Court of Appeal of Brussels - 2020/AR/1333: Difference between revisions
(→Facts) |
|||
(6 intermediate revisions by 3 users not shown) | |||
Line 5: | Line 5: | ||
|Courtlogo=Courts_logo1.png | |Courtlogo=Courts_logo1.png | ||
|Court_Abbrevation=Cour d'Appel Bruxelles | |Court_Abbrevation=Cour d'Appel Bruxelles | ||
|Court_With_Country= | |Court_With_Country=Court of Appeal of Brussels (Belgium) | ||
|Case_Number_Name=2020/AR/1333 | |Case_Number_Name=2020/AR/1333 | ||
Line 38: | Line 38: | ||
|Party_Name_1=X | |Party_Name_1=X | ||
|Party_Link_1= | |Party_Link_1= | ||
|Party_Name_2= | |Party_Name_2=APD/GBA (Belgium) | ||
|Party_Link_2= | |Party_Link_2= | ||
|Party_Name_3= | |Party_Name_3= | ||
Line 47: | Line 47: | ||
|Party_Link_5= | |Party_Link_5= | ||
|Appeal_From_Body= | |Appeal_From_Body=APD/GBA (Belgium) | ||
|Appeal_From_Case_Number_Name=n ° 53/2020 | |Appeal_From_Case_Number_Name=n ° 53/2020 | ||
|Appeal_From_Status= | |Appeal_From_Status= | ||
Line 60: | Line 60: | ||
}} | }} | ||
The | The Court of Appeal overruled the DPA's decision to fine €5,000 for mistakenly sending an email to 150 recipients whose email addresses is wrongfully disclosed, because it considered the decision to be disproportionate. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 1 September 2020, [[APD/GBA - 53/2020|the Belgium DPA imposed a fine of €5,000 on a controller]] for sending unsolicited emails for electoral message and disclosure of emails (via CC). The controller did not agree with the fine and filed for appeal. | |||
=== Dispute === | === Dispute === | ||
Proportionality of the administrative | Proportionality of the administrative fee | ||
=== Holding === | === Holding === | ||
The DPA's decision | The Court of Appeal overruled the DPA's decision for lack of justification as required by [[Article 83 GDPR]], and lack of proportionality. The decision was sent back to the authority who is additionally required to pay back legal cost for €1,400, since the Court could not itself reform, or amend the decision. | ||
== Comment == | == Comment == | ||
== Further Resources == | == Further Resources == |
Latest revision as of 11:43, 24 January 2022
Cour d'Appel Bruxelles - 2020/AR/1333 | |
---|---|
Court: | Court of Appeal of Brussels (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6(1) GDPR Article 25(1) GDPR Article 25(2) GDPR Article 32(1) GDPR Article 32(4) GDPR |
Decided: | 27.01.2021 |
Published: | |
Parties: | X APD/GBA (Belgium) |
National Case Number/Name: | 2020/AR/1333 |
European Case Law Identifier: | |
Appeal from: | APD/GBA (Belgium) n ° 53/2020 |
Appeal to: | |
Original Language(s): | French |
Original Source: | Cour d'Appel des Marchés (in French) |
Initial Contributor: | TaraTb |
The Court of Appeal overruled the DPA's decision to fine €5,000 for mistakenly sending an email to 150 recipients whose email addresses is wrongfully disclosed, because it considered the decision to be disproportionate.
English Summary
Facts
On 1 September 2020, the Belgium DPA imposed a fine of €5,000 on a controller for sending unsolicited emails for electoral message and disclosure of emails (via CC). The controller did not agree with the fine and filed for appeal.
