APD/GBA (Belgium) - 38/2021: Difference between revisions

From GDPRhub
No edit summary
Line 70: Line 70:


==Comment==
==Comment==
''Share your comments here!''
I wonder what will happen if the SPF (Federal Public Service) does not take any action to the order of the Belgian DPA keeping in mind that the Belgian Data Protection Act does not allow to fine a public authority like the SPF. In other words what are the options for the Belgian DPA to enforce a public service to act?


==Further Resources==
==Further Resources==

Revision as of 06:50, 2 April 2021

APD/GBA - Decision 38/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 17 GDPR
Belgian corporate law
Belgian law establishing the national data protection authority (LCA)
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.03.2021
Published: 25.03.2021
Fine: None
Parties: A company associate (plaintiff)
The federal public service of Belgium "SPF Belgique" (defendant)
National Case Number/Name: Decision 38/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Official website of the Belgian data protection authority (in FR)
Initial Contributor: Maïlys Lemaître

The Belgian DPA reaffirmed the standard conditions for minimization of data (Article 5(1)(c) GDPR) in relation with the lawfulness of the data processing (Article 6 GDPR) and underlines that a data subject's request for erasure of their personal data pursuant to Article 17 GPDR must be granted if the data processing is not lawful to begin with.

English Summary

Facts

The plaintiff, an associate in a limited company, had decided with their co-associate to reduce their company's capital, for which a publication in the Belgian State Journal (Moniteur belge) is an obligation under the Belgian corporate law. The notary mandated by the associates to do the publication in their name not only informed about the reduction of capital but also mistakenly indicated the amount reimbursed to the associates as well as their personal bank account number. The plaintiff asked the notary to proceed to the erasure of these complementary and in their eyes unnecessary information. Following this, the notary requested that the Belgian federal public service (SPF, the defendant), responsible for the journal, erased the plaintiff's data of whom he acted on behalf of. The request was met with a refusal, the SPF mostly arguing that whatever the data published, since they were linked to publication required by the law, they could not be erased. After further exchanges and with the SPF still refusing to erase the concerned data, the plaintiff lodged a complaint with the Belgian DPA, mainly claiming that the SPF had no actual legal basis pursuant to Article 6 GDPR for processing the litigious data.

Dispute

Can a legal obligation under national law justify the processing of data that may be unnecessary for the intended purposes of the processing?

Holding

Before giving its decision on the question in dispute, the Belgian DPA reminded the defendant that the plaintiff's notary's mistake of publishing unnecessary data, was no reason for justifying that the defendant should not be held liable for a possible unlawful processing, as the SPF argued. A data controller always being accountable for the data they process, no matter in what way obtained, the liability of the defendant could indeed also be sought in this case.

Thereupon, the DPA states that even if the publication was an obligation under the applicable corporate law and the data processing herewith found its legal basis in Article 6(1)(c) GDPR, the principle of minimization of data pursuant to Article 5(1)(c) could not be undermined as it had been by the defendant. It is not because a data processing is justified by the law, that its controller can process data within its framework as pleases them. Saying otherwise would mean questioning the very essence of the principle of minimization. Thus, the plaintiff was right in claiming that the processing of the data linked with the publication had no legal basis as per Article 6 GPDR, since the data was not necessary for the defined purposes, and that it meant that the defendant had not been within their right to refuse an erasure of the plaintiff's data pursuant to Article 17 GPDR. The DPA therefore issued a reprimand towards the defendant according to their powers resulting from the Belgian law establishing the national data protection authority and ordered them to grant the plaintiff's request and erase the litigious data.

Comment

I wonder what will happen if the SPF (Federal Public Service) does not take any action to the order of the Belgian DPA keeping in mind that the Belgian Data Protection Act does not allow to fine a public authority like the SPF. In other words what are the options for the Belgian DPA to enforce a public service to act?

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

                                                              Decision as to font 38/2021 - 1/24








                                                                         Litigation Chamber


                                            Decision on the merits 38/2021 of 23 March 2021





File No .: DOS-2020-00404




Subject: Complaint against the Belgian Monitor for basic lack of legality and refusal of erasure

of personal data published in the Annexes to the Belgian Official Gazette



The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke

Hijmans, chairman, and of Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this

composition;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the

protection of individuals with regard to the processing of personal data and the

free movement of such data, and repealing Directive 95/46 / EC (general regulation on the protection

data), hereinafter GDPR;

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);


Having regard to the Rules of Procedure as approved by the Chamber of Representatives on December 20

2018 and published in the Belgian Official Gazette on January 15, 2019;


Having regard to the documents in the file;





Took the following decision regarding:

The complainant: Mr X., represented by his counsel Maître Sari Depreeuw, lawyer, whose law firm

                is established at 1050 Brussels, avenue Louise, 81 (hereinafter the complainant)


The defendant: The FPS Justice established at 1000 Brussels, Boulevard de Waterloo 115, represented


                        by Mr. Jean-Paul Janssens, Chairman of the Management Committee


                        (hereinafter the defendant) Decision on the font 38/2021 - 2/24









    1. Feedback from the procedure


Having regard to the complaint lodged on January 21, 2020 by the complainant with the Data Protection Authority

(APD);



Considering the decision of February 20, 2020 of the Front Line Service (SPL) of the APD declaring the complaint

admissible and its transmission to the Litigation Chamber;



Having regard to the letter of March 5, 2020 from the Litigation Chamber informing the parties of its decision to

consider the case to be ready for treatment on the merits on the basis of Article 98 LCA and their

providing a timetable for the exchange of conclusions;


Having regard to the main conclusions of 6 April 2020 from the defendant;


Having regard to the conclusions of the complainant of April 21, 2020;


Having regard to the respondent's submissions of May 6, 2020;


Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on August 20, 2020;


Having regard to the hearing during the session of the Litigation Chamber of October 9, 2020 in the presence of Masters

S. Depreeuw and O. Belflamme, representing the complainant and Mr. A. Hoefmans, director of

the Data Protection Unit of the FPS Justice and Mr. W. Verrezen, Director of the Belgian Monitor

both representing the defendant;


Having regard to the minutes of the hearing and the observations made thereon by the parties who have

been attached to these minutes. The Litigation Chamber notes that in terms of its comments, the

defendant announces that she realized during the hearing that the royal decree of 30

January 2001 repeatedly cited in terms of submissions in support of its defense had been replaced

by a new royal decree of April 29, 2019, (M.B., April 30, 2019) adopted after the entry into force

of the GDPR. The defendant specifies that this new royal decree has not changed the content of Article 11.5
                                                    1
invoked, now replaced by Article 1-9 § 5.




1Article 1-9 § 5: Correction of an error made in an act, an extract of an act, a decision or a document
published in the Annexes to the Belgian Official Gazette is filed and published in accordance with the preceding paragraphs. The
rectification of an error made in a document the filing of which was published by mention in the Annexes of

Belgian Monitor is operated by filing at the registry in accordance with the preceding paragraphs, one or more pages
corrected or additional, bearing the words "rectification", attached to a page with the details provided
in paragraph 2, subparagraph 4 and indicating the document to which the rectification relates. Corrected pages or
additional documents are entered in the file. The submission of corrected or additional pages gives rise to publication by
extracted from the Annexes of the Belgian Official Gazette. Decision as to font 38/2021 - 3/24






         2. Facts and subject of the claim 2


1. The complainant is a shareholder of SPRL Bureau X. The complainant holds the vast majority of

    shares of the SPRL, its partner by holding a very small minority.



