consequently, the Litigation Chamber cannot determine the exact number of people
concerned, which could have confirmed the systemic nature of the violations
mentioned above and increase their severity. Thus, the Litigation Chamber is limited to
examine the case of the complainant, the only person concerned identified as being affected
by violation of the provisions in question.
In response to the sanction form, the defendant confirms that the violation did not affect
only one person concerned and that they are limited to a single territory, in this case
Belgium.
118. Concerning the duration of the violation (see Title II, as well as paragraph 61 of this
decision) the Litigation Chamber notes that the latter continued for a
significant period, which increases the seriousness of the infringement.
In reaction to the sanction form, the defendant emphasizes that the impact on the
person concerned during this period was very limited since the complainant would not have
received only a few advertising messages by e-mail and a limited number of attempts
of telephone contacts, i.e. “+/- 5 during a very limited period of 2 weeks at
more (24.11.2022 – 7.12.2022) » . The Litigation Chamber refers the defendant to
points 8, 21, 30, 31, 33 and 42 of this decision, emphasizing that the defendant has
made a promise to respond to the complainant's requests dated June 30, 2022
only on November 3, 2023. This period of silence is undeniably long and does not
does not respect the one-month time limit provided for in Article 12 of the GDPR. Finally, the Litigation Chamber
notes that the defendant has not implemented “code 43” to delete data from the
complainant until April 11, 2023 (see paragraph 33). This suggests that the complainant's data
were not deleted but remained accessible and were processed, even
limited manner, at least until April 2023, and not until December 2022 (see points
32, 33, 40, 43, 42). In this context, the question of the duration of the violation remains
factually objective, allowing the Litigation Chamber to conclude that the period
infringement is significant.
119. Negligence or intentional nature of the violation (art. 83.2.b) of the GDPR) – Several
elements testify to manifest negligence on the part of the defendant in the
management of requests from the people concerned. On the one hand, the prolonged non-compliance with
44Reaction of the defendant to the sanction form dated April 5, 2024, p.7. Decision on merits 87/2024 — 41/55
requests for erasure and opposition by the complainant, in particular by not responding
within the prescribed deadlines; as well as the inappropriate use of “code 43” which resulted in
a limitation of processing, not only reveal the unsuitable nature of the
internal procedures, but also ignorance of the rights set out in articles 15 to 22
of the GDPR and the obligations incumbent on the data controller.
120. This negligence is aggravated by the prolonged continuation of the processing of the data of the
complainant for direct marketing purposes, even after their requests for erasure and
opposition. At the time of the hearing, the defendant had still not taken the
appropriate measures to remedy the situation and respond to the request
of erasure and opposition of the complainant which demonstrates the serious and persistent nature
of the violation.
121. All of these elements illustrate serious negligence in the management of requests from
complainant, indicating that the violation of articles 17, 21, 5.1.a) and 5.2 juncto 24 of the GDPR
actually arises from negligence on the part of the defendant.
122. In reaction to the sanction form, the defendant emphasizes that she was not
negligent because she trusted her DPO, who did not inform her of her problems
resources. Furthermore, given that only the DPO had access to the mailbox and that the
defendant was not the recipient of the initial correspondence sent by mail
electronic to the former DPO, she considers that she cannot be accused of negligence.
However, the Litigation Chamber reminds the defendant that she received a letter
recommended dated January 17, 2023 (see point 9). Then, the Litigation Chamber
refers the defendant to points 54 to 57 of this decision before adding that,
in accordance with article 38.b) of the GDPR which states that “The data protection delegate
data reports directly to the highest level of manager management
treatment or subcontractor", the defendant could have identified the problem(s) and the
resolve rather than placing blind trust in the DPO. Consequently, the
Litigation Chamber cannot agree with the arguments put forward by the defendant for
the aforementioned reasons (Title II.I.3, in particular points 55 and 57.c) of this
decision). The Litigation Chamber confirms that serious negligence in the management of
claims of the complainant are established, which indicates that the violation of articles 17, 21, 5.1.a)
and 5.2 juncto 24 of the GDPR does indeed arise from the negligence of the defendant.
