Court of Appeal of Brussels - 2021/AR/163: Difference between revisions

From GDPRhub
 
(One intermediate revision by the same user not shown)
Line 5: Line 5:
|Courtlogo=Courts_logo1.png
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=CA
|Court_Abbrevation=CA
|Court_With_Country=Cour d'appel de Bruxelles/ Hof van beroep Brussel (Belgium)
|Court_With_Country=Court of Appeal of Brussels (Belgium)


|Case_Number_Name=2021/AR/163
|Case_Number_Name=2021/AR/163

Latest revision as of 08:59, 20 August 2021

CA - 2021/AR/163
Courts logo1.png
Court: Court of Appeal of Brussels (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 83 GDPR
Decided: 26.05.2021
Published:
Parties:
National Case Number/Name: 2021/AR/163
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): French
Original Source: autoriteprotectiondonnees.be (in French)
Initial Contributor: n/a

The Court of Appeal of Brussels annulled a fine issued by the Belgian DPA, finding that the DPA should have considered the full range of sanctions at its disposal before issuing a fine. In line with the proportionality principle, the DPA can only impose a fine on organisations/people who do not comply with its injunctions.  

English Summary

Facts

A bailiff’s office dealing with debt recovery for parking tickets on behalf of the city requested the driver to fill in a form with personal data. The driver filed a complaint for violation of access right (Article 15), obligation to inform (Article 12), proportionality principle and illegal reuse of their data (Article 5 and 6), and minimisation principle.

The Belgian Data Protection Authority considered that the form did not comply with the GDPR, and therefore issued a decision in which it reprimanded the bailiff’s office, ordered it to change its processes to comply with the GDPR and to pay a fine.

The bailiff’s office, disagreeing with the decision, appealed it before the Court of Appeal.

Holding

The Court confirmed its powers in accordance with Article 78 GPDR: the Court can annul and even adopt a new decision in so far as all facts and legal issues were already discussed in front of the APD. The Court can do so in case of a manifest factual or legal error by the APD.

The Court confirmed the violations already noted by the Belgian DPA.

However, the Court of Appeal annulled the fine (and only the fine) on the grounds that the Litigation Chamber abused its powers when inflicting an administrative fine. According to the Court, the Data Protection Authority should consider the full range of sanctions at its disposal before issuing a fine, and only impose a fine on organisations/people who do not comply with its injunctions.

Inflicting an administrative fine as from the first offence was deemed contrary to the proportionality principle, which implies that the sanction must be proportionate to the infringement. In this regard, the Court noted that the DPA confirmed that the violation was not intentional and that the form with the requested personal data at stake was not sent back by the complainant.

Therefore, the Court of Appeal annuls the fine, and considers that the DPA should have instead used other corrective powers. The remaining parts of the Belgian DPA 's decision were upheld.

Comment

The decision of the Court is quite surprising and at odd with the spirit and the letter of the GDPR. This decision might limit to a large extent the powers of the Belgian DPA to issue fines, since it seems to imply that first time offender should not be subject to fines. This is also not in line with the EDPB guidelines on the Guidelines on the application and setting of administrative fines where it is clearly stated that the fines can be imposed in addition to other corrective measures.

It also seems that the Court of Appel applies its previous case-law in other regulatory cases (competition law, electronic communication) without acknowledging that the APD is dealing with fundamental rights and that the corrective measures adopted by the DPAs should be effective, deterrent and dissuasive.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Court of Appeal Brussels - 2021 / AR / 163 p. 2



BECAUSE OF

X1

Requesting Party,

Having for advice Master Benjamin Docquir (benjamin.docguir@osborneclarke.com) and
Maitre ChloePonsart (chloe.ponsart@osborneclarke.com), lawyers, with an established firm

a 1050 B ruxelles, Place du Champ de Mars 5.


Cantre:



THE DATA PROTECTION AUTHORITY, a public body endowed with the
legal, created by the law of 3 December 2017, and whose head office is established at 1000
Brussels, Rue de la Presse 35, and registered the Banque-Carrefour des Entreprises under the
number 0694.679.950 (hereinafter, the "lntimee", the Data Protection Authority "or
the "APD"),


Defendant,


Advised by Maitre Etienne Kairis (e.kairis@liedekerke.com), and Maitre Francesca
Biebuyck (f.biebuyck@liedekerke.com), lawyers, whose firm is established in 1000 Brussels,
Boulevard de l'Empereur 3.



                                            ******



Having regard to the procedural documents and in particular




           the decision 81/2020 rendered by the Contentious Chamber of the Protection Authority

           data on December 23, 2020 (DOS-2019-02751);

           the appeal brought by X1 against decision 81/2020 dated 20
           January 2021;
        - the timetable for conclusions taken on the basis of article 747, §1 of the Judicial Code;


           the summary conclusions of X1 of April 8, 2021;

           the additional conclusions and summary of the APD of April 29, 2021;

           the files of exhibits filed by the parties, Court of Appeal Brussels-2021 / AR / 163 p. 3


 Heard the advice of the parties at the public hearing of May 5, 2021, held in
 videoconference of the parties agreement. At the date of the hearing, the registry has my disposal
 of any litigant and any person wishing to attend the debates, the link and the word of
 pass allowing to participate in the videoconference.



    I. The DecisionAttaguee

 X1 is a study by bailiffs established in [...]. She is notably in charge of

 recovery of parking fees entrusted by the City of [...] the company X2S.A.

 X2S.A. and X was the subject of a complaint lodged on May 15, 2019 with the ODA introduced

 through [...]. (hereinafter "the person concerned").


 The APD Litigation Chamber rendered the Attacked Decision on December 23, 2020, at
 end of which, it has decided, with regard to X1 to:



            Issue (...) a reprimand on the basis of article 100.1, 5 LCA;


            Issue an order of compliance in terms of information (policy of
           confidentiality and information clauses) and basic pleasure of the form attached to the
                                                                                  °
            formal notice of payment on the basis of article 100.1, 9 LCA. He is at

            this effect requires the second defendant [X1] to communicate to the APD
            both its confidentiality policy applicable to the processing operations covered by this
            decision that its information clause (s) as well as the manner in which it intends
            respond to breaches related to the above form. The
            communication of these

            documents must be received within 3 months from the notification of the
           present decision via the address litigationchamber@apd-gba.be;


            Impose (...) an administrative fine in the amount of 15,000 euros in
            application of articles 100.1, 13 and 101 LCA.


    II.

According to the APD, the facts relevant to the examination of the present case can be summarized
as follows:

 1.

 X1 is a study of judicial officers located in Brussels who deals, within the framework of its

legal prerogatives defined in article 519 of the Judicial Code, in particular of
amicable and judicial recovery of debts from its customers.



                                                                                              3 Brussels Court of Appeal -2021 / AR / 163 p. 4





2.

The S .A. X2 (hereinafter "X2"} is a company specializing in parking for

street, and as such it controls parking in the municipalities in which it is
concessionaire of public interest missions. It is part of the Group [...].

X2 is one of X1's clients: the latter takes care of the management of the
amicable, and if necessary, judicial recovery of unpaid debts such as
parking fees.

3.

X2 indicates to have place, dated January 2, 2019, an invitation to pay [...] on the barrier
breeze from a vehicle parked in [...] a blue zone without a blue disc affixed or

parking authorization. This amount corresponds to the amount of the "Tariff °
[..] "of the Municipal Regulations of [...] of [...] relating to parking in the blue zone n [...]
(hereinafter the “Municipal Regulations”}.

