Court of Appeal of Brussels - 2021/AR/163: Difference between revisions
m (RRA moved page Hof van beroep Brussel - 2021/AR/163 to Cour d'appel de Bruxelles - 2021/AR/163) |
m (RRA moved page Cour d'appel de Bruxelles - 2021/AR/163 to Court of Appeal of Brussels - 2021/AR/163) |
||
(One intermediate revision by the same user not shown) | |||
Line 5: | Line 5: | ||
|Courtlogo=Courts_logo1.png | |Courtlogo=Courts_logo1.png | ||
|Court_Abbrevation=CA | |Court_Abbrevation=CA | ||
|Court_With_Country= | |Court_With_Country=Court of Appeal of Brussels (Belgium) | ||
|Case_Number_Name=2021/AR/163 | |Case_Number_Name=2021/AR/163 |
Latest revision as of 08:59, 20 August 2021
CA - 2021/AR/163 | |
---|---|
Court: | Court of Appeal of Brussels (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 83 GDPR |
Decided: | 26.05.2021 |
Published: | |
Parties: | |
National Case Number/Name: | 2021/AR/163 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | French |
Original Source: | autoriteprotectiondonnees.be (in French) |
Initial Contributor: | n/a |
The Court of Appeal of Brussels annulled a fine issued by the Belgian DPA, finding that the DPA should have considered the full range of sanctions at its disposal before issuing a fine. In line with the proportionality principle, the DPA can only impose a fine on organisations/people who do not comply with its injunctions.
English Summary
Facts
A bailiff’s office dealing with debt recovery for parking tickets on behalf of the city requested the driver to fill in a form with personal data. The driver filed a complaint for violation of access right (Article 15), obligation to inform (Article 12), proportionality principle and illegal reuse of their data (Article 5 and 6), and minimisation principle.
The Belgian Data Protection Authority considered that the form did not comply with the GDPR, and therefore issued a decision in which it reprimanded the bailiff’s office, ordered it to change its processes to comply with the GDPR and to pay a fine.
The bailiff’s office, disagreeing with the decision, appealed it before the Court of Appeal.
Holding
The Court confirmed its powers in accordance with Article 78 GPDR: the Court can annul and even adopt a new decision in so far as all facts and legal issues were already discussed in front of the APD. The Court can do so in case of a manifest factual or legal error by the APD.
The Court confirmed the violations already noted by the Belgian DPA.
However, the Court of Appeal annulled the fine (and only the fine) on the grounds that the Litigation Chamber abused its powers when inflicting an administrative fine. According to the Court, the Data Protection Authority should consider the full range of sanctions at its disposal before issuing a fine, and only impose a fine on organisations/people who do not comply with its injunctions.
Inflicting an administrative fine as from the first offence was deemed contrary to the proportionality principle, which implies that the sanction must be proportionate to the infringement. In this regard, the Court noted that the DPA confirmed that the violation was not intentional and that the form with the requested personal data at stake was not sent back by the complainant.
Therefore, the Court of Appeal annuls the fine, and considers that the DPA should have instead used other corrective powers. The remaining parts of the Belgian DPA 's decision were upheld.
Comment
The decision of the Court is quite surprising and at odd with the spirit and the letter of the GDPR. This decision might limit to a large extent the powers of the Belgian DPA to issue fines, since it seems to imply that first time offender should not be subject to fines. This is also not in line with the EDPB guidelines on the Guidelines on the application and setting of administrative fines where it is clearly stated that the fines can be imposed in addition to other corrective measures.
It also seems that the Court of Appel applies its previous case-law in other regulatory cases (competition law, electronic communication) without acknowledging that the APD is dealing with fundamental rights and that the corrective measures adopted by the DPAs should be effective, deterrent and dissuasive.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Court of Appeal Brussels - 2021 / AR / 163 p. 2 BECAUSE OF X1 Requesting Party, Having for advice Master Benjamin Docquir (benjamin.docguir@osborneclarke.com) and Maitre ChloePonsart (chloe.ponsart@osborneclarke.com), lawyers, with an established firm a 1050 B ruxelles, Place du Champ de Mars 5. Cantre: THE DATA PROTECTION AUTHORITY, a public body endowed with the legal, created by the law of 3 December 2017, and whose head office is established at 1000 Brussels, Rue de la Presse 35, and registered the Banque-Carrefour des Entreprises under the number 0694.679.950 (hereinafter, the "lntimee", the Data Protection Authority "or the "APD"), Defendant, Advised by Maitre Etienne Kairis (e.kairis@liedekerke.com), and Maitre Francesca Biebuyck (f.biebuyck@liedekerke.com), lawyers, whose firm is established in 1000 Brussels, Boulevard de l'Empereur 3. ****** Having regard to the procedural documents and in particular the decision 81/2020 rendered by the Contentious Chamber of the Protection Authority data on December 23, 2020 (DOS-2019-02751); the appeal brought by X1 against decision 81/2020 dated 20 January 2021; - the timetable for conclusions taken on the basis of article 747, §1 of the Judicial Code; the summary conclusions of X1 of April 8, 2021; the additional conclusions and summary of the APD of April 29, 2021; the files of exhibits filed by the parties, Court of Appeal Brussels-2021 / AR / 163 p. 3 Heard the advice of the parties at the public hearing of May 5, 2021, held in videoconference of the parties agreement. At the date of the hearing, the registry has my disposal of any litigant and any person wishing to attend the debates, the link and the word of pass allowing to participate in the videoconference. I. The DecisionAttaguee X1 is a study by bailiffs established in [...]. She is notably in charge of recovery of parking fees entrusted by the City of [...] the company X2S.A. X2S.A. and X was the subject of a complaint lodged on May 15, 2019 with the ODA introduced through [...]. (hereinafter "the person concerned"). The APD Litigation Chamber rendered the Attacked Decision on December 23, 2020, at end of which, it has decided, with regard to X1 to: Issue (...) a reprimand on the basis of article 100.1, 5 LCA; Issue an order of compliance in terms of information (policy of confidentiality and information clauses) and basic pleasure of the form attached to the ° formal notice of payment on the basis of article 100.1, 9 LCA. He is at this effect requires the second defendant [X1] to communicate to the APD both its confidentiality policy applicable to the processing operations covered by this decision that its information clause (s) as well as the manner in which it intends respond to breaches related to the above form. The communication of these documents must be received within 3 months from the notification of the present decision via the address litigationchamber@apd-gba.be; Impose (...) an administrative fine in the amount of 15,000 euros in application of articles 100.1, 13 and 101 LCA. II. According to the APD, the facts relevant to the examination of the present case can be summarized as follows: 1. X1 is a study of judicial officers located in Brussels who deals, within the framework of its legal prerogatives defined in article 519 of the Judicial Code, in particular of amicable and judicial recovery of debts from its customers. 3 Brussels Court of Appeal -2021 / AR / 163 p. 4 2. The S .A. X2 (hereinafter "X2"} is a company specializing in parking for street, and as such it controls parking in the municipalities in which it is concessionaire of public interest missions. It is part of the Group [...]. X2 is one of X1's clients: the latter takes care of the management of the amicable, and if necessary, judicial recovery of unpaid debts such as parking fees. 3. X2 indicates to have place, dated January 2, 2019, an invitation to pay [...] on the barrier breeze from a vehicle parked in [...] a blue zone without a blue disc affixed or parking authorization. This amount corresponds to the amount of the "Tariff ° [..] "of the Municipal Regulations of [...] of [...] relating to parking in the blue zone n [...] (hereinafter the “Municipal Regulations”}. X2 indicates that it then sent a payment reminder to the person concerned on 24 January 2019, increasing the initial debt by 5 €, in accordance with article [...] of the Regulation Communal. The person concerned denies having found on January 2, 2019 any invitation to pay this fee on their windshield, as well as having received a payment reminder from by X2 4. This payment has not been paid within 15 days of the call of January 24, 2019, X2 transmitted the file of the person concerned to his judicial officer X1, so that he collects the amount claimed. 