APD/GBA (Belgium) - 124/2021: Difference between revisions
(Thank you for the summary! I deleted references to the "litigation chamber" and just replaced them by general references to the Belgian DPA because this is a procedural detail that we usually don't mention. I also made minor corrections (for grammar, syntax).) |
No edit summary |
||
Line 50: | Line 50: | ||
}} | }} | ||
The Belgian DPA considered that it was competent to review the lawfulness of data processing operations which, although having started before 25 May 2018, had continued after that date, but that it was not competent for one-off or multiple processing operations that only took place before May | The Belgian DPA considered that it was competent to review the lawfulness of data processing operations which, although having started before 25 May 2018, had continued after that date, but that it was not competent for one-off or multiple processing operations that only took place before 25 May 2018 (i.e. before the application date of the GDPR). | ||
== English Summary == | == English Summary == |
Revision as of 09:59, 7 December 2021
APD/GBA (Belgium) - 124/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 6(3) GDPR Article 13(1)(c) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 10.11.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 124/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Beslissing ten gronde 124/2021 (in NL) |
Initial Contributor: | Matthias Smet |
The Belgian DPA considered that it was competent to review the lawfulness of data processing operations which, although having started before 25 May 2018, had continued after that date, but that it was not competent for one-off or multiple processing operations that only took place before 25 May 2018 (i.e. before the application date of the GDPR).
English Summary
Facts
Complainants X1 and X2 filed a complaint against a controller (the Defendant) regarding the disclosure to third parties of personal data concerning tenants of social housing in the context of an asset investigation. According to the Complainants, the Defendant did not have any valid legal basis to disclose such data (i.e. breach of Article 6 GDPR), and had failed to properly inform the Complainants about the processing activity (i.e. breach of Article 13 GDPR).
After these complaints were declared admissible, the Belgian DPA conducted an investigation at the premises of the Defendant. During the investigation, five additional breaches against data protection principles were discovered.
The Defendant stated that the processing it carried out formed part of the legal framework for social housing and that the legal basis for the processing, namely the consent of the Complainants, was expressly included in the Flemish regulations governing the social housing system.
Holding
Dismissal of the complaints
The processing operations in casu all took place before the GDPR became applicable, except for the period that was granted to the Complainants to leave the house. This period expired on 31 October 2021.
In previous decisions, the Belgian DPA had already stated that it can only be competent for data processing operations which, although having started before 25 May 2018, still continued after that date, but not for one-off or multiple processing operations which exclusively took place before 25 May 2018.
On the basis of these considerations, the Belgian DPA considers itself incompetent ratione temporis to review the merits of the complaints, given that the contested processing operations had been carried out before the GDPR had become applicable. Therefore, the Belgian DPA decided to dismiss the Complaints in accordance with the terms of the its dismissal policy.
'Legal obligation' or 'fulfillment of a task in the public interest' as a legal basis
Despite the complaints being dismissed, the Belgian DPA provided guidance on the legal basis of the processing operations. The Belgian DPA stated in particular that if processing operations are carried out because the controller is legally obliged to do so, or because they are necessary for the performance of a task carried out in the public interest, the processing must be based on Union or Member State law. Article 6(3) GDPR specifies that the purpose of the processing must be found in that legal basis. In other words, a legislative standard must normally be sufficiently clear and precise so that the essential characteristics (including the precise purposes) of a processing operation are known when the above legal bases are relied on. The Belgian DPA noted however that, in practice, processing is often carried out on the basis of a general regulatory power, rather than on the basis of detailed provisions specifically allowing for such processing. Therefore, the Belgian DPA considered that when using general legal grounds, a balancing test is necessary between the necessity of the processing and the interests of the data subjects.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/12 Dispute room Decision on the merits 124/2021 of 10 November 2021 File number : DOS-2018-05039en DOS-2018-05524 Subject : Sharing of personal data concerning tenants of social housing in the framework of an asset investigation The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs Frank De Smet and Romain Robert; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: The complainants: Mrs and Mr X1, represented by Mr. Özgür Balci (hereinafter: 'complainant 1'), and Mrs. X2, represented by Mr. Özgür Balci (hereinafter "complainant 2"), hereinafter collectively referred to as 'the complainants'. The defendant: Y, represented by mr. Kris De Sager, hereinafter “the defendant”. Decision on the merits 124/2021 - 2/12 I. Facts procedure 1. On September 17, 2018 and September 26, 2018, respectively, Complainant 1 and Complainant 2 filed a lodge a complaint with the Data Protection Authority against the defendant. The object of the complaints concerns the communication to third parties of personal data concerning tenants of social housing in the context of an asset survey. 