123. Categories of personal data affected by the violation (article 83,
paragraph 2 (g) GDPR) – The data in question concerns contact details
of the complainant, including his or her last name, first name, postal address, telephone number and
email address. Although this information is not considered “data
sensitive” within the meaning of article 9 of the GDPR, they make it possible to identify or contact a
specific person. Decision on merits 87/2024 — 42/55
124. Classification of the seriousness of the violation and setting the appropriate starting amount –
The assessment of the above elements – namely the nature, seriousness and duration of the violation,
as well as the deliberate or negligent nature of the violation and the categories of data to be
personal nature concerned – helps determine the degree of seriousness of the violation
in its entirety. According to this assessment, the seriousness of the violation can be described as “
low”, “medium” or “high”.
a) For violations of low severity, when calculating the administrative fine,
the supervisory authority sets a starting amount for the subsequent calculation including
between 0 and 10% of the applicable legal maximum amount.
b) For violations of medium severity, when calculating the administrative fine,
the supervisory authority sets a starting amount for the subsequent calculation including
between 10 and 20% of the applicable legal maximum amount.
c) For violations of high severity, when calculating the administrative fine,
the supervisory authority sets a starting amount for the subsequent calculation including
between 20 and 100% of the applicable legal maximum amount.
125. In this case, the seriousness of the violation is considered “medium”, for the
reasons summarized below: the complainant's rights of erasure and opposition do not have
been respected; the principle set out in article 5.1.a) of the GDPR was not respected; the violation
46
has lasted for a prolonged period of at least one year; several elements reveal
manifest negligence on the part of the defendant, which aggravates the seriousness of
the offense; although the data in question is not considered sensitive,
they constitute identification or contact information.
126. In this context, it is difficult to maintain that the degree of the violation is “low”, but
rather that it is “medium” or “strong”. It should also be taken into account that
that only one person is affected by this violation. This circumstance allows the
Chamber Contentious to deduce that the violation is of “medium” seriousness.
127. In response to the sanction form, the defendant requests that the violations be
reclassified as “low” rather than “medium”. Furthermore, it underlines that the former DPO
took measures and communicated with the APD in April 2023: apparently, the former DPO
was wrongly convinced that her communication in the context of the inspection she was carrying out
the subject (see Title II.1.1) would be inserted in the file currently processed by the Chamber
Contentious. The Litigation Chamber cannot accept the argument according to which a
response to the SI could be interpreted as a response to requests made in
under Articles 15 to 22 of the GDPR, as prescribed by Article 12 of the GDPR, which mentions
45EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), fn. 60.
46See in particular Title III.3.2.2.2 of this decision. Decision on merits 87/2024 — 43/55
a direct response to the people concerned. Otherwise, a violation
could be repaired while waiting for a supervisory authority to be informed of a potential
violation by complaint or on its own initiative. This conclusion is not only
erroneous in law but would void the exercise of rights by the persons concerned of their
substance. In this context, it is difficult for the Litigation Chamber to qualify the
violation of “low”, thus once again confirming the “medium” character of the
breach.
128. Consequently, the Litigation Chamber should apply, for violations arising
of the unique behavior of the defendant (falling under article 83.5 of the GDPR, with a
medium severity), a theoretical starting amount for the subsequent calculation of the fine
administrative costs of between €2,000,000 and €4,000,000.
129. Taking into account the circumstances assessed in light of Article 83.2 a), b) and g) of the GDPR,
the Litigation Chamber decides to consider a theoretical starting amount of
2,000,000 EUR.
III.3.2.2.3. Turnover of the controller and considerations
additional factors taken into account by the Litigation Chamber for
determine the amount of the fine
130. The GDPR requires each supervisory authority to ensure that fines
administrative measures imposed are effective, proportionate and dissuasive in each
case in point (art. 83.1 of the GDPR).