5. On February 25, 2019, X1 therefore sent the person concerned a formal notice in order to recover the amount claimed (i.e. the amount of the initial fee, plus the delay and bailiff fees, a total of € [..]). The person concerned indicates have received this formal notice on March 1, 2019. This remittance resumes as an annex a form entitled "Form anusreturn "Which specifies in particular" (...) "(Exhibit 1 of the APO file}. 4Brussels-2021 / AR / 163 Court of Appeal p. 5 The form contains fields to be completed with their contact details (surname / first name, date of birth, address, postal code and town, telephone number, mobile phone number, e-mail address mail) and includes three "payment proposals" with, for each of them, a box to hide. 6. The person concerned wrote several times to X2 and X1 to obtain more explanations, indicating never having received an invitation to pay, nor a reminder, and opposing the payment of the royalty. In these writings, she also questioned X1 as to the legal bases allowing him to access the Management of Vehicle registration (the “DIV”) from the SPF Mobilite and the National Register, as well as requests to be able to exercise their right of access to their personal data, in accordance with article 15 of the General Data Protection Regulation (the "GDPR )) 7. on the one hand, and X1, on the other hand, for various breaches of the GDPR (Pieces 1 and 2 last from X2, APD file). On June 6, 2019, she made an addendum to her complaint (Exhibit 3 of the APD). More precisely, under the terms of these complaints, she blamed X1 for being guilty of A breach of his right to information (articles 12 and 14 of the GDPR); A breach of his right of access (article 15 of the GDPR); A breach of Article 28 of the GDPR with regard to its status as a sub treating; A breach of the principles of proportionality and reuse illegal data communicated to it by X2 even though it would not be validly based there (Articles 5 and 6 of the GDPR); and - A breach of the principles of data minimization and the use of enforced consent with regard to the form attached to the formal notice of payment (Articles 5 and 6 of the GDPR). The person concerned also asked the APD that X2 and X1 be condemned to sanction proportionate to the gravity of the facts, taking into account the object and the extent of their professional activity which affects a large number of citizens. She begged in Litigation in order to inform the public of illegal practices in matters of management of parking fees against which he can claim the respect of his rights by data protection matter. 5 Court of Appeal Bruxelles-2021 / AR / 163 p. 6 8. On June 18, 2019, the complaints were declared admissible by the APO and forwarded to the Chamber. APO litigation (Exhibit 4 of the APD file). On July 12, 2019, the Litigation Chamber decided to join the two complaints and to forward to the Inspection Service so that an investigation can be carried out {Exhibit 5 of the ODA). 9. On January 6, 2020, an investigation report is filed by the Inspection Service with the Litigation Chamber (Exhibit 6 of the APD file). The parties were each given the opportunity to submit their observations following the report of the Inspection service. 10. On January 21, 2020, the APD informs the parties of the fact that following the complaint lodged and the findings made by the Inspection Service, it decides to carry out a review of the complaint on the merits (Exhibits 7, 8 and 9 of the APD file). 11. On July 13, 2020, the Litigation Chamber organized a hearing in the presence of the parties, a report was drawn up (Exhibits 10 and 11 of the APD file). 12. Endated on December 23, 2020, the APD issued a decision on the merits (81/2020) against of X1 and X2 (hereinafter the "decision"), in which - it concludes, in the head of X1, has: (i) a breach of its information obligation (Articles 12 and 14 of the GDPR), (ii) a defect in the legal basis with regard to the collection of data under the terms of the form accompanying the formal notice of payment (article 6 of the RGPO) and a breach of the principle of minimization (article 5.1, c) of the GDPR), and (iii) on the basis of the previous breaches ((i) and (ii)), a breach of the obligation to implementation of appropriate technical and organizational measures for the data processing (articles 5.2 and 24.1-2 of the GDPR), - and pronounces the sanctions mentioned above with regard to X1. 13. 6 Brussels Court of Appeal -2021 / AR / 163 p. 7 On January 20, 2021, X1 brought an action before the Marches Court against the decision Attacked. Ill. The legal framework 1. The Attacked Decision of the APD pronounces the sanction of the reprimand with regard to X1 in based on the provisions of Article 100 § 1, 5 LCA, and attaches this claim to a order of settlement in accordance with the form attached to the final payments, and this on the basis of Article 100 § 1, 9 LCA within a period of 3 months from the notification of the decision and an administrative fine in the amount of 15,000.00 euros in application of the Articles 100§1,13 and 101 LCA. 2. Article 100 § 1 LCA is drafted as follows "§1 The contentious chamber has the power to: 1 ° dismiss the complaint; 2 order the dismissal; ° 3 pronounce the suspension of the pronouncement; ° 4 offer a transaction; 5 issue warnings and reprimands; ° 6 order compliance with the requests of the person concerned to exercise these rights; 7 order that the person concerned be informed of the security problem; ° 8 order the freezing, limitation or temporary or definitive prohibition of processing; 7 Brussels Court of Appeal -2021 / AR / 163 p. 8 ° 9 order that the processing be brought into conformity; ° 10 order the rectification, restriction or / 'erasure of data and the notification of these to the data recipients; 11 ° order the withdrawal of accreditation of certification bodies; 12 give on-call penalties; ° 13 issue administrative fines; ° 14 order the suspension of cross-border data flows to another State or to a international body; 15 ° transmit the case to the public prosecutor's office of the Roide Bruxelles, which informs it of the data on file; 16 ° to decide in the event of publication of its decisions on the Internet site of the Protection Authority Datas ° §2. When, after the application of §, 15, the public ministry renounces the initiation of legal proceedings penal, to propose an amicable resolution or penal mediation within the meaning of article 216ter of the Code of Criminal Instruction, or / when the public prosecutor has not taken a decision for a period of six months from the day on which the file is received, the Protection Authority of the data determines whether the administrative procedure should be resumed ”. Article 101 LCA is written as follows: "The contentious chamber may decide to impose an administrative fine on the parties prosecuted in accordance with the general principles referred to a / 'article 83 of Regulation 2016/679 ”. 3. Article 83 of the GDPR is read as follows: "1. Each supervisory authority shall ensure that its administrative fines imposed of this article for violations of these regulations referred to in paragraphs 4, 5 and 6 be, given each cos, effective, proportionate and dissuasive. 