2. The shareholders of the company - including the complainant - decided to reduce the capital by

    the company whose articles of association have, following this operation, been amended by a decision of

    the extraordinary general meeting in early 2019 (article 316 of the Companies Code).



3. In February 2019, an extract from this decision was published in the Annexes to the Belgian Monitor, available

    both in hard copy and in electronic version available on the Internet.



4. The extract published in the Belgian Official Gazette contains the decision to reduce the capital of the company, the amount

    initial capital, the amount of the reduction with mention of the new amount of the share capital and

    of the new text of the statutes. These are in fact the elements required by Article 69 combined with

    Article 74 of the Companies Code.



5. In addition, the extract mentions, among other things, the names of the two partners (including the complainant), the amounts

    that were reimbursed to them as well as their bank account numbers.



6. This part of the extract published in Dutch (point 5 above) is reproduced below:

         (…)

         - aan de heer X, voornoemd, door uitbetaling op de rekening met nummer (..) op zijn

         naam van het bedrag van (..);



         - aan de heer Z, voornoemd, door uitbetaling op de rekening met nummer (..) op zijn

         naam, van het bedrag van (..)


Free translation


         - to Mr X, mentioned above, by payment to account number (..) to his

         name in the amount of (..);


         - to Mr. Z, mentioned above, by payment to account number (..) to his

         name, in the amount of (..)


         (Hereinafter the disputed passage)




2
 Since the capital reduction took place before the entry into force of the new Companies and Companies Code
associations, the Companies Code of May 7, 1999 is applicable to the facts of the case. Decision as to font 38/2021 - 4/24



7. This extract was prepared by the complainant's notary in application of the Companies Code (article 74

     paragraph 1, 1 ° juncto article 69, paragraph 1, 5 °) and then transmitted by the latter to the registry of the court

     of the company within the territorial jurisdiction of the company to be published in the Annexes of the Belgian Monitor. 4




8. Considering that his notary had committed an error by including the disputed passage in the

     request for publication of the extract from the capital reduction decision, the complainant has, by

     the intermediary of his notary and his data protection officer (DPO), initiated

     steps aimed at obtaining the deletion of this contentious passage from the defendant.



9. On March 28, 2019, the DPO of the plaintiff's notary sent an email to the defendant's DPO

     inviting the latter to delete the two paragraphs cited above in execution of the right to

     the erasure of the complainant (art. 17 GDPR). Concretely, the DPO of the complainant's notary has, for

     the account of the latter, requested (a) the deletion of the publication of the extract containing the

     contentious passage and (b) its replacement by the publication of an extract without this contentious passage.




10. On April 10, 2019, the Respondent replied in the negative to the Complainant's request. His refusal

     was based on the exception provided for in Article 17.3 of the GDPR (right to erasure) and its article
       5
     86. The defendant's DPO, instead of the requested erasure, suggested that a

     new publication of the extract - without the disputed passage - be made, the initial publication remaining

     as for it intact.



11. On April 11, 2019, the DPO of the complainant's notary replied to the respondent that his position was

     irrelevant and insisted on deleting the publication of the excerpt containing the passage


     contentious.



12. In an e-mail of April 30, 2019, the defendant's DPO made arguments

     additional to justify its refusal to erase the disputed passage.


3 Article 74: The following are filed and published in accordance with the preceding articles: 1 ° acts bringing about changes

the provisions of which this code prescribes publication.
Article 69 paragraph 1, 5 °: The extract from the deed of incorporation of companies, with the exception of interest groups
economic, contains: 5 ° where applicable the amount of the share capital; the amount of the part released; the amount
authorized capital; for limited partnerships, the amount of securities released or to be released in limited partnership

and for cooperative societies, the amount of the fixed part of the capital.

4The formalities for publication by the Belgian Official Gazette were provided for in the Royal Decree of 30 January 2001 relating to
execution of the Companies and Associations Code, in particular in Article 11, which has replaced it as well as

was specified in the retroacts of the procedure, the Royal Decree of April 29, 2019 implementing the Code of
companies and associations.

5 Article 86 of the GDPR: Processing and public access to official documents:

 Personal data contained in official documents held by a public authority or by
a public body or a private body for the performance of a mission of public interest may be
communicated by that authority or body in accordance with Union or Member State law
to which the public authority or public body is subject, in order to reconcile the public's right of access to documents

officials and the right to the protection of personal data under this Regulation. Decision as to font 38/2021 - 5/24





13. On April 30, 2019, the DPO of the complainant's notary requested an opinion from the APD. On July 5, 2019, the SPL

    of the APD thus recalled in particular (1) that a royal decree (i.e. the royal decree of 30 January 2001

    invoked by the defendant in support of its refusal to erase) cannot take precedence over a

    European regulation (i.e. on the GDPR) as well as (2) the conditions of the right to erasure.



14. Several requests were subsequently made by the complainant's notary on July 8.

    2019, October 25, 2019, November 19, 2019, and January 8, 2020 without success. The disputed extract does not have

    been withdrawn from the Belgian Official Gazette.



15. On January 21, 2020, the complainant filed a complaint with the APD.



16. Pursuant to his complaint, the complainant denounces the following:

    (1) a breach of Article 6 of the GDPR on the part of the defendant for publication of its

         personal data on the Internet without a basis for lawfulness.

    (2) A breach of Article 17 of the GDPR on the part of the defendant for not having

         deleted their personal data following the exercise of their right to erasure.


17. Pursuant to his conclusions of April 21, 2020, the complainant asks the Litigation Chamber

    to say as a right that his complaint is founded and that the legal conditions of the right to erasure

    are met in accordance with Article 17.1. of the GDPR. The complainant requests that it be ordered to

    the defendant to comply with the exercise of its right to erasure and to erase the data to

    personal character concerning him (in particular names, bank account numbers and

    amounts paid both to himself and to his partner) within 10 working days after the

    notification of the DPA's decision under penalty of a fine for each day of delay, the amount of which
                                                                  er
    is to be determined by the DPA under Article 100 § 1, 6, 10 and 12 of the LCA. The complainant y

    also denounces a breach of Article 5.1. c) and Article 5.1. e) of the GDPR.



18. The Litigation Chamber would like to point out from the outset that within the framework of the

    compliance with the GDPR entrusted to the APD (for which it is the administrative litigation body) both by the

    European legislator (article 58 of the GDPR) that by the Belgian legislator (article 4 LCA), it will examine

    the facts reported by the complainant both under the articles of the GDPR referred to in the form

    complaint that he lodged on January 21, 2020 under one of the articles of the GDPR that he referred to in a

    second step by way of its conclusions of April 21, 2020.