Dispute
Proportionality of the administrative fee
Holding
The Court of Appeal overruled the DPA's decision for lack of justification as required by Article 83 GDPR, and lack of proportionality. The decision was sent back to the authority who is additionally required to pay back legal cost for €1,400, since the Court could not itself reform, or amend the decision.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Court of Appeal Brussels -2020 / AR / 1333 p. 2 X, [...], represented [...], Requiring partner, Against Decision No. 53/2020 pronounced by the Contentious Chamber of the Authority for the Protection of Data as of September 1, 2020 (DOS-2019-02974) Vs: THE DATA PROTECTION AUTHORITY, BCE 0694.679.950, with its registered office at the press35 in 1000 Brussels, represented by Me CROISANT Guillaume (guillaume.croisant@linklaters.com) and Me SERON Carine (carine.seron@linklaters.com) lawyer in BRUSSELS, Defendant, **** 1.The referral to the Market Court. ° The Markets Court is seized by an appeal from X against decision no.53 / 2020 pronounced by the Contentious Chamber of the Data Protection Authority (ei-after the C ontentious chamber ”) in September 2020 which imposes a fine of 5,000 € on him (DOS-2019-02974). Pursuant to article 108 § 1 of the law of 3 December 2017 establishing the Protection Authority data (hereinafter “APD law”), the contentious chamber informs the parties of its decision and of the possibility of appealing to the Procurement Court within thirty days, from the date of notification of the decision. The appeal brought by a request lodged with the registry of the court of appeal de Bruxelles dated September 29, 2020 is therefore admissible. The admissibility of the appeal is not contested. The case was argued at the hearing on January 13, 2021 in the form of a video conference (Webex). By email from the registry of January 3, 2021, the parties were invited to participate in a video conference. By emails of January 11, 2021, counsel for the parties indicated their agreement to replace the face-to-face public hearing with a virtual public hearing. On the date of the hearing, the registry is at the disposal of any litigant and any person wishing to attend the debates, the link and the password allowing him to participate in the videoconference. 2.The Attagged Decision. The Contested Decision states the following: "PARCES REASONS, LACHAMBRE LITIGATION, Decides, after deliberation, to impose a fine of 5000EUR on the data controller on the basis of articles 100, 13t 101 of the LCA as well as 83 of the GDPR, for / 'all breaches identified, namely for breach of Article 5, 1., b) of the GDPR, and 1 PAGE □ 1- □ valid farfetched 1942078-0002-0025- □ 5- □ 1-i; -J L ..J Brussels-2020 Court of Appeal / AR / 1333 p. 3 breach of articles 5.1.a} and 5.1.b), 6.1, 25.1 and 25.2, 32.1 and 32.4 of the GDPR read together. This decision may be appealed against within thirty days, from notification, to the Procurement Court15 (Article 108, § 1 of the LCA), with the Authority data protection as a defendant. " 3. The parties' demands. In summary conclusions filed on December 15, 2020, X requests: "PRINCIPLE / PAL Declare the appeal admissible and well founded, Reform the decision appealed from, In doing so, pronounce the suspension of the pronouncement. IN THE ALTERNATIVE Dec / arer / 'appelrecevab / eet founded, Reform the decision appealed from, In doing so, considerably reduce the fine imposed by the contentious chamber of the Data Protection Authority. INFINITELY SUBSIDIARY Declare / 'appelrecevab / eet founded, Reform the decision appealed from, In doing so, refer the complaint to the Contentious Chamber so that it adopts a new decision which would take into account the grounds for annulment retained. IN ALL CASES Order the respondent to pay the entire costs and expenses of this liquidated procedure as follows with regard to X: Appeal request fee: 20.00 euros procedural indemnity: 1,440.00 euros Total: 1,460.00 euros ” The Data Protection Authority (APD} requests summary conclusions, filed with Registry of the Brussels Court of Appeal Ie 07/01/2021 "PLAISEÀ THE COURT DESMARCHES OF THE COURT OF APPEAL OF BRUSSELS - As a principal /, to declare the appeal of X unfounded and to condemn it to the entire costs of the proceedings, including the procedural indemnity fixed at the basic amount of € 1,440; -In the alternative, if Your Court were to accept a ground for annulment (quad no), to refer the complaint before the Contentious Chamber so that it adopts a new decision in accordance with the judgment of Your Court. " 4. The means. 4.1. X makes the following arguments: the means: / 'amended inflicted does not respect /' article 83 of the GDPR (a) The nature, gravity and duration of the violation, taking into account the nature, of the scope or purpose of the processing concerned, as well as the number of people affected and the level of damage they have suffered (article 83.2.4 of the GDPR) r PAGE 01-00001942078-0003-0025-05-01-� L _J Brussels-2020 Court of Appeal / AR / 1333 p. 4 b) The fact that the violation was committed willfully or negligently {article 83.2.b of the GDPR) c) Measures taken by the controller and the processor to mitigate the damage suffered by the data subject (art / e83.2.c of the GDPR} d) Any violation committed by the controller or processor (article 83.2.e of the GDPR} e) The degree of cooperation established with the supervisory authority with a view to violation and mitigate any negative effects (article / e83.2.f of the GDPR) f) Any other aggravating or mitigating circumstance applicable to circumstances of the case, you / Ie that the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the violation (article 83.2.k of the GDPR) 2nd plea: / the fine is disproportionate SUBSCRIBE: REDUCTION OF THE FINE IN AN INFINITE SUBSIDIARY: REFERRAL TO LACHAMBRE LITIGATION 4.2. The ODA, for its part, raises the following means: Means 1: / the fine imposed by the Contested Decision is proportionate and complies with the article 83 of the GDPR. The Litigation Chamber fully complied with article 83.1 of the GDPR and principle of proportionality in its choice to impose an administrative fine on X only in determining the amount thereof. It has taken into consideration the criteria listed in article 83.2 of the GDPR to assess and guarantee the proportionate and dissuasive nature of this fine. On the other hand, she discarded the mitigating circumstances