131. To achieve this, supervisory authorities should apply the definition of the concept
as adopted by the Court of Justice of the European Union (hereinafter “CJEU
") for the purposes of Articles 101 and 102 of the TFEU, namely that the concept of enterprise means
as an economic unit which can be constituted by the parent company and all
subsidiaries concerned. In accordance with EU law and case law, a company must
therefore be considered as an economic unit carrying out activities
commercial/economic, whatever its legal form 47. The objective is to ensure
that the sanctions are adapted to the size and economic power of the company
132. Supervisory authorities are expected to adjust administrative fines based on
the seriousness of the violation, while respecting the range provided in the guidelines
47Recital 150 of the GDPR; WP Guidelines 253, pp. 6-7. The case law of the CJEU gives the following definition: “the
concept of enterprise covers any entity carrying out an economic activity, regardless of its legal status and its
method of financing" (case C-41/90, Höfneret Elser/Macrotron, ECLI:EU:C:1991:161, point 21). The notion of business" must
be understood as designating an economic unit, even if this economic unit is constituted, from a point of view
legal, by different natural or legal persons" (case C-217/05, Confederación Española de Empresarios de
Estaciones de Servicio, ECLI:EU:C:2006:784, paragraph 40). ; CJEU, September 10, 2009, C-97/08 P, Akzo Nobel nv et al. t.
Commission, ECLI:EU:C:2009:536), points 60-61. Decision on merits 87/2024 — 44/55
of the EDPB up to the legal maximum amount. This may lead to surcharges or
significant reductions in the fine, depending on the circumstances of the specific case
133. In addition, Articles 83.4, 83.5 and 83.6 of the GDPR provide that the annual turnover
global total for the previous financial year must be used to calculate the fine
administrative. In this regard, the term “precedent” must be interpreted in accordance with the
jurisprudence of the CJEU in matters of competition law, so that the event
relevant for the calculation of the fine is the decision of the supervisory authority relating to
the fine, and not the time of the sanctioned offense.48
134. Consequently, as an extension of the above, the Litigation Chamber
considers that it can be based on the consolidated turnover figures for the 2023 financial year of the
defendant is more than 50,000,000 EUR 49to determine the amount of the fine
administrative burden that it intends to impose on the defendant. The Litigation Chamber
hereby refers to the annual accounts of the defendant (company Y) as
deposited with the National Bank of Belgium (BNB) on September 25, 2023, making
appear a turnover of more than 50,000,000 EUR for the financial year 2023.
135. Taking into account the minimum and maximum amounts per level set in the directives,
on the one hand, and the annual turnover of the controller, on the other hand, the
Litigation Chamber decides concretely to lower the final starting amount for the
category of offenses (falling under article 83.5 of the GDPR, with a degree of seriousness
average) to a starting amount adjusted to 245,000 EUR.
III.3.2.2.4. Aggravating and mitigating circumstances
50
136. Taking into account article 83 of the GDPR, the Litigation Chamber must also provide reasons
the imposition of an administrative fine and its amount in concrete terms, taking into account
take into account other aggravating or mitigating circumstances listed in article 83.2 of the
GDPR:
a) Measures taken to mitigate the damage suffered by the complainant (art. 83.2.c) of the
GDPR)
i. With regard to the measures taken to mitigate the damage suffered by
the complainant, the Litigation Chamber recognizes the efforts undertaken by the
defendant to remedy the problems encountered with the former DPO,
in particular by reacting to its inaction or incompetence. This happened
materialized by the establishment of a new team dedicated to the management
48EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023),
paragraph 131.
49Annual account for the 2023 financial year available on the website: https://consult.cbso.nbb.be/consult-enterprise.
50Cour des Marchés 2020/1471 of February 19, 2020. Decision on the merits 87/2024 — 45/55
requests from the people concerned but also to any questions
relating to data protection. The objective of this initiative is to
strengthen the responsiveness of the defendant in matters of protection of
data and guarantee its compliance with the GDPR.
ii. However, it should be noted that the Litigation Chamber emphasizes that the
defendant had an annual turnover of more than
51
50,000,000 EUR for the financial year 2023, which illustrates that it had the
financial means necessary to establish and set up a team
dedicated to managing requests from data subjects as well as
any questions relating to data protection, consisting of more
of somebody. Likewise, these financial resources could have
allow a quicker reaction to the incompetence of one's former
DPO.