19. Indeed, the Contentious Chamber decides here, as it had already done in its Decision 19/2020,

    that the complainant cannot be required to identify clearly, precisely and exhaustively the

    legal provisions in support of which he files his complaint. This work of qualification of the facts - Decision as to the font 38/2021 - 6/24



    constituting breaches of current data protection regulations

    if necessary - returns to the Inspection and the Litigation Chamber. 6



20. After nearly two years of operation, the Litigation Chamber notes that the

    complainants who file a complaint with the DPA are not necessarily familiar with the provisions

    of the GDPR or other specific legislation that would apply to the facts they

    report and which they believe are contrary to the applicable regulations on

    protection of personal data. The Litigation Chamber is of the opinion in this regard that it

    cannot be required of them to have this knowledge in order to make a complaint.



21. If the Contentious Chamber were to refuse to examine grievances brought by the complainant in

    during the proceedings relating to the facts denounced in his complaint, it would considerably reduce, or even

    would seriously jeopardize the effectiveness of the exercise of the right to lodge a complaint recognized in Article

    77 of the GDPR. To assert the contrary would amount to requiring the complainant to identify, under its

    complaint, all grievances relating to the facts he denounces. This would erode, the Litigation Chamber holds

    to underline it, in an unacceptable way the right to lodge a complaint and more generally, the right

    fundamental to data protection which, in order to be effective, must be able to be controlled by

    supervisory authorities, in particular through the complaints it receives. Control of the law

    fundamental to the protection of data by an independent authority participates in

    the essence of this right and is enshrined in Article 8.3. of the Charter of Fundamental Rights. Once

    again, to affirm the contrary would also come back, de facto (and starting from the observations that can

    make the Litigation Chamber over its almost two years of operation), to be required of the complainant


    whether he is assisted by a lawyer or any other legal advisor (as soon as he lodges his complaint),

    which cannot condition the exercise of a fundamental right with the authority for the protection of

    data. The Litigation Chamber is also of the opinion that as far as possible, the right to bring

    complaint must, like the exercise of other rights recognized by the GDPR (Chapter III), be free

    (article 12.5 of the GDPR). Finally, the supervisory authorities must also facilitate the exercise by

    data subjects of their rights, including the right to lodge a complaint (article 57.2. of

    GDPR).



22. In the present case, the facts not being in dispute and not requiring clarification

    complementary, the Litigation Chamber has not, as permitted by Article 94.3 ° LCA,

    recourse to the Inspection. The lack of recourse to the Inspection once the facts are clearly

    established cannot have the consequence of depriving the Litigation Chamber of examining the facts

    denounced by the complaint with regard to all the relevant complaints as far as they are




6 See. in this regard, the note on the role of the complainant available on the APD website:

https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-position-du-plaignant-dans-la-
procedure-within-the-litigation-chamber.pdf Decision as to the case 38/2021 - 7/24



    legal arguments related to the facts reported in the complaint and respecting the debate

    contradictory as it pointed out in its Decision 17/2020 (points 20-28).



23. In the present case, the complaints alleging non-compliance with Article 5.1. c) (principle of minimization) and article

    5.1.e) (principle of limited retention) of the GDPR brought by the complainant by way of conclusions

    are, moreover, without prejudice to the foregoing, intrinsically linked to the question of the existence

    or not on a basis of legitimacy (Article 6 of the GDPR) raised from the outset by the terms of the complaint.

    Indeed, in the absence of a basis of legitimacy (article 6 of the GDPR) authorizing the processing of data, the

    controller does not respect the principle of minimization either, which requires that only

    adequate, relevant and limited data to what is necessary for the achievement of the purpose

    pursued are processed. By refraining from following the complainant's right to erasure

    (raised from the outset by the complaint), the data controller (potentially) infringes

    also to the principle of the limited retention period of the processed data.



24. Accordingly, any argument according to which the defendant was not, in this case, warned as soon as

    the initiation of the proceedings for what was alleged against him must be ruled out here.


25. The defendant asks the Litigation Chamber to dismiss the complainant's complaint,

    according to her, no breach of the GDPR can be noted.




        3. The hearing of October 16, 2020


26. At the hearing on October 16, 2020, the parties had the opportunity to present their point of view,

    referring very broadly to their previously communicated conclusions.



27. More specifically, the following elements emerged from that hearing:

        - The complainant's counsel clarified that personal data directly

                 relating to his partner should also be considered as personal data.

                 personal character concerning him and that therefore his request for erasure involved

                 also on these (see point 17 above).


        - The parties have indicated that they agree that the publication of the data

                 personal data of the complainant appearing in the disputed passage were not covered by

                 the disclosure obligation provided for in the Companies Code.


        - The defendant confirmed its status as data controller.


        - The defendant indicated that it was not authorized to sort between the data whose

                 publication is required by the Companies Code and those whose publication is

                 regularly desired. Indeed, it is not uncommon for natural persons or Decision to make 38/2021 - 8/24



                 legal entities wish to add data to the publication, data whose publication

                 is not legally required by the Companies Code for example. The defendant has

                 added that in practice, this sorting is also impossible to carry out given the number

                 extracts of documents to be marginally checked daily (only the presence of

                 certain mentions and format are verified). 7


         - Via a request for rectification, the rectified publication necessarily refers to the


                 publication that it corrects (and in this case, the one looking for the publication can

                 find via the date mentioned on the rectification notice).


28. Full minutes of this hearing were drawn up and communicated to the parties as

    specified in the retroacts of the procedure.




PLACE


    4. As to the breaches on the part of the defendant


As a preliminary


29. The Contentious Chamber notes that the defendant qualifies itself as data controller. In
                                                                                               8
    within the framework of its own discretion with regard to this qualification, the Chamber

    Litigation also retains this qualification considering that in view of the disputed passage from

    the extract published, the defendant did indeed act in that capacity, by defining both the purpose

    than the means (article 4.2 of the GDPR).



30. The Contentious Chamber notes that the defendant repeatedly emphasizes that the error

    generator of all the procedure leading to this decision was committed by the notary

    of the complainant when sending the document to be published in the Annexes to the Belgian Monitor.








7 Extract from the hearing report:

The file is processed by the Company Court before being sent for publication in the Moniteur. By "treat", it is necessary

here hear that the company court registry scans the document, adds the necessary references
(number,…) and operates a purely formal check of the document submitted (is it dated?, signed? etc.). Circular
specifies that the registry must limit itself to this formal control without being able to modify the content of the document. This content

is the responsibility of the notary who made the deposit. The registry processes 800 to 900 acts per day. He has 24 hours
to accept the file and 48 hours to send it to the Belgian Monitor.


8
 See. in this regard, European Data Protection Board (EDPS), Guidelines 07/2020 on the concepts of
controller and processor in the GDPR, version 1.0. September 2, 2020.
These guidelines have been submitted for public consultation and are subject to change
https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf. Voy
also decision 81/2020 of the Contentious Chamber (point 46). Decision as to font 38/2021 - 9/24



31. The defendant admittedly intervened following the complainant's notary, who prepared the deed for

    publish which contains the disputed passage and forwarded it to him. There was no less intervention

    successive of two separate data controllers, the notary first, the defendant

    then, operating a separate process. 9



32. Even if the initial error was made by the complainant's notary, compliance with the GDPR is required

    for each treatment operated. Therefore, the error made by a first controller

    does not cover a breach of the GDPR for which the "subsequent" data controller (for

    to use the words invoked by the defendant) would be guilty. This notion of

    responsible for "subsequent" processing is also not enshrined in the GDPR. In this case

    Litigation Chamber simply notes a successive intervention by two officials of

    treatment. It is true that the defendant was initially the recipient of the data within the meaning of Article 4.9.

    of the GDPR, but this quality does not exclude that in turn, it has intervened in the capacity of

    treatment.



