Court of Appeal of Brussels - 2019/AR/1600: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(17 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{{COURTdecisionBOX
! colspan="2" |Hof van beroep Brussel - 2019/AR/1600
|-
|
|-
|Court:||[[:Category:Cour des marchés de la cour d'appel de Bruxelles/Market Court of the Brussels appeal court (Belgium)|Cour des marchés de la cour d'appel de Bruxelles/Market Court of the Brussels appeal court (Belgium)]]
[[Category:Cour des marchés de la cour d'appel de Bruxelles/Market Court of the Brussels appeal court (Belgium)]]
|-
|Jurisdiction:||[[Data Protection in Belgium|Belgium]]
[[Category:Belgium]]
|-
|Relevant Law:||[[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]
[[Category: Article 5(1)(c) GDPR]]


[[Article 6 GDPR#1|Article 6(1) GDPR]]
|Jurisdiction=Belgium
[[Category: Article 6(1) GDPR]]
|Court-BG-Color=
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=Court of Appeal of Brussels
|Court_With_Country=Court of Appeal of Brussels (Belgium)


[[Article 13 GDPR#1c|Article 13(1)(c) GDPR]]
|Case_Number_Name=
[[Category: Article 13(1)(c) GDPR]]
|ECLI=


[[Article 13 GDPR#1e|Article 13(1)(e) GDPR]]
|Original_Source_Name_1=Hof van beroep Brussel
[[Category: Article 13(1)(e) GDPR]]
|Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/publications/arret-du-19-fevrier-2020-de-la-cour-des-marches-disponible-en-neerlandais.pdf
|Original_Source_Language_1=Dutch
|Original_Source_Language__Code_1=NL
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=


[[Article 13 GDPR#2a|Article 13(2)(a) GDPR]]
|Date_Decided=19.02.2020
[[Category: Article 13(2)(a) GDPR]]
|Date_Published=
|-
|Year=2020
|Decided:||19. 2. 2020
[[category:2020]]
|-
|Published:||n/a
|-
|Parties:||Liquor store v. [https://www.gegevensbeschermingsautoriteit.be/ Belgian DPA]
|-
|Case Number:||2019/AR/1600
|-
|European Case Law Identifier:||<small>n/a</small>
|-
|Language:||[[Category:Dutch]]Dutch
|-
|Original Source:||[https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/Arrest_190220.pdf Hof van beroep Brussels (in EN)]
|}


The Court of Appeal of Brussels annulled Belgian DPA's decision which had lead to a 10,000 EUR fine against a liquor store. The Court ruled that the DPA's decision was insufficiently reasoned and based on legislation that was not applicable at the time of the complaint. The DPA was ordered to pay back the fine.
|GDPR_Article_1=Article 5(1)(c) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1c
|GDPR_Article_2=Article 6(1) GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1
|GDPR_Article_3=Article 13(1)(c) GDPR
|GDPR_Article_Link_3=Article 13 GDPR#1c
|GDPR_Article_4=Article 13(1)(e) GDPR
|GDPR_Article_Link_4=Article 13 GDPR#1e
|GDPR_Article_5=Article 13(2)(a) GDPR
|GDPR_Article_Link_5=Article 13 GDPR#2a
|GDPR_Article_6=
|GDPR_Article_Link_6=
|GDPR_Article_7=
|GDPR_Article_Link_7=
 
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
 
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
 
|Party_Name_1=Liquor store
|Party_Link_1=
|Party_Name_2=Belgian DPA
|Party_Link_2=https://www.gegevensbeschermingsautoriteit.be/
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
 
|Appeal_From_Body=
|Appeal_From_Case_Number_Name=
|Appeal_From_Status=
|Appeal_From_Link=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
 
|Initial_Contributor=
|
}}
 
The Court of Appeal of Brussels annulled the DPA's decision to impose a €10,000 fine on a liquor store because it was insufficiently reasoned and based on legislation that was not applicable at the time of the complaint.  


==English Summary==
==English Summary==


===Facts===  
===Facts===  
In August 2018, the DPA received a complaint from a customer of a liquor store. According to the complaint, the store had required this person to let them scan her electronic ID in order to issue a customer card. The investigated the complaint and concluded that the complainant had breached the GDPR. More specifically, according to the DPA the liquor store:
In August 2018, the DPA received a complaint from a customer (the data subject) regarding a liquor store (the controller). According to the complaint, the store had required this person to let them scan their electronic ID in order to issue a customer card. After an investigation, the DPA concluded that the controller had breached the GDPR. More specifically, according to the DPA the controller:
1. Did not have a valid legal basis for processing: consent was not freely given because no alternative was offered to the complainant (Article 6(1) GDPR);
 
2. Did not provide the complainant with enough information prior to the processing (Article 13 GDPR);
1. Did not have a valid legal basis for processing. Consent was not freely given because no alternative was offered to the complainant, in violation of [[Article 6 GDPR#1|Article 6(1) GDPR]];  
3. Processed more personal data than necessary, including national ID number, date of birth and gender (Article 5(1)(c) GDPR).
 
2. Did not provide the complainant with enough information prior to the processing, in violation of [[Article 13 GDPR]];
 
3. Processed more personal data than necessary, including national ID number, date of birth and gender, in violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].  


===Dispute===  
===Dispute===  
The appeal against the DPA's decision was based on 9 points, among which was the claim that the DPA violated Articles 52(1), 54(2) and 82(2) of the GDPR (independence of the DPA, professional secrecy and damage liability for controllers). Most importantly, the appellant challenged two of the three findings of the DPA, which had led to the fine: the absence of a valid legal basis for personal data processing and the breach of the data minimization principle. They did not contest the lack of information.
The appeal against the DPA's decision was based on 9 points, among which was the claim that the DPA violated [[Article 52 GDPR#1|Article 52(1)]], [[Article 54 GDPR#2|Article 54(2)]] and [[Article 82 GDPR#2|Article 82(2) GDPR]]. Most importantly, the controller challenged two of the three findings of the DPA, which had led to the fine: the absence of a valid legal basis for personal data processing and the breach of the data minimization principle. They did not contest the lack of information.


===Holding===
===Holding===
The Court annulled the DPA’s decision as insufficiently reasoned and based on a legislation that was not applicable at the time of the complaint. Tee DPA was ordered to pay back the fine.
The Court annulled the DPA’s decision as it was insufficiently reasoned and based on a legislation that was not applicable at the time of the complaint. The Court did not have the power to order the DPA to pay back the fine, as that falls outside of its jurisdiction, but it did quash the decision imposing the fine.


As for the breach of the data minimization principle:
The Court held that, first, the DPA had no evidence to support the finding that the controller was actually processing the national ID number of the data subject. Second, the controller was not obliged to give the data subject an alternative way of creating a discount card because the relevant provision of the e-ID law was not applicable at the time. Thirdly, the Court found that no personal data processing took place because the complainant had refused to have her e-ID scanned. Fourth, the Court considered that the DPA’s finding that the data subject’s date of birth was not used to verify their age, was a mere assumption. Fifth, the DPA should not have assumed that the data subject would have suffered an undeniable disadvantage by missing out on discounts available via the client card. The Court found that this is not a disadvantage because only potential benefit was lost in this case.
1. The DPA had no evidence to support the finding that the Appellant was actually processing the national ID number of the complainant;
2. The appellant was not obliged to give the complainant an alternative way of creating a discount card: the relevant provision of the e-ID law was not applicable at the time;
3. No personal data processing took place because the complainant had refused to have her e-ID scanned;
4. The DPA’s finding that the complainant’s birth date was not used to verify her age is a mere assumption;
5. The DPA should not have assumed that the complainant would suffer an undeniable disadvantage by missing out on discounts available via the client card. This is not a disadvantage because only potential benefit was lost in this case.


The Court upheld the appeal against the DPA’s decision also as regards the absence of legal basis for processing: the legislation that requires giving people alternatives to the processing of the e-ID was not applicable at the time of complaint.
Hence, the Court upheld the appeal against and annulled the DPA's decision.


==Comment==
==Comment==
''Share your comment here!''
Analyses of the judgment:
 
*[https://www.nautadutilh.com/en/information-centre/news/your-id-for-a-loyalty-card-no-data-protection-fine-in-the-end Your ID for a loyalty card: no data protection fine in the end?] (5 March 2020)
*[https://www.timelex.eu/en/blog/loyalty-cards-and-schemes-can-eid-be-used-belgium Loyalty cards and schemes: can the eID be used in Belgium?] (11 March 2020)


==Further Resources==
==Further Resources==
Line 77: Line 107:


<pre>
<pre>
Brussels Court of Appeal -2019/1 600-p. 2
ABOUT
APPELLANT, represented by its director Mr _____________ with KBO no.
_______________, having its registered office at ______________________________, below
"appelant",
appellant,
represented by its counsel Mr. VANDENDRIESSCHE Gerrit and Mr. CLINC:K Jan,
lawyers, both with offices at ________________________________
against a decision6/2019 of 17 September 2019 of the Chamber of Disputes of the
Data protection;
AGAINST
The DATA PROTECTION AUTHORITY, independent public body (supervisory authority)
authority) with legal personality, with CDE No 04694.67 having its registered office at
1000BRUSSEL, rue de la Pression 35, hereinafter referred to as "GBA".
intimate,
represented by its advisers Mr. CLOOTS Elke, Mr. SOTTIAUX Stefan and Mr. ROETSJoos,
advocaten, alien kantoorhoudende te 2018 ANTWERPEN, Oostenstraat 38bus 201
1.    Court of Justice.
The Court's jurisdiction is derived from an appeal lodged by the appellant on 18 December 2010.
October 2019 was deposited at the Registry of the Court of Appeal, and a
redress pursuant to Article 108 § 1 of the Law of 3 December 2017 establishing it
of the Data Protection Authority (hereinafter referred to as the "GBA Act") is brought against the decision on
ground 6/9 of 17 September 2019 (notification dated 19 September 2019) adopted
by the Disputes Chamber of the Data Protection Authority (hereinafter "GBA").
2.    Disputed decisions the facts.
The Chamber of Disputes ruled:
      to impose sanctions in connection with the violation of article/and 5.1. c); 6.1.; 13.1.
      (c);13.1(e) and13.2(a)AVG:
            r PAGE 01-00001582885-0002-0033-01- □1-� r
            L _JCourt of Appeal Brussels - 2019/AR/1600- p. 3
          - • °
              on grand art. 100, Si, 9 WOG, order the defendant to order that the processing in
              be brought into line with Articles 5(1)(c), 6(1); 13(1)(c), 13(1)(e).
              and 13.2. a)AVG
          - on the grand of art. 101 of the WOG, an administrative fee of 10,000.
              EUR as a result of the infringement of°art.5.1. c)and art. 6.1.AVG.
          - on grand of art. 100, 51, 16 WOG, to publish this decision on the
              website of the Data Protection Authority, albeit after anonymisation.
The appellant gives the following factual account:
        1.    The Appellant, the applicant, is a beverage company established at __________. It is a
      family business with more than 40 years of experience. It has offices at ______, _____ and
      _____.
        2.    In the past, the Apellant used paper loyalty cards in order to obtain benefits.
      know to customers. Recently, the appellant has switched to an electronic
      Cash register software system that also allows the electronic identity card (elD card}
      of a customer to be read electronically using the barcode and on this basis
      granting advantages on purchases.
      The present case concerns the administrative procedure launched by the GBA.
      against the appellant following the complaint of a (1} client of the appellant. The name of
      this customer is otherwise irrelevant and is therefore not mentioned. The customer is hereinafter referred to as
      referred to as 'person concerned'.
      3.    On 28 August 2018, the party concerned lodged a complaint with the
      Data protection authority because she did not want her elD card to be read in
      to grant discounts on its purchases (section A.1}. The complaint was as follows:
              Presentation of the facts
              On Friday 8 June, I went to buy drinks from the appellant,___________.
              __________________________. With a few bottles of spirits it was a high
              amount. At the checkout - arrived they asked me if I would not like a loyalty card.
              I wish. I''ia "They asked my identity card to read it in. l
              replied that I didn't want to give my identity card, but that I would feel free to give the
              the data needed to create a loyalty card on paper for a short while
              wanted to put. I was refused the loyalty card - they only make
              customer cards by reading the identity card.
              This/this scenario happened again on Saturday 30 June - this time in the shop
              of drinks trade appellant at ________________________. Because that day we
              having a BBQ with a grate group, the bill for booze was again a hefty
              amount. When I arrived at the checkout they asked me if I would not like a loyalty card.
                                                              �
            I PAGE 01-00001582885-0003-0033-01-01-
            L _JCourt of Appeal Brussels -2019/AR/1600- p. 4
              I said 'yes'. They asked me to read my identity card and I answered.
              dot I didn't want to give my identity card, but dot I feel free to give the data that I need
              wanted to put the goods on paper before creating a loyalty card. The
              customer card was refused to me - one creates enke/ k/anten cards by
              of reading the identity card. At dot moment there were
              different people at the deck mass. One of them also made the remark
              dot it cannot dot for a customer's card the identity card must be read in/receive
              warden. The lady at the checkout said dot she had nothing to do with this and now dot this
              was a mani�on of work.
              Maybe a k/eine remark: I'm 51 years old and I really don't look like a/s anyone
              of 16 years of age:)
      In other words, the person concerned agreed to the processing of her personal data
      information by the appellant to receive a loyalty card. However, it did not wish these
      Processing took place by means of reading her elD card.
      4.    On 26 September 2018 Mr. Willem De Beuckelaere of
      the GBA the message that its complaint was declared "admissible/complainant" and for further action
      treatment has been referred to the competent service which will inform you about
      the vrderever/oop of your k/acht" (piece)B.2
      The first-line service apparently decided not to initiate mediation.
      5.    On 29 October 2018 Mr Van Der l<elen, in his capacity of
      President of the GBA Dispute Settlement Chamber, the Inspector General of the
      ln section of the GBA as follows:
              Pursuant to Article 96, §1 of the Law of 3 December 2017 establishing the
              Data Protection Authority, you hereby become the request of the Dispute Chamber
              from today to the conduct of an investigation, together with the k/eacht
              and the judgment of the court or tribunal. (document B.3)
      De Geschillenkamerveprovided no further details on what aspects of the processing
      the lnspectorate had to investigate.
      On the same day, Mr van der Kelen also informed the person concerned of the decision of the
      Disputes Chamber to have the lnspection Service carry out further investigation of the complaint
      (stuB.4).
      6.    On 7 February 2019, the appellant received a letter from Mr Frank
      Schuermans, Inspector General of the Inspectorate of the GBA (stu k B.6). The
      lnspection Service requested the appellant to provide information and documents in order to
      "to gain a better understanding of your practice for the acquisition of personal data from your
            I PAGE □ 1-00001582885- □ 4-0033- □1-□ 1-;i
            L _JCourt of Appeal Brussels - 2019/AR/1600-p. 5
      customers, the internal use of this personal information in your company and the possible use of this personal information in your company.
      distribution of these obtained personal data to third parties in accordance with the terms of the agreement.
      AVG obligations (...)".
      7.    On 12 April 2019, the appellant's counsel d: replied to the
      questionnaire of the lnspection Service, together with additional documents (document B.7).
      8.    On 10 May 2019, the Inspector General of the GBA's Inspectorate,
      in the meantime, Mr van den Eynde, his report of the enquiry to the chairman of the
      Dispute Chamber, meanwhile Mr. Hielke Hijmans (piece B.8). This report contained the following,
      on the one hand, "findings (within the scope of the k/eight seriousness indications)" and,
      on the other hand, 'additional findings (outside the scope of the k/eight or serious
      indications'.
      9.    On 28 May 2019, the Disputes Chamber decided to hear the substance of the case.
      (part B.9).
      10. On 3 June 2019, the Disputes Chamber informed the appellant of the decision to withdraw the
      deal with the substance of the case (document 8.10). The Appellant was also informed
      on its possibilities such as requesting a copy of the file as well as the
      submission of defences. It was only at this point that the appellant was given the opportunity to
      to take note of the content of the Complainant's complaint against the processing of
      personal data by the appellant.
      On the same day, the GBA Oak sent a registered letter to the person concerned. This
      immediately received a copy of the inspection report (document B.11).
      On 27 July 2011, the appellant submitted her defences (documents C.1 and C.2).
      On 17 September 2019, the Disputes Chamber took a decision on the merits, hereinafter referred to as the
      "Contested Decision" (document D.1).
      For its part, the Data Protection Authority (hereinafter "GBA") shall explain the facts as .
      follows:
      1.    On _28 August 2018, the GBA received a complaint from a person ('the
      person concerned' or 'the complainant') who is a customer of the appellant, a beverage business with
      Various branches at _____________________. In the complaint form, the person concerned stated that they were,
      in order to be able to obtain a loyalty card from the beverage trade, it was obliged to offer its
      to have an electronic identity card read into the computer system of the beverage trade.
      However, the person concerned did not wish her identity card to be read electronically. -Herring
      propose, as an alternative, that the personal data needed to establish a
            I PAGE 01-00001582885-0005-0033-01-01-�
            L _JCourt of Appeal Brussels - 2019/AR/1600-p. 6
        to create a loyalty card in any other way was rejected. As a result,
        the person concerned was refused a loyalty card from the beverage trade, although they would like to
        wished for a loyalty card. This was done on two occasions, both in the branch at the
        _________ (on 8 June 2018) as in the establishment at ____ (on 30 June 2018).
        In particular, the person concerned described the facts as follows in the complaint form which she submitted to
        submitted the GBA (part 1):
              On Friday 8 June, I went to buy drinks from the drinks trade appellant,___________ __________________________________--appella,t
              appellant's address: ________. With a few bottles of spirits it was a high amount.
              At the checkout - arrived they asked me if I didn't want a loyalty card. I said
              ''ia''. I was asked to read my identity card and I replied that
              I did not want to give my identity card, but that I would feel free to give the data that I needed
              wanted to put the goods on paper before creating a loyalty card. The
              loyalty card was refused to me - one only creates loyalty cards by means of
              of reading the identity card.
              This/this scenario happened again on Saturday 30 June - this time in the shop of
              beverage trade appellant in _____ address address address address address address address address . Because we
              day had a BBQ with a grate group, the bill for booze was again a
              considerable amount. When I arrived at the checkout they asked me if I would not like a loyalty card.
              I said 'la'. They asked me to read my identity card. Yk
              replied that I did not want to give my identity card, but that I would be happy to give the
              data needed to create a loyalty card on
              wanted to make paper. The loyalty card was refused to me - they only make
              customer cards by reading the identity card. On that
              moment ston_ den er different/ende people behind me at the checkout. A v them
              made the comment that it is not possible for a loyalty card to have the
              Identity card must be read in. The lady at the checkout said that she was here
              had nothing to do with it and that this was their way of doing things.
              Perhaps a small remark: I am 51 years old and I really do not look like someone
              of 16 years @."
      2.      On 26 September 2018, the GBA declared the complaint admissible on grand of the
      Articles 58 and 60 of the Act establishing the Data Protection Authority (hereinafter referred to as 'the Act'):
                  1
      "GBA Act") (document 2). The complaint was subsequently submitted to the Disputes Chamber of
      the GBA, in accordance with Article 62(1) of the GBA Act. The admissibility decision was
      also notified to the complainant on 26 September 2018, in accordance with Article
      61 GBA Act (document3).
                                                                                        °
      3.      On 23 October 2018, the Chamber of Disputes ruled on grand of article 63(2) , and
      article94, °,GBA law honor:, investigated questions to the lnspectiedienst van de GBA (document4).
      4.      On 29 October 2018, the request of the Disputes Chamber to carry out
      submitted an investigation to the lnspectorate, in accordance with Article 96(1) of the GBA-
1
Law 3 December 2017 establishing the Data Protection AuthorityB.S.10 January 2018.
              I PAGE 01-00001582885-0006-0033-01-01-�
              L _JCourt of Appeal Brussels - 2019/AR/1600- p. 7
      law. The complaint and the minutes of the decision of the Dispute Chamber of 23
      October 2018 was attached to this request. The person concerned was referred to the Dispute Chamber
      informed cle by letter dated 29 October 2018 of the transfer to the
      lnspection service (document 5).
      5.    In order to examine the file, the lnspection Service sent an
      written questioning of the person responsible for processing (document 6). As he or she is
      written questioning was not initially answered, sent by the lnspectorate on 4 April
      2019 a reminder by registered letter (piece 7). On 12 April 2019, the
      The appellant, through her counsel, finally gave an answer to the
      lnspection service (document 8).
      6.    On 10 May 2019, following the completion of its investigation, the lnspection's Office issued an
      report and attach it to the dossier in accordance with Article 91 § 1 GBA Act (document 9).
      The inspection report mentioned in particular the following findings (p. 1-2):
              "The k/acht [...] concerns the automatic /healing of the e/D for the creation of an
              loyalty card at a drinkshande/. At the consecutive/ordinary visits of the k/side
              the barcode is linked to the customer's data [...].
              - The customer data stored in this way are: name, first names, address,
              date of birth, date of birth/eight, from which the person concerned is a customer, amount of purchases.
              - The dispute/en-su Chamber did not provide any additional indications that should have been given.
              examined by the inspectorate [...], soa/s concerning an examination of the
              privacy statement of the processing responsible/ijke.
              - The Commission has previously accepted that some traders may disclose to their customers
              identify these customers if they register in a strictly personal
              fidelity system allowing the c/anten to benefit from a price reduction or for the/and
              received in the gout of purchases made (marginal 17 recommendation
              03/2011).
              -However, the Commission also considered it belong dot the consent of the client.
              is obtained at the /reading of the e / D in the framework of a loyalty system,
              and dot the customer 'an a/ternative for the use of his identity card'.
              proposed' (recommendation 6 at the end of recommendation 03/2011).
              -The e-D legislation has been adapted by article 27 of the law of 25 November 2018.
              containing various provisions relating to the National Register and the
              humidification/registers. Artike/ 6 § 4 of the law of 19 July 1991 provides a new framework.
              for the use of the e/D dot data as from 23 December 2018
              must have been checked/checked by the person responsible for processing. This article ste/t o.a.
              The electronic identity card may only be read or used with the free one,
              specific and informed consent of the holder of the electronic
              identity card'.