2. On October 5, 2018 and October 15, 2018 respectively, the complaints will be First-line service has been declared admissible on the basis of Articles 58 and 60 WOG and the complaints pursuant to art. 62, §1 WOG transferred to the Disputes Chamber. The Dispute Room deals with both cases in a single decision as the subject matter of the complaint is fully is parallel. 3. On October 18, 2018, in accordance with art. 96, §1 WOG the request of the Dispute Chamber sent to the Inspectorate to carry out an investigation, together with the complaints and the inventory of the pieces. 4. The inspection will be completed by the Inspectorate on 21 October 2019, the report will be the file is added and the file is transferred by the Inspector General to the Chairman of the Disputes Chamber (art. 91, §1 and §2 WOG). The report contains findings with regard to the subject matter of the complaint and concludes that defendant: • has not complied with the obligations imposed by Articles 5 and 6 of the GDPR; (Principles on processing of personal data and lawfulness of the processing) • the obligations imposed by Article 12(1) of the GDPR and by Articles 13 and 14 of the GDPR; (provision of transparent information, communication and further rules for the exercise of the rights of data subjects, and regarding to provide information) • the obligations imposed by Article 44 of the GDPR and Article 49 of the GDPR has not complied with. (General principle on transfers and on derogations for specific situations) 5. The report also contains findings outside the subject matter of the complaint and concludes that defendant: Judgment on the merits 124/2021 - 3/12 • has not complied with the obligations imposed by Article 30(1) of the GDPR; (register of processing activities) • has not complied with the obligations imposed by Article 31 of the GDPR; (cooperation with the supervisory authority) • the obligations imposed by Article 37(5) and (7) of the GDPR and Article 38, paragraph 1 of the GDPR has not been complied with. (designation of the data protection officer and his position) 6. In its report, the Inspectorate formulates an additional consideration of the temporal application of the GDPR to the aforementioned facts. In this regard, she refers to the fact that the Defendant has requested the complainants by letter dated April 11, 2018 for “no later than 31” October 2018 […] to leave the house and garage and make it available to Y”. The Inspectorate indicates that the GDPR applies to the aforementioned facts, in view of the fact that the period to vacate the house and garage expires on October 31, 2018, and thus after the become applicable of the GDPR on 25 May 2018 . 1 7. In addition, the Inspectorate states that the GDPR has already entered into force on 24 May 2016 pursuant to Article 99(1) of the GDPR, whereby the defendant had already taken the necessary steps must take to ensure that the processing of personal data is in accordance with the GDPR bring. 8. On January 14, 2020, the Disputes Chamber will decide on the basis of art. 95, §1, 1° and art. 98 WOG that it file is ready for processing on the merits. 9. The Disputes Chamber decides on the basis of the report of the Inspectorate to divide the file in two separate parts. 10. On January 14, 2020, the concerned parties will be notified by registered letter of the provisions as stated in article 95, §2, as well as those in art. 98 WOG. They will also be pursuant to art. 99 WOG of the time limits for submitting their defences. With regard to the findings with regard to the subject-matter of the complaint, the date for receipt of the statement of reply from the complainants on 28 January 2020 and this before the statement of the defendant's reply on February 11, 2020. With regard to the findings going beyond the subject of the complaint, the deadline for receipt of the statement of defense of the defendant recorded on January 28, 2020. 1 Article 99(2) of the GDPR Decision on the merits 124/2021 - 4/12 11. At the request of the defendant, the Disputes Chamber decided to exceptionally grant an extension of the claim periods. With regard to the findings with regard to the subject of the complaint (art. 98, 1° WOG), the time limit for the complainants' conclusion was determined on January 31, 2020 and this for the statement of reply of the defendant on February 14, 2020 . With regard to the findings that go beyond the object of the complaint, the extreme date for receipt of the defendant's claims set at January 31, 2020 12. On January 14, 2020, the defendant requests a copy of the file (art. 95, §2, 3° WOG), which it was transferred on January 22, 2020. 