    4.1. As regards the breach of article 6 of the GDPR (lawfulness of the processing) and article 5.1. c) (principle

        minimization)


33. The Litigation Chamber recalls that pursuant to Article 6 of the GDPR, the processing of data

    of a personal nature is only lawful if, and to the extent that, it is based on one of the bases of

    lawfulness listed in Article 6 of the GDPR.



34. It is not disputed that the extract published in the Annexes to the Belgian Monitor includes data from

    personal character relating to the complainant within the meaning of Article 4.1. of the GDPR and therefore this

    publication must be based on one of the lawful bases of Article 6 of the GDPR. Bedroom

    Litigation specifies in this regard that, as the complainant alleges, the personal data

    personnel relating to the latter include both their identity, account number and

    the amount paid to him as the same information relating to his partner. All


    this information should be considered as personal data relating to

    to the complainant.



Defendant's position

35. The defendant states that the complainant does not specify when he considers that he has observed a


    breach of Article 6 of the GDPR. The defendant argues for its part that both

    concerns the publication in the Annexes of the Belgian Official Gazette in February 2019 that with regard to the





9
 See. also decision 81/2020 of the Contentious Chamber (point 46). Decision as to font 38/2021 - 10/24



    period following the complainant's subsequent erasure request, it is the basis for processing

    data of the latter on a valid legal basis in compliance with Article 6 of the GDPR.



36. Regarding the publication in February 2019, the defendant declares, in terms of its first

    conclusions at the very least, be able to rely on three bases of lawfulness: (1) the consent of the

                                                                                                        10
    complainant (article 6.1 a) of the GDPR combined with article 7 of the GDPR), (2) article 6.1 c) of the GDPR in

    that the publication results on the part of the defendant from the necessary execution of a

    legal obligation arising from article 73 paragraph 2 of the Companies Code and the Royal Decree of April 29

    2019 implementing the Companies and Associations Code and finally, (3) Article 6.1 e) of
          11
    GDPR in that the publication of information transmitted by the complainant's notary falls under

    the public interest mission of official documentary source carried out by the Belgian Official Gazette in

    application of the Law of February 28, 1845 prescribing a new method of sanction and promulgation

    of the laws and of the Law of May 18, 1873 containing Title IX, Book I, of the Commercial Code relating to

    companies. The defendant also specifies that the exercise of this public interest mission falls within

    in the context of the aforementioned article 86 of the GDPR relating to public access to official documents.



37. It was recalled in Title 3 above, that during the hearing, the representatives of the Respondent

    explained that the defendant was, according to instructions received by way of circular, not

    authorized to sort the data required by the Companies Code on the one hand

    or any other text whose publication is requested and on the other hand, those, additional, that


    some would like to see it published despite the fact that their publication is not legally

    required. They also indicated that in addition, in practice, this sorting is not possible given the

    number of excerpts from deeds to be published daily.



38. Regarding the maintenance of the publication after the request for erasure of the complainant, the

    the defendant considers that it can continue to rely on Article 6.1 c) of the GDPR. She invokes the article

    1-9 § 5 of the Royal Decree of April 29, 2019 implementing the Companies and Associations Code

    which provides for a rectification procedure in the event of an error made in a document published in

    Annexes to the Belgian Official Gazette, excluding any possibility of outright erasure of an act

    published. The absence of any legal prescription obliging (even authorizing) the Belgian Monitor, in its capacity as

    controller, to erase the document or the data relating to the complainant contained therein, do not

    therefore does not compromise, again according to the defendant, the legality of the continued publication of

    data of the disputed extract after the erasure request.



10 Article 6 § 1 c) of the GDPR: Processing is only lawful if, and insofar as, at least one of the conditions
following is fulfilled: (…) c) the processing is necessary for compliance with a legal obligation to which the
controller is submitted.


11 Article 6 § 1 e) of the GDPR: Processing is only lawful if, and insofar as, at least one of the conditions
following is fulfilled: (...) e) the processing is necessary for the performance of a task of public interest or relevant
the exercise of public authority vested in the controller. Decision as to font 38/2021 - 11/24





39. As to the principle of minimization (article 5.1.c) of the GDPR), the defendant emphasizes that this

    violation relates to the processing carried out by the notary and not to that which he carried out in application

    of its legal obligation recalled above (point 35) which does not allow it to modify the content

    of what is transmitted to him by the notary.



Complainant's position


40. The complainant, for his part, considers that the publication of the disputed passage in the Annexes to the Monitor

    Belgian contravenes Article 6 of the GDPR in that no basis of lawfulness can validly be

    invoked by the defendant to justify the publication of the personal data of the passage

    litigation that appear therein, regardless of the moment at which one places oneself to establish the existence of
    this basis of legality.



41. The Complainant argues in this regard that, contrary to what the Respondent argues, there is no

    of his consent to the publication of the disputed data (article 6.1 a) of the GDPR),

    this publication resulting from an error. The defendant cannot either, always according to the

    complainant, rely on Article 6.1 c) of the GDPR which authorizes the processing of data only

    necessary to comply with a legal obligation, whereas in this case, the publication of data

    litigation goes beyond what is required by the relevant articles of the Companies Code following

    a capital reduction. In this regard, the defendant highlights the ratio legis of the

    publication in the Belgian Official Gazette. This serves a dual purpose of informing and protecting

    third parties in relation to the company with which they interact on the one hand and to protect the company

    itself, which can thus make its internal decisions enforceable against third parties on the other hand. The goal

    protection of third parties is particularly important in the event of a capital reduction when the

    society is impoverished and creditors' guarantees weakened. The publication of the reduction in

    capital, marks in this regard the starting point of a period of 2 months from which the creditors

    may, under certain conditions, require security for their previous claims. The

    publication of data relating to shareholders, such as the complainant, which reveals how the

    repayment of the principal amount has been made and to which bank accounts the amounts

    have been paid is irrelevant with regard to this advertising objective (not required by the Code

    companies). The complainant also disputes that the defendant can, like the latter

    invokes it, rely on Article 6.1 e) of the GDPR, the condition of "necessity" for the execution of

    its mission of public interest not being met in this case.



42. Finally, the complainant considers that since the personal data contained in the passage

    disputed were neither relevant nor necessary for the advertising purpose required by the Code of

    companies, (i.e., as stated above, informing third parties and protecting creditors), there is a Decision as to font 38/2021 - 12/24



    breach of the principle of minimization enshrined in Article 5.1.c) of the GDPR in the area of

    defendant.