2. Based on the specific characteristics of each cos, administrative fines are imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h), and j). To decide whether to impose an administrative fine and to decide on the amount 8 Court of Appeal Bruxelles-2021 / AR / 163 p. 9 of / 'administrative amendment, it is taken into account, in each case, of the elements following: a) the nature, gravity and duration of the breach, taking into account the nature, extent to the purpose of the treatment concerned, as well as the number of affected persons and the level of damage they suffered; (b) the fact that the violation was committed willfully or negligently; c) any measure taken by the controller to the processor to mitigate the damage suffered by the persons concerned; d) the degree of responsibility of those responsible for the processing of the subcontractor, technical and organizational measures that i / s implemented pursuant to Articles25 and 32; e) any relevant breach previously committed by the controller on subcontractor; f) the degree of cooperation established with the control authority with a view to remedying the breach and to mitigate any negative effects; (g) the categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the violation, including whether, and to what extent the data controller has notified the breach; (i) where measures referred to in Article 58 (2) have previously been ordered to / 'against the controller or the processor concerns for the same purpose, the compliance with these measures; j) the application of codes of conduct approved in accordance with article 40 of the mechanisms decertification approved in application of article 42; and k) any other circumstantial aggravating factor applicable to the circumstances of the case, such as the financial benefits obtained at the losses avoided, directly at the indirectly, as a result of the violation. " 4. X1 claims other avers of its various means than the Decision Attackeviole •! Article 14 §5 c) of the GDPR on the concept of exemption from the obligation to inform the controller (first method), • the concept of the free nature of the consent of the person concerned within the meaning of ! 'Article 4 (11) of the GDPR (second means), • the rules for applying the principle of data minimization established by Article 5 § 1, c) of the GDPR (3rd means), • Articles 5 §2 and 24 §§ 1- 2 of the GDPR insofar as they aim at the implementation of measures appropriate technical and organizational principles and the principle of formal motivation (4 medium), 9Brussels-2021 / AR / 163 Court of Appeal p. 10 • Article 83 of the GDPR relating to the justification and proportion of the fine and the principle of formal motivation obligation (average seme). IV. The subject of the appeal 1. At the end of its summary conclusions, X1 asks the Marches Court to: "- Declare the appeal of X1 admissible and found; - Therefore; Mainly, - Annul decision 81/2020 rendered by the Data Protection Authority on 23 December 2020 (decision a quo) against the APE / ante, in that it notes a breach of the obligation to inform, a basic defect that concerns the collection of data under the form accompanying the formal notice payment and a breach of the minimization principle, as well as a breach Articles 5.2. and 24.1-2 of the GDPR; - Order the Data Protection Authority to reimburse the fine administration of an amount of € 15,000.00 paid by X1; and Brussels Court of Appeal - 2021 / AR / 163 p. 11 - Confirm the decision a quo for the rest. In the alternative, - If the Court were to consider that the complaint filed on May 15, 2019 by the person concerned with the Data Protection Authority was founded in part with regard to X1, in any case pronounce a simple reprimand and not a fine. In any case, - Order the lntimee to pay the full costs, including procedural compensation, liquids a1.860,00 € as follows: o Role rights € 400.00 o Contribution to the budget fund € 20.00 o procedural indemnity (basic amount) € 1,440.00 ”. 2. At the end of its summary conclusions, the APD asks the Marches Court to "- Declare X1's requests to annul the decision rendered in that it finds a legal base defect for data collection and a breach of the principle of minimization (2nd and 3rd grievances) inadmissible or in the alternative, unfounded; Declare / s requests by X1 to quash the decision rendered in so far as he / she finds a breach of the information obligation, a breach of Articles 5em and 2 of RGPD, and in that it imposes an administrative fine on X1 {1st, 4th and 5th grievances) unfounded; - Order X1 to pay the full costs of the proceedings, including the procedural indemnity fixed at the basic amount (€ 1,440.00) ”. V. Means invoked by X1 11 Brussels Court of Appeal -2021 / AR / 163 p. 12 X1 develops an introductory argument relating to the jurisdiction of the Marches Court and the admissibility of his complaints and five pleas. They are worded as follows: A. AT A GLANCE: AS REGARDS THE JURISDICTION OF THE COURT OF MARKETS AND GRIEVANCES FROM X1 B. FIRST MEANS: X1 HAS NOT FAILED IN ITS OBLIGATION INFORMATION FOR THE PERSONS CONCERNED C. SECOND MEANS: USE OF THE PAYMENT REQUEST FORM BY X1 STANDS ON A LEGAL BASIS AND ALLOWS A FREE CONSENT FROM THE CONCERNED PERSON D. THIRD SUBMISSION: X1 DID NOT BREACH ARTICLE 5 (1) (() OF THE RGPD (PRINCIPLE OF "DATA MINIMIZATION") IN THE CONTEXT OF USE OF THE PAYMENT REQUEST FORM E. FOURTH SUBMISSION: X1 DID NO BREACH OF ITEMS 5 (2) AND 24 (1) - (2) GDPR F. FIFTH SUBMISSION: THE ADMINISTRATIVE FINE IMPOSED ON THE APPELLANT IS INJUSTIFIED AND DISPROPORTED VI. Means invoked in support of the defense The APD arguments are titled as follows: CLIMINALLY: AS TO THE JURISDICTION OF THE LITIGATION CHAMBER OF THE APO AND OF THE COUR DES MARCHES FIRST SUBMISSION: AS REGARDS THE BREACH OF THE OBLIGATION TO INFORM DATA SUBJECT (ARTICLES 12 AND 14 OF THE GDPR) SECOND MEAN: AS TO OBTAINING A FORCE PERSON'S CONSENT CONCERNED AND THE VIOLATION OF THE PRINCIPLE OF DATA MINIMIZATION IN THE FRAMEWORK THE USE OF THE PAYMENT REQUEST FORM (ARTICLES 6.1, A) AND 5.1, C) GDPR) THIRD SUBMISSION: AS REGARDS COMPLIANCE WITH ARTICLES 5.2 AND 24 OF THE GDPR FOURTH SUBMISSION: AS TO THE ADMINISTRATIVE FINE IMPOSED BY ODA 12 Brussels Court of Appeal - 2021 / AR / 163 p. 13 VII. Admissibility The Attacked Decision was taken by the ODA on December 23, 2020 and was notified by e-mail to X1 the same day. It is not disputed that the petition was filed with the court registry within 30 days. er referred to in article 108 § 1 of the law of 3 December 2017 establishing the Authority Data protection. The appeal is admissible. VIII. Discussion A. As to the scope of the jurisdiction of the Marches Court and the admissibility of certain grievances of the requesting party 1. The parties develop in terms of conclusions of theses in disagreement on the scope of the jurisdiction / jurisdiction of the Marches Court, in particular the question of the scope of full jurisdiction of the Marches Court and its impact on the admissibility of complaints of the requesting party. 2. However, in certain laws which confer jurisdiction on the Marches Court, it is explicitly indicates that the Court will rule in full jurisdiction, this delimitation of jurisdiction is not explicitly mentioned in this case. Article 108 § 1 of the APD law only provides that an appeal against the decisions of the contentious chamber may be form in front of the Marches Court. An appeal to the Marches Court differs from an "ordinary" appeal such as one that can be brought before a court of appeal 1. Article 6 § 1 of the ECHR provides that “Everyone has the right to have his cause heard fairly, publicly and within a reasonable timeframe, by an independent tribunal and impartial, established by the Joi, which will decide, either of the disputes on its rights and obligations of civil character, [... »] With regard to the right to an effective remedy and to a fair trial, article 47 of the charter of the fundamental rights of the European Union provides that "everyone whose rights are and freedoms guaranteed by Union law have been violated has the right to an effective remedy before a court in compliance with the conditions provided for in this article. Everyone has the right to that its cause be heard fairly, publicly and within a reasonable timeframe by a independent and impartial tribunal, established previously by the Joi. [...] " 1Comp. Cour des marches February 19, 2020, 2019 AR 1600. 13 Brussels-2021 / AR / 163 Court of Appeal p. 17 judicial order, he considers it imperative that a legal remedy be instituted by the legislator in order to to guarantee the litigant a remedy before a court forming part of the judicial order. It follows that the Marches Court cannot therefore substitute its decision for that of the administrative only when the Court finds that this decision is illegal or irregular (for example when any principle of good administration would be violated by the decision administrative attack). A manifest error "may" lead to the annulment of the decision. It follows that it belongs the applicant to prove the manifest error of assessment which would have been committed by the contentious chamber of the APD, the illegality of the Attacked Decision or the disregard of the general principles of good administrative management 9 • The motivation required by the law of July 29, 1991 on the explicit motivation of acts administrative matters must include the statement of the legal and factual considerations which constitute the basis of the decision. It follows from these provisions that, in the hypothesis or legality of an administrative decision is based on the taking into account of a certain number of considerations, compliance with the motivation requirement that they provide for to only have to state those on which the decision he has taken is based. 