iii. In addition, the Litigation Chamber takes into consideration the commitment
taken by the defendant during the hearing, where they undertook to regularize
the situation in accordance with Article 17 of the GDPR and to inform the complainant
the erasure of its data. The Litigation Chamber emphasizes that
this commitment only covered part of the complainant's requests (for
recall, a request for erasure and opposition), which gives rise to
concerns about the defendant's total commitment to respect
fully the rights of the persons concerned.
iv. Although steps have been taken to remedy the problems
previous agreements with the former DPO and to regularize the situation, there are still
gaps in the defendant's response to the plaintiff's requests.
b) Degree of responsibility of the defendant taking into account the measures
technical and organizational measures implemented in accordance with Articles 25
(art. 83.2.d) of the GDPR)
i. The Litigation Chamber, assessing the level of responsibility of the
defendant, notes that it is entirely responsible for the management
requests from data subjects, including requests
erasure and opposition of the complainant.
5The annual accounts of company Y, filed with the National Bank of Belgium (BNB), reveal a turnover
increasing: ([.. EUR] EUR on February 29, 2020, [.. EUR] on February 28, 2021 [.. EUR] on February 28, 2022. With a turnover
always exceeded 50 million euros over this period, it is obvious that the defendant had the resources
financial necessary to set up a team or department (including several employees and/or DPO)
dedicated to managing requests from data subjects and data protection issues. ; Account
annual available on the site: https://consult.cbso.nbb.be/consult-enterprise. Decision on merits 87/2024 — 46/55
ii. This responsibility encompasses various aspects, including the effectiveness of
execution of requests, definition of specific codes for
respond appropriately to requests made under the
articles 15 to 22 of the GDPR, as well as the understanding and implementation
clear and effective procedures by all staff,
directors to internal staff.
iii. The defendant, by using “code 43”, demonstrated a lack of
mastery of its own codes and nomenclatures, which resulted in a
limitation of processing instead of responding adequately to requests
erasure and opposition of the complainant. Furthermore, the fact of not
respond to the complainant's requests for more than a year after the exercise
of his rights demonstrates an excessively long waiting period for
process the requests, but above all, this leads the defendant to process
data in contradiction with the fundamental principles of the GDPR
set out in Article 5 of the GDPR.
c) Other aggravating and mitigating circumstances (art. 83.2.k) of the GDPR)
i. Regarding the aggravating circumstances, the Chamber
Litigation notes that at the time of the hearing, the defendant had not
still not responded to the complainant's requests, despite his
aware of the obligation to respond within one month to all
requests made under articles 15 to 22 of the GDPR,
in accordance with Article 12 of the GDPR and the principles of transparency and
of loyalty set out in article 5.1.a. of the GDPR. Furthermore, the Chamber
Litigation emphasizes that the defendant undertook only to
regularize the situation in accordance with article 17 of the GDPR, without
mention article 21 of the GDPR, which concerns the right to object to
processing of personal data. This omission raises
concerns about the defendant's commitment to respect
fully the rights of the data subjects, as provided for in the
GDPR.
137. The assessment of the elements listed in Article 83.2 of the GDPR – namely the measures
taken to mitigate the damage suffered by the complainant; the degree of responsibility and all
other aggravating and mitigating circumstances – are neither likely to increase or
reduce the amount of the administrative fine. Decision on merits 87/2024 — 47/55
III.3.2.2.5. Effective, proportionate and dissuasive
138. The EDPB guidelines recall that the administrative fine for violations
of the GDPR referred to in Articles 83.4 to 83.6 must be effective, proportionate and dissuasive in
each specific case. The supervisory authorities must verify whether the amount meets these
criteria and adjust if necessary.
139. Effectiveness – A fine is deemed effective if it achieves the objectives for
on which it was imposed, such as restoring respect for the rules, sanctioning
52
illicit behavior or both. In this case, the fine acts as an essential tool
to restore compliance with GDPR rules, by sanctioning negligent behavior
and serious of the defendant. Additionally, it aims to deter other violations similar to
53
the future . The prolonged violation of the complainant's fundamental rights, despite his
requests for erasure and opposition, demonstrates the need for a firm response from the
from the Litigation Chamber. Thus, a fine of 245,000 EUR constitutes a
effective measure to achieve these objectives, while taking into account the seriousness of the
breach.