              When a benefit or service is offered to a citizen through his
              electronic identity card in the context of an IT application, must
              also an alternative that the use of the electronic identity card does not
              required, be introduced to the person concerned'.
            r PAGE □ 1-□□□□ 1582885-0007-0033- □1-i;-i
            L _J Hof van beroep Brussel - 2019/AR/1600- p. 11
        The Chamber of Disputes took note that the defendant admitted that this method of proceeding was inconsistent.
        with the AVG and indicated that additional measures would be taken in the short term in order to strengthen the
      bring data processing in line with the AVG.
        15. In accordance with Article 100, § 1, 9 , GBA Act, the Dispute Settlement Chamber ordered the
      Respondent to bring the data processing in conformity with Article 5.1(c),
      article 6.1 and article 13 AVG. In addition, the Disputes Chamber decided the following sanctions on
      to be laid:
              - an administrative fine of EUR 10 000 as a result of the infringement of an article
              5.1.c) and Article 6.1 AVG (on the basis of Article 101 of the GBA Act);
                  the publication of the decision on the website of d°
              Data protection authority, after rendering anonymous (on the basis of Article 100(1)(a), 16)
              GBA Act).
      In order to justify its decision to impose an administrative fine of that amount on
      the Chamber of Disputes referred in particular to the seriousness and nature of the
      infringements of Article 5.1.c) and Article 6.1 AVG. In particular, the Disputes Chamber found that
      relevant that:
      - the infringed Article 5.1.c) AVG contains a fundamental principle;
              - the infringement of Article 6.1 of the AVG is such that there is no valid legal basis at all
              is for data processing.
      Non-compliance with the relevant provisions of the GCG must, in accordance with the
      Litigation chamber was considered to be "grossly negligent with a far-reaching impact
      not all/one on the data processing of the k/ager, but on that of a/le customers of the
      defendant''.
      16. On 19 September 2019, the Chamber of Disputes informed the parties of its
      decision and of the possibility of applying for reprimand within a time limit of thirty days
      days, as from the notification, before the Market Court (Article 108(1)(1) of the GBA Act) (doc.
      18).
      17. By petition of 18 October 2019, the appellant made the following amendments
      Your Court appealed against the decision of the Dispute Chamber of 17 September.
      2019. That decision is hereinafter referred to as the 'contested decision'.
3.    The claims before the Court.
3.1.
By Summary Conclusion lodged at the Court Registry on 20 December 2019, the
appellant:
      "to declare the appellant's appeal admissible and well-founded,
              I PAGE 01-00001582885-0011-0033-01-01-�
              L _JCourt of Appeal Brussels -2019/AR/1600- p. 12
      the decision 06/2019 of 17 September 2019 of the Chamber of Disputes of the
      Destroy the data protection authority and the data protection authority to
      recommend the administrative fine of EUR 10 000 already paid by the appellant
      appellantterugte beta/en,
      do justice again:
      o in main order, that is to say, before entitlement to dot the complaint of the person concerned dated 28 August 2018 by
          the data protection authority was unfounded in relation to the appellant, and
          to dismiss this k/eight, or
      o subordinate, if your court is of the opinion that the Complainant's complaint dated 28 August
          2018 at the Data Protection Authority in respect of the appellant's breach of
          constitutes a reprimand on the appellant's right to data protection.
          formulate.
      In each case, order the data protection authority to pay a/le
      court costs to the appellant, including the procedural indemnity for the appellant
      of EUR 1,440.00.
3.2.
The GBA concludes as follows by conclusion deposited on January 1, 2020:
              Declare that the appellant's claim is/is outside the jurisdiction of
              Your Court is falling;
              Declare the appellant/ante's claim to be unfounded;
              In any event, order the appellant to pay the costs, including the costs of the proceedings.
              basic amount of the legal claim/legal allowance.
3.3.
All these conclusions have been laid down in accordance with the final calendar.
4.    The legal framework.
The appellant's claim is based on the following articles:
- Art. 5 AVG
      Principles governing the processing of personal data.
      Personal data must be:
      [...]
3 Regulation (EU) 2016/679 of 27 April 2016 of the European Parliament and of the Council
on the protection of individuals with regard to the processing of
personal data and on the free movement of such data and repealing
Directive 95/46/EC (general data protection regulation).
            IPAGE 01-00001582885-0012-0033-01- �
            L _Jourt of Appeal Brussels - 2019/AR/1600- p. 15
- Article 63:
      "Referral to the inspectorate may be made:
      1° when the executive committee establishes serious indications of the existence of a
      practices which may give rise to a breach of the fundamental principles of protection
      of the personal data, within the framework of this law and of the laws that provide for it
      contain provisions on the protection of the privacy of personal data;
      2° when the dispute/en-su Chamber has decided on the basis of a k/acht a
      investigation by the inspectorate is necessary;
      3° by the Disputes Chamber within the framework of a request for the performance of a
      additional research;
      4 at the request of the Management Committee, with a view to cooperating with a
      g°data protection authority of another stoat;
      5 request from the management committee in the event that the data protection authority is caught
      by a judicial authority or an administrative supervisor;
      6 on its own initiative where it finds serious indications of the existence of a
      practices which may give rise to a breach of the fundamental principles of protection
      of the personal data, within the framework of this law and of the laws that provide for it
      contain provisions on the protection of the processing of personal data.
Article 108 § 1:
      "The Arbitration Chamber shall inform the parties of the court's decision and of the decision.
      may/can appeal within a period of thirty days from [...] the date of receipt of the letter of appeal.
      notification, at the Court of Justice of the European Communities.
      Subject to the exceptions laid down by law or unless the dispute/court with
      special reasons for decision/commissioning otherwise the decision/commission is enforceable in the case of
      stock, notwithstanding an appeal.
                                                                                  °
      The decision to delete data in accordance with Article 100(1)(10) is not
      workable stockpiles'.
5.    Discuss admissibility.
The admissibility ratione materiae and ratione temporis have not been disputed.
The GBA concludes {page 8, No 16 with reference to its document 18) that the notification -
dates from 19 September 2019.
The appellant is the party in respect of whom the decision has been taken and the recourse is by
within a period of 30 days from notification of the decision, and
in accordance with the legal form requirements.
The appeal is admissible.
                                                              �
            I PAGE 01-00001582885-0015-0033-01-01-
            L _JCourt of Appeal Brussels - 2019/AR/1600- p. 16
6.      Discussion - the means invoked.
6.1.
The appellant puts forward the following pleas in law:
        1. The GBA shall not establish at a/s a full/full independent/several supervisory authority within the meaning of this Directive.
            of Article 52(1) of the General Data Protection Regulation (hereinafter referred to as the "GSA") (First
            midde/J;
        2.  The GBA violated art. 54.2 AVG and art. 48, §1 GBA Act, because the guard / hats did not comply with the
            ve respected the obligation to preserve the confidentiality of the facts,
            acts or information coming to their knowledge in the course of their duties
            (Second midshipman J;
        3.  The GBA violated art. 96, §1 of the GBA Act because the request of the Geschi/lenkamer for
            do not carry out an investigation by the lnspection service within thirty days
            after the k/eight was brought before the Dispute Chamber by the
            First line service was transferred to the inspector-generaa/of the /nspection service
            (Third midshipman J;
        4.  The GBA violated Article 63 of the GBA Act by the fact that the Inspectorate carried out an investigation.
            for aspects not brought before the Court of Justice (Fourth mids;
        5.  The GBA violated the rights of defence and the principles of good administration
            (Fifth amendment);
        6.  The Appellant respected the beginning/of minimum data processing and starting point.
            no infringement of Article 5(1)(c) AVG (Sixth VAT Directive);
        7.  The processing of the appellant was not unlawful and did not infringe
            artike/ 6.1 AVG from (Seventh midde/J;
        8.  The GBA / imposed the administrative fine without taking into account the Jijst
            of criteria from article 83.2 AVG (Eighth plea in law).
        9.  NINE MEASUREMENT: THE RESPONSIBILITY OF THE COURT
6.2.
The GBA will use the following means:
        o Principally, that the appellant's claim is in part outside the jurisdiction of
            the Court falls.
She is subordinate:
        o With regard to the appellant's first plea in law: Article 52.1 and Article 53.1 of the AVG are not
            violated;
5 Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data, and
on the free movement of such data and repealing Directive 95.4Pub L119/1 Data Protection Directive)
              IPAGE 01-00001582885-0016-0033-01- �
                                                                    Court of Appeal Brussels - 2019/AR/1600-p. 24
of a rule of procedure or consultation prior to the adoption of the contested decision.
decision was necessary).
However, in the exercise of that voile jurisdiction, the -Markthof must not exceed the limits of its jurisdiction.
respect judicial debate. Within the limits of the rules of public order and within the
limits of the interpretation to be given to the pleas in law relied on before the Court,
the Court must carry out its assessment, that is to say - the possible substitution of its own
decision - limited to the grounds and pleas in law put forward by the applicant
defence of the rebellion17-
In short, the Market Court may substitute its decision for that annulled by the Court.
judgment under appeal, provided that the Court does not give rise to any challenge which is not contradictory
were subject to the same conditions in the course of proceedings before the Court of Justice, and in so far as no decision has been given
shall be affected where the parties to the proceedings have been unable to defend themselves in the
proceedings before the Court of Justice.
The GBA's criticism where it says:
        In addition to "ordinary" councillors, there are also a number of18 councillors in the Market Court with
        "specific/advanced knowledge of economic, financial/ or market law Well, the rules
      in the field of data protection, cannot immediately be dealt with in one of those areas of law
      be caught. On the other hand, these are rules to ensure that an individual
      human rights and therefore a so-called transversa/jurisdiction, which in many aspects
                                                                                    19
      of society (similar to the law of discrimination, for example).
overlooks the fact that (also) the !eden of the Market Court, which show the specialized
knowledge (see above) are, at the same time, legal advisers in the Brussels Court of Appeal who satisfy the following requirements
meet the legal requirements to which each magistrate of the court is subject and that their appointment
shall be made on the proposal of the Supreme Judicial Council and that any interested party shall have the opportunity to
has a claim to annul the appointment before the Council of State.
A "critique" by a party to proceedings of the alleged or alleged (in)competence of one or more of the following
in the light of the foregoing, the Court's reasoning is considered to be of little pertinence or relevance.
over.
The Court of Justice of the European Communities therefore has jurisdiction to give the contested decision.
destroy and, where appropriate, replace the sanction by another sanction such as that imposed by the
Appellant in a minor capacity, a plea which the GBA was able to rely on
defend.
8.      Discussion of the grounds for destruction.
8.1. Infringement of Article 5.1. clAVG
The appellant is asserting himself:
17
18 Compare Cour °es marches 22 January 2020, 2019 AR 1470, no. 26.
19A rt. 207, § 3, 4 , Ger. W.
  These were the subject of various comments in the parliamentary debates on
the draft that led to the GBA Act. See Par/. St. Kamer 2017-2018, no. 54-2648/6, 10, 13, 48, 50,
57, 59, 61-62, 69-70 and 77.
              r PAGE 01-00001582885-0024-0033-01-01-�
              L _JCourt of Appeal Brussels - 2019/AR/1600 - p. 25
      44. The Dispute Chamber ruled that the infringement of the principle of minimum
          data processing would include the use made by the appellant
          have the riiksreqisternumber by reading in the e/D card to create
          a loyalty card:
              "For the Dispute Chamber, the following is paramount, Data processing
              implies the use of the national registry number, included in the barcode of the
              e/ektronic identity card, which is irrelevant. The
              Geschillenkamer het van belong dat er bijzonder rege/s ge/den voor het gebruik van
              the National Register number (oak already ge/dend v66r 23 December 2018), which has a very high number of
              prescribe restrained roaring of this National Register number. Because the
              barcode before/when the lnspection service is used to identify the customer
              to be found in the client database, the Disputes Chamber assumes that the
              become a national registration number or at least a dee/ of the identity card bucket
              used contrary to the principle of minima/e
              data protection". (emphasis added by the appellant)
      In other words, the Chamber of Disputes 'assumes' that the appellant has not received the
      would process the national register number. The Inspectorate's report mentions this in the following terms
      However, no enke/e report was made. The lnspectorate requested we/
      the appellant's written information. She asked the appellant "more
      information about the specific data your company reads and uses from the
      eDs of your customers". The Appellant replied: "the data that
      saved are [...] Surname, first names, address, date of birth, age, customer since,
      turnover and the latest 10 purchase amounts and the number of points". (document 8.8) The
      The national register number was not given.
      De Geschil/enkamer ha d bijgevo/g geen enke/e grand om appellant een inbreuk op het
      principle of minimum data processing at Jaste te Jeggen because of the
      Alleged use of the national registration number to create a loyalty card.
      She was not allowed to "assume", without any document in the file, that the appellant's
      State registry number used.
      The Disputes Chamber was not allowed to take the national register number into account in order to
      to withhold an infringement of the AVG and to impose an administrative fine.
      Soa/s your court noted in previous appeal proceedings against decisions of the GBA can
      reasons invoked by the GBA "only support a decision where it is apparent from the
      documents of the case on which the authority {GBA} deems s/a20 to be murdered and holds "the
      subject matter/justification of the fact that it is required to support the administrative act.
      for reasons of which the fact/factual existence has been duly proven and which have been the subject of legal proceedings.
      may have taken into account the justification for that act" 21 The motives
      of the Contested Decision on the infringement of the principle of minimum standards for the protection of legitimate expectations.
      data processing in connection with the national register number did not find any enke/e support in the
      documents of the file.
20
21Brussels (Sectie Marktenhof) 23 October 2012, FOO Public Health t. GBA, 2019/AR/1234, 24.
  Brussels (Sectie Marktenhof) 23 October 2019, ING Be/gie NV t. GBA, 2019/AR/1006, 19.
              I PAGE 01-00001582885-0025-0033-01-01-�
              L _JCourt of Appeal Brussels - 2019/AR/1600- p. 26