13. On 29 January 2020, the complainants lodged their statement of defense in which three pleas were raised: quoted: • In the first ground of appeal, the complainants allege an infringement of Articles 5 and 6 of the GDPR. Defendant does not justify on what legal basis it communicated the complainants' details to Z. There is no evidence that complainants have consented to the communication of the personal data to Z. • In the second ground of appeal, the complainants allege an infringement of Articles 12, 13 and 14 of the GDPR. The information provided on the Defendant's website is not transparent, incoherent and incomprehensible to those involved. • In the third plea, the complainants allege an infringement of Articles 44 and 49 of the GDPR. Referring to the Inspection Report, the conditions of Article 49 not complied with. 14. On January 31, 2020, the Disputes Chamber will receive the statement of defense from the defendant with regard to findings outside the subject matter of the complaint. In this she wishes her to assert defenses in the file with regard to the findings made by the Inspection service was performed outside the scope of the complaint (art. 92.3° WOG) and the infringements that it believes it must conclude from these findings. • With regard to the findings regarding the register of processing activities, defendant that she has in any case always been transparent in all her communication to the Inspectorate and that it has complied with all its obligations. Defendant argues that the foregoing shows that it is impossible to conclude that it committed an infringement against Article 30(1) of the GDPR. • Concerning the determination of cooperation with the supervisory authority Defendant believes that it never fulfills its obligations under Article of the GDPR would have intentionally failed to comply and thus did not infringe Article 31 of the GDPR. Decision on the merits 124/2021 - 5/12 • What the findings regarding the appointment of the data protection officer and its position, the defendant is of the opinion that all requirements are always met, and that the professional qualities and expertise in data protection beyond question to stand. According to the defendant, no infringement was committed with regard to Articles 37 and 38 of the GDPR. 15. On 14 February 2020, the Disputes Chamber received the statement of reply from the defendant with regard to the findings within the subject matter of the complaint. In her first In its plea, the defendant argues that only acts performed from the date on which the AVG regulation applies can withstand the test of the AVG. There would be no actions have been made from 25 May 2018 that would be the subject of discussion. In its second plea, the defendant states that the obligations imposed by Articles 5 and 6 were complied with. In this regard, the defendant argues that this is a document issued by the Flemish Government and the Flemish Housing Company is a recognized social housing company with as specific aim to improve living conditions (of the most deprived and single people) by ensuring an adequate supply of social rental or owner-occupied housing. She acts and is bound by the legal framework on social rent. Defendant further argues that the processing of the personal data must be in accordance with the AVG, but that this processing is is based on the consent of the complainants, which is also provided for in the decision of the Flemish Government of 12 October 2007 to regulate the social rental system in implementation of Title VII of the Flemish Housing Code to regulate the social housing system for the implementation of Title VII of the Flemish Housing Code (hereinafter referred to as the "Social Rent Framework Decree") . In addition, the defendant refers to Legal Consideration 47 of the GDPR, which states that the processing of personal data that are strictly necessary for fraud prevention is also a legitimate interest for the controller. Furthermore, the defendant argues that the lack of a detailed procedure concerning the control of the property condition abroad and the exchanges of this information by no means means that information cannot be sought and obtained in any other way. With regard to Articles 13 and 14 of the GDPR, the defendant maintains that the GDPR has not yet was applicable. With regard to the privacy statement, the respondent, referring to its reply letter of 1 October 2019, that this was established on the advice of its official for data protection and that it is still subject to revision and reworking. As far as the wording is concerned, the defendant argues that the text is clear and that the abbreviations also clear when read in context. Decision on the merits 124/2021 - 6/12 II. Justification II.1. Jurisdiction of the Dispute Chamber 16. On the basis of the information currently available to the Disputes Chamber, and in particular on the fact that the contested processing operations were carried out on a date before the applicable of the GDPR, the Disputes Chamber considers itself ratione temporis to be incompetent to process this complaint to treat and therefore decide to dismiss this on the basis of Article 95, §1, 3° WOG. 17. In order for the Disputes Chamber to be competent, it is necessary that the GDPR applies to the processing of personal data that are the subject of the complaint. According to art. 4, paragraph 2 GDPR is the processing of personal data: “any operation or set of operations with relating to personal data or a set of personal data, whether or not carried out via automated procedures, such as collecting, recording, organizing, structuring, storing, update or modify, request, consult, use, provide by transmission, distribute or otherwise make available, align or combine, shield, erasure or destruction of data”. The processing operations in this case and their timing can be summarized as follows: the order to verification investigation at the Dutch company Z dates from March 7, 2018. The investigation by the firm Z was completed and a report was submitted on March 28, 2018. Subsequently, with a letter dated 11 April 2018 an end to the lease and the defendants are requested to vacate the house and the garage by 31 October 2018 at the latest. In the defendant's letter, the complainants are given a period of time to to leave the garage. This period ends on October 31, 2018, so after the application of the GDPR on 25 May 2018. 