140. Proportionality – The principle of proportionality, as defined in the GDPR, states that
the measures adopted must not exceed what is appropriate and necessary to
achieve the legitimate objectives of the regulation in question. In the case of fines,
this means that their amount must not be disproportionate to the intended goals, 54
the seriousness of the violation, as well as the size and financial capacity of the company
concerned. Therefore, supervisory authorities must ensure that the
amount of the fine is proportionate to the violation, assessed as a whole, in
taking into account various factors such as the financial capacity of the company to pay.
141. In certain exceptional circumstances, a reduction in the fine may be
considered if its imposition would irremediably endanger the viability
economics of the company concerned. This possibility is possible when
objective evidence demonstrates an inability to pay. Furthermore, it is essential
analyze risks by considering the specific social and economic context.
142. In the present case, several criteria, such as the financial capacity of the defendant
and the economic and social context in which it operates, indicate that the fine
proposed is proportionate 56:
52WP 253 Guidelines, p. 6.
53See the development concerning the “dissuasive nature” of this decision, starting from paragraph 145.
54Case T-704/14, MarineHarvest v Commission, paragraph 580, referring to Case T-332/09, Electrabel v Commission, paragraph 279.
55See, to this effect, Case C-387/97, Commission v Greece, paragraph 90, and Case C-278/01, Commission v Spain, paragraph 41, in
which the fine had to be “on the one hand, adapted to the circumstances and, on the other hand, proportionate to the breach
56nstated as well as the payment capacity of the Member State concerned.
EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), point 140. Substantive decision 87/2024 — 48/55
a) Economic viability and financial capacity of the company: With a figure
consolidated annual business of more than 50,000,000 EUR for the financial year 2023, la7
defendant has sufficient financial capacity to support
the proposed fine without compromising its economic viability. Therefore,
a fine of 245,000 EUR remains proportionate to this capacity
financial. This measure therefore remains sufficiently dissuasive without
compromise the economic integrity of the company.
b) Proof of loss of value: No indication suggests that the imposition
of the fine would endanger the viability of the company, leading to a loss
significant to the value of its assets or threatening its ability to continue its
activities in a viable manner. There must be a direct link between the fine and this loss
of value, and it is not automatically accepted that bankruptcy or insolvency
lead to such a loss. In the absence of such tangible evidence demonstrating
this correlation, a reduction in the fine may not be justified.
c) Economic and social context: The defendant operates in the sector of
products “..” in Belgium. In addition, the defendant distributes its products through
the whole country, which suggests that it is not solely dependent on the situation
local economy. This national presence also reduces its dependence on
respect for the local workforce. Therefore, it is unlikely that the
payment of the fine has a significant impact on the economy or social fabric,
given that the defendant operates on a national scale and is not
entirely linked to a specific region.
143. In response to the sanction form, the defendant requests a reduction in the amount
of the fine due to the exceptional circumstances she encountered during
of the last five years, attributable to external factors over which it had no control
control. These conditions affected its turnover, costs and profitability.
144. The defendant then presents its financial development from 2019 to 2022, marked by a
negative growth in turnover and losses in 2019, an increase in 2020
despite increasing costs, reduced turnover and losses in 2021, and
further deterioration in 2022 due to the economic crisis, leading to a
further reduction in turnover and financial losses. For the current financial year
2023-2024, the defendant still anticipates a significant financial loss, with
prospects of a difficult financial recovery until 2026-2027. Faced with this
57As a reminder, the annual accounts of company Y, filed with the National Bank of Belgium (BNB), reveal a
turnover increasing: [.. EUR] on February 29, 2020, [.. EUR] on February 28, 2021 and [.. EUR] on February 28, 2022. With a
turnover always greater than 50 million euros over this period, it is obvious that the defendant had the
financial resources necessary to set up a team or department (including several employees
and/or DPO) dedicated to managing requests from data subjects and data protection issues. ;
Annual account available on the website: https://consult.cbso.nbb.be/consult-enterprise. Decision on merits 87/2024 — 49/55
difficult financial situation, a fine of 245,000 EUR would have consequences
devastating for the defendant. This would compromise the implementation of the measures
reorganization necessary to guarantee its future viability, putting jobs at risk
of 400 people and even risking leading to the cessation of activities in Belgium.