Position of the Litigation Chamber


43. The Contentious Chamber recalls, as already mentioned in points 33 and 34 above, that all

    data processing must be based on one of the lawful bases provided for in Article 6 of the GDPR and

                                                                       12
    that a basis of lawfulness must exist as long as the processing lasts.



44. The Litigation Chamber also recalls that it is the responsibility of the controller to identify

    a single legal basis on which it bases its processing. This requirement is also part of the

    principles of loyalty and transparency which it is responsible for implementing (Article 5.1.a) of
                                                      13
    GDPR - explained in recital 39 of the GDPR). Different consequences arising from one

    or the other basis of lawfulness, in particular in terms of rights for the persons concerned, it is not

    not allowed that the controller invokes one or the other depending on the circumstances. AT

    by way of illustration, the controller cannot, as in this case, both consider

    that it bases the processing on the consent of the data subject (Article 6.1.a) of the GDPR) and

    on its legal obligation (article 6.1.c) of the GDPR). Consent can in fact be withdrawn at any

    time and if it does not have the effect of compromising the validity of the processing carried out before the withdrawal

    consent (article 7.3. of the GDPR), it no longer allows, a priori, the person responsible for

    processing to continue processing for the future (Article 17.1.b) of the GDPR). By declaring to found

    processing based on its legal obligation (article 6.1.c) of the GDPR), the person responsible for


    processing excludes in principle any possibility of opposition to processing, withdrawal of consent

    cannot be invoked nor the right of opposition reserved for the cases of Article 21.1. of the GDPR

    either to the processing of personal data based on Article 6 (1), point

    e) or f) and not on Article 6.1.c) of the GDPR. By also invoking Article 6.1.e) of the GDPR as

    possible basis - which in turn precisely allows the exercise of a right of opposition to the

    data subject -, alongside article 6.1.c) of the GDPR which does not allow it, the person responsible

    treatment is causing great confusion. In general, by invoking grounds of lawfulness

    distinct, the controller who acts in this way creates a certain vagueness in terms of exercise

    the rights of data subjects.



45. Without prejudice to the foregoing, since the Respondent considers that it can rely on no

    less than 3 bases of lawfulness on which to base the data processing at the time of publication in February




12
  If a data controller should be required to modify its basis of legitimacy during the processing, it does not
could do so only on the condition of respecting all the conditions of application of this base and should also
inform the data subject and comply with all other applicable GDPR provisions as if, in
sort of starting from scratch with regard to that treatment.

13
  See. in this regard, articles 13.1.c) of the RGPD and 14.1.c) of the RGPD. Decision as to font 38/2021 - 13/24



    2019, the Contentious Chamber will examine below whether one of them can actually validly

    found the publication of the disputed passage.



46. As to article 6.1.c) of the GDPR also invoked by the defendant, the Litigation Chamber

    recalls that it can only be used when it grounds "a processing (of personal data)

    necessary to comply with a legal obligation ", each word of this assumption being important.



47. In the course of its defense, the defendant drew the attention of the Litigation Chamber to the

    makes no mistake about the application of Article 6.1.c) of the GDPR in this case.

    The legal obligation to be taken into account is that of publication to which the Belgian Official Gazette is bound

    pursuant to Article 73 paragraph 2 of the Companies Code and the Royal Decree of April 29, 2019 already

    cited and which, specifies the defendant, required him to publish as is what the notary had transmitted to him

    without the services of the Belgian Official Gazette being authorized to sort out what is

    actually required to publish in application of the Companies Code and what would go beyond (see.

    points 27 and 37 above). This is, according to the defendant, the legal obligation to which it is

    outfit. Therefore, the fact that the published data is not required by the Companies Code is

    according to the defendant indifferent: their publication in the Annexes of the Belgian Monitor is the result of

    the legal obligation of the defendant.



48. The Litigation Chamber cannot subscribe to this reasoning which it considers contrary to the condition

    of necessity set out in Article 6.1.c) of the GDPR and which, according to it, also amounts to denying any

    implementation of the principle of data minimization in violation of Article 5.1 c) of the GDPR which


    requires that only adequate, relevant and limited to what is

    necessary for the purposes pursued.



49. This condition of necessity of the processing is found again formulated in all the bases of lawfulness (to

    except that of consent), from littera b) to littera f) of article 6 of the GDPR.



50. In its Huber judgment, the Court of Justice of the European Union (CJEU) has, in view of this

    condition of necessity, specified:

         that "having regard to the objective of ensuring an equivalent level of protection in all
                                                                                            14
         Member States, the concept of necessity as it results from Article 7 (e) of Directive

         95/46, which aims to delimit precisely one of the hypotheses in which the processing of

         personal data is lawful, cannot have a variable content depending on the

         Member States. Therefore, it is an autonomous concept of Community law which must



14 Member States provide that the processing of personal data can only be carried out if:
(...) e) it is necessary for the performance of a mission of public interest or falling within the exercise of public authority

with which the data controller or the third party to whom the data is communicated is invested. Decision as to font 38/2021 - 14/24




         receive an interpretation that fully responds to the purpose of this directive, such as
                            st 15
         defined in Article 1, paragraph 1, thereof "(Emphasis is placed on the Litigation Chamber).

                                    16
51. According to the conclusions he filed in this case, the Advocate General explains to this

     considering that "the concept of necessity has a long history in Community law and it is

     established as part of the proportionality test. It means that the authority which adopts

     a measure which infringes a fundamental right in order to achieve a justified objective must

     demonstrate that this measure is the least restrictive allowing this objective to be achieved. Otherwise,

     whether the processing of personal data may be likely to infringe the fundamental right to

     respect for private life, Article 8 of the European Convention for the Protection of Human Rights


     and fundamental freedoms (ECHR) which guarantees respect for private and family life, becomes

     also relevant. As the Court stated in Österreichischer Rundfunk and others, if a

     national measure is incompatible with Article 8 of the ECHR, this measure cannot satisfy

     the requirement of Article 7 (e) of the Directive. Article 8 (2) of the ECHR provides

     that an interference with privacy can be justified if it pursues one of the objectives therein

     listed and "in a democratic society, is necessary" for any of these purposes. The courtyard

     European Human Rights Council has ruled that the notion of "necessity" implies that a "need


     imperative social "is in question".



52. This case-law, formulated admittedly in the light of Article 7 (e) of Directive 95/46 / EC, applies to

     all the bases of lawfulness which retain this condition of necessity. She remains today

     relevant even though Directive 95/46 was repealed since this condition of necessity

     is maintained under Article 6.1 b) to f) of the GDPR. Article 6.1 of the GDPR in fact reiterates

     the terms of Article 7 of Directive 95/46 / EC, of which it is the equivalent. 17




53. The Article 29 Group also referred to the case law of the European Court of
                                                                                      18
     human rights (Eur. D.H. Court) to identify the requirement of necessity and concludes that the adjective






15
  CJEU, December 16, 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, para. 52.

16
  Opinion of Advocate General Poiares Maduro delivered on 3 April 2008 in the proceedings before
the CJU resulting in the judgment cited in footnote 15 above (C-524/06).