alleged by X, because cel / es-ei were either not relevant or unfounded. In addition, the fine imposed on X is in line with the case law of the Litigation Chamber relating to the il / here processing of personal data to electoral / ins. X's sole plea, having regard to which administrative fine imposed on it by the Decision attacked would be disproportionate, must therefore be rejected for lack of foundation. Means 2: in the alternative, the Court cannot substitute its decision for that of the Chamber Litigation. In the alternative, even if the Court were to annul the Contested Decision (quad no), it cannot substitute its assessment for that of the Contentious Chamber as the solicitX. Indeed, when X so / lawful of the Court that it decides in full jurisdiction by reforming the Contested Decision and pronouncing the suspension of the pronouncement in place of the Chamber Litigation, he asks the Court to decide on an aspect that falls within the power of discretionary judgment of / 'APO. A solution cannot be adopted. The courtyard should therefore refer the matter back to the contentious chamber for the latter to adopt a new decision which would take into account the grounds for annulment retained by the Court. r PAGE 01-00 □□ 1942078- □□□ 4- □ 025- □ 5- □ 1-; i L _J Brussels Court of Appeal -2020 / AR / 1333p. 5 5. The facts. The Attacked Decision relates the facts as follows: “On 25 May 2019, the complainant submitted a request for information to the Autorité de protection of data concerning the use by the defendant of his / her e-mail address personal for / 'sending an electoral message received on May 22, 2019, addressed to his / her name by his secretary. The complainant emphasizes that he never gave his consent to have his address be used for this purpose by the defendant. The complainant also denounces the fact that this message was sent to many recipients p / aced in copy, which favored Ja diffusiononsol / icitéedesourelectronicaddress tothispeople. 2. The letter read as follows: “Ladies and Gentlemen, Dear Friends, Dear Friends, I am proud to be the [Xth] candidate of the [Y] list for our borough [list of communes concerned..J. Allow me to ask for your suffrage. A good result to me will allow our team at the College and the Provincial Council to be even more efficient. I wishes to do everything in its power to also support our local representatives and their projects. 3. By letter of July 2, 2019, the Frontline Service of the Protection Authority of the data invited the complainant to exercise his rights with the defendant, in this case, his right to object to the processing of his personal data. At the same time, by letter On July 2, 2019, the Frontline Service contacted the defendant for him ask in particular how he / she had obtained the duplicating e-mail address, if he had lodged a data breach notification with / 'APO and that / the measures been taken so that this type of incident does not happen again. 4. Responses that the Respondent addressed to the complainant and to the Primary Care Service. sign, it appears that the complainant's email address was collected on the occasion of a request for information sent in March 2014 by the p / aignant to the secretariat of the bourgmestre of the city of X., to sign a public cleanliness problem. more particularly an e-mail addressed to "secretariat.bourgmestre@X.be" concerning an illegal dump near the old city walls which the parent requested cleaning. On July 4, and in fact, in his letter to at the front line service, co-signed by the defendant, the defendant's secretary writes the following explanation regarding the collection of the e-mail address reads "g come from a "hotlines" file organized by the defendant when he was »Bourgmestre of the city. The p / aignant therefore appears in this / ui to have, at a time or another, had contact with the defendant ”The Litigation Chamber cannot therefore follow the defendant in his subsequent explanations (July 2020) which / 'disputed email address (and others) would have been collected via emails to him being addressed personally and not via an administrative or other service of the municipal administration The contentious chamber understands as soon as the collected by the burgomaster are not only the result of contacts with citizens with the city administration but also, according to the statements of the defendant, emails to him having been addressed personally, which was not the case with regard to e-mail of the complainant who was indeed collected via the bourgmestre's secretariat. 5. With regard to the modus operandi for sending the disputed email, the Respondent replied to questions from the Data Protection Authority by co-signing the following exp / ication provided by the municipal employee who was his secretary when he was mayor: IPAGE 01-00001942078-0005-0025-05-01- � L ..J Brussels-2020 Court of Appeal / AR / 1333 p. 8 personal data and the free movement of such data, and repealing Directive 95/46 / EC (regulation general data protection or GDPR) "1. Each supervisory authority shall ensure that the administrative fines imposed in under this article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive. 2. Based on the characteristics of each case, the administrative fines imposed in addition to instead of the measures referred to in Article 58 (2) (a) to (h), and j). To decide whether to impose an administrative fine and to decide on the amount administrative fine, due account shall be taken, in each individual case, of the following items a) the nature, severity and duration of the viofation, taking into account the nature, of the scope of the purpose of the processing concerned, as well as the number of people affected parties and the level of damage they suffered; (b) the fact that the violation was committed willfully or negatively; c) any action taken by the controller to the processor to to mitigate the damage suffered by the persons concerned; d) the degree of responsibility of the controller to the processor, taking into account the technical and organizational measures they have implemented by virtue of Articles 25 and 32; e) any relevant violation previously committed by the responsible processing to the subcontractor; f) the degree of cooperation established with the supervisory authority in order to remedy violation and mitigate any negative effects; g) the categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the violation, in particular if, and to the extent that the processor is responsible for the processing notified the violation; i) / where measures referred to in Article 58 (2) have been previously ordered against the controller at the treating concerned for the same oj and, the respect of these measures; } the application of codes of conduct approved in application of / 'article 40 to the certification mechanisms approved in application of article / e42; and k) any other aggravating or mitigating circumstance applicable to circumstances of the case, you / Ie that the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the violation ”(underlined by us). 