Court of Appeal Brussels - 2019/A R/1600 - p. 2 ON APPELLANT, represented by its director Mr _________________ with KBO No ___________________, having its registered office at ______________________, hereinafter 'the appellant', represented by its counsel Mr VANDENDRIESSCHE Gerrit and Mr VanDENDRIESSCHE Gerrit. CLINC:K Jan, lawyers, both with offices in ____________________________, against decision 06/2019 of 17 September 2019 of the Geschillenkamer van de Gegevensbescher m i ngsa u tor itieit; TEGEN De GEGEVENSBESCHERMINGSAUTORITY, independent public institution (supervisory authority) with legal personality, with KBO nr.  04694.679.950, with registered office at 1000 BRUSSELS, Drukpersstraat 35, hereinafter "GBA" intimate, represented by its advisers Mr. CLOOTS Elke, Mr. SOTTIAUX Stefan and Mr. ROETS Joos, lawyers, alien office at 2018 ANTWERPEN, Oostenstraat 38 bus 201 1. Jurisdiction of the Court of Appeal The Court of Appeal derives its jurisdiction from an appeal lodged by the appellant on 18 October 2019 at the Registry of the Court of Appeal against the decision of 17 September 2019 (notification dated 19 September 2019) taken by the Disputes Chamber of the Data Protection Authority (hereinafter 'GBA') on the merits in accordance with Article 108 § 1 of the Act of 3 December 2017 establishing the Data Protection Authority (hereinafter 'GBA Act'). 2. The Arbitration Chamber ruled: to impose sanctions in relation to the violation of Article 5(1)(c); 6.1.
Court of Appeal Brussels - 2019/AR/1600 -p. 3 -in grand of art. 100, Si, 9° WOG, order the defendant to bring the processing into conformity with art. 5.1. c}, art. 6.1.; art. 13.1. c), art. 13.1. e)and 13.2. a) impose on AVG-in grand of art. 101 WOG an administrative fine of 10.000EUR pursuant to the infringement of art. 5.1. c) and art. 6.1. AVG. grand of Sections 100, 51 and 16 of the WOG, to publish this decision on the website of the Data Protection Authority, albeit anonymously. The appellant gives the following factual account: 1. the appellant, the applicant, is a drinks business established in______________. It is a family business with more than 40 years of experience. It has branches in ______, _____and ______.2. In the past, the Appellant used paper loyalty cards to sign benefits to customers. Recently, the appellant switched to an electronic cash register software system that also allows a customer's electronic identity card (elD card) to be read in electronically using the barcode and, based on this barcode, to grant benefits on purchases. The present case concerns the administrative procedure initiated by the GBA against the appellant following a complaint lodged by a (1) client of the appellant. The name of this customer is otherwise irrelevant and is therefore not mentioned. The client is hereinafter referred to as "Complainant". 3. On 28 August 2018, the Complainant filed a complaint with the Data Protection Authority because she did not want her elD card to be read in order to grant discounts on her purchases (Section A.1}. The complaint was as follows: Explaining the facts On Friday 8 June, I went to buy drinks from the drinks trade appellant,_________________________. With a few bottles of liquor it was a high amount. At the checkout - arrived they asked me if I did not like a loyalty card. I said ''ia''. I answered that I did not want to give my identity card, but that I would like to write down the data needed to create a loyalty card. I was refused my loyalty card - they only create loyalty cards by reading the identity card. This/this scenario happened again on Saturday 30 June - this time at the liquor store appellant in ____________________. Because we had a BBQ with a grate group that day, the bill for drinks was again a hefty amount. When we arrived at the checkout they asked me if I didn't want a loyalty card. IPAGE 01-00001582885-0003-0033-01-01-�L _J
Court of Appeal Brussels - 2019/ AR/1600 -p. 4 I said "Yes". I answered that I didn't want to give my identity card, but that I wanted to write down the data needed to create a loyalty card. The loyalty card was refused to me - one creates enke/ k/anten cards by middle/ of reading the identity card. At that moment there were several people behind me at the cash register. One of them also made the remark dot it can't dot for a - loyalty card the identity card must have been read in/ read. The lady at the cash register said dot she had nothing to do with this and dot this now was their way of working. Maybe a k/eine remark: I am 51 years old and really don't look like a/s someone of 16 years old:) In other words, the person concerned agreed to her personal data being processed by the appellant in order to receive a loyalty card. However, she did not wish this processing to take place by reading her elD card. 4.On 26 September 2018, the person concerned received a message from Mr Willem De Beuckelaere of the GBA that her complaint had been 'declared admissible/ verified and referred to the relevant department, which will inform you of the further progress of your case' (section B.2). The First Line Service apparently decided not to start mediation. 5.On 29 October 2018, Mr Van Der l<elen, in his capacity as chairman of the Disputes Chamber of the GBA, informed the Inspector General of the lnspection Service of the GBA as follows: In accordance with Article 96, §1 of the Act of 3 December 2017 establishing the Data Protection Authority, you are hereby informed of the request of the Disputes Chamber from today to conduct an investigation, together with the k/eacht and the proces-verbaa/ of that decision. (document B.3) The Disputes Chamber did not provide any further details on we Ike aspects of the processing the lnspection Service had to investigate. That same day, Mr Van der Kelen also informed the person involved of the decision of the Disputes Settlement Chamber to have the Inspection Service carry out further investigation into the complaint (document B.4). 6.On 7 February 2019, the appellant received a letter from Mr FrankSchuermans, Inspector-General of the Inspectorate of the GBA (document B.6). On 7 February 2019, Mr FrankSchuermans, inspector general of the Inspectorate of the GBA, received a letter from Mr FrankSchuermans, inspector general of the Inspectorate of the GBA (document B.6), requesting the Inspectorate to provide the appellant with information and documents in order to 'gain a better understanding of your procedure for the acquisition of personal data from your IPAGE □1-00001582885-□□4-0033-□1-□1-;iL _J
Court of Appeal Brussels - 2019/ AR/1600 -p. 5 customers, the internal use of these personal data in your company and the possible distribution of these obtained personal data to third parties in accordance with the recalled AVG obligations (... )". 7.On 12 April 2019, the appellant's counsel provided the answers to the questionnaire of the Inspectorate, together with additional documents (document B.7).8 On 10 May 2019, the inspector-general of the GBA's Inspectorate, now Mr Van den Eynde, submitted his report of the investigation to the chairman of the Disputes Settlement Chamber, now Mr Hielke Hijmans (document B.8). This report contained, on the one hand, 'findings (within the scope of the k/acht or serious indications)' and, on the other hand, 'additional findings (outside the scope of the k/acht or serious indications)'.9. On 28 May 2019, the Disputes Chamber decided to deal with the substance of the case (document B.9).10. On 3 June 2019, the Disputes Chamber informed the appellant of its decision to deal with the substance of the case (document 8.10). The Appellant was also informed of its options, such as requesting a copy of the case file and submitting a defence. It was only at this point that the Appellant was given the opportunity to become aware of the content of the Complainant's complaint against the processing of personal data by the Appellant.On the same day, the GBA Oak sent a registered letter to the Complainant. On the same day, the GBA sent a registered letter to the Complainant, who immediately received a copy of the inspection report (Section B.11). 11.On 27 July 2019, the Appellant submitted his defences (documents C.1 and C.2).On 17 September 2019, the Disputes Committee issued a decision on the merits, hereinafter referred to as the 'Challenged Decision' (document D.1). For its part, the Data Protection Authority (hereinafter referred to as the 'GBA') explained the facts as follows: 1.On _28 August 2018, the GBA received a complaint from a person (hereinafter referred to as "the Complainant" or "the Complainant") who is a customer of the Appellant, a beverage company with various establishments in _________________. In the complaint form, the person concerned stated that, in order to obtain a customer card from the liquor trade, she was required to have her electronic identity card read into the liquor trade's computer system. However, the person concerned did not wish to have her identity card read electronically. The data subject did not wish to have her identity card read electronically, however. -Her suggestion was made, as an alternative, that the personal data necessary to obtain aIPAGE 01-00001582885-0005-0033-01-01-�L _J
Brussels Court of Appeal -2019/ AR/1600 -p. 6 customer card to be issued in any other way was rejected. Consequently, the person concerned was refused a loyalty card from the beverage trade, although she wished to obtain one. This was done twice, both at the _________ branch (on 8 June 2018) and at the ____ branch (on 30 June 2018). The person concerned described the facts as follows in particular in the complaint form that she submitted to the GBA (document 1): On Friday 8 June, I went to buy drinks from the liquor trade appellant,_______________ ______________________--appella,t address appellant adresss________. With a few bottles of spirits it was a high amount. At the checkout they asked me if I didn't want a loyalty card. I said ''ia''. I answered that I did not want to give my identity card, but that I would like to write down the data needed to create a loyalty card. I was refused the loyalty card - they only create loyalty cards by reading the identity card. This/this scenario happened again on Saturday 30 June - this time in the liquor store appellant in _____addressaddressaddress. Because we had a BBQ with a grate group that day, the bill for drinks was again a hefty amount. At the checkout they asked me if I didn't want a loyalty card. I said 'la'. They asked my identity card to read it in. I answered that I didn't want to give my identity card, but that I wanted to write down the data needed to create a loyalty card. I was refused the loyalty card - they only create loyalty cards by reading the identity card.  At that moment there were several people behind me at the checkout. One of them made the remark that it is not possible for a loyalty card to have to read the identity card. The lady at the cash register said that she had nothing to do with this and that this was their way of working. Maybe a small remark: I am 51 years old and really don't look like a 16 year old @." 2.On 26 September 2018, the GBA declared the complaint admissible on grand of articles 58 and 60 of the Act establishing the Data Protection Authority (hereinafter: "GBA Act")1 (piece 2). The complaint was subsequently submitted to the Disputes Chamber of the GBA in accordance with Article 62, § 1, of the GBA Act. The admissibility decision was also notified to the complainant on 26 September 2018' in accordance with Article 61 GBA Act (document 3). On 23 October 2018, the Disputes Settlement Chamber decided, on the basis of Article 63, 2°, and Article 94, 1°, of the GBA Act, to request an investigation from the Inspection Service of the GBA (document 4).4 On 29 October 2018, the request of the Disputes Settlement Chamber to conduct an investigation was submitted to the Inspection Service, in accordance with Article 96, § 1, GBA-1 Act 3 December 2017 establishing the Data Protection Authority, BOJ 10 January 2018. IPAGE 01-00001582885-0006-0033-01-01-�L _J
Brussels Court of Appeal -2019/ AR/1600 -p. 7 law.  The complaint and the minutes of the decision of the Disputes Chamber of 23 October 2018 were attached to this request. By letter dated 29 October 2018, the Chamber of Disputes informed the person concerned of the transfer to the Inspectorate (document 5). 5. In order to examine the file, the Inspection Service sent a written inquiry to the data controller on 7 February 2019 (document 6). As this written questionnaire was not initially answered, the Inspectorate sent a reminder by registered letter on 4 April 2019 (document 7). On 12 April 2019, the appellant, through her counsel, finally sent a reply to the Inspection Service (document 8).6. After completing its investigation, the Inspection Service drew up a report on 10 May 2019 and attached it to the file, in accordance with Section 91(1) of the GBA Act (document 9).The inspection report noted in particular the following findings (p. 1-2): " -De k/acht [ ... ] concerns the automatic /healing of the e-/D for the creation of a loyalty card for a drinkhande/. The barcode is linked to the customer's data during the successive visits to the k/ant [ ... ]. -The customer data thus stored are: name, first names, address, date of birth, etc., from when the person concerned is a customer, amount of purchases. -The dispute/en-room did not provide any additional indications to be examined by the inspection service [ ... ], soa/s concerning an examination of the declaration of deprivacy of the processing party responsible for processing [ ... ].Rather, the Commission accepted that some traders can identify their customers if these customers register in a strictly personal loyalty system that allows them to benefit from a price reduction or to receive a price reduction in the Gout of the purchases made (marginal number 17 recommendation03/2011).-However, the Committee also considered it belong dot the consent of the customer to be obtained when /reading the e / D in the context of a loyalty system, and dot the customer 'an a/ternative for the use of his identity card (is) proposed' (recommendation 6 at the end of recommendation 03/2011). The e / D legislation has been amended by article 27 of the Act of 25 November 2018 containing various provisions relating to the National Register and debevo /kingsregisters. Article 6(4) of the Act of 19 July 1991 provides a new framework for the use of the data on the e-D dot as from 23 December 2018 must be checked/implemented by the data controller. The electronic identity card may only be read or used with the free, specific and informed consent of the holder of the electronic identity card.Where a benefit or service is offered to a citizen by means of his electronic identity card in the context of an IT application, an alternative that does not require the use of the electronic identity card must also be proposed to the person concerned.'r PAGE □1-□□□1582885-0007-0033-□1-□1-i;-iL _J