17
  Note that the only differences to be noted are the addition to Article 6.1.d) of the GDPR of the vital interest of another
natural person as the data subject as well as the deletion in Article 6.1.e) of the GDPR of the "third party to which
the data is communicated ", the mission of public interest or falling within the exercise of public authority before

be that of the sole controller. In addition, a slight wording difference exists between the article
7.1. f) e Directive 95/46 / EC and Article 6.1. f) of the GDPR without modifying the scope of this provision.
All these modifications do not affect the condition of necessity.


18 Article 29 Group, Opinion 06/2014 of April 9, 2014 on the notion of legitimate interest pursued by the person responsible
of data processing within the meaning of Article 7 of Directive 95/46 / EC, WP 217. Decision on policy 38/2021 - 15/24



    "Necessary" therefore does not have the flexibility of terms such as "admissible", "normal", "useful",

    "Reasonable" or "expedient". 19




54. In support of the foregoing, the Contentious Chamber concludes that the assessment by the defendant

    of what is "necessary for the performance of its legal obligation" cannot be disembodied from the
                                                                             20
    purpose pursued by the publicity required by the Companies Code. In its Manni judgment, the CJEU

    specifies in this sense that in order to determine whether Member States are required to provide for

    data subjects the right to request from the authority responsible for maintaining an official register

    (Commercial register - mention of bankruptcies in this case), to erase or lock the data

    entered in this register or to restrict access to it, the purpose of

    registration in the said register.



55. To assert the contrary, as the defendant defends, would amount to agreeing to exempt it from

    any examination of the relevance of the data it publishes even though, on the contrary, the setting


    implementation of this founding principle of data protection provided for in Article 5.1.c) of the GDPR

    returns to him in his capacity as data controller.



56. Abundantly, the Contentious Chamber draws attention to the fact that in this case, the data

    published have a relatively direct link with the operation to reduce the capital (which

    could give their publication an "appearance of legitimacy" or at the very least induce a

    some understanding for the defendant's position). However, the Litigation Chamber

    wishes to alert its readers to the fact that the Respondent's conception of what it is

    should be understood by "processing necessary for a legal obligation", could, to follow the

    defendant, to be invoked with regard to the publication of any superfluous data, also harmless,

    delicate or sensitive (including within the meaning of Articles 9 and 10 of the GDPR) whatever it is.




57. In conclusion on this point of Article 6.1.c) of the GDPR, the Litigation Chamber is of the opinion that the

    only useful interpretation capable of giving full effect to the notion of necessity such as

    imposed by the CJEU case law is that which consists in qualifying as "necessary for the obligation

    of the defendant "the only data necessary for the purpose of the publicity measure

    pursued by the Companies Code (articles 69 and 74) which requires publication in the Belgian Official Gazette




19Court eur. D.H., March 25, 1983, Silver and others v. United Kingdom, para 97.


20 See. also Opinion 06/2014 of the Article 29 Group on the notion of legitimate interest pursued by the person responsible
data processing within the meaning of Article 7 of Directive 95/46 / EC, WP 217 of April 9, 2014 (page 21):
"For Article 7 (c) to apply, the obligation must be imposed by law (and not, for example, by

a contractual cause). The law must fulfill all the conditions required to make the obligation valid and
binding, and must also comply with applicable data protection law, in particular
to the principles of necessity, proportionality and delimitation of finality ”.

21
  CJEU, March 9, 2017, Camera di Comercio v. S. Manni, C-398/15, para 48. Decision on the font 38/2021 - 16/24



    by the defendant. Amounts paid to partners and their account number not being

    part of the data listed in these articles and not likely to participate in the advertising objective

    prosecuted, they are not necessary to comply with the legal obligation of the defendant. Leaving,

    the Contentious Chamber concludes that the defendant cannot rely on Article 6.1. c) under

    basis of lawfulness for their treatment in this case.



58. As to article 6.1.e) of the GDPR also invoked by the defendant, the Litigation Chamber

    considers that it cannot be accepted in this case either. As in the case of Article 6 .1.c),

    the necessity test must be met. It must certainly be appreciated here in the light of the mission of

    source of official documentation of the defendant. In this regard, the defendant relies on two

    legal texts, i.e. the Law of February 28, 1845 prescribing a new method of sanction and

    promulgation of the laws and the Law of 18 May 1873 containing Title IX, Book I, of the Code of

    trade relating to companies. The Litigation Chamber does not dispute that the mission of

    publication continued by the defendant through the publications (in the Annexes) of the Monitor

    Belgian law constitutes a public interest mission within the meaning of Article 6.1.e) of the GDPR. However, as

    this has just been recalled with regard to Article 6.1.c) of the GDPR above, only the processing of

    data necessary for the realization of this public interest can be qualified as lawful in support of

    Article 6.1.e) of the GDPR. In this case, the publication of the personal data of the complainant contained

    in the disputed passage is no more necessary for this interest than for the fulfillment of the obligation

    of the defendant and this for the reasons already set out (see point 56 in particular).



59. As to article 86 of the GDPR, also invoked by the defendant in support of its mission of interest


    public, the Litigation Chamber shares the complainant's analysis that the relevance of this

    reference is not obvious. Likewise, it is of the opinion that, given this access, it is all the more

    more essential that the defendant ensure that only the necessary personal data are

    published.



60. The application of Articles 6.1. c) and 6.1.e) being excluded, it remains for the Litigation Chamber to

    examine whether the processing of personal data relating to the complainant could, as defended

    the defendant, to rely in this case on the consent of the complainant.



61. It is certain, as pointed out in recital 43 of the GDPR as well as the European County of the
                                                                      22
    data protection in its Guidelines 05/2020, that it is not likely that

    public authorities can rely on consent for the processing of personal data

    personal character. Indeed, when the controller is a public authority, he

    there is often a clear imbalance in the balance of power between the controller


22 European Data Protection Committee (EDPS), Guidelines 5/2020 on consent within

of Regulation (EU) 2016/679, adopted on May 4, 2020:
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf Decision on font 38/2021 - 17/24



    and the person concerned who does not meet the condition of freedom of consent.

    However, without prejudice to these general considerations, the legal framework of the GDPR does not exclude

    fully the use of consent as a legal basis for data processing by

    public authorities.



62. In the present case, the Contentious Chamber is of the opinion that consent cannot be the basis for publication

    of the contentious extract. In accordance with article 7.1. of the GDPR, it is in fact the responsibility of the

    treatment, or the defendant, to demonstrate that it has obtained from the data subject a

    valid consent, i.e. consent that meets all the conditions of Article 4.11 of

    GDPR. The Contentious Chamber is of the opinion that the defendant does not demonstrate that it has obtained a

    such consent on the part of the complainant. Even assuming that the defendant had obtained a

    consent valid at the time of publication of February 2019, and to follow, quod not always,

    the defendant according to which the complainant had withdrawn his consent without consequence on the

    validity of the February 2019 publication, the Contentious Chamber is of the opinion that the defendant

    does not have any legal basis for it from the moment this consent has been withdrawn,

    Articles 6.1.c) and 6.1.e) cannot be invoked.