X2 indicates that it then sent a payment reminder to the person concerned on 24
January 2019, increasing the initial debt by 5 €, in accordance with article [...] of the Regulation
Communal.

The person concerned denies having found on January 2, 2019 any invitation to
pay this fee on their windshield, as well as having received a payment reminder from

by X2

4.

This payment has not been paid within 15 days of the call of January 24, 2019, X2
transmitted the file of the person concerned to his judicial officer X1, so that he
collects the amount claimed.



5.

On February 25, 2019, X1 therefore sent the person concerned a formal notice in order to
recover the amount claimed (i.e. the amount of the initial fee, plus the
delay and bailiff fees, a total of € [..]). The person concerned indicates
have received this formal notice on March 1, 2019.

This remittance resumes as an annex a form entitled "Form anusreturn


"Which specifies in particular" (...) "(Exhibit 1 of the APO file}.




                                                                                              4Brussels-2021 / AR / 163 Court of Appeal p. 5


 The form contains fields to be completed with their contact details (surname / first name, date of
birth, address, postal code and town, telephone number, mobile phone number, e-mail address
mail) and includes three "payment proposals" with, for each of them, a box
to hide.



6.

The person concerned wrote several times to X2 and X1 to obtain more
explanations, indicating never having received an invitation to pay, nor a reminder, and
opposing the payment of the royalty. In these writings, she also questioned X1
as to the legal bases allowing him to access the Management of
Vehicle registration (the “DIV”) from the SPF Mobilite and the National Register, as well as
requests to be able to exercise their right of access to their personal data,
in accordance with article 15 of the General Data Protection Regulation (the "GDPR
))

7.

on the one hand, and X1, on the other hand, for various breaches of the GDPR (Pieces 1 and 2 last from X2,

APD file). On June 6, 2019, she made an addendum to her complaint (Exhibit 3 of the
APD).
More precisely, under the terms of these complaints, she blamed X1 for being guilty
of

                   A breach of his right to information (articles 12 and 14 of the GDPR);

                   A breach of his right of access (article 15 of the GDPR);

                   A breach of Article 28 of the GDPR with regard to its status as a sub
               treating;
                   A breach of the principles of proportionality and reuse

                   illegal data communicated to it by X2 even though it
                   would not be validly based there (Articles 5 and 6 of the GDPR); and
               - A breach of the principles of data minimization and the use of
                  enforced consent with regard to the form attached to the formal notice of
                  payment (Articles 5 and 6 of the GDPR).

The person concerned also asked the APD that X2 and X1 be condemned to
sanction proportionate to the gravity of the facts, taking into account the object and the extent of their
professional activity which affects a large number of citizens. She begged in

Litigation in order to inform the public of illegal practices in matters of management of

parking fees against which he can claim the respect of his rights by
data protection matter.

                                                                                             5 Court of Appeal Bruxelles-2021 / AR / 163 p. 6


8.

On June 18, 2019, the complaints were declared admissible by the APO and forwarded to the Chamber.
APO litigation (Exhibit 4 of the APD file).

On July 12, 2019, the Litigation Chamber decided to join the two complaints and to
forward to the Inspection Service so that an investigation can be carried out {Exhibit 5 of the

ODA).



9.


On January 6, 2020, an investigation report is filed by the Inspection Service with the
Litigation Chamber (Exhibit 6 of the APD file).

The parties were each given the opportunity to submit their observations following the report of the

Inspection service.

10.

On January 21, 2020, the APD informs the parties of the fact that following the complaint lodged and the
findings made by the Inspection Service, it decides to carry out a review of the
complaint on the merits (Exhibits 7, 8 and 9 of the APD file).

11.

On July 13, 2020, the Litigation Chamber organized a hearing in the presence of the parties,
a report was drawn up (Exhibits 10 and 11 of the APD file).

12.

Endated on December 23, 2020, the APD issued a decision on the merits (81/2020) against

of X1 and X2 (hereinafter the "decision"), in which
        -
            it concludes, in the head of X1, has:

(i) a breach of its information obligation (Articles 12 and 14 of the GDPR),
(ii) a defect in the legal basis with regard to the collection of data under the terms of the
        form accompanying the formal notice of payment (article 6 of the RGPO) and a
        breach of the principle of minimization (article 5.1, c) of the GDPR), and
(iii) on the basis of the previous breaches ((i) and (ii)), a breach of the obligation to

        implementation of appropriate technical and organizational measures for the
        data processing (articles 5.2 and 24.1-2 of the GDPR),

        - and pronounces the sanctions mentioned above with regard to X1.

13.


                                                                                                  6 Brussels Court of Appeal -2021 / AR / 163 p. 7


On January 20, 2021, X1 brought an action before the Marches Court against the
decision Attacked.
















    Ill. The legal framework


1.

The Attacked Decision of the APD pronounces the sanction of the reprimand with regard to X1 in
based on the provisions of Article 100 § 1, 5 LCA, and attaches this claim to a

order of settlement in accordance with the form attached to the final payments, and this
on the basis of Article 100 § 1, 9 LCA within a period of 3 months from the notification of the

decision and an administrative fine in the amount of 15,000.00 euros in application of the
Articles 100§1,13 and 101 LCA.

2.

Article 100 § 1 LCA is drafted as follows

"§1 The contentious chamber has the power to:

 1 ° dismiss the complaint;

 2 order the dismissal;

  °
 3 pronounce the suspension of the pronouncement;
  °
 4 offer a transaction;


 5 issue warnings and reprimands;


   °
 6 order compliance with the requests of the person concerned to exercise these rights;


 7 order that the person concerned be informed of the security problem;


   °
 8 order the freezing, limitation or temporary or definitive prohibition of processing;

                                                                                                           7 Brussels Court of Appeal -2021 / AR / 163 p. 8


   °
  9 order that the processing be brought into conformity;

     °
  10 order the rectification, restriction or / 'erasure of data and the notification of
 these to the data recipients;


  11 ° order the withdrawal of accreditation of certification bodies;


  12 give on-call penalties;


     °
  13 issue administrative fines;

     °
  14 order the suspension of cross-border data flows to another State or to a
international body;


  15 ° transmit the case to the public prosecutor's office of the Roide Bruxelles, which informs it of the
data on file;


  16 ° to decide in the event of publication of its decisions on the Internet site of the Protection Authority

Datas
                                           °
 §2. When, after the application of §, 15, the public ministry renounces the initiation of legal proceedings
penal, to propose an amicable resolution or penal mediation within the meaning of article
216ter of the Code of Criminal Instruction, or / when the public prosecutor has not taken a decision
for a period of six months from the day on which the file is received, the Protection Authority

of the data determines whether the administrative procedure should be resumed ”.
 Article 101 LCA is written as follows: "The contentious chamber may decide

to impose an administrative fine on the parties prosecuted in accordance with the general principles referred to
a / 'article 83 of Regulation 2016/679 ”.

3.