<pre>
The GBA argues in this regard:
      "74. Furthermore, the GBA notes that the Disputes Chamber infringed Article 5(1)(c) AVG
      derived, not al/one from the use of the national register number, but oak from the
      save the date of birth and the date of birth of the k/sides. That the /aatste
      personal data were kept by the appellant, does not contest the appeal/ante, so that the
 
      Infringement of article 5.1.c) AVG how oak remains. It is indeed impossible to see
      how the gender and date of birth could be relevant for the act/
      of data processing, namely the creation of a loyalty card. The fact that there is
      other do(s) could exist for the purpose of which such data we/
      lawfully processed, such as the verification of compliance with legal requirements.
      minimum age for the purchase of alcohol is irrelevant in this context. To be superfluous
 
      reminds me that, following the ruling of the Constitutional Court of 19 June 2019 on
      the law on transgender persons22 the registration of the sex/esteem of persons in any case not
      is no longer taken for granted, not by the government and therefore certainly not by a private company.
      person, soa/s a drinkhande/.
      75. Finally, it is clear that the e/ektronic identity card does not show how oak cattle/ more
 
      data is then required for the creation of a loyalty card. It is precisely for this reason that
      the complainant is/are willing to provide the specific information required
      for the creation of a loyalty card, but not agreeing to read hoar
 
      e/ektronic identity card, where he or she loses control over which data was on him or her.
      read and kept by the processing responsible/keeper.
 
      76. Conclusion: The Dispute Chamber led the infringement of Article 5.1.c}. AVG on the basis of proven facts".
 
 
The contested decision is under consideration:
      The lnspectiedienst thus confirms the k/acht in the sense that no alternative is offered
      to customers who want a k/s edge card, but not their electronic identity card
 
      the defendant wishes to use /have used /aten for the creation of a third party /ijke
      customer card, while obtaining the consent and offering an
      a/terative ffor the lnspection servicewe/ is required.
 
      The Inspectorate also refers to Article 6(4) of the Act of 19 July 1991.
      on population registers, identity cards, aliens' identity cards and aliens' identity documents
 
      verb/ive documents, as applicable from 23 December 2018, containing
      that the e/ektronic identity card may be read or used enke/ with the
      free, specific and informed consent of the holder. When a forement/
      or service is offered to a citizen through his e/ektronial identity card within the framework of
      of an informatics application, an alternative should also be proposed that the
      use of the e/ektronic identity card is not required. In addition, the lnspection Service
 
      with regard to oak, to Recommendation No 03/2011 in order to meet the consent requirement and the
      support the offer of an a/terative.
 
 
 
 
22GwH, No 99/2019, 19 June 2019.
 
 
            r PAGE 01-00001582885-0026-0033-01-01-�
 
 
 
            L _JCourt of Appeal Brussels - 2019/AR/1600- p. 27
 
 
 
 
 
The Law of 19 July 1991 on population registers, identity cards, the
Alien cards and residence documents now state in Article 6 § 4 second and third
Member:
      The National Register number and the Joto of the holder may only be used if
      is authorised to do so by. or by virtue of a law, a decree or an ordinance. The
      e/ektronic identity card may be enkeed/ read or used with the free, specific
 
      and informed consent of the holder of the electronic identity card.
      When a benefit or service is offered to a citizen through his e/ektronial
      identity card in the context of an IT application, should also provide an alternative
      dot require the use of the e/ektronic identity card, proposed/d were added to the
      person concerned.
 
This text was added by the law of 25 November 2018 and entered into force on 23 December.
 
2018. This law is therefore not applicable to the facts giving rise to the current dispute.
since the complaint dates from 28 August 2018.
 
At the time of the complaint, the text was as follows:
      "Any automated check of the card by optical or other/eesprocessing means must
      be the subject of a royal decree, no opinion of the sectoral committee of the
 
      National Register referred to in section 15 of the Act of 8 August 1983 on the regulation of an
      National Register of Natural Persons, ..,
 
The motives of the inspectorate - which the GBA states serve as a basis for the
decision - are unlawful. A law that was absolutely inapplicable at the time of the complaint and
a "recommendation" which has no legal force cannot serve as a basis for the
 
assessment of conduct as contrary to the legislation in force.
 
It has not been demonstrated, nor has it been conclusively proven, that at the time of the complaint a
The alternative had to be offered.
 
The contested decision is also under consideration:
 
      "The Chamber of Disputes also notes the processing of customer data.
      (surname, first names, address, date of birth, gender, date of birth, date from which the person concerned is a customer)
      and the amount of purchases) the starting/of minimum data processing not
      respects, as the given 'gender and date of birth' is also irrelevant
      are. In this case, the Dispute Resolution Chamber does not use the loyalty card for
      check/erendage the minimum age for alcohol sales.
 
 
      The fact that the defendant's hand/method in relation to the creation of loyalty cards
      the beginning/of minimum data processing does not n,,eeft, the Dispute/Chamber is consequently
      of the opinion that the infringement of Article 5.1. c)AVG has been proven.
 
No EID card was offered by the complainant in this case, so there is no processing at all
of its data. Therefore, the GBA does not show any actual infringement in relation to
 
personal data.
 
 
 
 
 
            I PAGE 01- 00001582885-0027-0033-01-01-�
 
 
 
            L _JCourt of Appeal Brussels 2019/AR/1600-p. 28
 
 
 
 
 
At that time, the complainant was not (yet) legally obliged to offer alternatives. This is different since
23 December 2018, but that regulation could not have been applied retroactively by the GBA.
 
In addition, the Dispute Carner is wrongly based on a number of unsubstantiated assumptions:
- that a loyalty card of a beverage company would not have been used to check the
 
    a ban on the sale of alcohol to minors;
- that the complainant would suffer an undeniable disadvantage as a result of the creation of a
 
    loyalty card, discounts would run riot. This is not a disadvantage because only a
    possible additional advantage is lost (the Court emphasises). The situation is different when the EID card
    request a legal or contractual right (e.g. the right to a guarantee) to
 
    to be shortened or retained.
 
 
A breach of Article 5.1. c)AVG has not been proven in this specific case.
 
 
The appellant's sixth plea is well-founded on this point.
 
8.2. Infringement opart. 6.1. AVG:
 
The GBA shall further base its decision on a breach of Article 6.1. AVG, namely that the
 
the lawfulness of the processing is subject to the data subject's consent for the
softening of his personal data for one or more specific purposes or the processing thereof
is necessary in order to safeguard the legitimate interests of the
controller or of a third party, except where interests or fundamental rights
and fundamental freedoms of the data subject which require the protection of personal data,
 
outweigh those interests, especially when the person involved is a single child.
 
The GBA states:
      "Contrary to what the defendant argues, there can be no
      there is consent a/s legal basis for the processing, as the consent
 
      within the defendant's current modus operandi, cannot in any way be regarded as a
      free consent within the meaning of Article 4.11. AVG, in the absence of an alternative system dot
      Allow/allows the creation of a loyalty card without the use of the electronic identity card,
      which makes it possible for the person concerned to benefit from discounts even in such cases.
 
 
      In this context, the Dispute Settlement Chamber also refers to the Group 29 Guidelines on
      authorisation in accordance with Regulation 2016/6792 stating that the element
      implies "free" work/rich choice and control for those involved. As a general rule, the
      AVG for the fact that if a person concerned has no work or choice, he or she is compelled to
      to give his or her consent as to whether it will have negative consequences for him or her if he or she does not
 
      consent, the consent is not valid. lndien consent shall be merged as a
      non-negotiable/negotiable part of terms and conditions, it is presumed not free
      to be given. Accordingly, authorisation shall not be deemed to have been granted if the
      cannot refuse the person concerned or hoar consent_ without adverse consequences, or
      withdraw. Because, in the present case, the complainant, and by extension a/le customers, only of
 
      can benefit from discounts by m_ ddel of their electronic identity card, and by the
      the defendant is not offered any alternative to the creation of a loyalty card
 
 
              IPAGE □1- □0001582885-0028-0033- □1- □1-�
 
 
 
                                                                Court of Appeal Brussels - 2019/AR/1600- p. 29
 
 
 
 
      In order to benefit from this advantage, it is clear/seemly that there is no free
      consent.
 
      Although the defendant did not rely on it, the Litigation Chamber examined in
 
      to what extent the processing could be based on Article 6.1. f). AVG and the
      processing necessity/justification could be necessary for the protection of his legitimate interest.
      De Geschil/enkamer observes that in order to do so, it is necessary to weigh up the following issues with the
      the importance of the end of the chain concerned to be assessed/and to be given more weight. Oak for
      As far as this legal basis is concerned, the Dispute Settlement Chamber states that such a weighing-up should be carried out,
      in the present case, /decides that it is in the complainant's interest, and extends to
      a/le customers of the defendant, takes precedence.
 
 
      The Dispute / Chamber rules that the infringement of Article 6.1. AVG has been proven"
 
To the extent that the GBA again refers to the lack of an alternative, it refers again (see
point 8.1 above) to a secondary legislation which is not applicable.
 
The Market Court refers to what was stated above under point 8.1.
The infringement of Article 6.1. AVG has therefore not been proven. The seventh ground of appeal of the
 
The appellant is well-founded on this point.
 
 
8.3.          Decision of points 8.1 and 8.2:
 
To the extent that the contested decision does not contain an adequate statement of reasons on the grounds that certain
reasons for the contested decision are incompatible with the documents in the file and with the
legal provisions in force at the time of the complaint and cannot be verified by the Market Court
 
what motive or motives, if any, were de facto decisive for the contested decision?
In order to justify its decision, the Market Court must find that the GBA cited
grounds for declaring the infringements to be proven (and, as a consequence, imposing
sanctions because of these alleged infringements).
The decision was therefore taken unlawfully and should be annulled.
warden.
 
 
 
8.4. Infringement of Articles 13.1. c), 13.1. e) and 13.2. a)AVG:
 
With regard to the other findings of the lnspection Service, that is:
 
      (a) the contradiction between the defendant's assertion that there has been no communication of
      data to third parties, while the privacy statement states that transfer is possible within the
      European Economic Area for associated companies.
 
 
      (b) The lack of clear information for the person concerned, in particular on the
      the legal basis and the storage period.
 