63. As to the defendant's argument that some wish to publish more than this

    that is not prescribed by the applicable regulations, the Litigation Chamber is of the opinion that in this case,

    the publication of such data - accepted and carried out by the defendant as responsible

    of processing - would be based on a basis other than that of the fulfillment of its legal obligation

    or the performance of its public interest mission, which could be consent (Article 6.1.a)

    of the GDPR) (see point 61 above). This must meet all the required qualities (see his

    definition in Article 4.11 of the GDPR). It is therefore also for the defendant to draw

    all the consequences in terms of rights for the data subjects and the collection of evidence

    obtaining consent.



64. In conclusion, it follows from the foregoing that in the present case, no basis of legitimacy is of a nature

    to found the publication by the defendant of the disputed extract containing the data of a nature

    personnel relating to the complainant. The Litigation Chamber therefore finds a breach of

    Article 6 of the GDPR in its turn. This breach is combined with a breach of Article 5.1.c)

    of the GDPR. Indeed, in the absence of a legal basis on which to rely, the publication of this data

    also ignored the principle of minimization.



    4.2. As regards the breach of the right to erasure of the complainant by the defendant (article 17.1

        of the GDPR) Decision on the font 38/2021 - 18/24



65. The Litigation Chamber recalls that Article 17.1 of the GDPR provides that the data subject has

    the right to obtain from the controller the erasure, as soon as possible, of data

    of a personal nature concerning him and that the controller has the obligation to erase these

    personal data as soon as possible, when one of the reasons listed in Article 17.1.

    of the GDPR applies, the following reason for which:

- d) the personal data have been subject to unlawful processing.


Complainant's position


66. In support of Article 17.1 d) of the GDPR, the complainant considers that the respondent should have given

    following his right to erasure on the grounds that the processing of his data under the terms of the passage

    litigation is unlawful when it has no legal basis (Article 6 of the GDPR) and the

    publication of said data violates Article 5.1.c) of the GDPR. The complainant considers that by

    elsewhere, even assuming that the defendant is justified in invoking Article 6.1 e), quod non

    according to the complainant, it is under the conditions of Article 17.1 c) of the GDPR. Moreover, in

    refusing to erase said data, the defendant also violates Article 5.1.e) of the GDPR which

    requires that the retention of personal data be limited to a period not exceeding that

    necessary for the achievement of the objective pursued.



Defendant's position


67. The defendant does not dispute that it did not respond to the complainant's request for erasure.

    She is of the opinion that no assumption of Article 17.1. of the GDPR does not apply in this case and

    that it is justified in relying on the exception in Article 17.3. b) of the GDPR taking into account

    the legal obligation incumbent on it, in particular the aforementioned Royal Decree of 29 April 2019 which provides

    a rectification procedure excluding any possibility of erasure (article 1-9 § 5). She

    adds that since the legislator does not empower him to erase the data of an act published in all

    or in part, no breach of Article 5.1.e) of the GDPR can be attributed to it.



Position of the Litigation Chamber


68. The Litigation Chamber is of the opinion that in support of the breach of Article 6 of the GDPR combined with

    Article 5.1.c) of the GDPR which it found against the defendant (see point 64 above),

    the complainant is effectively in the conditions of Article 17.1. d) of the GDPR which requires

    controller to erase personal data unlawfully processed in the

    as fast as we can.








23
  The data subject objects to the processing under Article 21.1. and there is no legitimate reason
compelling for the processing or the data subject objects to the processing pursuant to Article 21.2. Decision as to font 38/2021 - 19/24



69. However, the right to erasure enshrined in Article 17.1. of the GDPR being subject to exceptions, it

    It is up to the Contentious Chamber to verify whether one of the exceptions provided for in Article 17.3. of

    GDPR is applicable in this case, more specifically Article 17.3. b) of the GDPR invoked by the

    defendant.



70. The Contentious Chamber considers that for the following reasons, the defendant cannot

    rely on Article 17.3 b) of the GDPR as an exception to the complainant's right to erasure.



71. This exception provides that the right of the data subject to obtain from the data controller

    processing the erasure of personal data concerning him does not apply in the

    to the extent that this data processing is necessary to comply with a legal obligation which requires

    the processing provided for by Union law or the law of the Member State to which the data controller

    processing is subject to or to perform a task of public interest or within the exercise of

    the public authority vested in the controller ".



72. As mentioned above, the defendant relies in this regard on the rectification procedure provided for
    by the Royal Decree of April 29, 2019 from which, according to her, it must be deduced that it is not authorized by the

    national legislator to erase data from official publications. In this, the defendant would be

    authorized to invoke Article 17.3. b) of the GDPR to refuse to respond to any request

    erasure given its legal obligation which would prohibit any erasure. The treatment

    of all published data would therefore, here too, be necessary for the legal obligation incumbent on it to

    respect. The Litigation Chamber is of the opinion that it is not because a royal decree does not provide

    that a rectification procedure which must necessarily be deduced that any erasure is

    prohibited. This prohibition, if it were to exist, should be provided for by law in compliance with the

    conditions of Article 23 of the GDPR and cannot be deduced from an absence of reference to this right in

    a royal decree. Since the GDPR is directly applicable, it is, failing the exception provided for in the

    compliance with the conditions it imposes, of application. The Litigation Chamber therefore notes a

    absence of a legal obligation that would allow the defendant to invoke Article 17.3.b) of the GDPR.



73. It has also been shown above that the legal obligation to publish in the Annexes of

    Belgian Monitor to which the defendant is admittedly subject, does not require the processing of

    data contained in the disputed passage and that therefore the processing of this data is not

    necessary to comply with the legal obligation of the defendant (paragraph 57). This treatment is not

    more necessary for the performance of its public interest mission (paragraph 58). The conditions of the article

    17.3.b) of the GDPR invoked by the defendant are therefore not met in this case.



74. To even follow the reasoning of the defendant which consists in assessing the condition of necessity

    at different times, either at the time of the initial publication on the one hand and at the time of the

    request for erasure on the other hand, the conclusion of the Contentious Chamber would not remain Decision as to the case 38/2021 - 20/24



    less identical. A fortiori, if we look at the time of the complainant's erasure request,

    the (practical) inability already mentioned to sort prior to publication between what it is

    legally required to publish and what results from the will of those concerned falls. In

    Indeed, the complainant points precisely when requesting erasure to the superfluous data

    published.




75. The Contentious Chamber also considers that the arguments based on the nature of the Monitor

    Belgian authorities are not likely to oppose the exercise of the complainant's right to erasure. The

    in this regard, the defendant emphasizes the immutability of the publications in the Belgian Official Gazette and of its

    Annexes after their publication and the fact that the legal certainty of official publications would be

    compromised by the application of a right to erasure exercised with regard to the data they

    contain.



76. Once again, the Contentious Chamber considers that therefore, in this case, the data would not have

    never had to be published, their erasure is not likely to compromise legal certainty

    of the publication, the data whose publicity must be ensured following the reduction of

    capital remaining intact. There is no such thing as the opinion of the Litigation Chamber, the immutability of

    principle of official publications. The Contentious Chamber recalls here that in terms of its

    Manni judgment, the CJEU accepts that the national legislator could introduce a time limit beyond which

    the data contained in a public database such as the Trade Register (in


    this was the information that the trader had gone bankrupt) would be
             24
    erased. In the Huber judgment, cited above, the CJEU stated the principle that public registers should not

    contain only the data necessary for the purpose they pursue and this, in application of the

    condition of necessity contained in the basis of lawfulness on which they rely. The CJEU adds
                                                                                    25
    that these registers must be updated and superfluous data erased.