7. Motivation. 7.1. The infractions. X does not dispute the infractions. There is therefore no need to examine the merits of the Decision. Attacked in that it declares the infringements as proven. 7.2. The scope of the jurisdiction of the Market Court. The parties disagree on the scope of the jurisdiction / jurisdiction of the Market Court, in particularly the question of the extent of the full jurisdiction of the Market Court, or more concretely on the question of whether the Court - after having set aside a decision - can substitute its own decision to the decision of the APD and can therefore impose a sanction "different" from that 1 PAGE 01- □ 0 □□ 1942078-0008-0025- □ 5- □ 1-; i L _J Brussels Court of Appeal -2020 / AR / 1333 p. 14 decisions, some of which have a scope equivalent to that of the courts and tribunals of the order judicial process, it is imperative that a judicial remedy be instituted by the legislator in order to guarantee aujusticiable an appeal before a court forming part of the judicial order. It follows that the Market Court cannot therefore substitute its decision for that of the authority administrative only when the Court finds that this decision is illegal or irregular (for example when any principle of good administration would be violated by the decision administrative attack). A manifest error "may" result in the decision being overturned. It follows that it belongs to the applicant to prove the manifest error of assessment allegedly committed by the board litigation of the APO, the illegality of the Contested Decision or the disregard of the principles general matters of good administrative management The motivation required by the law of July 29, 1991 on the explicit motivation of administrative acts must include a statement of the legal and factual considerations which form the basis of the decision. It follows from these provisions that, in the event that a decision is legal administrative process is based on the taking into account of a certain number of considerations, the respect of the requirement of motivation which they foresee only leads its author to have to state only those on which is the basis for the decision he has taken. It follows from this that the plea alleging insufficient motivation of the Attacked Decision which did not have to rule on all the criteria provided for in Article 83 of the aforementioned GDPR and the error of law that this insufficient reasoning would reveal, should be discarded. 7.4. Does the fine imposed comply with Article 83 of the GDPR? (first plea of the applicant and the APD) Insofar as the applicant criticizes the content of the answers provided by the Chamber APO litigation, the plea cannot be accepted. The applicant claims: "4.1.3. In this case, the Contentious Chamber of the Data Protection Authority imposed a fine in the amount of 5,000.00 euros without taking into account all the elements thus invoked by / 'artic / e83 of the GDPR Regulation. a) The nature, severity and duration of the viofation, taking into account the nature, of fa scope or purpose of the processing concerned, as well as the number of people affected and the level of damage the elves suffered (article 83.2.4 of the GDPR) 4.1.4. The Data Protection Authority should have taken into account the nature, the seriousness and the duration of the breach as well as the number of affected persons affected and The level of damage that the elves suffered (article 83.2 a) In this case, X sent a single courrief to the complainant, Z, and immediately excused for this handling error so that there was only one person affected and the GDPR violation has not lasted. 18Cour des marchés June 12, 2019, 2019 AR 113. r PAGE □ 1- □ valid fares 1942 □ 78- □ valid 14-0025-05- □ 1-� L _J Brussels-2020 Court of Appeal / AR / 1333 p. 15 This handling error did not, moreover, cause significant damage to Z, which that the contentious chamber did not take into account in the assessment of / 'fine inflicted on X. 4.1.5. In terms of main conclusions, the Data Protection Authority recognizes that a only elitigious email but indicates that it is wrong to consider that only one person has was affected as soon as the email in question was sent to 150 people. This does not mean, however, that these 150 people are "affected people" in the meaning of section 83.2. of the GDPR as soon as it is not established that X did not have authorization to use the personal data of some of these people. Moreover, apart from Z, no one has issued any p / aints, neither to X, nor to the Protection Authority. Datas. b) The fact that the violation was committed willfully or negligently (article 83.2.b of the GDPR) 4.1.6. The Data Protection Authority should also have taken into account that the violation was not willful and took place, on the contrary, by neg / igence (article 83.2 b). As X was able to explain through his secretary, the latter sent election advertising from his private mailbox, omitting to hide the list of recipients. There was therefore no intention to misuse these addresses, nor to harm anyone else. either.This is a simple handling error for the excused. 4.1.7. In its decision, the Litigation Chamber recognizes "that no element of the file attests that the infringement was committed deliberately, on the instructions of the defendant ”(page 11 of the decision). The Contentious Chamber thus agreed to retain the unintentional nature of the under mitigating circumstances. However, at the level of the sanction, the Contentious Chamber did not, in reality, take any consideration of this attenuating circumstance as soon as, and as will be explained below below, the sanction imposed on X is a very severe sanction compared to the sanctions usually applied by the contentious chamber. 