Article 83 of the GDPR is read as follows:
"1. Each supervisory authority shall ensure that its administrative fines imposed

of this article for violations of these regulations referred to in paragraphs 4, 5 and 6
be, given each cos, effective, proportionate and dissuasive.
2. Based on the specific characteristics of each cos, administrative fines are imposed

in addition to or instead of the measures referred to in Article 58 (2) (a) to (h), and
j). To decide whether to impose an administrative fine and to decide on the amount


                                                                                                 8 Court of Appeal Bruxelles-2021 / AR / 163 p. 9

of / 'administrative amendment, it is taken into account, in each case, of the elements

following:
a) the nature, gravity and duration of the breach, taking into account the nature, extent to
  the purpose of the treatment concerned, as well as the number of affected persons and

  the level of damage they suffered;
(b) the fact that the violation was committed willfully or negligently;

c) any measure taken by the controller to the processor to mitigate the
  damage suffered by the persons concerned;

d) the degree of responsibility of those responsible for the processing of the subcontractor,
  technical and organizational measures that i / s implemented pursuant to Articles25
  and 32;

e) any relevant breach previously committed by the controller on
  subcontractor;

f) the degree of cooperation established with the control authority with a view to remedying the breach and
  to mitigate any negative effects;

(g) the categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the violation, including whether, and
  to what extent the data controller has notified the breach;

(i) where measures referred to in Article 58 (2) have previously been ordered to
 / 'against the controller or the processor concerns for the same purpose, the
 compliance with these measures;

j) the application of codes of conduct approved in accordance with article 40 of the mechanisms
  decertification approved in application of article 42; and

k) any other circumstantial aggravating factor applicable to the circumstances of the case,
  such as the financial benefits obtained at the losses avoided, directly at the
  indirectly, as a result of the violation. "

4.

X1 claims other avers of its various means than the Decision Attackeviole

    •! Article 14 §5 c) of the GDPR on the concept of exemption from the obligation to inform the
        controller (first method),

    • the concept of the free nature of the consent of the person concerned within the meaning of
        ! 'Article 4 (11) of the GDPR (second means),

    • the rules for applying the principle of data minimization established by Article 5
        § 1, c) of the GDPR (3rd means),

    • Articles 5 §2 and 24 §§ 1- 2 of the GDPR insofar as they aim at the implementation of measures

        appropriate technical and organizational principles and the principle of formal motivation
        (4 medium),

                                                                                               9Brussels-2021 / AR / 163 Court of Appeal p. 10


    • Article 83 of the GDPR relating to the justification and proportion of the fine and the
        principle of formal motivation obligation (average seme).

























    IV. The subject of the appeal

1.

At the end of its summary conclusions, X1 asks the Marches Court to:


     "- Declare the appeal of X1 admissible and found;

    -  Therefore;

 Mainly,


    - Annul decision 81/2020 rendered by the Data Protection Authority on 23
        December 2020 (decision a quo) against the APE / ante, in that it notes a

        breach of the obligation to inform, a basic defect that concerns
        the collection of data under the form accompanying the formal notice
        payment and a breach of the minimization principle, as well as a breach
        Articles 5.2. and 24.1-2 of the GDPR;


    - Order the Data Protection Authority to reimburse the fine
        administration of an amount of € 15,000.00 paid by X1; and Brussels Court of Appeal - 2021 / AR / 163 p. 11


     -
        Confirm the decision a quo for the rest.




     In the alternative,

     -
       If the Court were to consider that the complaint filed on May 15, 2019 by the
        person concerned with the Data Protection Authority was founded in
        part with regard to X1, in any case pronounce a simple
        reprimand and not a fine.


 In any case,

     - Order the lntimee to pay the full costs, including procedural compensation,
        liquids a1.860,00 € as follows:


            o Role rights € 400.00
            o Contribution to the budget fund € 20.00
            o procedural indemnity (basic amount) € 1,440.00 ”.






2.

At the end of its summary conclusions, the APD asks the Marches Court to



"- Declare X1's requests to annul the decision rendered in that it finds
    a legal base defect for data collection and a breach of the principle of
    minimization (2nd and 3rd grievances) inadmissible or in the alternative, unfounded;

    Declare / s requests by X1 to quash the decision rendered in so far as he / she finds a

    breach of the information obligation, a breach of Articles 5em and 2 of
    RGPD, and in that it imposes an administrative fine on X1 {1st, 4th and 5th grievances)
    unfounded;
- Order X1 to pay the full costs of the proceedings, including the procedural indemnity

    fixed at the basic amount (€ 1,440.00) ”.


    V. Means invoked by X1


                                                                                            11 Brussels Court of Appeal -2021 / AR / 163 p. 12

X1 develops an introductory argument relating to the jurisdiction of the Marches Court and

the admissibility of his complaints and five pleas.
They are worded as follows:

   A. AT A GLANCE: AS REGARDS THE JURISDICTION OF THE COURT OF MARKETS AND
      GRIEVANCES FROM X1



   B. FIRST MEANS: X1 HAS NOT FAILED IN ITS OBLIGATION
   INFORMATION FOR THE PERSONS CONCERNED


   C. SECOND MEANS: USE OF THE PAYMENT REQUEST FORM BY
   X1 STANDS ON A LEGAL BASIS AND ALLOWS A FREE CONSENT FROM THE
   CONCERNED PERSON

   D. THIRD SUBMISSION: X1 DID NOT BREACH ARTICLE 5 (1) (() OF THE

   RGPD (PRINCIPLE OF "DATA MINIMIZATION") IN THE CONTEXT OF
   USE OF THE PAYMENT REQUEST FORM

   E. FOURTH SUBMISSION: X1 DID NO BREACH OF ITEMS
   5 (2) AND 24 (1) - (2) GDPR


   F. FIFTH SUBMISSION: THE ADMINISTRATIVE FINE IMPOSED ON THE APPELLANT IS
   INJUSTIFIED AND DISPROPORTED





   VI. Means invoked in support of the defense

The APD arguments are titled as follows:


CLIMINALLY: AS TO THE JURISDICTION OF THE LITIGATION CHAMBER OF THE APO AND
OF THE COUR DES MARCHES

FIRST SUBMISSION: AS REGARDS THE BREACH OF THE OBLIGATION TO INFORM
DATA SUBJECT (ARTICLES 12 AND 14 OF THE GDPR)

SECOND MEAN: AS TO OBTAINING A FORCE PERSON'S CONSENT
CONCERNED AND THE VIOLATION OF THE PRINCIPLE OF DATA MINIMIZATION IN THE FRAMEWORK
THE USE OF THE PAYMENT REQUEST FORM (ARTICLES 6.1, A) AND 5.1, C)
GDPR)

THIRD SUBMISSION: AS REGARDS COMPLIANCE WITH ARTICLES 5.2 AND 24 OF THE GDPR


FOURTH SUBMISSION: AS TO THE ADMINISTRATIVE FINE IMPOSED BY ODA

                                                                                   12 Brussels Court of Appeal - 2021 / AR / 163 p. 13



    VII. Admissibility


The Attacked Decision was taken by the ODA on December 23, 2020 and was notified by
e-mail to X1 the same day.


It is not disputed that the petition was filed with the court registry within 30 days.
                          er
referred to in article 108 § 1 of the law of 3 December 2017 establishing the Authority
Data protection.

The appeal is admissible.


    VIII. Discussion

    A. As to the scope of the jurisdiction of the Marches Court and the admissibility of
        certain grievances of the requesting party

1.
The parties develop in terms of conclusions of theses in disagreement on the scope of the
jurisdiction / jurisdiction of the Marches Court, in particular the question of the scope of

full jurisdiction of the Marches Court and its impact on the admissibility of complaints
of the requesting party.