77. The Contentious Chamber concludes from the above that Article 17.3. b) RGOD is not

    applicable in the present case and that no other exemption from erasure can validly be invoked

    by the defendant.



78. Accordingly, in view of the breaches noted in point 64, the Contentious Chamber finds

    a breach of Article 17.1. d) of the GDPR on behalf of the defendant. This failure is

    combined with a breach of Article 5.1.e) of the GDPR since failing to have been erased on

    the basis of Article 17. 1 d) of the GDPR, the retention of this data did not comply with the principle






24CJUE, judgment of 9 March 2017, Camera di Comercio v. S. Manni, C-398/15, paras 32-35 and 58 et seq.

25 See. points 59 to 60 of the Huber judgment, cited in footnote 15 above. Decision as to font 38/2021 - 21/24



    according to which the data cannot be processed for a period longer than that necessary

    to achieve the purpose of the processing.



4. Regarding corrective measures and sanctions


79. Under Article 100 LCA, the Litigation Chamber has the power to:

1 ° dismiss the complaint;

2 ° order the dismissal;


3 ° pronounce a suspension of the pronouncement;


4 ° propose a transaction;


5 ° issue warnings or reprimands;


6 ° order compliance with the requests of the person concerned to exercise these rights;


7 ° order that the person concerned be informed of the security problem;


8 ° order the freezing, limitation or temporary or definitive prohibition of processing;

9 ° order that the processing be brought into conformity;


10 ° order the rectification, restriction or erasure of the data and the notification thereof

data recipients;


11 ° order the withdrawal of accreditation of certification bodies;


12 ° give periodic penalty payments;


13 ° issue administrative fines;


14 ° order the suspension of transborder data flows to another State or an organization

international;


15 ° send the file to the public prosecutor's office in Brussels, who informs them of the consequences
data on file;


16 ° decide on a case-by-case basis to publish its decisions on the website of the

data.


80. It is important to contextualize the breaches for which the defendant has been held responsible with a view to

    to identify the most appropriate corrective measures and sanctions.



81. The Litigation Chamber recalls in this regard that it is sovereignly in its capacity

    independent administrative authority - in compliance with the relevant articles of the GDPR and the

    LCA - determine the appropriate corrective measure (s) and sanction (s). Decision as to font 38/2021 - 22/24





82. The Litigation Chamber notes that on several occasions already, the APD Knowledge Center has

    highlighted gaps in the implementation of the GDPR with regard to data processing

    operated by the Belgian Monitor. For example, in a recent 99/20 opinion, the APD, referring to

    Article 1250 of the Judicial Code which refers to an obligation of official publication in the Moniteur

    Belgian, raises the following. "As it has already done in Opinion No. 141/2019, the Authority [read the PDA]

    here again draws attention to the fact that this publication, as in general

    publication in the Belgian Official Gazette, is not subject to any data retention period

    of a personal nature appearing therein. In this regard, the Authority [read the ODA] reiterates that the article

    23 of the GDPR allows the legislator to make not only limitations on the rights referred to in

    Articles 12 to 22 inclusive of the GDPR but also within the scope of Article 5 of the GDPR and therefore, in this

    including, in Article 5.1.e) of the GDPR. However, such limitations cannot be made without ensuring the

    compliance with the conditions stipulated by Article 23 § 2 of the GDPR, starting with the fact that such

    limitation must be provided for by the law of the Member State in question. However, to the knowledge of

    the Authority [read the DPA], there is still no such standard for publications at

    Belgian instructor. The Authority [ODA] therefore once again insists that this
    situation. "



83. The Litigation Chamber is of the opinion that in the present case, given the shortcomings noted, the

    the most appropriate corrective measure is to issue a reprimand to the defendant (Article

    100.1., 5 ° LCA) accompanied by an order to follow up on the complainant's exercise of the right to erasure

    based on article 100.1., 6 ° LCA and this, as soon as possible but not later than within a

    30 days from the notification of this decision to the parties. The costs that

    the implementation of this erasure order cannot be attributed to the complainant, the exercise of

    rights of data subjects being, as required by Article 12.5. of the GDPR, free.



84. The Contentious Chamber does not comment on the advisability of a possible fine

    administrative action against the defendant. Taking into account the quality of "public authority" of

    the latter within the meaning of Article 5 of the Law of 30 July 2018 on the protection of persons

    physical with regard to the processing of personal data, read in conjunction with the

    article 83.7. of the GDPR and 221 § 2 of the aforementioned law of July 30, 2018, the Litigation Chamber is not

    indeed not authorized to impose such a fine on him.



85. The Litigation Chamber also invites the legislator to work towards bringing the

    data processing operated by the Belgian Official Gazette with the GDPR, in particular with regard to

    the identification of the basis of lawfulness of the data processing operations carried out, the implementation of the principle

    minimization devoted to Article 5.1.c) of the GDPR and the exercise of the right to erase

    persons concerned. Decision as to the font 38/2021 - 23/24







        6. As for transparency


86. In view of the importance of transparency with regard to the decision-making process and

    decisions of the Litigation Chamber, this decision will be published on the website of the APD

    by deleting the direct identification data of the complainant and the persons cited,

    whether physical or legal, with the exception, however, of the Belgian Monitor and the SPF Justice.



87. When it decided to publish its decisions mentioning the identity of the defendants, the

    Litigation Chamber justified its decision by the fact that this advertisement would guarantee a

    rapid compliance, would help decrease the risk of repetitions and aim to inform the

    public taking into account the data controller involved. In addition, any pseudonymization

    the name of the defendant would have been in these few cases illusory. 26



88. In the present case, the Contentious Chamber is of the opinion that in support of the above reasons, the publication of

    the identity of the defendant is justified. The deletion of the identification of the FPS Justice / Monitor

    Belgian is, given the unique nature of the Belgian Monitor, moreover illusory. The maintenance of


    this identification is also essential for the understanding of the decision and therefore,

    the objective of transparency pursued by the Litigation Chamber.



FOR THESE REASONS


THE LITIGATION CHAMBER


After having deliberated,


    - Decides to issue a reprimand to the defendant on the basis of Article 100.1, 5 ° LCA;


    - Decides, on the basis of Article 100.1., 6 ° LCA to order the defendant to act on

    the exercise of the right to erasure of the complainant as soon as possible and at the latest within

    within 30 days of notification of this decision. The defendant will inform the

    Litigation Chamber, supporting documents, within the same time limit at the address

    litigationchamber@apd-gba.be.












26
  See. decision 37/2020 of the Contentious Chamber (point
183) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2020.pdf Decision on the font 38/2021 - 24/24



Under Article 108.1 LCA, this decision can be appealed to the Court of

contracts (Brussels Court of Appeal) within 30 days of notification, with

the Data Protection Authority as respondent.






(se.) Hielke Hijmans


President of the Litigation Chamber