4.1.8. In terms of main conclusions, the Data Protection Authority alleges that “Ie unintentional nature of the infringement which was retained by the Litigation Chamber as attenuating circumstance (Contested Decision paragraph 35} concerns only the third violation (article 32.1 of the GDPR) ”(page 15 of the main conclusions of the Data Protection Authority). In other words, the Data Protection Authority estimates, in terms of conclusions principa / es, that this mitigating circumstance was not retained for the violations of articles 5.1.a, 5.1.b, 6.1 as well as articles 25.1 and 25.2 of the GDPR. It is clear that this statement is in total contradiction with the decision rendered by the Contentious Chamber of the Data Protection Authority. 1 PAGE 01-00001942078-0015-0025-05-01-� � L __J Brussels Court of Appeal -2020 / AR / 1333 p. 16 The latter admitted, under Title 3 of its 'Corrective Measure' decision, that mitigating circumstance without making any distinction and without specifying that it only applied either violation. Point 35 of the contested decision is, in fact, worded as follows: "In its response to the reaction form to I meet a proposed fine, I the defendant is mainly going to believe that the sending of this mail results from his point of view of a handling error. In this regard, the Litigation Chamber notes / Ie that a handling error, I if applicable, constitutes a security breach and as such a data breach within the meaning of J'artic / e 4.10 of the GDPR which results in Ja responsibility of the defendant with regard to the prior implementation of adequate security measures to avoid such errors. Bedroom litigation notes, however, that nothing in the file attests that the infringement was allegedly committed on the instruction of the defendant. Bedroom contentious therefore retains the unintentional nature of the infringement as a mitigating circumstance ”(page 11 of the contested decision). In addition, to the extent that the Litigation Chamber of the Data Protection Authority imposed a global fine for the various violations, the mitigating circumstance recognized by the latter had to be taken into consideration with regard to the assessment of Ja sanction and this even though this mitigating circumstance has been recognized only for rune violations, quad no. c) Measures taken by the controller or the processor to mitigate Damage suffered by the data subject (article 83.2.c of the GDPR) 4.1.9. In addition, the Data Protection Authority should still have taken into consideration of the measures taken by X to mitigate the damage suffered by the persons concerned (article 83.2 c). In his letter of October 14, 2019, X informed the Contentious Chamber that he had "solicited / 'opinion of a specialist in the news / aegis" to help him to supervise his team "in order to avoid any new errors of the kind in the future". Protection Authority data are refused to take these elements into consideration. d) Any violation committed previously by the controller or The subcontractor (article 83.2.e of the RGPG) 4.1.10. In estimating the fine imposed on X, the Contentious Chamber also did not judge useful to take into account / 'total absence of previous viofation in the head of X and this in annoyance with article 83.2. e). 4.1.11. In terms of main conclusions, the Data Protection Authority claims that the GDPR considers recidivism to be an aggravating circumstance. Se / on el / e, / 'the absence of an aggravating circumstance does not mean the existence of an aggravating circumstance. mitigating. This does not detract from the fact that in determining the sanction to be imposed on X, the Data Protection should have taken into consideration I made that the latter was not customary for GDPR violations and that no sanction had ever been applied to it previously. 1 PAGE □ 1-00001942078- □ 016-0025- □ 5- □ 1-� L __J Brussels Court of Appeal -2020 / AR / 1333 p. 17 If the absence of previous violations does not constitute a mitigating circumstance, quod no, this constitutes an objective criterion at all times which must be taken into account in the determination of the sanction. e) The degree of cooperation established with the supervisory authority in order to remedy violation and mitigate any negative effects (article 83.2.f of the GDPR) 4.1.12. Likewise, the Contentious Chamber did not take into consideration the cooperation of X (article 83.2 f). From October 14, 2019, X indicated to the Litigation Chamber that he was in his available to be heard if she so wished. This perfectly demonstrates that X wanted to cooperate in this case, which the Chmbrecontentieu did not take it into account. f) Any other aggravating or mitigating circumstance applicable to the circumstances of the species, you / Ie that the financial advantages obtained or the losses avoided, directly or indirectly, due to the violation (article 83.2.k of the GDPR} 4.1.13. Finally, the Contentious Chamber did not consider it useful to take into account other extenuating circumstances such as the fact that X did not derive any benefit from this violation. In terms of main designs, the Data Protection Authority considers that there is no no reason to uphold this argument on the grounds that X does not add any element which would make it possible to determine whether or not the use of the permanent file influenced favorably the result of the elections. It is impossible for X to prove this negative fact. Nevertheless, it is not unreasonable to admit that the 150 people allegedly targeted by the email litigation alone could not influence the final outcome of the elections. In addition, there a / ieu to note that the fines imposed by the Data Protection Authority constitute penalties of a criminal nature. Indeed, since the judgment of the European Court of Rights of Hamme Engel v. Netherlands from 8 June 1976, it is accepted that the concept of "criminal charge" referred to in Article 6 of the Convention is an “autonomous concept”, endowed with a European meaning potentially distinct from that attributed to homonymous terms in national High Contracting Porties. To determine whether an administrative sanction is of a criminal nature, it is necessary that three criteria are met: the qualification of the sanction in domestic law, the nature of the repressed behavior and, finally, the nature and degree of severity of the sanction concerned. The second and third criteria are alternative and not necessarily cumulative. For that Article 6 of the ECHR applies, it