7. This being recalled, the APD is wrong to conclude that certain grievances developed by the claimant party would not be admissible on the ground that the latter would not report proof of a manifest irregularity or illegality but would be content to invoke a error of appreciation on the part of the APD. Article 108 § 1 of the APD law does not contain any provision relating to the admissibility of complaints raised by the complainant. The only admissibility test to which the Court of markets should engage in that of the course introduced. The fact that certain grievances raised by the requesting party are possibly lacking in law or in fact will only lead to on an appreciation of their (non-) foundation. B. As to the first plea of the reguerante party 9Cour des marchesJune 12, 2019, 2019 AR113. 17 Court of Appeal Bruxelles-2021 / AR / 163 p. 18 a) Return of the reguerante party The appellant's thesis can be summarized as follows: "The Data Protection Authority made a first error of law when it decides that X1 could not avail itself of the exception to the information obligation provided for a / 'article 14, §5, (c) of the GDPR. (...) Pursuant to article 14, §5, (c) of the GDPR, the responsibility for processing is exempt from / 'obligation to inform the persons concerned about the processing of their data personal / s when and in the measurement or obtaining or communication of information are expressly provided for by Union law or the law of the Member State to which the controller is subject to and provides for appropriate measures to protect The legitimate interests of the person concerned "(...) Recital 62 of the GDPR leaves no doubt as to the intention of the legislator of the Union of make an exception to / 'information obligation' when recording or communicating data of a personal nature is expressly provided for by the Law "(...) (...) the exemption from information provided for / 'article 14, § 5, (c), of the GDPR, does not create controller a kind of obligation of result with regard to the existence of appropriate guarantees: the definition of the nature, content and extent of these guarantees is left to the national legislator, which necessarily implies that there is a margin of appreciation in the headingsponsab / treatment, quiditsandquedersilecadrelegal is sufficient to justify the exemption. It follows that the Data Protection Authority had to assess quite differently / 'existence of the exemption from information with regard to the applicable legal framework. She had to be ask whether, in the light of the concrete circumstances, it was or was not reasonable for the controller to consider that he could benefit from the exemption of information referred a / 'article 14, 5, (c), of the GDPR. However, she did not make such an assessment, without will in no way justify this regard ”. b) These ODA 18 Court of Appeal Bruxelles-2021 / AR / 163 p. 19 1. The APD mainly concludes that the complaint formulated by the requesting party is inadmissible on the ground that it does not demonstrate the existence of an irregularity or illegality committed by APD. 2. In the alternative, the APD concludes that the exception invoked by the applicant had to be interpreted restrictively and was not applicable in the present case, his complaint being unfounded. c) Decision of the Court 1. The Court refers to the foregoing considerations relating to the extent of its jurisdiction APD accepted the complaints in order to set aside the argument of inadmissibility of the complaint raised by 2. The Court further notes that, in the Attacked Decision, at the end of a statement of reasons consequente {see. points 97 to 104 of the decision), the APD came to the conclusion that the exception to the information obligation invoked by X1 was not applicable in the species. The APD indicated the reasons which led it to conclude that X1 could not avail itself of this exemption: the municipal regulations do not include information on the data processing {"obtaining or communicating information is expressly provided for "), and not providing for" appropriate measures to protect legitimate interests of the person concerned ”, it does not meet, according to the DPA, the criteria provided for by the GDPR for the application of this exception. 3. It is correct that the municipal regulations do not provide information on the processing of data operated in execution of it. X1 does not dispute, moreover, the fact that the municipal regulations concerned do not contain not "appropriate measures to protect the legitimate interests of the person concerned ”, but invokes the fact that these would be implemented by the“ numerous reg / es Jega / es and deontologies framing the profession of bailiff ”which she quotes on pages 18 and 19 of its synthesis conclusions. 4. The interpretation adopted by the APD is based on the fact that in the presence of an exception to a obligation provided for by the RGPD (in this case! the information obligation), it is necessary to interpret this exemption in a restrictive manner. The purpose of the text is to grant a dispensation when the person concerned already has, through national law, the information in question. In the present case, the APD noted that the legal rules invoked by X1 were not, for the most part, by relevant because they had no connection with the processing of the data personal character. 19Brussels-2021 / AR / 163 Court of Appeal p. 20 The APD retained only two laws cited by the applicant as being a priori relevant (! Article 519 of the Judicial Code and Articles 71 and 72 of the Code of Ethics of bailiffs), because they prescribe the necessary guarantees in terms of information to with regard to the litigant in their text, but she then noted that X1 did not demonstrate not have applied in concreto what these texts provide. 5. As has already been recalled, the principle of full jurisdiction should not be interpreted as whether the Cour des Marches offered "a second chance" for the party or parties concerned and as if that the Marches Court could "reexamine the file by making a clean sweep of the departure and reassess the file ”. The Marches Court notes that in this case it has not been demonstrated that by basing its decision on the foregoing analysis, the Litigation Chamber of the APD committed an illegality or error of right or of manifest fact. The appellant's first plea is unfounded. C. As to the second maven of the complainant a) These by the requesting party The appellant's thesis can be summarized as follows: "The Data Protection Authority has a second legal error when it analyzes the free character of consent of the persons concerned about the treatment of gamers given by X1 in the context of / 'use of the form accompanying the formal notice sent to debtors. The formal notice {Exhibit n 3}, of which this form constitutes an annex, puts c / airement in evidence the objective and the optional nature of the latter, indicating that any consultation of the file or request for an audit plan can be made via the study site or by e-mail and that if the person liable for payment wishes to obtain additional information, he can use the form in question. The Data Protection Authority, for its part, considered that this mention does not allow not to overturn its conclusion. However, it should be remembered that the main part (namely the concerned person at the origin of the complaint against X1 before the Authority data protection) had not completed this form 35 We can therefore • reasonably consider that she understood the optional nature of the form and had decides not to complete it despite the wording used on the form and the fact that it emanates of a judicial officer study. 