2 In its conclusion, the defendant argues that the data processing in question took place before May 25, 2018, as a result of which the GDPR does not apply in this case. The Inspectorate argues in its report that the GDPR does apply is applicable because the aforementioned term expires on October 31, 2018, i.e. after the applicable become of the GDPR. Moreover, according to the Inspectorate, the GDPR has already entered into force on 24 May 2016, pursuant to Article 99(1) of the GDPR, whereby the defendant already has the necessary should have taken steps to ensure that the processing operations are in accordance with would be with the GDPR. 18. The Disputes Chamber establishes that the aforementioned processing of personal data has occurred before the GDPR came into effect on May 25, 2018. Although the deadline which was granted to the complainants to vacate the home and garage does indeed expire on 31 October 2021, the processing operations that are the subject of this case have not occurred during this period. The Disputes Chamber is therefore not authorized to take cognizance of 2 Article 99(2) GDPR Decision on the merits 124/2021 - 7/12 to take. The Disputes Chamber finds the legal basis of its competence in the law of 3 December 2017 establishing the Data Protection Authority (WOG) whose entry into force was established, subject to exceptions, on 25 May 2018 (Article 110 of the WOG). Although the Disputes Chamber is competent for data processing that, although before 25 May 2018 but still continuing after that, she is not authorized for one-off processing operations that would have taken place before 25 May 2018 or multiple processing operations 4 the before May 25, 2018. The Disputes Chamber cannot determine that after 25 May 2018 processing operations to which this case relates have taken place. 5 19. In view of the foregoing, the Dispute Chamber proceeds to a technical dismissal through which this complaint is not followed up further as there is no infringement of the GDPR. II.2. Legislative framework : Relationship between the processing of personal data and the admission requirements in the context of social rent 20. For the sake of completeness, the Disputes Chamber wishes to draw attention to the broader issue related to the complaint, namely the processing of personal data in function of the control of the registration and admission conditions in the context of social rent. 21. In this context, the Disputes Chamber first of all points out that pursuant to Article 13.1c) of the GDPR, the controller already when collecting personal data concerning a data subject, this data subject must inform about, among other things, the processing purposes 6 for which the personal data is intended, as well as the legal basis of the processing. The The controller must therefore establish the legal basis for the processing prior to the processing transparent manner. No cascade system is possible in determining the applicable legal basis for the processing, where the controller designates alternative legal bases, as each legal base has different obligations associated with the controller. 22. At the time of the facts in question, the registration and admission requirements in the framework of social rent determined by the Social Rent Framework Decree. Article 3, 1 of the Framework Decision states that a natural person can be registered in the register referred to in Article 7, if he meets several conditions, including the following: ”3° [the (prospect) tenant], together with his family members, has no house or plot that 3 See point 3.1.A.4 of the Disputes Chamber's Dismissal Policy, published on its website on June 16, 2021, (https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf). 4Decision on the merits 19/2020 of 29 April 2020 (https://www.dataprotectionauthority.be/publications/besluit-ten- ground no.-19-2020.pdf) 5 See point 3.1.A4 of the Disputes Chamber's Dismissal Policy, published on its website on June 16, 2021, (https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf). 6See art. 13, 1 c of the GDPR. 7 “Each landlord keeps a register in which, according to the order in which the application for registration is submitted, the candidate tenants are registered, stating any priority rules […]” (Art. 7 of the Social Rent Framework Decree) Decision on the merits 124/2021 - 8/12 is intended for residential construction wholly in full ownership or wholly in usufruct in domestic or abroad, unless it concerns a camping stay located in the Flemish Region” 23. Pursuant to Article 52, §1 of the Framework Decree, the tenant gives the landlord, by means of his application to registration in the register, his registration as a prospective tenant or his tenantship, the permission to submit to the competent authorities and institutions and to the local authorities the necessary documents or information regarding the conditions laid down in this decree and to obtain obligations. These competent authorities and institutions are in§2 of the same article listed in a non-exhaustive manner as follows 9: 1° the National Register of Natural Persons, mentioned in the law of 8 August 1983 arranging a national register of natural persons; 2° the social security institutions, mentioned in Articles 1 and 2, first paragraph, 2°, of the law of 15 January 1990 establishing and organizing a Crossroads Bank for the Social Security and the persons to whom the social security network with application of Article 18 of the same law was extended; 3° the Federal Public Service Finance; 4° the Civic Integration Crossroads Bank; 5° the Houses of Dutch; 6° the reception offices; 7° the Flemish E-government coordination cell; 8° the organizations and institutions referred to in Article 4, first paragraph, including the policy area Education and Training of the Flemish Community. 