2.
However, in certain laws which confer jurisdiction on the Marches Court, it is

explicitly indicates that the Court will rule in full jurisdiction, this delimitation of
jurisdiction is not explicitly mentioned in this case. Article 108 § 1 of the APD law
only provides that an appeal against the decisions of the contentious chamber may be
form in front of the Marches Court.
An appeal to the Marches Court differs from an "ordinary" appeal such as one that can
be brought before a court of appeal 1.

Article 6 § 1 of the ECHR provides that “Everyone has the right to have his cause heard
fairly, publicly and within a reasonable timeframe, by an independent tribunal and
impartial, established by the Joi, which will decide, either of the disputes on its rights and obligations of
civil character, [... »]
With regard to the right to an effective remedy and to a fair trial, article 47 of the charter

of the fundamental rights of the European Union provides that "everyone whose rights are
and freedoms guaranteed by Union law have been violated has the right to an effective remedy before a
court in compliance with the conditions provided for in this article. Everyone has the right to
that its cause be heard fairly, publicly and within a reasonable timeframe by a
independent and impartial tribunal, established previously by the Joi. [...] "




1Comp. Cour des marches February 19, 2020, 2019 AR 1600.
                                                                                                  13 Brussels-2021 / AR / 163 Court of Appeal p. 17

judicial order, he considers it imperative that a legal remedy be instituted by the legislator in order to

to guarantee the litigant a remedy before a court forming part of the judicial order.
It follows that the Marches Court cannot therefore substitute its decision for that of the
administrative only when the Court finds that this decision is illegal or irregular (for
example when any principle of good administration would be violated by the decision
administrative attack).

A manifest error "may" lead to the annulment of the decision. It follows that it belongs
the applicant to prove the manifest error of assessment which would have been committed by the
contentious chamber of the APD, the illegality of the Attacked Decision or the disregard of the
general principles of good administrative management 9 •


The motivation required by the law of July 29, 1991 on the explicit motivation of acts
administrative matters must include the statement of the legal and factual considerations which constitute the
basis of the decision. It follows from these provisions that, in the hypothesis or legality
of an administrative decision is based on the taking into account of a certain number of

considerations, compliance with the motivation requirement that they provide for
to only have to state those on which the decision he has taken is based.

7.
This being recalled, the APD is wrong to conclude that certain grievances developed by the

claimant party would not be admissible on the ground that the latter would not report
proof of a manifest irregularity or illegality but would be content to invoke a
error of appreciation on the part of the APD.
Article 108 § 1 of the APD law does not contain any provision relating to the admissibility of
complaints raised by the complainant. The only admissibility test to which the Court of

markets should engage in that of the course introduced. The fact that certain grievances raised by
the requesting party are possibly lacking in law or in fact will only lead to
on an appreciation of their (non-) foundation.















    B. As to the first plea of the reguerante party




9Cour des marchesJune 12, 2019, 2019 AR113.
                                                                                                    17 Court of Appeal Bruxelles-2021 / AR / 163 p. 18


    a) Return of the reguerante party



The appellant's thesis can be summarized as follows:

"The Data Protection Authority made a first error of law when it
decides that X1 could not avail itself of the exception to the information obligation provided for
a / 'article 14, §5, (c) of the GDPR. (...)


Pursuant to article 14, §5, (c) of the GDPR, the responsibility for processing is exempt from
/ 'obligation to inform the persons concerned about the processing of their data
personal / s when and in the measurement or obtaining or communication of information
are expressly provided for by Union law or the law of the Member State to which the
controller is subject to and provides for appropriate measures to protect

The legitimate interests of the person concerned "(...)

Recital 62 of the GDPR leaves no doubt as to the intention of the legislator of the Union of
make an exception to / 'information obligation' when recording or communicating
data of a personal nature is expressly provided for by the Law "(...)


 (...) the exemption from information provided for / 'article 14, § 5, (c), of the GDPR, does not create
controller a kind of obligation of result with regard to the existence of
appropriate guarantees: the definition of the nature, content and extent of these guarantees
is left to the national legislator, which necessarily implies that there is a margin
of appreciation in the headingsponsab / treatment, quiditsandquedersilecadrelegal
is sufficient to justify the exemption.
It follows that the Data Protection Authority had to assess quite differently

/ 'existence of the exemption from information with regard to the applicable legal framework. She had to be
ask whether, in the light of the concrete circumstances, it was or was not reasonable for the
controller to consider that he could benefit from the exemption of information referred

a / 'article 14, 5, (c), of the GDPR. However, she did not make such an assessment, without
will in no way justify this regard ”.












    b) These ODA
                                                                                             18 Court of Appeal Bruxelles-2021 / AR / 163 p. 19


1.
The APD mainly concludes that the complaint formulated by the requesting party is
inadmissible on the ground that it does not demonstrate the existence of an irregularity or illegality
committed by APD.
2.
In the alternative, the APD concludes that the exception invoked by the applicant
had to be interpreted restrictively and was not applicable in the present case, his complaint
being unfounded.


    c) Decision of the Court

1.

The Court refers to the foregoing considerations relating to the extent of its jurisdiction
APD accepted the complaints in order to set aside the argument of inadmissibility of the complaint raised by
2.

The Court further notes that, in the Attacked Decision, at the end of a statement of reasons

consequente {see. points 97 to 104 of the decision), the APD came to the conclusion
that the exception to the information obligation invoked by X1 was not applicable in
the species.

The APD indicated the reasons which led it to conclude that X1 could not avail itself of this
exemption: the municipal regulations do not include information on the
data processing {"obtaining or communicating information is
expressly provided for "), and not providing for" appropriate measures to protect
legitimate interests of the person concerned ”, it does not meet, according to the DPA, the criteria
provided for by the GDPR for the application of this exception.

3.

It is correct that the municipal regulations do not provide information on the processing of data operated
in execution of it.

X1 does not dispute, moreover, the fact that the municipal regulations concerned do not contain
not "appropriate measures to protect the legitimate interests of the person

concerned ”, but invokes the fact that these would be implemented by the“ numerous
reg / es Jega / es and deontologies framing the profession of bailiff ”which she quotes on pages 18
and 19 of its synthesis conclusions.

4.

The interpretation adopted by the APD is based on the fact that in the presence of an exception to a
obligation provided for by the RGPD (in this case! the information obligation), it is necessary to interpret
this exemption in a restrictive manner. The purpose of the text is to grant a dispensation
when the person concerned already has, through national law, the information
in question.

In the present case, the APD noted that the legal rules invoked by X1 were not, for the most part,
by relevant because they had no connection with the processing of the data
personal character.
                                                                                               19Brussels-2021 / AR / 163 Court of Appeal p. 20


The APD retained only two laws cited by the applicant as being a priori
relevant (! Article 519 of the Judicial Code and Articles 71 and 72 of the Code of Ethics of
bailiffs), because they prescribe the necessary guarantees in terms of information to

with regard to the litigant in their text, but she then noted that X1 did not demonstrate
not have applied in concreto what these texts provide.

5.

As has already been recalled, the principle of full jurisdiction should not be interpreted as
whether the Cour des Marches offered "a second chance" for the party or parties concerned and
as if that the Marches Court could "reexamine the file by making a clean sweep of the

departure and reassess the file ”.

The Marches Court notes that in this case it has not been demonstrated that by basing its decision
on the foregoing analysis, the Litigation Chamber of the APD committed an illegality or error
of right or of manifest fact.