 
 
 
 
            r PAGE 01-00001582885-0029-0033-01-01-�
 
 
 
            L _JCourt of Appeal Brussels - 2019/AR/1600- p. 30
 
 
 
 
the Clerk of Disputes takes note that the appellant admits that he is right to submit as
shortcomings in the AVG may have been considered and indicates that in the short term
additional measures will be taken to ensure that the data processing complies with
 
with the requirements of the AVG.
To the extent that these elements fall outside the scope of the complaint and do not give rise to a sanction,
should not be assessed separately.
 
The order in accordance with Article 100 § 1, 9 of the GBA Act, to the effect that the appellant must submit the processing in
brings it into line with Art. 5.1. c), Art. 6.1, Art. 13.1. c), Art. 13.1. e) and 13.2. a) AVG makes
 
is not in itself the object of the story. The appellant does not develop any
only means.
 
 
9.    The sanction
 
 
In addition to the fact that the contested decision does not contain an adequate statement of reasons (see point 8.3.
for this), the penalty imposed, namely a fine of €10,000, is in turn inadequate
motivated.
 
lndien with the GBA may have argued that it is not every possible sanction of Article 83.2 AVG
it should be overflowing and it should not justify why some sanctions were not considered,
 
this does not detract from the fact that the choice of the sanction imposed is adequate
must be substantiated. When determining the sanction in concrete terms, the following should be taken into account
general criteria should be leading:
 
    the seriousness of the infringement;
    the duration of the infringement;
 
    the necessary deterrent effect to prevent further infringements.
 
The GBA shall determine the manner in which it considers that a sanction is appropriate.
 
However, as stated above, a decision of the GBA with regard to (the amount of) an
financial penalty is not binding on the Market Court.
 
 
The Market Court shall assess the extent of a possible sanction in such a way that, on the one hand, in
is appropriate to the circumstances and proportionate to the infringement found
and to the capacity of the party committing the infringement.
 
 
The mere statement that the infringement relates to a fundamental legal principle of
Data protection is not enough. The nature and seriousness of the infringements constitute a
of the appreciation characteristics for determining the sanction and its budget if there are
a fine is opted for, but these elements must be assessed against 'all'.
elements of the dossier (e.g. whether it is a one-off infringement or not,
what the impact is generally considered to be in legal life, or any intention or intent by virtue of
 
of the il'.l offender is demonstrated,.....) and where - in the absence of a clear
Qualification and quantification of the possible sanctions through a publicly accessible tool
document (guideline or scale transparently communicated by the GBA) before a
 
 
                        □ 1-□□□□1582885-0030-0033- □1-□ 1-;i
            I PAGE
 
 
 
            L _JCourt of Appeal Brussels - 2019/AR/1600- p. 31
 
 
 
 
concrete facts - at least a justification must be given as to why a sanction less far-reaching than
the imposition of a fine of€ 10 000 could not be of such a nature as to deter the infringements
to put an end to it. Only if these requirements of sufficient, clear and transparent
Article 83 AVG, which states that the sanction shall be effective in every case,
 
must be proportionate and dissuasive, effectively enforced. In this respect, the
criteria of effectiveness and proportionality
 
Where the GBA once again retains as a motive "a gross negligence with a far-reaching impact
not all/one on the data processing of the k/ager, but on that of a/le customers of the
defendant in the absence of an a/ternative for the creation of the c/antic file on grand of the
 
e/ektronic identity card absence of valid consent and excessive
data processing" and from . the data of the dispute it appears that the plaintiff has never given her
has made identity information available to her, so that she cannot suffer any personal disadvantage
and the fact that no alternative was available was not a valid legal basis on
the moment of the complaint, it follows that oak is the sanction in itself (oak even if infringements have been proven)
have been) illegal.
 
 
For that reason alone, the contested decision should be annulled. Oak the Eighth
middeI of the appellant is well-founded.
 
The reasons currently put forward by the GBA in conclusion (No 106) to post factum the imposed and
sanctions implemented cannot be taken into account. The
 
the offender must be informed of the nature of the sanction before the imposition of a sanction
which is under consideration and of its scale (where a fine is contemplated). The
the offender must be warned (with a view to avoiding unnecessary sanctioning)
and have the opportunity to defend themselves on the issues proposed by the Dispute Settlement Chamber
amounts of the fine, before the sanction is effectively imposed and executed.
 
 
 
10.    The publication.
 
To the extent that the sanctioning of infringements of the AVG and the GBA Act should be of a nature to
should be partly dissuasive, the Market Court recommends that the GBA recommends that the present judgment
publish on its website omitting the identification details of the person concerned
 
parties.
 
 
11.    Decision,
 
The appeal is admissible and well founded.
 
 
The contested decision 06/2019 of 17 September 2019 of the Chamber of Disputes of the
Data protection authority concerning the appellant is destroyed.
 
It will belong to the Data Protection Authority those already paid by the appellant.
administrative fine of€ 10,000 to be refunded to the appellant. The Market Court may
 
 
 
 
            I PAGE 01-00001582885-0031-0033-01- �
 
 
 
 
            L _J Court of Appeal Brussels19/AR/1600p. 32
 
 
 
 
However, the Court of Justice of the European Communities and the Court of Justice of the European Communities were not seized of a claim for payment of a subjective right.
cannot, therefore, condemn it.
 
 
 
 
.12.    The costs,
 
 
in accordance with the law of 21 apri! 2007 and the Royal Decree of 26 October 2007 shall become the
nursing care allowance budgeted at the basic fee of€ 1,440.
 
 
 
 
For these reasons,
The court,
 
 
 
 
Having regard to Article 24 of the Law of 15 June 1935 on the use of languages in court proceedings,
 
Declares the higher beroepontvankelijken grorn;l;
 
 
 
Annuls the contested decision 06/2019 of 17 September 2019 of the Chamber of Disputes of
the data protection authority collapsed appellant;
 
 
 
Orders the Data Protection Authority to pay the costs of the appeal, settled on
1,860.00 euro (being € 400.00 rolling right, € 20.00 contribution Budgetary Fund and € 1440.00
procedural indemnity).
 
 
 
Condemns the Data Protection Authority, in accordance with Article 269/2 of the Belgian Data Protection Code
registration, mortgage and court registry fees for the payment to the Belgian State, Federal Public Service Finance, of the
an appeal in the amount of EUR 400.00, and until such time as the final charge is borne by the
 
contribution of€20.00Budgetary Fund;
 
                                            * * *
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
              IPAGE 01- □□□□ 1582885-0032- □033-01-01-�
 
 
 
 
                                                                _J<pre>

Latest revision as of 16:17, 22 March 2022

Court of Appeal of Brussels -
Courts logo1.png
Court: Court of Appeal of Brussels (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 13(1)(c) GDPR
Article 13(1)(e) GDPR
Article 13(2)(a) GDPR
Decided: 19.02.2020
Published:
Parties: Liquor store
Belgian DPA
National Case Number/Name:
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: Hof van beroep Brussel (in Dutch)
Initial Contributor: n/a

The Court of Appeal of Brussels annulled the DPA's decision to impose a €10,000 fine on a liquor store because it was insufficiently reasoned and based on legislation that was not applicable at the time of the complaint.

English Summary

Facts

In August 2018, the DPA received a complaint from a customer (the data subject) regarding a liquor store (the controller). According to the complaint, the store had required this person to let them scan their electronic ID in order to issue a customer card. After an investigation, the DPA concluded that the controller had breached the GDPR. More specifically, according to the DPA the controller:

1. Did not have a valid legal basis for processing. Consent was not freely given because no alternative was offered to the complainant, in violation of Article 6(1) GDPR;

2. Did not provide the complainant with enough information prior to the processing, in violation of Article 13 GDPR;

3. Processed more personal data than necessary, including national ID number, date of birth and gender, in violation of Article 5(1)(c) GDPR.

Dispute

The appeal against the DPA's decision was based on 9 points, among which was the claim that the DPA violated Article 52(1), Article 54(2) and Article 82(2) GDPR. Most importantly, the controller challenged two of the three findings of the DPA, which had led to the fine: the absence of a valid legal basis for personal data processing and the breach of the data minimization principle. They did not contest the lack of information.

Holding

The Court annulled the DPA’s decision as it was insufficiently reasoned and based on a legislation that was not applicable at the time of the complaint. The Court did not have the power to order the DPA to pay back the fine, as that falls outside of its jurisdiction, but it did quash the decision imposing the fine.

The Court held that, first, the DPA had no evidence to support the finding that the controller was actually processing the national ID number of the data subject. Second, the controller was not obliged to give the data subject an alternative way of creating a discount card because the relevant provision of the e-ID law was not applicable at the time. Thirdly, the Court found that no personal data processing took place because the complainant had refused to have her e-ID scanned. Fourth, the Court considered that the DPA’s finding that the data subject’s date of birth was not used to verify their age, was a mere assumption. Fifth, the DPA should not have assumed that the data subject would have suffered an undeniable disadvantage by missing out on discounts available via the client card. The Court found that this is not a disadvantage because only potential benefit was lost in this case.

Hence, the Court upheld the appeal against and annulled the DPA's decision.

Comment

Analyses of the judgment:

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Dutch original for more details.

Brussels Court of Appeal -2019/1 600-p. 2




ABOUT

APPELLANT, represented by its director Mr _____________ with KBO no.

_______________, having its registered office at ______________________________, below
"appelant",
appellant,


represented by its counsel Mr. VANDENDRIESSCHE Gerrit and Mr. CLINC:K Jan,
lawyers, both with offices at ________________________________



against a decision6/2019 of 17 September 2019 of the Chamber of Disputes of the
Data protection;




AGAINST


The DATA PROTECTION AUTHORITY, independent public body (supervisory authority)
authority) with legal personality, with CDE No 04694.67 having its registered office at

1000BRUSSEL, rue de la Pression 35, hereinafter referred to as "GBA".
intimate,


represented by its advisers Mr. CLOOTS Elke, Mr. SOTTIAUX Stefan and Mr. ROETSJoos,
advocaten, alien kantoorhoudende te 2018 ANTWERPEN, Oostenstraat 38bus 201




1.     Court of Justice.

The Court's jurisdiction is derived from an appeal lodged by the appellant on 18 December 2010.
October 2019 was deposited at the Registry of the Court of Appeal, and a
redress pursuant to Article 108 § 1 of the Law of 3 December 2017 establishing it

of the Data Protection Authority (hereinafter referred to as the "GBA Act") is brought against the decision on
ground 6/9 of 17 September 2019 (notification dated 19 September 2019) adopted
by the Disputes Chamber of the Data Protection Authority (hereinafter "GBA").


2.     Disputed decisions the facts.
The Chamber of Disputes ruled:

      to impose sanctions in connection with the violation of article/and 5.1. c); 6.1.; 13.1.

      (c);13.1(e) and13.2(a)AVG:



            r PAGE 01-00001582885-0002-0033-01- □1-� r



            L _JCourt of Appeal Brussels - 2019/AR/1600- p. 3




           - • °
              on grand art. 100, Si, 9 WOG, order the defendant to order that the processing in
              be brought into line with Articles 5(1)(c), 6(1); 13(1)(c), 13(1)(e).
              and 13.2. a)AVG

           - on the grand of art. 101 of the WOG, an administrative fee of 10,000.

              EUR as a result of the infringement of°art.5.1. c)and art. 6.1.AVG.
           - on grand of art. 100, 51, 16 WOG, to publish this decision on the
              website of the Data Protection Authority, albeit after anonymisation.


The appellant gives the following factual account:

        1.     The Appellant, the applicant, is a beverage company established at __________. It is a

       family business with more than 40 years of experience. It has offices at ______, _____ and
       _____.


        2.     In the past, the Apellant used paper loyalty cards in order to obtain benefits.
       know to customers. Recently, the appellant has switched to an electronic

       Cash register software system that also allows the electronic identity card (elD card}
       of a customer to be read electronically using the barcode and on this basis

       granting advantages on purchases.