20 Brussels Court of Appeal -2021 / AR / 163 p. 21 The GDPR does not define what is meant by a "manifestation of will fiber" in the sense of its article4 (11). The European legislator has only specified that for the purpose of determining whether consent is given freely, the utmost account should be taken of to know, among other things, whether the execution of a contract, including the provision of a service, is subject to consent to the processing of personal data which is not necessary for the execution of the said contract ". In accordance with the 5/2020 guidelines of the European Committee for data protection on consent, the adjective "fiber" implies that the person concerned has the choice of to consent or not to the processing of their data. Consent will therefore not be considered as freely given if the person concerned is not in a position to refuse or withdraw consent without being prejudiced. The decision of the Data Protection Authority to consider that X1 could not be prevailing consent as the legal basis for processing is therefore based on a incorrect legal qualification of the facts. In other words, the Data Protection Authority, based on the factual evidence in the file, could not infer that debtors were not in a position to freely consent to the processing of data staff / es by X1 ”.- b) These ODA 1. The APD mainly concludes that the complaint formulated by the requesting party is inadmissible on the grounds that it does not demonstrate the existence of an irregularity or unequal equality committed by APD. 2. In the alternative, the APD concludes that the use of the payment by X1 is not based on a legal basis and does not allow obtaining a free consent of the person concerned. c) Decision of the Court 1. The Court refers to the foregoing considerations relating to the extent of its jurisdiction and to the admissibility of the complaints to set aside the argument of inadmissibility of the complaint raised by ODA. 2. As regards the basis of the applicant's complaint, the Cour des marches raised that Article 4.11 of the GDPR defines consent as "any manifestation of will, free, specific, enlightened and unambiguous by which the person concerned accepts, by a declaration or by a positive act c / air, that personal data concerning him / assent subject to processing ”. 21 Court of Appeal Bruxelles-2021 / AR / 163 p. 22 3. According to APD, “The adjective 'fiber' implies real choice and control over people. concerned. Now in this case, as underlined by the APO in its decision, the combination of following items ! the terms used on the form header ("only the form", "duly complete ”) in bold, underlined; the title of the form (“Return form”); the fact that it emanates from a study of judicial officers; the fact that the form is attached to a formal notice; and the fact that the formal notice specifies that payment default in the de / ai, an increase in the amount to be paid will be applied; suggest that there is no alternative to the debtor's supplying the information requested on / edit form. Consent cannot therefore be qualified as "fiber" and is therefore not in accordance with the requirements of article 4.11 of the RGPO. Commesoulignepar / 'APO, It is also necessary to take into account, when determining whether consent is given freely, of the existence of a balance of power relations between the person concerned and the data controller3 4 • The fact that the formal notice sent to the person concerned specifies, at the end of the letter and in smaller type than those shown on the form, "if you wish to obtain additional information, we invite you to use the attached form »ne Obviously not sufficient to characterize the consent of "fiber", in view of the elements mentioned above. before ”. 4. It is not demonstrated by the requesting party that the Attacked Decision, in that it accepts of t these considerations would be based on an illegality, an irregularity or an error manifest. The fact that the person concerned by the decision is a lawyer and that he has not completed and return the said form is irrelevant in this regard, as long as it is not disputed that the disputed form is the one used by X1 in the context of its activities of Debt recovery. Once again, it is not up to the Court of Marches to give to the justiciable, as in a “classic” call, a “second chance” to present one's basic arguments. 22 Brussels Court of Appeal -2021 / AR / 163 p. 23 The appellant's second plea is unfounded. D. As to the third plea of the reguerante part a} These of the reguerante part The argument of the requesting party can be summarized as follows: "The Data Protection Authority has made a third deciding legal error the collection of data through the payment request form, under "Your coordinates ", constitutes a breach of the principle of data minimization (art. 5, §1, (c) of the GDPR) on the sole ground that no asterisk or other mention indicated that the person concerned was free to choose one of the modes of communication proposed by the form and that the provision of certain data was therefore optional. The Data Protection Authority has thus focused all its analysis on / 'the absence asterisks or another statement explicitly indicating the optional nature of some data. However, it is all the specific circumstances which must be assessed in order to determine whether the use of this form ultimately results in excessive data collection personnel by X1 with regard to the purposes of the processing ”. b) These from the APO 1. The APD mainly concludes that the complaint formulated by the requesting party is inadmissible on the ground that it does not demonstrate the existence of an irregularity or illegality committed by APD. 2. In the alternative, the APD concludes that the use of the payment by X1 suggests that all the details of the person being prosecuted should be communicated when not all are necessary. c) Decision of the Court 1. 23 Court of Appeal Bruxelles-2021 / AR / 163 p. 24 The Court refers to the foregoing considerations relating to the extent of its jurisdiction and to the admissibility of the complaints to set aside the argument of inadmissibility of the complaint raised by ODA. 2. As regards the basis of the complainant's complaint, the principle of minimization data is defined in article 5.1 (c) of the GDPR: "1. Data of a personal nature must be: (...) c) adequate, relevant and limited to what is necessary for the purposes of [inalities for which they are processed (data minimization) ”. 3. The Contentious Chamber considered the results of its analysis of the form that the presentation of the data requested under the "coordinates" and the wording used in the form suggest that all the headings must be completed and that there is no no alternative to collecting all the information requested in the table, while considering that all the data included on this form is not necessary for the purpose pursued by X1. According to the APD, it would be enough to provide the postal address, the telephone number, the GSM number or the e-mail address, "all of this cumulative contact data is not required". 4. Once again, it does not appear that this analysis of the contentious chamber would constitute illegality, irregularity or manifest error. The appellant's third plea is unfounded. E. As to the fourth plea of the partiereguerante a) These of the reguerante part The appellant's thesis can be summarized as follows: "The Data Protection Authority has failed in its obligation to formally motivate contenting himself with referring "to the shortcomings retained above {8.2.1. and 8.2.4.