is sufficient that the offense in question is of a criminal nature with regard to the Convention, or has exposed the person concerned to a sanction which, by its nature and degree of seriousness, generally pertains to criminal matters. In this case, it must be noted that the sanction applied by the Authority for the Protection of Data does indeed constitute an administrative sanction of a criminal nature: The fine thus imposed is qualified as an administrative sanction; - The GDPR protects / 'general / societal interest and the fines imposed due to a violation of the GDPR have both a deterrent and a repressive purpose; The fine imposed is of undeniable severity. rPAGE 01-00001942078-0017-0025-05-01-� L _J Brussels-2020 Court of Appeal / AR / 1333 p. 18 This is all the more true as the European Court of Human Rights has already had the opportunity to apply the "Engel criteria" to an administrative fine pronounced by the authority of control of the Italian financial markets and to recognize its criminal character. The Court of Justice of the European Union, after having endorsed the development of the "criteria d'Engel ”, also applied this reasoning to administrative fines. The criminal nature of the administrative sanctions provided for by the GDPR must therefore clearly recognized, in particular with regard to the content of article 83 of the GDPR providing that the administrative fines provided for by the supervisory authorities must be effective, proportionate and dissuasive, and setting particularly high thresholds. Being of a criminal nature, the administrative fines applied by the Protection Authority Data must apply the procedural guarantees specific to the "matter criminal law ”that owing to the right to a fair trial, the legality of the incriminations and penalties and The principle non bis in idem. These procedural guarantees in criminal matters lead, in particular, to a reversal of the burden of proof, which means that it is the prosecution, in this case the Authority of Data Protection, which must bear the burden of proof. Thus, the Data Protection Authority cannot content itself with invoking that X would have gained an advantage from the GDPR violation but must prove it, quad no. 4.1.14. Likewise, the Litigation Chamber did not consider it useful to take the situation into account. financial situation of X a / ors that the latter had informed the Chamber of this and had added that a fine of 5,000.00 euros would result in to worsen this already de / icate financial situation. Indeed, X has to face important debts which prevent him from assuming a fine in the amount of 5,000.00 euros. For example, X is being claimed for nearly 16,000.00 euros per administration fiscal. In addition, the building he owns and in which he resides is having problems. stability. X therefore has no choice but to carry out large-scale work to that / s his home insurance refuses to intervene, which / 'obliges to assume some alone cost. Finally, X was the subject of criminal proceedings in the context of the so-called "..." case. This procedure, initiated on November 3, 1999, lasted thirteen years and was completed by a judgment of the 6th chamber of the Court of Appeal of [...] of [...] in which the Court of Appeal / a confirmed in all respects the judgment of the Criminal Court of [...], of [...] by virtue of from which X was acquitted of all charges. The counsel who assisted X in this procedure have recently returned to him, as costs and fees, the total sum of 465,488.82 euros. These amounts were the subject of disputes by X, which led to a legal proceedings before the Court of First Instance of [...] (Exhibit 13 of the file inventoried of the conc / uant). This procedure is currently still in progress so that no final judgment has been made. could be returned. g) Design IPAGE 01-00001942078-0018-0025-05-01- � �� L � ..J Court of Appeal Brussels - 2020 / AR / 1333 p. 19 4.1.15. The Contentious Chamber of the Data Protection Authority did not take into consideration / 'all the elements that must be taken into account to determine the amount of the penalty prescribed by article 83 of the GDPR Regulation. " All of these criticisms relate to the factual assessment that the APD's contentious chamber carried out in this case. As it is not for the Market Court to "re-examine" the facts of the case, and that the plea does not claim that there was a manifest error of assessment, it cannot be welcomed. 7.5. Is the fine imposed disproportionate? (second plea of the applicant, first plea of the DPA) Article 83 of the GDPR provides in its first point that each supervisory authority ensures that administrative fines imposed for breaches of the rules are, in each case, effective, proportionate and dissuasive. In its article 100, the law of 3 December 2017 establishing the Authority for the protection of data (APD law) lists the possible penalties. The contentious chamber has the power to dismiss the complaint; to order the dismissal; of pronounce the suspension of the pronouncement; to propose a transaction; to issue warnings and reprimands; to order compliance with the requests of the data subject to exercise these rights; to order that the person concerned be informed of the safety problem; to order the freezing, temporary or permanent limitation or prohibition of processing; to order a setting compliance of processing; to order the rectification, restriction or erasure of data and the notification of these to data recipients; order the withdrawal of the accreditation of certification bodies; to give periodic penalty payments; to issue administrative fines; order the suspension of transborder data flows to another State or an organization international; to send the file to the public prosecutor's office in Brussels, who informs them follow-up given to the case; decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. The ability to impose an administrative fine is only the thirteenth sanction in the list legal. The fundamental aim of European legislation is not to sanction in the form of inflicting fines for the slightest breach of regulations, the real goal is data protection. The the aim is therefore to protect data, not to punish the slightest infringement at all costs. In this case: “On May 22, 2019, X sent a letter / on his behalf, through / 'adress emails from his secretary, [...], to these terms: "Ladies and Gentlemen, Dear friends, Dear friends, I am proud to be the 10th candidate on the list [...] for our borough of [...]