145. Taking into account all these circumstances, the Litigation Chamber agrees that a
reduction in the amount of the fine appears appropriate to support the defendant and
prevent endangering the jobs of 400 people as well as the continuity of
activities in Belgium.
146. To reach this conclusion, it seems relevant for the Litigation Chamber to
take into account two essential elements: on the one hand, the use of the contribution of
shareholders; on the other hand, the evaluation of cumulative losses over a period of three years
(2023-2024, 2024-2025, 2025-2026) to reduce the amount of the initial fine. This
approach aims to adequately consider the real financial capacity of the
defendant to bear this administrative sanction.
147. The Litigation Chamber notes that the shareholders injected a cash contribution of
more than 3,000,000 EUR, a sum established taking into account past losses,
present and future, as well as other financial commitments to which the defendant
58
will have to respond, with the aim of ensuring the financial recovery planned for 2026-2027.
Furthermore, the Litigation Chamber emphasizes that the defendant seems to have anticipated the
risk of a possible fine, as indicated by the Statutory Auditor in the
following terms: “we draw attention to note VOL - inb 6. 19 of the financial statements
(“risks”) which describes the uncertainty associated with the resolution of the GBA investigation. The result of
This investigation could have a significant impact on the financial situation of the company. ".
148. Next, the Litigation Chamber considers it relevant to assess the cumulative losses over a
period of three years (2023-2024, 2024-2025, 2025-2026) since the shareholders have
paid a cash contribution of more than 3,000,000 EUR based on planning
multiannual strategy presented in October 2023 (see paragraph 147), aimed at guaranteeing
financial recovery planned for 2026-2027. It is important to note that losses
projected for the years 2024-2025 and 2025-2026 are hypothetical, and that the year
2024-2025 saw the highest loss since 2019 (…EUR).
149. In this context, the Litigation Chamber, as previously mentioned in its
paragraph 145, considers it appropriate to reduce the amount of the fine by applying the
remaining percentage of the more than 3,000,000 EUR contributed by the shareholders, after having
excluded cumulative losses over a period of three years in relation to this contribution, periods
5The defendant mentions in its email of April 5, 2024 that a multi-year strategic plan was presented
to shareholders in October 2023, resulting in a cash contribution of more than EUR3,000,000 from shareholders
in February 2024. ; page 5 of the email sent by their Council in reaction to the sanction form. Decision on merits 87/2024 — 50/55
for the most part hypothetical. This approach aims to align the reduction of the initial fine
with the financial situation of the defendant. Thus, the Litigation Chamber considers
have correctly assessed the financial impact of the fine in relation to the funds provided
by the shareholders, and considers that the reduction of at least 30% of the initial fine
takes into account the actual financial capacity of the defendant to bear the fine
administrative.
150. Following the preceding reasoning, the Litigation Chamber reduces the fine by
245,000 EUR to 172,431 EUR objectively: The loss for the year 2023-2024
amounts to [-..EUR], while that forecast for the year 2024-2025 is [-..EUR], and that
foreseeable for the year 2025-2026 is [-..EUR]. By adding these losses, the loss
cumulative for the year 2023-2024 as well as those planned for the years 2024-2025 and
2025-2026 represents a total of more than 1,000,000 EUR [(-.. EUR)] + [(-.. EUR)] + [(-.. EUR)]
= more than 1,000,000 EUR. The contribution of shareholders to ensure viability is more than
3,000,000 EUR The percentage of the cumulative loss over a period of three years, i.e.