The appellant's first plea is unfounded.


    C. As to the second maven of the complainant




    a) These by the requesting party

The appellant's thesis can be summarized as follows:
"The Data Protection Authority has a second legal error when it analyzes
the free character of consent of the persons concerned about the treatment of gamers given by
X1 in the context of / 'use of the form accompanying the formal notice sent

to debtors.

The formal notice {Exhibit n 3}, of which this form constitutes an annex, puts c / airement in
evidence the objective and the optional nature of the latter, indicating that any consultation

of the file or request for an audit plan can be made via the study site or by e-mail
and that if the person liable for payment wishes to obtain additional information, he can
use the form in question.



The Data Protection Authority, for its part, considered that this mention does not allow
not to overturn its conclusion. However, it should be remembered that the main part (namely the

concerned person at the origin of the complaint against X1 before the Authority
data protection) had not completed this form 35 We can therefore

                                                                               •
reasonably consider that she understood the optional nature of the form and had

decides not to complete it despite the wording used on the form and the fact that it emanates
of a judicial officer study.


                                                                                               20 Brussels Court of Appeal -2021 / AR / 163 p. 21


 The GDPR does not define what is meant by a "manifestation of will fiber" in the sense
 of its article4 (11). The European legislator has only specified that for the purpose of determining whether
 consent is given freely, the utmost account should be taken of
 to know, among other things, whether the execution of a contract, including the provision of a service, is

subject to consent to the processing of personal data which is not
 necessary for the execution of the said contract ".


 In accordance with the 5/2020 guidelines of the European Committee for data protection
on consent, the adjective "fiber" implies that the person concerned has the choice of
to consent or not to the processing of their data. Consent will therefore not be considered
as freely given if the person concerned is not in a position to refuse or
withdraw consent without being prejudiced.

The decision of the Data Protection Authority to consider that X1 could not be
prevailing consent as the legal basis for processing is therefore based on a
incorrect legal qualification of the facts. In other words, the Data Protection Authority,
based on the factual evidence in the file, could not infer that
debtors were not in a position to freely consent to the processing of data
staff / es by X1 ”.-


    b) These ODA

1.
The APD mainly concludes that the complaint formulated by the requesting party is
inadmissible on the grounds that it does not demonstrate the existence of an irregularity or unequal equality
committed by APD.

2.
In the alternative, the APD concludes that the use of the
payment by X1 is not based on a legal basis and does not allow obtaining a
free consent of the person concerned.


    c) Decision of the Court

1.

The Court refers to the foregoing considerations relating to the extent of its jurisdiction
and to the admissibility of the complaints to set aside the argument of inadmissibility of the complaint raised by
ODA.
2.
As regards the basis of the applicant's complaint, the Cour des marches raised
that Article 4.11 of the GDPR defines consent as "any manifestation of will,

free, specific, enlightened and unambiguous by which the person concerned accepts, by a
declaration or by a positive act c / air, that personal data concerning him

/ assent subject to processing ”.



                                                                                            21 Court of Appeal Bruxelles-2021 / AR / 163 p. 22








3.

According to APD, “The adjective 'fiber' implies real choice and control over people.
concerned. Now in this case, as underlined by the APO in its decision, the combination of
following items

                 ! the terms used on the form header ("only the form", "duly
                 complete ”) in bold, underlined;


                 the title of the form (“Return form”);

                 the fact that it emanates from a study of judicial officers;

                 the fact that the form is attached to a formal notice; and

                 the fact that the formal notice specifies that payment default in the de / ai,
                 an increase in the amount to be paid will be applied;

suggest that there is no alternative to the debtor's supplying the information

requested on / edit form. Consent cannot therefore be qualified as "fiber" and is
therefore not in accordance with the requirements of article 4.11 of the RGPO. Commesoulignepar / 'APO,
It is also necessary to take into account, when determining whether consent is given

freely, of the existence of a balance of power relations between the person concerned and
the data controller3 4 •
The fact that the formal notice sent to the person concerned specifies, at the end of the letter and

in smaller type than those shown on the form, "if you wish to obtain
additional information, we invite you to use the attached form »ne
Obviously not sufficient to characterize the consent of "fiber", in view of the elements mentioned above.

before ”.

4.

It is not demonstrated by the requesting party that the Attacked Decision, in that it accepts

of t these considerations would be based on an illegality, an irregularity or an error
manifest.

The fact that the person concerned by the decision is a lawyer and that he has not completed

and return the said form is irrelevant in this regard, as long as it is not disputed

that the disputed form is the one used by X1 in the context of its activities of
Debt recovery.

Once again, it is not up to the Court of Marches to give to the justiciable, as in a

“classic” call, a “second chance” to present one's basic arguments.

                                                                                                22 Brussels Court of Appeal -2021 / AR / 163 p. 23


The appellant's second plea is unfounded.









    D. As to the third plea of the reguerante part



    a} These of the reguerante part


The argument of the requesting party can be summarized as follows:

"The Data Protection Authority has made a third deciding legal error

the collection of data through the payment request form, under "Your
coordinates ", constitutes a breach of the principle of data minimization (art. 5, §1,
(c) of the GDPR) on the sole ground that no asterisk or other mention indicated that the person
concerned was free to choose one of the modes of communication proposed by the form and

that the provision of certain data was therefore optional.

The Data Protection Authority has thus focused all its analysis on / 'the absence

asterisks or another statement explicitly indicating the optional nature of
some data.

However, it is all the specific circumstances which must be assessed in order to
determine whether the use of this form ultimately results in excessive data collection

personnel by X1 with regard to the purposes of the processing ”.


    b) These from the APO


1.
The APD mainly concludes that the complaint formulated by the requesting party is
inadmissible on the ground that it does not demonstrate the existence of an irregularity or illegality
committed by APD.

2.
In the alternative, the APD concludes that the use of the
payment by X1 suggests that all the details of the person being prosecuted
should be communicated when not all are necessary.

    c) Decision of the Court

1.

                                                                                               23 Court of Appeal Bruxelles-2021 / AR / 163 p. 24


The Court refers to the foregoing considerations relating to the extent of its jurisdiction
and to the admissibility of the complaints to set aside the argument of inadmissibility of the complaint raised by
ODA.









2.
As regards the basis of the complainant's complaint, the principle of minimization
data is defined in article 5.1 (c) of the GDPR:

               "1. Data of a personal nature must be:

               (...)

               c) adequate, relevant and limited to what is necessary for the purposes of
               [inalities for which they are processed (data minimization) ”.

3.
The Contentious Chamber considered the results of its analysis of the form that the presentation
of the data requested under the "coordinates" and the wording used in the
form suggest that all the headings must be completed and that there is no
no alternative to collecting all the information requested in the table, while

considering that all the data included on this form is not necessary for
the purpose pursued by X1.

According to the APD, it would be enough to provide the postal address, the telephone number, the GSM number
or the e-mail address, "all of this cumulative contact data is not required".

4.
Once again, it does not appear that this analysis of the contentious chamber would constitute
illegality, irregularity or manifest error.


The appellant's third plea is unfounded.

    E. As to the fourth plea of the partiereguerante

    a) These of the reguerante part

The appellant's thesis can be summarized as follows:

"The Data Protection Authority has failed in its obligation to formally motivate

contenting himself with referring "to the shortcomings retained above {8.2.1. and 8.2.4.}" for
                                                                                              24 Brussels Court of Appeal -2021 / AR / 163 p. 25


conclude that X1 was in default "of having implemented the technical measures and
appropriate organizational structure to ensure and be able to demonstrate that
data processing which it operates are, in particular taking into account their nature,
the context and the purposes I / s pursue, carried out in accordance with the RGPO ".