       The present case concerns the administrative procedure launched by the GBA.

       against the appellant following the complaint of a (1} client of the appellant. The name of
       this customer is otherwise irrelevant and is therefore not mentioned. The customer is hereinafter referred to as

       referred to as 'person concerned'.


       3.     On 28 August 2018, the party concerned lodged a complaint with the
       Data protection authority because she did not want her elD card to be read in
       to grant discounts on its purchases (section A.1}. The complaint was as follows:


              Presentation of the facts
              On Friday 8 June, I went to buy drinks from the appellant,___________.

              __________________________. With a few bottles of spirits it was a high
              amount. At the checkout - arrived they asked me if I would not like a loyalty card.
              I wish. Iia "They asked my identity card to read it in. l
              replied that I didn't want to give my identity card, but that I would feel free to give the
              the data needed to create a loyalty card on paper for a short while
              wanted to put. I was refused the loyalty card - they only make

              customer cards by reading the identity card.

              This/this scenario happened again on Saturday 30 June - this time in the shop
              of drinks trade appellant at ________________________. Because that day we
              having a BBQ with a grate group, the bill for booze was again a hefty

              amount. When I arrived at the checkout they asked me if I would not like a loyalty card.

                                                              �
             I PAGE 01-00001582885-0003-0033-01-01-



             L _JCourt of Appeal Brussels -2019/AR/1600- p. 4




              I said 'yes'. They asked me to read my identity card and I answered.

              dot I didn't want to give my identity card, but dot I feel free to give the data that I need
              wanted to put the goods on paper before creating a loyalty card. The
              customer card was refused to me - one creates enke/ k/anten cards by
              of reading the identity card. At dot moment there were
              different people at the deck mass. One of them also made the remark
              dot it cannot dot for a customer's card the identity card must be read in/receive
              warden. The lady at the checkout said dot she had nothing to do with this and now dot this

              was a mani�on of work.

              Maybe a k/eine remark: I'm 51 years old and I really don't look like a/s anyone
              of 16 years of age:)

       In other words, the person concerned agreed to the processing of her personal data

       information by the appellant to receive a loyalty card. However, it did not wish these
       Processing took place by means of reading her elD card.

       4.     On 26 September 2018 Mr. Willem De Beuckelaere of

       the GBA the message that its complaint was declared "admissible/complainant" and for further action
       treatment has been referred to the competent service which will inform you about
       the vrderever/oop of your k/acht" (piece)B.2


       The first-line service apparently decided not to initiate mediation.

       5.     On 29 October 2018 Mr Van Der l<elen, in his capacity of

       President of the GBA Dispute Settlement Chamber, the Inspector General of the
       ln section of the GBA as follows:


              Pursuant to Article 96, §1 of the Law of 3 December 2017 establishing the
              Data Protection Authority, you hereby become the request of the Dispute Chamber

              from today to the conduct of an investigation, together with the k/eacht
              and the judgment of the court or tribunal. (document B.3)


       De Geschillenkamerveprovided no further details on what aspects of the processing
       the lnspectorate had to investigate.

       On the same day, Mr van der Kelen also informed the person concerned of the decision of the

       Disputes Chamber to have the lnspection Service carry out further investigation of the complaint
       (stuB.4).


       6.     On 7 February 2019, the appellant received a letter from Mr Frank
      Schuermans, Inspector General of the Inspectorate of the GBA (stu k B.6). The
      lnspection Service requested the appellant to provide information and documents in order to

       "to gain a better understanding of your practice for the acquisition of personal data from your


             I PAGE □ 1-00001582885- □ 4-0033- □1-□ 1-;i



             L _JCourt of Appeal Brussels - 2019/AR/1600-p. 5




       customers, the internal use of this personal information in your company and the possible use of this personal information in your company.

       distribution of these obtained personal data to third parties in accordance with the terms of the agreement.
       AVG obligations (...)".


       7.     On 12 April 2019, the appellant's counsel d: replied to the
       questionnaire of the lnspection Service, together with additional documents (document B.7).


       8.     On 10 May 2019, the Inspector General of the GBA's Inspectorate,
       in the meantime, Mr van den Eynde, his report of the enquiry to the chairman of the
       Dispute Chamber, meanwhile Mr. Hielke Hijmans (piece B.8). This report contained the following,

       on the one hand, "findings (within the scope of the k/eight seriousness indications)" and,
       on the other hand, 'additional findings (outside the scope of the k/eight or serious

       indications'.

       9.     On 28 May 2019, the Disputes Chamber decided to hear the substance of the case.

       (part B.9).

       10. On 3 June 2019, the Disputes Chamber informed the appellant of the decision to withdraw the

       deal with the substance of the case (document 8.10). The Appellant was also informed
       on its possibilities such as requesting a copy of the file as well as the
       submission of defences. It was only at this point that the appellant was given the opportunity to

       to take note of the content of the Complainant's complaint against the processing of
       personal data by the appellant.


       On the same day, the GBA Oak sent a registered letter to the person concerned. This
       immediately received a copy of the inspection report (document B.11).


       On 27 July 2011, the appellant submitted her defences (documents C.1 and C.2).

       On 17 September 2019, the Disputes Chamber took a decision on the merits, hereinafter referred to as the

       "Contested Decision" (document D.1).

       For its part, the Data Protection Authority (hereinafter "GBA") shall explain the facts as .
       follows:

       1.     On _28 August 2018, the GBA received a complaint from a person ('the

       person concerned' or 'the complainant') who is a customer of the appellant, a beverage business with
       Various branches at _____________________. In the complaint form, the person concerned stated that they were,
       in order to be able to obtain a loyalty card from the beverage trade, it was obliged to offer its

       to have an electronic identity card read into the computer system of the beverage trade.
       However, the person concerned did not wish her identity card to be read electronically. -Herring
       propose, as an alternative, that the personal data needed to establish a



             I PAGE 01-00001582885-0005-0033-01-01-�



             L _JCourt of Appeal Brussels - 2019/AR/1600-p. 6





        to create a loyalty card in any other way was rejected. As a result,
        the person concerned was refused a loyalty card from the beverage trade, although they would like to

        wished for a loyalty card. This was done on two occasions, both in the branch at the
        _________ (on 8 June 2018) as in the establishment at ____ (on 30 June 2018).

        In particular, the person concerned described the facts as follows in the complaint form which she submitted to
        submitted the GBA (part 1):


               On Friday 8 June, I went to buy drinks from the drinks trade appellant,___________ __________________________________--appella,t
               appellant's address: ________. With a few bottles of spirits it was a high amount.
               At the checkout - arrived they asked me if I didn't want a loyalty card. I said
               ia. I was asked to read my identity card and I replied that

               I did not want to give my identity card, but that I would feel free to give the data that I needed
               wanted to put the goods on paper before creating a loyalty card. The
               loyalty card was refused to me - one only creates loyalty cards by means of
               of reading the identity card.
               This/this scenario happened again on Saturday 30 June - this time in the shop of

               beverage trade appellant in _____ address address address address address address address address . Because we
               day had a BBQ with a grate group, the bill for booze was again a
               considerable amount. When I arrived at the checkout they asked me if I would not like a loyalty card.
               I said 'la'. They asked me to read my identity card. Yk

               replied that I did not want to give my identity card, but that I would be happy to give the
               data needed to create a loyalty card on
               wanted to make paper. The loyalty card was refused to me - they only make
               customer cards by reading the identity card. On that
               moment ston_ den er different/ende people behind me at the checkout. A v them

               made the comment that it is not possible for a loyalty card to have the
               Identity card must be read in. The lady at the checkout said that she was here
               had nothing to do with it and that this was their way of doing things.
               Perhaps a small remark: I am 51 years old and I really do not look like someone
               of 16 years @."


       2.      On 26 September 2018, the GBA declared the complaint admissible on grand of the
       Articles 58 and 60 of the Act establishing the Data Protection Authority (hereinafter referred to as 'the Act'):
                  1
       "GBA Act") (document 2). The complaint was subsequently submitted to the Disputes Chamber of
       the GBA, in accordance with Article 62(1) of the GBA Act. The admissibility decision was
       also notified to the complainant on 26 September 2018, in accordance with Article

       61 GBA Act (document3).

                                                                                         °
       3.      On 23 October 2018, the Chamber of Disputes ruled on grand of article 63(2) , and
       article94, °,GBA law honor:, investigated questions to the lnspectiedienst van de GBA (document4).


       4.      On 29 October 2018, the request of the Disputes Chamber to carry out
       submitted an investigation to the lnspectorate, in accordance with Article 96(1) of the GBA-

1
 Law 3 December 2017 establishing the Data Protection AuthorityB.S.10 January 2018.


              I PAGE 01-00001582885-0006-0033-01-01-�



              L _JCourt of Appeal Brussels - 2019/AR/1600- p. 7




       law. The complaint and the minutes of the decision of the Dispute Chamber of 23

       October 2018 was attached to this request. The person concerned was referred to the Dispute Chamber
       informed cle by letter dated 29 October 2018 of the transfer to the
       lnspection service (document 5).


       5.     In order to examine the file, the lnspection Service sent an
       written questioning of the person responsible for processing (document 6). As he or she is
       written questioning was not initially answered, sent by the lnspectorate on 4 April

       2019 a reminder by registered letter (piece 7). On 12 April 2019, the
       The appellant, through her counsel, finally gave an answer to the
       lnspection service (document 8).


       6.     On 10 May 2019, following the completion of its investigation, the lnspection's Office issued an
       report and attach it to the dossier in accordance with Article 91 § 1 GBA Act (document 9).

       The inspection report mentioned in particular the following findings (p. 1-2):
              "The k/acht [...] concerns the automatic /healing of the e/D for the creation of an

              loyalty card at a drinkshande/. At the consecutive/ordinary visits of the k/side
              the barcode is linked to the customer's data [...].
              - The customer data stored in this way are: name, first names, address,
              date of birth, date of birth/eight, from which the person concerned is a customer, amount of purchases.
              - The dispute/en-su Chamber did not provide any additional indications that should have been given.
              examined by the inspectorate [...], soa/s concerning an examination of the

              privacy statement of the processing responsible/ijke.
              - The Commission has previously accepted that some traders may disclose to their customers
              identify these customers if they register in a strictly personal
              fidelity system allowing the c/anten to benefit from a price reduction or for the/and
              received in the gout of purchases made (marginal 17 recommendation
              03/2011).
              -However, the Commission also considered it belong dot the consent of the client.

              is obtained at the /reading of the e / D in the framework of a loyalty system,
              and dot the customer 'an a/ternative for the use of his identity card'.
              proposed' (recommendation 6 at the end of recommendation 03/2011).
              -The e-D legislation has been adapted by article 27 of the law of 25 November 2018.
              containing various provisions relating to the National Register and the
              humidification/registers. Artike/ 6 § 4 of the law of 19 July 1991 provides a new framework.
              for the use of the e/D dot data as from 23 December 2018

              must have been checked/checked by the person responsible for processing. This article ste/t o.a.
              The electronic identity card may only be read or used with the free one,
              specific and informed consent of the holder of the electronic
              identity card'.
              When a benefit or service is offered to a citizen through his
              electronic identity card in the context of an IT application, must
              also an alternative that the use of the electronic identity card does not

              required, be introduced to the person concerned'.



             r PAGE □ 1-□□□□ 1582885-0007-0033- □1-i;-i



             L _J Hof van beroep Brussel - 2019/AR/1600- p. 11





        The Chamber of Disputes took note that the defendant admitted that this method of proceeding was inconsistent.
        with the AVG and indicated that additional measures would be taken in the short term in order to strengthen the
       bring data processing in line with the AVG.

        15. In accordance with Article 100, § 1, 9 , GBA Act, the Dispute Settlement Chamber ordered the

       Respondent to bring the data processing in conformity with Article 5.1(c),
       article 6.1 and article 13 AVG. In addition, the Disputes Chamber decided the following sanctions on
       to be laid:

               - an administrative fine of EUR 10 000 as a result of the infringement of an article

               5.1.c) and Article 6.1 AVG (on the basis of Article 101 of the GBA Act);
                  the publication of the decision on the website of d°
               Data protection authority, after rendering anonymous (on the basis of Article 100(1)(a), 16)
               GBA Act).