2023-2024, 2024-2025 and 2025-2026 (the last two years being hypothetical)
compared to the shareholders' contribution amounts to +-30% [(more than 1,000,000 EUR / more than
3,000,000EUR)*100=+-30%].After withdrawing the cumulative loss over a period of three
years, it is established that the defendant still holds +-70% of the more than 3,000,000 EUR
contributed by the shareholders.
151. Consequently, the Litigation Chamber decides to apply the percentage of the loss
cumulative over a period of three years (2023-2024, 2024-2025 and 2025-2026, both
recent years being hypothetical) as a percentage reduction to the amount
initial amount of the fine in order to determine the new amount.
Taking into account all specific circumstances surrounding viability
economic and financial capacity of the defendant, this represents +- 30% of the
245,000 EUR, a reduction of more than 70,000 EUR. Thus, the new amount of
the fine amounts to EUR 172,431, which corresponds to a reduction of approximately 30% per
compared to the initial amount. Furthermore, the Litigation Chamber emphasizes that the impact of this
fine on a shareholder contribution established on forecasts until 2026-2027 (see
point 148) is minimal, representing only 4%.
Considering these factors, the Litigation Chamber considers that the reduction of
the fine of 245,000 EUR to 172,431 EUR is a proportionate measure to sanction
the violations noted in this specific case
152. Dissuasive nature – The dissuasive nature of fines is crucial to guarantee the
compliance with the rules established by Union law, in particular in the GDPR. This character
deterrent can manifest itself in two ways: general deterrence, which aims to
discourage other controllers from committing the same violation in the future, Decision on merits 87/2024 — 51/55
and specific deterrence, which aims to dissuade the data controllers concerned
by the fine for breaking the rules again in the future. A fine must be
sufficiently dissuasive for data controllers to fear that
Supervisory authorities do apply fines for GDPR violations.
153. Several factors determine the dissuasive nature of a fine: the nature and
amount of the fine, as well as the probability of its imposition, are elements
determining factors in this regard. A fine must be high enough to have an impact
significant financial impact on the offending company, while remaining proportionate to the seriousness of the
breach. In other words, the criterion of deterrence overlaps with that of effectiveness.
154. If a supervisory authority considers that a fine is not sufficiently dissuasive, it
may consider increasing it. In some cases, it may even apply a multiplier
deterrence to strengthen its deterrent effect. This multiplier can be adjusted to the
discretion of the supervisory authority to ensure that deterrence objectives are
fully achieved.
155. In this case, the fine of EUR 172,431 imposed on the defendant aims to deter the
defendant to repeat the violation of the rules of the GDPR. Furthermore, she seeks
also to deter other companies from committing similar violations. This
fine, proportionate to the seriousness of the violation 59 and taking into account the turnover
of the defendant, is designed to have both a specific and general deterrent effect.
156. Considering all of these aforementioned factors, the fine of EUR 172,431
seems to meet the dissuasive nature necessary to ensure compliance with the GDPR.
III.3.2.2.6. In summary
157. Firstly, the Litigation Chamber notes that the defendant whose figure
of business amounts to more than 50,000,000 EUR has not complied for a period
significant of a complainant's erasure and opposition requests, resulting in a
continuous processing of personal data for direct marketing purposes, and putting
highlights the absence of guarantees to ensure compliance with the principles
fundamentals of the GDPR, thus violating articles 17, 21, 5.1.a), and 5.2 juncto 24 of the GDPR.
158. Then, after analyzing all the relevant circumstances of the case in question under
of Article 83.2, a), b) and g) of the GDPR, the Litigation Chamber considered that the violation was
of “medium” severity. To determine the starting amount, the violation of articles 5,
17 and 21 of the GDPR is listed in Article 83.5, a) and b) of the GDPR, which provides that the
maximum legal amount is 20 million EUR (20,000,000 EUR) or 4% of the figure
59See in particular Title III.3.2.2.2. of this decision.
60See in particular Title III.3.2.2.2. of this decision. Decision on merits 87/2024 — 52/55
total global annual sales for the previous financial year. In this case, the turnover of
the defendant being less than EUR 500 million, the maximum amount and the range
Fixed prices apply. Therefore, a starting amount of between 10 and 20% of the amount
maximum applicable legal amount, i.e. between EUR 2 and 4 million, is envisaged. Since the
violation is considered average, the Litigation Chamber decides that the amount
The starting price set according to the seriousness of the violation will be 2,000,000 EUR (2 million EUR).