24. These sources can be easily consulted for real estate properties in Belgium. However, investigations into real estate in EU countries or non-EU countries are less 8 art. 52.§1.: The reference person gives the landlord, by means of his application for registration in the register, his registration as prospective tenant or his tenantship, the permission to apply to the competent authorities and institutions and to the local authorities administer the necessary documents or data regarding the conditions and obligations set out in this Decree obtain, while preserving the application of the provisions of the law of December 8, 1992 on the protection of the privacy in relation to the processing of personal data, its implementing decrees and any other provision for the protection of privacy, established by or pursuant to a law, decree or decision. 9Art. 52.§2: For the implementation of the provisions of this Decree, the lessor relies on information provided by the competent authorities governments or institutions or other landlords can deliver it electronically. If in this way no or insufficient data are obtained, the candidate-tenant or tenant is requested to provide the necessary data. information from the competent authorities or institutions or other landlords shows that the prospective tenant or tenant does not or does not more meets the conditions and obligations of this Decree, this determination will be communicated to the prospective tenant or tenant who can respond within one week after the notification. Among the competent authorities and institutions, mentioned in §1 and §2, first paragraph, includes :1° the National Register of Natural Persons, mentioned in the law of 8 August 1983 arranging a national register of natural persons; 2° the social security institutions referred to in Articles 1 and 2, first paragraph, 2°, of the law of 15 January 1990 establishing and organizing a Crossroads Bank for Social Security and the persons to whom the social security network was extended under Article 18 of the same law; 3° the Federal Public Service Finance;4°the Crossroads Bank for Civic Integration;5°the Houses of Dutch;6°the reception offices;7°de Flemish E-government coordination cell;8° the organizations and the institutions referred to in Article 4, first paragraph, including the policy area Education and Training of the Flemish Community. Decision on the merits 124/2021 - 9/12 naturally. The defendant notes that no procedure with regard to investigations in non-EU countries was available at the time of the facts, but that this does not exclude the possibility that there can be called upon to private investigative agencies to comply with the obligation to check with with regard to the aforementioned condition of ownership. 25. The Social Rent Framework Decree was repealed by the Decree of the Flemish Government of 11 September 2020 to implement the Flemish Housing Codex. The aforementioned article 52, §§1 and 2 of the Social Rent Framework Decree has been incorporated in full in Article 5.246, §1 of the the aforementioned decision of the Flemish Government of 11 September 2020. Social landlords can therefore still conducting research via the same non-exhaustive sources listed above to real estate. To address the lack of an effective procedure for investigations into foreign real estate, the Flemish The Social Housing Company (hereinafter: “VMSW”) has concluded a framework agreement with private investigative agencies specializing in real estate investigations in Abroad. Social landlords can call on these research bureaus when there is a risk of the presence of foreign immovable property at their (candidate) tenants. 26. In its claims, the defendant refers to the fact that it has received a letter from the Flemish Government and Flemish Housing Company is a recognized housing company whose aim is to rental or sale of social housing the housing conditions of the person in need of housing improve families and singles, especially the most deprived families and single persons, by ensuring an adequate supply of social housing or social housing owner-occupied houses. It does this, among other things, by checking the registration conditions (such as: set out above). 27. If the processing is carried out because the controller is legally required to do so mandatory10 or if the processing is necessary for the fulfillment of a task of general interest or for a task in the exercise of public authority, the 1 processing has a basis in Union or Member State law. 12 28. However, in accordance with Article 6.3 of the GDPR, “the purpose of the processing must be that legal basis” [to be] determined whether in relation to the processing referred to in point (e) of paragraph 1 is necessary [to be] for the performance of a task in the public interest or for the exercise of public authority conferred on the controller”. Furthermore, according to article 6.3 GDPR, the legal basis also includes “specific provisions to regulate the application of the rules” of this Regulation, including the general conditions on the 10Art. 6, 1, (c) of the GDPR. 11 art. 6, 1, (e) of the GDPR 12Art. 6.3 of the AVG. Decision on the merits 124/2021 - 10/12 lawfulness of processing by the controller; the types processed data; The involved; the entities to which and the purposes for which the personal data may be provided; the target limitation; the storage periods; and the processing activities and procedures (…)”. 