}" for 24 Brussels Court of Appeal -2021 / AR / 163 p. 25 conclude that X1 was in default "of having implemented the technical measures and appropriate organizational structure to ensure and be able to demonstrate that data processing which it operates are, in particular taking into account their nature, the context and the purposes I / s pursue, carried out in accordance with the RGPO ". The simple reference to the breaches referred to in sections 8.2.1. and 8.2.4. of the decision Attack does not allow X1 to understand the reasons on which the Protection Authority data was based in order to conc! uure that other infringements (in this case, a breach of Articles 5, §2, and 24, §§1-2 of the RGPO} would have been committed by X1. The Data Protection Authority even contradicted itself since it indicated, given the same decision, that "from May 25, 2018, the second defendant [X1] had a clear and detailed privacy policy and has endeavored to comply with all its obligations under the RGPO, in particular the designation of a OPO "(emphasis added). These two conclusions are for the most part contradictory and required more reasoning. detail from the Data Protection Authority so that X1 can understand! the reasons behind this change of position ”. b) These ODA The APD concludes by the fact that it "made it clear in its decision that it was in support of the arguments provided in this very decision ("donations / 'act"), for / es relative breaches (i) a / the obligation to inform the persons concerned, and (ii) concerning the request for payment and the consent of the person concerned, that they have entered into a breacha / 'article 14.1-2 combined' article 12.3, article 6, article 5.1, c) and articles 5.2 and 24.1-2 of the RGPO. It is therefore not a question of an autonomous failure, but of the consequence other breaches identified by / 'APO. The motivation developed by / 'APO in this regard is based on information and developments already known from X1, to which express reference is made in the text. It certainly allows X1 to understand the factual and legal reasons which led to a / 'adoption of such a decision'. c) Decision of the Court 1. The requirement to state reasons for the administrative act in dispute requires (see article 3 of the law of 29 July 1991 on the explicit motivation of administrative acts) than the motivation as it 25 Court of Appeal Bruxelles-2021 / AR / 163 p. 27 The sufficiency of the motivation means that the motivation must be relevant, i.e. say that it must be clearly linked to the decision, and that it must be substantial, that is to say that the reasons must be sufficient to support the decision. The reasoning must be based on clear and concrete elements these elements must be all the more concrete and precise that the decision deviates from a proposal or an opinion, even if it is not binding. In in such a case, the administrative authority should not limit itself to contradicting the proposition or opinion, but should instead explain why it considers that it cannot follow the arguments on which the body which proposes or advises is based. 17. 4. The main reason for the obligation to state reasons is that the person concerned must be able to find, in the decision concerning itself, the reasons on the basis of which it has been taken in such a way that it appears or at least can be verified whether the authority was based on information which is factually correct, if it has correctly evaluations given and whether it was reasonable to make a decision on the basis of them, so that the person concerned can determine with full knowledge of the cause whether there is place to challenge the decision by appealing for annulment 18 . 5. In application of these principles, it appears that the Attacked Decision is adequately motivated, the requesting party not showing how the motivation should have been "Strengthened" in this case. Indeed, it is the title that the APD concludes with the fact that "in its conclusions, X1 invokes, ace subject, situations like this l / e of a change in attitude of authority. She leans also on a judgment of the Marches Court in which the decision deviated from a proposal or opinion ". However, none of these cases is encountered in this case: it has not been shown that ODA would have made a "turnaround" or "would have departed from a proposal or opinion". Secondly, the Applicant is also wrong to raise an alleged contradiction on the part of the APD, which mentioned in the decision the efforts made by X1 to comply with the obligations arising from the GDPR which it incumbent, while having concluded a breach of Articles 5.2 and 24 of the GDPR. The finding that X1 has complied with the GDPR during the procedure logically follows from the finding of a prior situation of non-compliance. The ODA did not contradict itself by taking into account these efforts, in a second step, in order to assess the height of the sanction which it was incumbent on him to retain against X1. It has not been demonstrated by the applicant that the considerations adopted by the APD would constitute an illegality, an irregularity or a manifest error. The appellant's fourth plea is unfounded. 17 18Conseil d'Et ° t (9th c188.152, November 24, 2008, CDPK 2009, 535; http://www.raadvst-consetat.be. Council of State n 153.326, January 9, 2006, CDPK 2006, 183 and 207; http://www.raadvst-consetat.be. 27 Court of Appeal Bruxelles-2021 / AR / 163 p. 28 F. As to the average fifth of the reguerante part a) These of the reguerante part The appellant's thesis can be summarized as follows: "The Data Protection Authority has failed in its obligation to formally motivate not indicating, in a transparent and substantiated manner, in the Attacked Decision, why a simple reprimand or, at the very least, a fine of less than 15,000 euros would not have sufficient to put an end to the shortcomings observed. The Data Protection Authority has certainly detailed the various elements it has taken into account. account in its decision to impose an administrative fine but has not given reasons why a less / hateful sanction, such as a simple reprimand or, at the very least, a a fine of less than 15,000 euros, would not have been such as to put an end to the offenses. This motivation was all the more necessary as the discounted deterrent effect of the fine no longer had a reason to be. X1 had in fact already committed to providing modifications to its official documents (such as the formal notice or the life policy privee) in order to meet the criticisms addressed by the Data Protection Authority. In addition, the Marches Court has already had the opportunity to point out that it was not bound by the decision of the Data Protection Authority regarding the fine or its amount may substitute its power of appreciation to that of the Data Protection Authority in this which concerns the appropriateness of the sanction a / 'infringement. In the present case, in addition to being inadequately reasoned, it should be noted that the fine imposed by the Data Protection Authority is a / disproportionate in relation to: at. The seriousness of the offense with regard to the non-sensitive nature of the data col / ected through the contested form, reg / es (lega / es et deontological) surrounding the profession of bailiff and the processing of data that they can and / or must achieve in the context of their activities and of the many steps taken by X1 in order to compliance with / 'all the obligations arising from the RGPD Jui incumbent (as / are, and as / 'has re / eve the Data Protection Authority, the update provision of a "clear and detailed confidentiality policy"); b. To the purely theoretical damage because the complainant did not replace contested form; vs. To the financial situation of X1 strongly impacted by the health crisis current. For the foregoing reasons, if the Court were not to set aside the decision under appeal, ii at the very least, to substitute for the financial sanction the simple pronouncement of a reprimanded for / 'all the breaches established judges'. b) These ODA 28 Brussels Court of Appeal -2021 / AR / 163 p. 29 The analysis of ODA can be synthesized as follows: "X1 reproached the APO for having, as for the imposition of a fine, breached his obligation to formal motivation. This means is devoid of any foundation. It should be remembered that article 58.2, i) of the RGPO stipulates that any supervisory authority, such as the APO, has the power to impose an administrative fine under / 'Article 83, "in addition to or instead of the measures referred to in this paragraph, in depending on the characteristics specific to each case ”. Article 83.1 of the RGPO provides that each supervisory authority ensures that fines administrative measures imposed for violations of the RGPO are "effective, proportionate and dissuasive (...). It is indisputable that APO in this case properly gave the reasons for its decision as to / 'Imposition of an administrative fine. It is in effect at the end of long developments (i.e. more than three pages), offering a clear and detailed account of the the Contentious Chamber came to the conclusion that an administrative fine was, in view of of / all the circumstances of the cause, justified in the completion of the reprimand and the order compliance, in accordance with the criteria retained by article 83.2 of the RGPO (see Jes points 167a 181 of the decision). It may also be emphasized that in that it indicates that "if the Court were not to annul in all its provisions the decision undertaken, it is appropriate for all hands to substitute the financial sanction the simple pronouncement of a reprimand for / 'all the breaches judges etab / is ", X1 visibly ignored the scope of the mission and the powers conferred on the Court. Failing to note that the decision would be illegal or irregular, quad not in In this case, the Court is in fact unable to modify the sanction retained ”. c) Decision of the Court 1. The Cour des Marches is referring to what has been set out above as to the requirement of motivation formal. 