159. Then, the starting amount set in step 1 is adjusted according to the size of the company.
The defendant achieves an annual turnover of more than EUR 50,000,000 for
financial year 2023, falling in the range of EUR 50 to 100 million. That
results in an adjustment of the starting amount to an amount between 8% and 20%.
Given that the defendant's turnover is high within this
range, the Litigation Chamber decides that an adjustment of up to 12.25% of the amount
starting amount set in step 1 is justified, thus bringing the starting amount after adjustment to
245,000 EUR in this case.
160. To ensure that this starting amount after adjustment complies with the lines
guidelines, it is compared with the ranges in the applicable table
available in the EDPB guidelines. Since article 83.5 of the GDPR is
applicable, that the defendant achieves a turnover of between 50 and 100
million EUR and the severity is medium, the starting amount should be
between 160,000 and 800,000 EUR. The Litigation Chamber concludes that an amount of
starting of 245,000 EUR is within this range, and therefore it is in line with the lines
guidelines.
161. Taking into account article 83 of the GDPR, the Litigation Chamber must also provide reasons
the imposition of an administrative fine in concrete terms, taking into account other
aggravating or mitigating circumstances listed in Article 83.2 of the GDPR. However,
the assessment of these elements does not justify either an increase or a decrease in the amount
of the administrative fine. Furthermore, the Litigation Chamber must also justify
the imposition of this administrative fine in accordance with the guidelines of
the EDPB, which emphasize that fines for GDPR violations must be effective,
proportionate and dissuasive in each specific case, in accordance with Articles
83.4 to 83.6 of the GDPR. The assessment of these elements justifies a reduction between the fine
initial and the new amount of approximately 30%. Considering all the factors
61EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), adopted on May 24
2023 (v2.1), see the appendices (p.52).
62Cour des Marchés), 2020/1471 of February 19, 2020.
63See in particular Title 3.2.2.4. of this decision. Decision on merits 87/2024 — 53/55
mentioned above, the reduction of the fine from EUR 245,000 to EUR 172,431 is a measure
effective, proportionate and dissuasive necessary to ensure compliance with the GDPR.64
III.3.2.2.7. The decision to impose an administrative fine
162. All of the above elements justify an effective, proportionate and
dissuasive under Article 83 of the GDPR, taking into account the assessment criteria therein
are set out.The Litigation Chamber underlines that the other criteria set out in article
83.2 of the GDPR are not likely, in this case, to result in an administrative fine
other than that determined by the Litigation Chamber within the framework of this
decision.
163. The Litigation Chamber considers that it is justified to impose an administrative fine,
taking into account the specific circumstances as well as the position taken by the
defendant regarding the manner in which the plaintiff's requests were handled, in order to
to sanction this behavior appropriately and to encourage the defendant
to refrain from responding to requests to exercise the rights granted under the GDPR
in this way in the future.
164. In view of the aforementioned assessment as well as the circumstances specific to this case, the
Litigation Chamber therefore considers that it is appropriate to impose a fine
administrative order of EUR 172,431 to the defendant, pursuant to article 58.2. i) of the GDPR as well
as well as articles 100, § 1, 13° and 101 of the LCA, in accordance with article 83.2 of the GDPR.
165. The Litigation Chamber considers that the amount of this fine, which otherwise remains
well below the maximum amount of the authorized range, is proportionate to the severity
violations noted in the behavior in question.
IV. Publication of the decision
166. Given the importance of transparency regarding the decision-making process of the Chamber
Contentious, this decision is published on the website of the Authority of
Data protection. However, it is not necessary for this purpose that the data
identification of the parties are directly communicated.
64See in particular Title 3.2.2.5 of this decision. Decision on merits 87/2024 — 55/55
66
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.).
(sé). Hielke H IJMANS
President of the Litigation Chamber
the signature of the applicant or his lawyer.
66The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court registry.