. May I be allowed to sol / icite your suf / anger. A good result will allow me with our team at the College and the Provincial Council to be even more effective. I want to do everything in my power to also support our 1 PAGE □ 1- □ validated 01942078- □□ 19- □regon 25- □ 5- □ 1-; i L __J Brussels Court of Appeal -2020 / AR / 1333 p. 20 local representatives and their projects. My warmest regards ”(Exhibit 1 of the dossier inventory of the appellant). On May 23, 2019, Z sent an email to X's secretary in order to to indicate that he had not given his consent for the use of his personal data and that the e-mail mentioned above should not have been sent to him from then on. From the next day, that is May 24, 2019, X, through his secretary, presented his apologies to Z in these terms: "We know the law on the RGPD: we apologize for this mistake. We realized this at the time of / 'sending but it was trap late We therefore ask you not to lodge a complaint for a gesture totally beyond our control. Our apologies again. Best regards ”(Exhibit 2 of appellant's inventory). On May 25, 2019, Z submitted a request for information to the Autorité de protection of data concerning the use by X of his e-mail address personal. He also denounced the fact that this message was sent to many addressees placed in copy (Exhibit 3 of the inventoried file of the appellant). " "From July 4/2019, the secretary of X, [...] answered this question in these and: terms: "The addresses come from a" permanence "file organized by X / orsqu'il was Mayor of [...]. Z is therefore in this one to have, at one time or another, had contact with X ”. The secretary added: “In fact, from my private messaging system, I sent a election advertising for X, in order to prevent him from using his personal messaging system in his capacity of provincial deputy (...). And this email was sent spontaneously, omitting to put in CC / the recipients. There is therefore no intention to misuse these addresses, nor to harm anyone. It is just a mishandling that we regret. We apologized to Z as you may have read it ”. On August 6, 2019, the Frontline Service of the Data Protection Authority declared Z's complaint admissible and forwarded it to the Litigation Chamber. By registered letter of September 25, 2019, the President of the Litigation Chamber informed X and Z that the case was ready for treatment on the merits and invited the parties to introduce their conclusions according to the fixed timetable. By letter of October 14, 2019, X indicated to the Litigation Chamber: “I have received your new e-mail concerning the distribution of e-mail addresses to a series of contacts during the last election campaign. If you wish, I am at your disposal to be heard on this. I already want to confirm or "reconfirm" that file to / 'all people was a simple handling error at the time of / 'sending of the document which had to be individualized. I myself solicited / 'opinion of a specialist in the new legislation to help me supervise my team in order to avoid the future any new error of the genre. The question still being analyzed with the resource person I have chosen is to know that the health precautions for take with e-mail addresses that people did not send spontaneously. For r PAGE 01-00001942078-0 □ 20-0025- □ 5- □ 1- � _JBrussels-2020 Court of Appeal / AR / 1333 p. 22 citizen, has the right to be treated individually and according to the elements of his file and without elements from other files may interfere. When a decision has to be taken on a case-by-case basis, based on the principle of good faith, ! 'absence of a prior warning, in the absence of any precedent and confronted with immediate apology (the day after the date on which the applicant was informed of the problem which he was not aware), the sanction of immediately imposing an administrative fine in addition to the fact of fixing it from the outset at a large sum of 5,000 euros, is of a disproportionate. In addition, the following grounds: "34. The defendant did not follow the procedure communicated to him by mail recommended and by email. His answer is laced, he would not have been informed of the obstruction to send conclusions to the complainant is contrary to the facts. The contentious chamber considers that by this omission and erroneous denials of the facts, the Respondent has not provided all its cooperation in the procedure, which constitutes an aggravating circumstance " show a manifest error of assessment in the head of the contentious chamber of the APD. There is no binding procedure and in any event, a breach of the rules of procedure may result in the authority disregarding writings or documents which are used in violation of the rules of procedure, but such a fact - even if it is established quad not in ! the absence of binding rules which are enforceable against litigants - can never constitute an aggravating circumstance. reason for the litigation chamber mixes form and substance and is perfectly illegal and invalidates the decision by this fact alone. The Cour des marchés does not criticize the policy of the contentious chamber of the APD but the fact of not to consider the possibilities of achieving the goal pursued by European legislation (such as implemented in Belgian law) by another decision (explicitly provided for in Article 100 points 3 to 12 of the APD Act) while noting a series of elements which show that the applicant did not in no way expressed his intention to disregard the principles of data protection personal but on the contrary the violation he committed was the result of negligence or inadvertently and immediately rectified the situation while apologizing (see above) cannot be interpreted other than as a misuse of powers, the use by an administrative authority within its power for a purpose other than that for which it was granted, in the head of the contentious chamber of the APD. An attitude, tending to impose fines from the first inadvertent offense, does not correspond to the principles that govern matter. As far as the room AD litigation has a complete repressive chain enabling it to carry out controls, the consequences of which (if the infringement is established) can range from a warning to a sanction financial or not. In some cases, an advertisement can even be decided based on the severity cases. The Procurement Court wonders whether in X's case a warning might not have been sufficient. The disputed chamber fails to take into account the presumption of good faith. By inflicting immediately an administrative fine - very substantial against an individual who has sent e-mails mentioning the e-mail address of all the persons to whom the e-mail was addressed - the litigation chamber disregards the fundamental principles of the proportionality of the sanction. 