The simple reference to the breaches referred to in sections 8.2.1. and 8.2.4. of the decision
Attack does not allow X1 to understand the reasons on which the Protection Authority
data was based in order to conc! uure that other infringements (in this case, a

breach of Articles 5, §2, and 24, §§1-2 of the RGPO} would have been committed by X1.






The Data Protection Authority even contradicted itself since it indicated, given the

same decision, that "from May 25, 2018, the second defendant [X1] had a
clear and detailed privacy policy and has endeavored to comply with all
its obligations under the RGPO, in particular the designation of a
OPO "(emphasis added).


These two conclusions are for the most part contradictory and required more reasoning.
detail from the Data Protection Authority so that X1 can
understand! the reasons behind this change of position ”.


    b) These ODA

The APD concludes by the fact that it "made it clear in its decision that it was in support of the
arguments provided in this very decision ("donations / 'act"), for / es relative breaches (i)
a / the obligation to inform the persons concerned, and (ii) concerning the

request for payment and the consent of the person concerned, that they have entered into a
breacha / 'article 14.1-2 combined' article 12.3, article 6, article 5.1, c) and articles 5.2
and 24.1-2 of the RGPO. It is therefore not a question of an autonomous failure, but of the consequence
other breaches identified by / 'APO.

The motivation developed by / 'APO in this regard is based on information and

developments already known from X1, to which express reference is made in the text.
It certainly allows X1 to understand the factual and legal reasons which led to
a / 'adoption of such a decision'.



    c) Decision of the Court
1.
The requirement to state reasons for the administrative act in dispute requires (see article 3 of the law of 29

July 1991 on the explicit motivation of administrative acts) than the motivation as it


                                                                                             25 Court of Appeal Bruxelles-2021 / AR / 163 p. 27


The sufficiency of the motivation means that the motivation must be relevant, i.e.
say that it must be clearly linked to the decision, and that it must be substantial, that is to say
that the reasons must be sufficient to support the decision. The reasoning must be based

on clear and concrete elements these elements must be all the more concrete and precise
that the decision deviates from a proposal or an opinion, even if it is not binding. In
in such a case, the administrative authority should not limit itself to contradicting the proposition or

opinion, but should instead explain why it considers that it cannot follow the
arguments on which the body which proposes or advises is based. 17.
4.

The main reason for the obligation to state reasons is that the person concerned must
be able to find, in the decision concerning itself, the reasons on the basis of which
it has been taken in such a way that it appears or at least can be verified whether the authority

was based on information which is factually correct, if it has correctly
evaluations given and whether it was reasonable to make a decision on the basis of them,
so that the person concerned can determine with full knowledge of the cause whether there is
place to challenge the decision by appealing for annulment 18
                                                                         .

5.
In application of these principles, it appears that the Attacked Decision is adequately

motivated, the requesting party not showing how the motivation should have been
"Strengthened" in this case.

Indeed, it is the title that the APD concludes with the fact that "in its conclusions, X1 invokes, ace
subject, situations like this l / e of a change in attitude of authority. She leans

also on a judgment of the Marches Court in which the decision deviated from a
proposal or opinion ".

However, none of these cases is encountered in this case: it has not been shown that ODA
would have made a "turnaround" or "would have departed from a proposal or opinion".


Secondly, the Applicant is also wrong to raise an alleged
contradiction on the part of the APD, which mentioned in the decision the efforts made
by X1 to comply with the obligations arising from the GDPR which it
incumbent, while having concluded a breach of Articles 5.2 and 24 of the GDPR.

The finding that X1 has complied with the GDPR during the procedure

logically follows from the finding of a prior situation of non-compliance.
The ODA did not contradict itself by taking into account these efforts, in a second step,
in order to assess the height of the sanction which it was incumbent on him to retain against X1.


It has not been demonstrated by the applicant that the considerations adopted by the APD
would constitute an illegality, an irregularity or a manifest error.
The appellant's fourth plea is unfounded.



17
18Conseil d'Et ° t (9th c188.152, November 24, 2008, CDPK 2009, 535; http://www.raadvst-consetat.be.
  Council of State n 153.326, January 9, 2006, CDPK 2006, 183 and 207; http://www.raadvst-consetat.be.

                                                                                                   27 Court of Appeal Bruxelles-2021 / AR / 163 p. 28


    F. As to the average fifth of the reguerante part

    a) These of the reguerante part



The appellant's thesis can be summarized as follows:
"The Data Protection Authority has failed in its obligation to formally motivate
not indicating, in a transparent and substantiated manner, in the Attacked Decision, why a
simple reprimand or, at the very least, a fine of less than 15,000 euros would not have

sufficient to put an end to the shortcomings observed.

The Data Protection Authority has certainly detailed the various elements it has taken into account.
account in its decision to impose an administrative fine but has not given reasons

why a less / hateful sanction, such as a simple reprimand or, at the very least, a
a fine of less than 15,000 euros, would not have been such as to put an end to the offenses.

This motivation was all the more necessary as the discounted deterrent effect of the fine

no longer had a reason to be. X1 had in fact already committed to providing
modifications to its official documents (such as the formal notice or the life policy
privee) in order to meet the criticisms addressed by the Data Protection Authority.
In addition, the Marches Court has already had the opportunity to point out that it was not bound by the

decision of the Data Protection Authority regarding the fine or its amount
may substitute its power of appreciation to that of the Data Protection Authority in this
which concerns the appropriateness of the sanction a / 'infringement.
In the present case, in addition to being inadequately reasoned, it should be noted that the fine
imposed by the Data Protection Authority is a / disproportionate in relation to:

            at. The seriousness of the offense with regard to the non-sensitive nature of the data
                col / ected through the contested form, reg / es (lega / es et
                deontological) surrounding the profession of bailiff and the processing of
                data that they can and / or must achieve in the context of their activities and

                of the many steps taken by X1 in order to
                compliance with / 'all the obligations arising from the RGPD Jui incumbent
                (as / are, and as / 'has re / eve the Data Protection Authority, the update
                provision of a "clear and detailed confidentiality policy");

            b. To the purely theoretical damage because the complainant did not replace
                contested form;
            vs. To the financial situation of X1 strongly impacted by the health crisis
                current.


 For the foregoing reasons, if the Court were not to set aside the decision under appeal, ii
 at the very least, to substitute for the financial sanction the simple pronouncement of a
 reprimanded for / 'all the breaches established judges'.



    b) These ODA

                                                                                            28 Brussels Court of Appeal -2021 / AR / 163 p. 29


  The analysis of ODA can be synthesized as follows:

  "X1 reproached the APO for having, as for the imposition of a fine, breached his obligation to
  formal motivation.

  This means is devoid of any foundation.

 It should be remembered that article 58.2, i) of the RGPO stipulates that any supervisory authority,
 such as the APO, has the power to impose an administrative fine under
 / 'Article 83, "in addition to or instead of the measures referred to in this paragraph, in
 depending on the characteristics specific to each case ”.