2. The Court notes that the sanctions imposed on X1 are reasoned as follows in the DecisionAttacke: “165. The Litigation Chamber noted a breach of article 14.1-2 combined with / 'article 12.3a /'article6,a/'article5.1 c) and articles 5.2. and24. 1-2 of the RGPOin the head of the second-defendant [X1] (point 137 above). 166. In view of these shortcomings, the Contentious Chamber addresses ° to the second defendant [X1] a reprimand on the basis of / 'article 100. 1, 5 LCA. 167. The Contentious Chamber also takes action that the second defendant [X1] has, in the terms of its conclusions and / ors / 'hearing, proposed to provide certain modifications 29 Court of Appeal Brussels-2021 / AR / 163 p. 30 in his practice. The Litigation Chamber is in fact of the opinion that a certain number of modifications and measures must in fact be introduced as quickly as possible. the second defendant [X1] to comply with its obligations under the GDPR. P artantly, the Jui Litigation Chamber imposes an order of compliance details to the device in application of article 100. 1, 9 LCA (see in this respect the precision in point 141 above). 168. In addition to this reprimand25 and this order of compliance, the Litigation Chamber is of the opinion that in addition, an administrative fine is justified in this case for reasons below. 169. As to the nature of the violation, the Contentious Chamber finds that with regard to the breach of article 6 of the GDPR (absence of a legal basis) and of article 5.1 c) of the GDPR, ifs constitute breaches of the founding principles of the GDPR (and of the data protection law in general}, or to the principles of / iceity and minimization devoted to Chapter II "Principles" of the GDPR. Certainly the data collected at the end of the form are primarily identification data and do not constitute data sensitive within the meaning of Articles 9 and 10 of the GDPR. Their treatment intervenes, however, as ii will be mentioned in point 176 below, in an “infringement” context. Contentious will take this double consideration into account. 170. As for the infringement of article 14.1-2 combined with article 12.3 of the GDPR, it constitutes a violation of the rights of the persons concerned - notwithstanding the existence of a confidentiality, moreover, which the Litigation Chamber is aware of and of which it holds account (point 179}. The right to / "information has been strengthened under the terms of the GDPR, which testifies to its particular importance. The Data Protection Authority has, in this perspective, inscribes respect for the rights of the persons concerned with the priority authority in its strategic plan 2020-202526. Appropriate corrective action / sanction is not hands determined on a case-by-case basis. 171. Finally, as regards the breach of article 5.2. and 24. 1-2 of the GDPR, it is also constitutive a breach of the key principle of accountability, introduced by the GDPR. 172. Pursuant to article 83.5 a) of the GDPR, violations of all these provisions may up to 20,000,000 euros or in the case of a company, up to 4% of the turnover total worldwide annual business of the previous year. The maximum fine amounts that may be applicable in the event of violation of these provisions are greater than those provided for for other types of breaches listed in article 83.4. of the GDPR. is about breach of a fundamental right, enshrined in Article 8 of the Charter of Rights fundamentals of the European Union, / 'appreciation of their severity will be, such as the Litigation Chamber has already had the opportunity to submit it, in support of Article 83.2.a) of GDPR, autonomously. 173. According to the reaction that she / he sent to the Contentious Chamber in response to the form of the envisaged fine, the second defendant [X1] states that the crisis health related to the covid-19 virus pandemic hit extremely hard the profession of judicial officer. The forced suspension of the p / upart of the activities of bailiffs (whose execution measures) led the second defendant [X1] to have put some of its staff on technical unemployment. The second defendant [X1] estimates that its future turnover for 2020 and 2021 will, moreover, be disproportionate with that of the past years. 30 Court of Appeal Brussels 2021 / AR / 163p. 31 174. As to the number of affected persons affected by the violations, the Chamber Litigation re / eve that the breaches noted concern, beyond complainant, a large number of people. the second defendant [X1] is not assuredly a multinational company but a beige SME. the second defendant [X1] is not not hands a study of benchmark bailiffs in Belgium, with strong experience [...] years and which has [...] deco / laborers. 175. In view of the fact that / these shortcomings are part of the practice of the second defendant [X1], the number of people potentially concerned is at the height of number of persons whose second defendant [X1] processes data within the framework of the exercise of its amicable collection missions, i.e. a large number, even if the Amicable debt collection does not constitute, which the Litigation Chamber is aware of, part of the activities of the second defendant. 176. As to the quality of the second defendant [X1], the Litigation Chamber recalls that in previous decisions, it has retained the status of public representative of the responsible treatment as an aggravating factor within the meaning of Article 83.2. k) of the GDPR28. the second defendant [X1] is in particular a ministerial official with a public authority, which can exercise so-called "monopolistic" powers, which are conferred by the Joi. As a liberal profession, the judicial officer exercises a number of extrajudicial activities including amicable debt collection. the function is regulated and the bailiffs are appointed by the King. their number is limited. With regard to this status, the second defendant [X1] must adopt an exemplary attitude whatever the cap with / with which she carries out her missions. the "infringement" context within the framework of which the data processing that it operates also requires, having regard to for their purpose, a particularly rigorous respect for the rights of individuals concerned. data processing is a substantial part of the business of the second defendant. 177. As to the criterion of duration, the Non-Competent Chamber notes that these shortcomings last as long as they are part of the practices of the second defendant (article 83. 1 a} of the RGPD) at all hands since January 2019 ”. 2. Article 83 of the GDPR provides in its first point that each supervisory authority ensures that that the administrative fines imposed for breaches of the rules are, within each case, effective, proportionate and dissuasive. In its article 100, the law of 3 December 2017 establishing the Authority for the protection of data (APD law) lists the possible sanctions. The contentious chamber has the power to classify the complaint without further action; to order the non-place; to pronounce the suspension of the pronouncement; to propose a transaction; to formulate warnings and reprimands; to order to comply with the person's requests concerns exercising these rights; to order that the interested party be informed of the security; order the freezing, limitation or temporary or definitive prohibition of treatment; to order that the processing be brought into conformity; to order the rectification, restriction or erasure of data and notification thereof to recipients of data; order the withdrawal of accreditation of certification bodies; to give 31 Brussels Court of Appeal 21 / AR / 163 p. 32 has streinte; to issue administrative fines; order the suspension of flows data transborder to another or an international organization; to transmit the file to the public prosecutor's office of Brussels, who informs them of the follow-up given to the folder; decide on a case-by-case basis to publish its decisions on the website of the Authority Data protection. The faculty to impose an administrative fine is only the thirteenth sanction in ! 