1 PAGE □ 1-00 □□ 1942078- □□ 22- □regon 25- □ 5- □ 1-� L _JCourt of AppealBrussels-2020 AR / 1333p. 23 7.6. Punishment. (second means of ODA) The applicant requests the "reformation" of the decision so that the sanction of inflicting a a fine of € 5,000.00 would be reformed into a stay of proceedings. The APD argues on this subject “78. In the alternative, even if Your Court were to set aside the Contested Decision (quod no}, it cannot substitute its assessment for that of the contentious Chamber as the asks X. Indeed, when X asks Your Court to rule in full jurisdiction by reforming the Contested Decision and pronouncing the suspension of the pronouncement in place of the Chamber Litigation, he asks Your Court to decide on an aspect that falls within the power of discretionary judgment of / 'APO. A solution cannot be adopted. Your Court should therefore refer the complaint to the Contentious Chamber so that it adopt a new decision which would take into account the grounds for cancellation retained by Your Court. " The Markets Court cannot "reform" a decision as an appellate judge could. The Market Court can only annul or not the contested decision. To the extent that a decision is quashed, the Markets Court may - on the basis of the full jurisdiction - make a new decision that will replace the annulled decision. The "reformation factual ”of the Contested Decision is therefore carried out in two phases, first the annulment of the decision and then the replacement of the annulled decision by a new decision. The Markets Court therefore considers that when the applicant requests the "reform" of a Contested Decision, which he ultimately requests that the Procurement Court annul the Contested Decision and replaces this decision with a new decision. 19 The Court endorses the following considerations of the judgment of 28 September 2012 Court of cassation: "The judge is bound to settle the dispute in accordance with the rules of law which are applicable to him. applicable. He is required to examine the legal nature of the facts and acts referred to by the porties and may, whatever the legal qualification given to them by the porties, complete ex officio the reasons they invoked on the condition that it does not raise any dispute of which the porties have exc / u the existence in their conclusions, that it relies exclusively on elements which have been regularly submitted to him, which he does not modify / 'subject of the request and that it does not violate the rights of defense of the porties. " In the present case, the applicant requests that the decision be replaced and the DPA defended himself on this request (see the extract from the conclusions cited above). When the Market Court interprets the request of the applicant to "reform" the Contested Decision into a request to annul the decision and replace it with a new decision on the extent of which the parties have taken conclusions, the Markets Court does not rule ultra petita. In the present case, the Impugned Decision must be annulled for misuse of power, the use by the contentious chamber of the APD of its power to sanction by imposing a fine administrative without considering that the other sanctions of article 100 of the ODA law may reach 19Cass. September 28, 2012, http://www.cass.be at its date, judgment n C.12.0049.N; J.T. 2013, 497; J.L.M.B. 2013, 1297, note VAN DROOGHENBROECK, J. 1 PAGE 01-00001942078-0023-0025-05-01-� � L �� _J Brussels Court of Appeal -2020 / AR / 1333 p. 24 The result envisaged by the legislator0and on the ground that in this case the contentious chamber did not taken into account the presumption of good faith, nor the attitude of the applicant as soon as he was informed of the offense, and that it took into account aggravating circumstances in an unlawful manner, violating thus the principle of proportionality of the sanction. Since the applicant does not dispute the infringements and has never done so, it is appropriate to consider the offenses as established and reconsidering - by virtue of the full jurisdiction of which provides the Procurement Court - the proportionality of the sanction, the applicant should be imposed sanction of the suspension of the pronouncement. 8. Decision and costs The appeal is admissible and well founded. Decision No. 53/2020 pronounced by the contentious chamber of the Authority for the Protection of Data Ie September 1, 2020 which imposes a fine of 5,000 € (DOS-2019-02974) on X is canceled, the sanction is that of the suspension of the pronouncement. The Data Protection Authority is ordered to pay the costs, liquidated at 1,440 € in compensation procedure for X. FOR THESE REASONS, THE COURTYARD, Having regard to articles 24 and 43 bis § 3 in fine of the law of June 15, 1935 on the use of languages in judicial, Ruling contradictorily, Holds X's appeal admissible and well founded; ° Annuls Decree no.53 / 2020 pronounced by the contentious chamber of the Authority for the Protection of Data September 1, 2020 (DOS-2019-02974) in which it imposes a fine of 5,000 euros on X on the basis of articles 100, 13 and 101 of the law of 3 December 2017 on the creation of the Data Protection Authority (“LCA”) as well as article 83 of the GDPR; Deciding with full jurisdiction, pronounces the sanction of suspension of the pronouncement on the basis of Articles 100 and 101 of the LCA as well as Article 83 of the GDPR; Orders the Data Protection Authority to pay the costs, liquidate to .... right to roll and € 1,440 in procedural compensation for X. Pursuant to article 2692 of the Code of registration, mortgage and graft rights, condemns the Data Protection Authority to pay to the Belgian State, SPF Finances, the right to on the call roll (400 €}. 20 namely to modernize the European regulations on the protection of personal data due to of the advancement of new technologies and to ensure that personal data is processed in a new way and that all citizens benefit from high-quality protection when processing their data of a personal nature. rPAGE 01-00 □primer 1942078- □ 024-0025-05- □ 1-i: -i L ... J