 Article 83.1 of the RGPO provides that each supervisory authority ensures that fines
 administrative measures imposed for violations of the RGPO are "effective, proportionate and

 dissuasive (...).
 It is indisputable that APO in this case properly gave the reasons for its decision as to
 / 'Imposition of an administrative fine. It is in effect at the end of long developments (i.e.
 more than three pages), offering a clear and detailed account of the
 the Contentious Chamber came to the conclusion that an administrative fine was, in view of
 of / all the circumstances of the cause, justified in the completion of the reprimand and the order

 compliance, in accordance with the criteria retained by article 83.2 of the RGPO (see Jes
 points 167a 181 of the decision).
 It may also be emphasized that in that it indicates that "if the Court were not to annul in
 all its provisions the decision undertaken, it is appropriate for all hands to substitute the
 financial sanction the simple pronouncement of a reprimand for / 'all the breaches

 judges etab / is ", X1 visibly ignored the scope of the mission and the powers conferred on the
 Court. Failing to note that the decision would be illegal or irregular, quad not in
 In this case, the Court is in fact unable to modify the sanction retained ”.


 c) Decision of the Court

 1.

 The Cour des Marches is referring to what has been set out above as to the requirement of motivation

 formal.

 2.

              The Court notes that the sanctions imposed on X1 are reasoned as follows in the
 DecisionAttacke:

 “165. The Litigation Chamber noted a breach of article 14.1-2 combined with
 / 'article 12.3a /'article6,a/'article5.1 c) and articles 5.2. and24. 1-2 of the RGPOin the head of

 the second-defendant [X1] (point 137 above).
166. In view of these shortcomings, the Contentious Chamber addresses ° to the second
defendant [X1] a reprimand on the basis of / 'article 100. 1, 5 LCA.
167. The Contentious Chamber also takes action that the second defendant [X1]
has, in the terms of its conclusions and / ors / 'hearing, proposed to provide certain
modifications 29 Court of Appeal Brussels-2021 / AR / 163 p. 30

in his practice. The Litigation Chamber is in fact of the opinion that a certain number of

modifications and measures must in fact be introduced as quickly as possible.
the second defendant [X1] to comply with its obligations under the
GDPR. P artantly, the Jui Litigation Chamber imposes an order of compliance
details to the device in application of article 100. 1, 9 LCA (see in this respect the precision in

point 141 above).
168. In addition to this reprimand25 and this order of compliance, the Litigation Chamber
is of the opinion that in addition, an administrative fine is justified in this case for
reasons below.

169. As to the nature of the violation, the Contentious Chamber finds that with regard to the
breach of article 6 of the GDPR (absence of a legal basis) and of article
5.1 c) of the GDPR, ifs constitute breaches of the founding principles of the GDPR (and of the
data protection law in general}, or to the principles of / iceity and minimization

devoted to Chapter II "Principles" of the GDPR. Certainly the data collected at the end of the
form are primarily identification data and do not constitute data
sensitive within the meaning of Articles 9 and 10 of the GDPR. Their treatment intervenes, however, as ii
will be mentioned in point 176 below, in an “infringement” context.
Contentious will take this double consideration into account.

170. As for the infringement of article 14.1-2 combined with article 12.3 of the GDPR, it constitutes
a violation of the rights of the persons concerned - notwithstanding the existence of a
confidentiality, moreover, which the Litigation Chamber is aware of and of which it holds
account (point 179}. The right to / "information has been strengthened under the terms of the GDPR, which

testifies to its particular importance. The Data Protection Authority has, in
this perspective, inscribes respect for the rights of the persons concerned with the priority authority in
its strategic plan 2020-202526. Appropriate corrective action / sanction is not
hands determined on a case-by-case basis.

171. Finally, as regards the breach of article 5.2. and 24. 1-2 of the GDPR, it is also constitutive
a breach of the key principle of accountability, introduced by the GDPR.
172. Pursuant to article 83.5 a) of the GDPR, violations of all these provisions may
up to 20,000,000 euros or in the case of a company, up to 4% of the turnover

total worldwide annual business of the previous year. The maximum fine amounts
that may be applicable in the event of violation of these provisions are greater than those provided for
for other types of breaches listed in article 83.4. of the GDPR. is about
breach of a fundamental right, enshrined in Article 8 of the Charter of Rights

fundamentals of the European Union, / 'appreciation of their severity will be, such as the
Litigation Chamber has already had the opportunity to submit it, in support of Article 83.2.a) of
GDPR, autonomously.
173. According to the reaction that she / he sent to the Contentious Chamber in response to the

form of the envisaged fine, the second defendant [X1] states that the crisis
health related to the covid-19 virus pandemic hit extremely hard the
profession of judicial officer. The forced suspension of the p / upart of the activities of
bailiffs (whose execution measures) led the second defendant [X1] to have
put some of its staff on technical unemployment. The second defendant [X1]

estimates that its future turnover for 2020 and 2021 will, moreover, be disproportionate
with that of the past years.

                                                                                          30 Court of Appeal Brussels 2021 / AR / 163p. 31


 174. As to the number of affected persons affected by the violations, the Chamber
Litigation re / eve that the breaches noted concern, beyond

complainant, a large number of people. the second defendant [X1] is not assuredly
a multinational company but a beige SME. the second defendant [X1] is not
not hands a study of benchmark bailiffs in Belgium, with strong experience [...]
years and which has [...] deco / laborers.

 175. In view of the fact that / these shortcomings are part of the practice of the second
defendant [X1], the number of people potentially concerned is at the height of
number
of persons whose second defendant [X1] processes data within the framework of the exercise of
its amicable collection missions, i.e. a large number, even if the
Amicable debt collection does not constitute, which the Litigation Chamber is aware of,
part of the activities of the second defendant.
 176. As to the quality of the second defendant [X1], the Litigation Chamber recalls that

in previous decisions, it has retained the status of public representative of the responsible
treatment as an aggravating factor within the meaning of Article 83.2. k) of the GDPR28. the
second defendant [X1] is in particular a ministerial official with a
public authority, which can exercise so-called "monopolistic" powers, which are
conferred by the Joi. As a liberal profession, the judicial officer exercises a number of
extrajudicial activities including amicable debt collection. the function is regulated
and the bailiffs are appointed by the King. their number is limited. With regard to this status,

the second defendant [X1] must adopt an exemplary attitude whatever the
cap with / with which she carries out her missions. the "infringement" context within the framework
of which the data processing that it operates also requires, having regard to
for their purpose, a particularly rigorous respect for the rights of individuals
concerned. data processing is a substantial part of the business
of the second defendant.

 177. As to the criterion of duration, the Non-Competent Chamber notes that these
shortcomings last as long as they are part of the practices
of the second defendant
(article 83. 1 a} of the RGPD) at all hands since January 2019 ”.


 2.
 Article 83 of the GDPR provides in its first point that each supervisory authority ensures that

that the administrative fines imposed for breaches of the rules are, within
each case, effective, proportionate and dissuasive.
 In its article 100, the law of 3 December 2017 establishing the Authority for the protection of
data (APD law) lists the possible sanctions.