'legal enumeration. The fundamental aim of European legislation is not to sanction in the form in imposing fines for the breach of the prescribed, the goal is protection Datas. The aim is therefore to protect data, not to punish at all costs. the least offense. 3. The fact that the shortcomings observed concern fundamental principles for which higher fines are not an argument to adjust the proportionality. The nature of the activities of the requesting party is certainly an element which it can be held account to appreciate the height of the action, but do so in previous decisions the Litigation Chamber took into account the status of "public representative" of the responsible for treatment as an "aggravating factor" cannot be that it cannot be admitted that this "case law" apparently relating to elected officials is applied in parallel to the holder of a judicial officer charge. The contentious chamber is an organ of an administrative authority which is not based on establish some binding "case law", but must take its Caucasian decisions by case, the publication of the decisions on the APO website should be sufficient to ensure informing "public officials" of the need to comply with the provisions legal data protection. It is not admissible that a "tariff" of sanctions are applicable to certain professions, each litigant having the right to personalize elements specific to his file, without any elements of appreciation drawn other files interfere in the treatment of his case. The argument drawn by the Litigation Chamber from the "duration of the breaches observed" also lack of relevance to justify the amount of the fine retained. The Court recalls that the complaint against the complaining party concerns a single fact, circumscribed in time. The failure noted in the processing of the data is also theoretical since it is not contested that any person concerned has not returned the form contentious is referred to by its complaint. It cannot be argued in this context of considerations general linked to the fact that the requesting party has been active for many years and employs a large number of employees to justify the proportionality of the fine. 4. The Court further raises the following points from the Attacked Decision, again with regard to the motivation for the chosen action (La Coursouligne and accentuates) "178. As to the question of knowing whether the breaches were committed deliberately or by negligence (art. 83.2.b} of the GDPR), the Contentious Chamber considers that they have not been released. It also accepts the fact that from May 25, 2018, the second defendant [X1 a 32Court of Appeal Brussels -2021 / AR / 163p. 33 c / ary and detailed privacy policy and has endeavored to comply with all its obligations under the GDPR, in particular the appointment of a DPO. She contacted specialized consultants for this purpose, notwithstanding the announcements. made by the National Chamber of Judicial Officers which indicated that he / she has put in in place of concrete measures to accompany and help studies which, in fine, was not the case. 179. Finally, the second defendant [X1] was cooperative and concerned with modify his practices during the proceedings (in terms of its conclusions and / or the hearing). The Litigation Chamber in taking note. (see in this respect the precision in point 141 above) ”. 5. The Cour des Marches does not criticize the policy of the ODA contentious chamber, but the the fact that it did not consider the possibilities of achieving the aim pursued by the legislation European (as implemented in beige law) by another decision (provided for explicitly in article 100 points 3 to 12 of the APD law and especially points 5 and 9 of which it also applied in this case) when it had observed a series of elements which demonstrate that the applicant has in no way manifested its intention to ignore the principles of protection of personal data but that, on the contrary, the violation that it committed is the result of negligence or rather a simple inadvertence, when the requesting party had made arrangements in 2018, noted by the Chamber contentious, hoping to comply with the legislation, and that it quickly rectified the situation during the procedure. 6. The foregoing observation cannot be interpreted otherwise than as a misappropriation of power, that is to say, the use by an administrative authority of its power for another purpose than that for which it was granted, in the head of the contentious chamber of the APD. An attitude tending to impose a fine on the first offense committed by inadvertently, does not correspond to the principles that govern the matter, insofar as the litigation chamber of the APD has a complete repressive chain allowing it to carry out checks, the consequences of which (if the infringement is established) may the warning has the financial penalty or not. Violations should be punished gradually and according to their gravity. For exemple: • Step 1: Warning or formal notice from the offending company with a reminder of the duty to ensure compliance of processing of sensitive data with the GDPR • Step 2: injunction to cease the violation • Step 3 (in certain cases): Limitation or temporary suspension of treatment data • Step 4: Administrative sanctions in the event of non-compliance with the rules of the GDPR. 33 Brussels Court of Appeal -2021 / AR / 163 p. 34 The penalties provided for in the GDPR should therefore in fact only be the ultimate to which those prosecuted are exposed if they do not follow the instructions of the ODA. The DPA must also ensure that the administrative sanctions provided for in the event of GDPR breaches are effective, proportional and dissuasive. inflict first offense, an administrative fine violated the principle of proportionality of the sanction in relation to the infringement. The contentious chamber, while it is in its motivation! the absence of deliberate character of the breaches observed and the real concern of requesting party to modify its practices to bring them into compliance with the GDPR, omits obviously to take into account the need for proportionality which includes in particular the taking into account the presumption of good faith which must be enjoyed by the requesting party. 7. In this case, it is by no means demonstrated that the reprimand and the order of compliance inflicted elsewhere on X1 would not have been sufficient to ensure the finality of the proceedings. By inflicting immediately, in this case, an administrative fine - the amount of 15,000.00 euros is in itself very consistent in the head of an SME - in addition to the two measures already cited, the Contentious Chamber disregarded the fundamental principles of proportionality of the sanction. 8. The object of the appeal brought by the applicant is, in the alternative, to: "If the Court were to consider that the complaint filed on May 15, 2019 by the person concerned was founded in part with regard to X1, pronounce in any case a simple reprimand and not a fine ”. Taking into account the foregoing reasons, the Attacked Decision will be annulled, but only in that it imposes a fine of 15,000.00 euros on X1. IX. The costs In accordance with article 1017, paragraph 1, of the Judicial Code, the APD is ordered to pay the costs, liquid at 1,440 € (compensation for procedure-case not assessable in money). 34 Brussels Court of Appeal -2021 / AR / 163 p. 35 FOR THESE REASONS, THE COURTYARD, Having regard to the provisions of the law of June 15, 1935 on the use of languages in judicial matters, Ruling contradictorily, Receives the appeal, and says it grounds to the following extent: Annuls Decision n ° 81/2020 pronounced by the Contentious Chamber of the Authority of Data Protection on December 23, 2020 (DOS-2019-02751) insofar as it imposes a fine of 15,000.00 euros at X1 on the basis of articles 100, 13 and 101 of the law of 3 December 2 017 establishing the Data Protection Authority ("LCA") as well that! 'article 83 of the GDPR. Orders the Data Protection Authority to pay the costs, including compensation for procedure of 1.440 euros. Orders the Data Protection Authority to pay the filing fee before the court of appeal (€ 400.00) to the FPS FINANCES, in accordance with article 269 2 § 1, of the French registration, mortgage and graft fees. ***** 35