29. The Disputes Chamber points out in this regard that, in accordance with the aforementioned Article 6.3 of the GDPR, read in conjunction with Article 22 of the Constitution and in the light of Articles 7 and 8 of the European Charter of Fundamental Rights, a legislative standard defines the essential features of a must record data processing that is necessary for the performance of a task of public interest or for the exercise of official authority vested in the 13 controller is entrusted. The Disputes Chamber emphasizes that the parties involved processing should be framed by a standard that is sufficiently clear and precise the application of which is foreseeable to the persons concerned. In accordance with article 6.3 GDPR, the precise purpose(s) of the processing should be specified in the legal standard itself included. Furthermore, the following elements must be foreseeable: the identity of the controller(s), the categories of data processed, on the understanding that they must be in accordance with Article 5.1 of the GDPR, "adequate, relevant and limited to what is necessary for the purposes for which they are processed", the categories of data subjects whose data will be processed, the retention period of the data, the recipients or categories of recipients to whom their data is sent communicated, the circumstances in which and the reasons for which they will be communicated and any limitation of the obligations and/or rights referred to in Articles 5, 12 to with 22 and 34 GDPR. 30. The Disputes Chamber points out in this regard, however, that tasks of general interest or public authority with which controllers are entrusted are often not based on precisely defined obligations or legislative standards that meet the requirements stated under marginal 28, in particular the recording of the essential characteristics of the data processing. Rather, processing takes place on the basis of a more general authorization to act as is necessary for the performance of the task. This leads to the relevant legal basis in practice often no concretely defined provisions contains about the necessary data processing. Data controllers who on If you wish to invoke Article 6.1 e) GDPR on such a legal basis, you must then make a trade-off between the necessity of the processing for the task of general interests and the interests of those involved. 13See also the advice of the Knowledge Center of the GBA 36/2020, 42/2020, 44/2020, 46/2020, 52/2020 and 64/2020 (https://www.dataprotectionauthority.be/burger/zoeken?q=&search_category%5B%5D=taxonomy%3Apublications&sear ch_type%5B%5D=advice&s=recent&l=25) Decision on the merits 124/2021 - 11/12 31. The defendant also refers to Legal Consideration 47 of the GDPR which states that the processing of personal data that are strictly necessary for fraud prevention also a legitimate interest for the controller. The Disputes Chamber points out that the legal basis 'legitimate interest' as provided for in Article 6.1, f) of the GDPR does not apply applies to processing by bodies with a public law function in the context of the performance of their duties.14 32. Finally, the defendant argues that the processing in question is based on the consent of the complainants and that the processing is therefore lawful under Article 6, 1, a) of the GDPR. This consent would result from the signing of a declaration of honor in which the tenant confirms that he does not own immovable property. More specifically, it mentions statement, which was prepared by the VMSW, the following: This declaration on honor serves to verify whether the imposed property value has been met met. The declaration made will be checked with the competent government department. 33. The Disputes Chamber states that although consent may constitute a lawful ground for processing, as stipulated in Article 6, 1, a) of the GDPR, but adds that at the time processing is based on the consent of the data subject, there are several conditions this permission applies. Consent must be freely given, specific and informed and finally unambiguous.15In this context, Recital 43 of the GDPR states that there is no free consent in the case of a clear disproportion between the parties or if the failure to give consent to the data subjects obvious disadvantage. In this case there is a clear mismatch between the person concerned and the social housing company with a specific status under public law as controller. Moreover, the (candidate) social tenant does not have the actual choice to refuse without negative consequences to the refusal be connected. After all, in the event of refusal, he is no longer eligible for social security benefits home. The Disputes Chamber emphasizes that a legally required consent is not a lawful processing ground in accordance with Article 6(1)(a) of the GDPR as it is not free may have been given by the person concerned. 34. In view of the above, the Disputes Chamber determines that the consent does not may constitute a legal ground for the present processing operations 35. In this decision, the Disputes Chamber limits itself to these general considerations about the legal basis. The Disputes Chamber has observed these social problems and will investigate further when further proceedings in this regard are brought before it turn into. 14Recital 47 of the GDPR. 15EDPB Guidelines 05/2020 on consent underRegulation 2016/679, p. 7-8. Decision on the merits 124/2021 - 12/12 III. Publication of the decision 36. Given the importance of transparency in the decision-making of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. It is not necessary, however, that the identification data of the parties be made public directly. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decided, after deliberation, to of Article 100, §1, 1° WOG to dismiss the present complaint. Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a period of thirty days, from the notification, to the Marktenhof, with the Data Protection Authority as Defendant. (get). Hielke Hijmans Chairman of the Disputes Chamber