 The contentious chamber has the power to classify the complaint without further action; to order the non-place;
to pronounce the suspension of the pronouncement; to propose a transaction; to formulate
warnings and reprimands; to order to comply with the person's requests
concerns exercising these rights; to order that the interested party be informed of the
security; order the freezing, limitation or temporary or definitive prohibition of

treatment; to order that the processing be brought into conformity; to order the rectification,
restriction or erasure of data and notification thereof to recipients of
data; order the withdrawal of accreditation of certification bodies; to give

                                                                                           31 Brussels Court of Appeal 21 / AR / 163 p. 32


has streinte; to issue administrative fines; order the suspension of flows
data transborder to another or an international organization; to transmit
the file to the public prosecutor's office of Brussels, who informs them of the follow-up given to the

folder; decide on a case-by-case basis to publish its decisions on the website of the Authority
Data protection.
The faculty to impose an administrative fine is only the thirteenth sanction in
! 'legal enumeration.
The fundamental aim of European legislation is not to sanction in the form in

imposing fines for the breach of the prescribed, the goal is protection
Datas. The aim is therefore to protect data, not to punish at all costs.
the least offense.

3.
The fact that the shortcomings observed concern fundamental principles for which

higher fines are not an argument to adjust the proportionality.
The nature of the activities of the requesting party is certainly an element which it can be held
account to appreciate the height of the action, but do so in previous decisions
the Litigation Chamber took into account the status of "public representative" of the
responsible for treatment as an "aggravating factor" cannot be

that it cannot be admitted that this "case law" apparently relating to elected officials is
applied in parallel to the holder of a judicial officer charge.
The contentious chamber is an organ of an administrative authority which is not based on

establish some binding "case law", but must take its Caucasian decisions by
case, the publication of the decisions on the APO website should be sufficient to ensure
informing "public officials" of the need to comply with the provisions
legal data protection. It is not admissible that a "tariff" of

sanctions are applicable to certain professions, each litigant having the right to
personalize elements specific to his file, without any elements of appreciation drawn

other files interfere in the treatment of his case.
The argument drawn by the Litigation Chamber from the "duration of the breaches observed"
also lack of relevance to justify the amount of the fine retained.
 The Court recalls that the complaint against the complaining party concerns a single fact, circumscribed
in time. The failure noted in the processing of the data is also
theoretical since it is not contested that any person concerned has not returned the form
contentious is referred to by its complaint. It cannot be argued in this context of considerations
general linked to the fact that the requesting party has been active for many years and
employs a large number of employees to justify the proportionality of the fine.


 4.
The Court further raises the following points from the Attacked Decision, again with regard to the
motivation for the chosen action (La Coursouligne and accentuates)

"178. As to the question of knowing whether the breaches were committed deliberately or by

negligence (art. 83.2.b} of the GDPR), the Contentious Chamber considers that they have not been released.
It also accepts the fact that from May 25, 2018, the second defendant [X1
a 32Court of Appeal Brussels -2021 / AR / 163p. 33



c / ary and detailed privacy policy and has endeavored to comply with all
its obligations under the GDPR, in particular the appointment of a DPO.

She contacted specialized consultants for this purpose, notwithstanding the announcements.
made by the National Chamber of Judicial Officers which indicated that he / she has put in

in place of concrete measures to accompany and help studies which, in fine, was not the

case.

179. Finally, the second defendant [X1] was cooperative and concerned with
modify his

practices during the proceedings (in terms of its conclusions and / or the hearing). The

Litigation Chamber in taking note. (see in this respect the precision in point 141 above) ”.

5.

The Cour des Marches does not criticize the policy of the ODA contentious chamber, but the

the fact that it did not consider the possibilities of achieving the aim pursued by the legislation
European (as implemented in beige law) by another decision (provided for
explicitly in article 100 points 3 to 12 of the APD law and especially points 5 and 9 of which

it also applied in this case) when it had observed a series of elements which
demonstrate that the applicant has in no way manifested its intention to ignore the
principles of protection of personal data but that, on the contrary, the violation
that it committed is the result of negligence or rather a simple inadvertence,

when the requesting party had made arrangements in 2018, noted by the Chamber
contentious, hoping to comply with the legislation, and that it quickly rectified the
situation during the procedure.


6.
The foregoing observation cannot be interpreted otherwise than as a misappropriation of

power, that is to say, the use by an administrative authority of its power for another purpose
than that for which it was granted, in the head of the contentious chamber of the APD.
An attitude tending to impose a fine on the first offense committed by

inadvertently, does not correspond to the principles that govern the matter, insofar as
the litigation chamber of the APD has a complete repressive chain allowing it
to carry out checks, the consequences of which (if the infringement is established) may

the warning has the financial penalty or not. Violations should be punished
gradually and according to their gravity. For exemple:


 • Step 1: Warning or formal notice from the offending company with a reminder of the

     duty to ensure compliance of processing of sensitive data with the GDPR
 • Step 2: injunction to cease the violation
 • Step 3 (in certain cases): Limitation or temporary suspension of treatment

     data
 • Step 4: Administrative sanctions in the event of non-compliance with the rules of the GDPR.

                                                                                             33 Brussels Court of Appeal -2021 / AR / 163 p. 34


The penalties provided for in the GDPR should therefore in fact only be the ultimate
to which those prosecuted are exposed if they do not follow the instructions of the ODA.

The DPA must also ensure that the administrative sanctions provided for in the event of
GDPR breaches are effective, proportional and dissuasive. inflict
first offense, an administrative fine violated the principle of proportionality
of the sanction in relation to the infringement. The contentious chamber, while it is in its
motivation! the absence of deliberate character of the breaches observed and the real concern of

requesting party to modify its practices to bring them into compliance with the GDPR, omits
obviously to take into account the need for proportionality which includes in particular the
taking into account the presumption of good faith which must be enjoyed by the requesting party.


7.
In this case, it is by no means demonstrated that the reprimand and the order of compliance
inflicted elsewhere on X1 would not have been sufficient to ensure the finality of the proceedings. By inflicting
immediately, in this case, an administrative fine - the amount of
15,000.00 euros is in itself very consistent in the head of an SME - in addition to the two

measures already cited, the Contentious Chamber disregarded the fundamental principles of
proportionality of the sanction.
8.
The object of the appeal brought by the applicant is, in the alternative, to:

"If the Court were to consider that the complaint filed on May 15, 2019 by the person
concerned was founded in part with regard to X1, pronounce in any case a
simple reprimand and not a fine ”.
Taking into account the foregoing reasons, the Attacked Decision will be annulled, but only
in that it imposes a fine of 15,000.00 euros on X1.



    IX. The costs


In accordance with article 1017, paragraph 1, of the Judicial Code, the APD is ordered to pay the costs,
liquid at 1,440 € (compensation for procedure-case not assessable in money).


















                                                                                              34 Brussels Court of Appeal -2021 / AR / 163 p. 35


FOR THESE REASONS,
THE COURTYARD,


Having regard to the provisions of the law of June 15, 1935 on the use of languages in judicial matters,

Ruling contradictorily,


Receives the appeal, and says it grounds to the following extent:
Annuls Decision n ° 81/2020 pronounced by the Contentious Chamber of the Authority of

Data Protection on December 23, 2020 (DOS-2019-02751) insofar as it imposes a
fine of 15,000.00 euros at X1 on the basis of articles 100, 13 and 101 of the law of 3
December 2 017 establishing the Data Protection Authority ("LCA") as well
that! 'article 83 of the GDPR.



Orders the Data Protection Authority to pay the costs, including compensation for
procedure of 1.440 euros.


Orders the Data Protection Authority to pay the filing fee before
the court of appeal (€ 400.00) to the FPS FINANCES, in accordance with article 269 2 § 1, of the French

registration, mortgage and graft fees.
                                             *****































                                                                                              35