       In order to justify its decision to impose an administrative fine of that amount on

       the Chamber of Disputes referred in particular to the seriousness and nature of the
       infringements of Article 5.1.c) and Article 6.1 AVG. In particular, the Disputes Chamber found that
       relevant that:
       - the infringed Article 5.1.c) AVG contains a fundamental principle;
              - the infringement of Article 6.1 of the AVG is such that there is no valid legal basis at all
              is for data processing.


       Non-compliance with the relevant provisions of the GCG must, in accordance with the
       Litigation chamber was considered to be "grossly negligent with a far-reaching impact
       not all/one on the data processing of the k/ager, but on that of a/le customers of the
       defendant.


       16. On 19 September 2019, the Chamber of Disputes informed the parties of its
       decision and of the possibility of applying for reprimand within a time limit of thirty days
       days, as from the notification, before the Market Court (Article 108(1)(1) of the GBA Act) (doc.

       18).


       17. By petition of 18 October 2019, the appellant made the following amendments
       Your Court appealed against the decision of the Dispute Chamber of 17 September.
       2019. That decision is hereinafter referred to as the 'contested decision'.




3.     The claims before the Court.

3.1.
By Summary Conclusion lodged at the Court Registry on 20 December 2019, the
appellant:

       "to declare the appellant's appeal admissible and well-founded,




              I PAGE 01-00001582885-0011-0033-01-01-�



              L _JCourt of Appeal Brussels -2019/AR/1600- p. 12





       the decision 06/2019 of 17 September 2019 of the Chamber of Disputes of the
       Destroy the data protection authority and the data protection authority to
       recommend the administrative fine of EUR 10 000 already paid by the appellant

       appellantterugte beta/en,
       do justice again:

       o in main order, that is to say, before entitlement to dot the complaint of the person concerned dated 28 August 2018 by

           the data protection authority was unfounded in relation to the appellant, and
           to dismiss this k/eight, or


       o subordinate, if your court is of the opinion that the Complainant's complaint dated 28 August

           2018 at the Data Protection Authority in respect of the appellant's breach of
           constitutes a reprimand on the appellant's right to data protection.

           formulate.

       In each case, order the data protection authority to pay a/le
       court costs to the appellant, including the procedural indemnity for the appellant

       of EUR 1,440.00.

3.2.
The GBA concludes as follows by conclusion deposited on January 1, 2020:


              Declare that the appellant's claim is/is outside the jurisdiction of
              Your Court is falling;
               Declare the appellant/ante's claim to be unfounded;
              In any event, order the appellant to pay the costs, including the costs of the proceedings.

              basic amount of the legal claim/legal allowance.

3.3.
All these conclusions have been laid down in accordance with the final calendar.



4.     The legal framework.


The appellant's claim is based on the following articles:
- Art. 5 AVG

       Principles governing the processing of personal data.
       Personal data must be:

       [...]


3 Regulation (EU) 2016/679 of 27 April 2016 of the European Parliament and of the Council
on the protection of individuals with regard to the processing of
personal data and on the free movement of such data and repealing
Directive 95/46/EC (general data protection regulation).



             IPAGE 01-00001582885-0012-0033-01- �




             L _Jourt of Appeal Brussels - 2019/AR/1600- p. 15




- Article 63:

       "Referral to the inspectorate may be made:

       1° when the executive committee establishes serious indications of the existence of a
       practices which may give rise to a breach of the fundamental principles of protection
       of the personal data, within the framework of this law and of the laws that provide for it
       contain provisions on the protection of the privacy of personal data;
       2° when the dispute/en-su Chamber has decided on the basis of a k/acht a

       investigation by the inspectorate is necessary;
       3° by the Disputes Chamber within the framework of a request for the performance of a
       additional research;
       4 at the request of the Management Committee, with a view to cooperating with a

       g°data protection authority of another stoat;
       5 request from the management committee in the event that the data protection authority is caught
       by a judicial authority or an administrative supervisor;
       6 on its own initiative where it finds serious indications of the existence of a

       practices which may give rise to a breach of the fundamental principles of protection
       of the personal data, within the framework of this law and of the laws that provide for it
       contain provisions on the protection of the processing of personal data.

Article 108 § 1:


       "The Arbitration Chamber shall inform the parties of the court's decision and of the decision.
       may/can appeal within a period of thirty days from [...] the date of receipt of the letter of appeal.
       notification, at the Court of Justice of the European Communities.


       Subject to the exceptions laid down by law or unless the dispute/court with
       special reasons for decision/commissioning otherwise the decision/commission is enforceable in the case of
       stock, notwithstanding an appeal.

                                                                                  °
       The decision to delete data in accordance with Article 100(1)(10) is not
       workable stockpiles'.



5.     Discuss admissibility.

The admissibility ratione materiae and ratione temporis have not been disputed.


The GBA concludes {page 8, No 16 with reference to its document 18) that the notification -
dates from 19 September 2019.

The appellant is the party in respect of whom the decision has been taken and the recourse is by
within a period of 30 days from notification of the decision, and

in accordance with the legal form requirements.

The appeal is admissible.




                                                              �
             I PAGE 01-00001582885-0015-0033-01-01-



             L _JCourt of Appeal Brussels - 2019/AR/1600- p. 16




6.      Discussion - the means invoked.


6.1.

The appellant puts forward the following pleas in law:

        1. The GBA shall not establish at a/s a full/full independent/several supervisory authority within the meaning of this Directive.
            of Article 52(1) of the General Data Protection Regulation (hereinafter referred to as the "GSA") (First

            midde/J;
        2.   The GBA violated art. 54.2 AVG and art. 48, §1 GBA Act, because the guard / hats did not comply with the

            ve respected the obligation to preserve the confidentiality of the facts,
            acts or information coming to their knowledge in the course of their duties

            (Second midshipman J;
        3.   The GBA violated art. 96, §1 of the GBA Act because the request of the Geschi/lenkamer for

            do not carry out an investigation by the lnspection service within thirty days

            after the k/eight was brought before the Dispute Chamber by the
            First line service was transferred to the inspector-generaa/of the /nspection service

            (Third midshipman J;
        4.   The GBA violated Article 63 of the GBA Act by the fact that the Inspectorate carried out an investigation.

            for aspects not brought before the Court of Justice (Fourth mids;
        5.   The GBA violated the rights of defence and the principles of good administration

            (Fifth amendment);
        6.   The Appellant respected the beginning/of minimum data processing and starting point.

            no infringement of Article 5(1)(c) AVG (Sixth VAT Directive);
        7.   The processing of the appellant was not unlawful and did not infringe

            artike/ 6.1 AVG from (Seventh midde/J;
        8.   The GBA / imposed the administrative fine without taking into account the Jijst

            of criteria from article 83.2 AVG (Eighth plea in law).
        9.   NINE MEASUREMENT: THE RESPONSIBILITY OF THE COURT




6.2.

The GBA will use the following means:
        o Principally, that the appellant's claim is in part outside the jurisdiction of

            the Court falls.

She is subordinate:

        o With regard to the appellant's first plea in law: Article 52.1 and Article 53.1 of the AVG are not
            violated;



5 Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data, and
on the free movement of such data and repealing Directive 95.4Pub L119/1 Data Protection Directive)


               IPAGE 01-00001582885-0016-0033-01- �




                                                                     Court of Appeal Brussels - 2019/AR/1600-p. 24




of a rule of procedure or consultation prior to the adoption of the contested decision.
decision was necessary).


However, in the exercise of that voile jurisdiction, the -Markthof must not exceed the limits of its jurisdiction.
respect judicial debate. Within the limits of the rules of public order and within the
limits of the interpretation to be given to the pleas in law relied on before the Court,
the Court must carry out its assessment, that is to say - the possible substitution of its own

decision - limited to the grounds and pleas in law put forward by the applicant
defence of the rebellion17-

In short, the Market Court may substitute its decision for that annulled by the Court.
judgment under appeal, provided that the Court does not give rise to any challenge which is not contradictory

were subject to the same conditions in the course of proceedings before the Court of Justice, and in so far as no decision has been given
shall be affected where the parties to the proceedings have been unable to defend themselves in the
proceedings before the Court of Justice.

The GBA's criticism where it says:

        In addition to "ordinary" councillors, there are also a number of18 councillors in the Market Court with
        "specific/advanced knowledge of economic, financial/ or market law Well, the rules
       in the field of data protection, cannot immediately be dealt with in one of those areas of law
       be caught. On the other hand, these are rules to ensure that an individual
       human rights and therefore a so-called transversa/jurisdiction, which in many aspects
                                                                                     19
       of society (similar to the law of discrimination, for example).
overlooks the fact that (also) the !eden of the Market Court, which show the specialized
knowledge (see above) are, at the same time, legal advisers in the Brussels Court of Appeal who satisfy the following requirements
meet the legal requirements to which each magistrate of the court is subject and that their appointment

shall be made on the proposal of the Supreme Judicial Council and that any interested party shall have the opportunity to
has a claim to annul the appointment before the Council of State.

A "critique" by a party to proceedings of the alleged or alleged (in)competence of one or more of the following
in the light of the foregoing, the Court's reasoning is considered to be of little pertinence or relevance.

over.

The Court of Justice of the European Communities therefore has jurisdiction to give the contested decision.
destroy and, where appropriate, replace the sanction by another sanction such as that imposed by the
Appellant in a minor capacity, a plea which the GBA was able to rely on

defend.

8.      Discussion of the grounds for destruction.

8.1. Infringement of Article 5.1. clAVG

The appellant is asserting himself:

17
18 Compare Cour °es marches 22 January 2020, 2019 AR 1470, no. 26.
19A rt. 207, § 3, 4 , Ger. W.
   These were the subject of various comments in the parliamentary debates on
the draft that led to the GBA Act. See Par/. St. Kamer 2017-2018, no. 54-2648/6, 10, 13, 48, 50,
57, 59, 61-62, 69-70 and 77.


              r PAGE 01-00001582885-0024-0033-01-01-�



              L _JCourt of Appeal Brussels - 2019/AR/1600 - p. 25




       44. The Dispute Chamber ruled that the infringement of the principle of minimum
           data processing would include the use made by the appellant

           have the riiksreqisternumber by reading in the e/D card to create
           a loyalty card:


               "For the Dispute Chamber, the following is paramount, Data processing
               implies the use of the national registry number, included in the barcode of the
               e/ektronic identity card, which is irrelevant. The

               Geschillenkamer het van belong dat er bijzonder rege/s ge/den voor het gebruik van
               the National Register number (oak already ge/dend v66r 23 December 2018), which has a very high number of
               prescribe restrained roaring of this National Register number. Because the
              barcode before/when the lnspection service is used to identify the customer
              to be found in the client database, the Disputes Chamber assumes that the

               become a national registration number or at least a dee/ of the identity card bucket
               used contrary to the principle of minima/e
               data protection". (emphasis added by the appellant)

       In other words, the Chamber of Disputes 'assumes' that the appellant has not received the

       would process the national register number. The Inspectorate's report mentions this in the following terms
       However, no enke/e report was made. The lnspectorate requested we/
       the appellant's written information. She asked the appellant "more
       information about the specific data your company reads and uses from the

       eDs of your customers". The Appellant replied: "the data that
       saved are [...] Surname, first names, address, date of birth, age, customer since,
       turnover and the latest 10 purchase amounts and the number of points". (document 8.8) The
       The national register number was not given.


       De Geschil/enkamer ha d bijgevo/g geen enke/e grand om appellant een inbreuk op het
       principle of minimum data processing at Jaste te Jeggen because of the
       Alleged use of the national registration number to create a loyalty card.
       She was not allowed to "assume", without any document in the file, that the appellant's
       State registry number used.


       The Disputes Chamber was not allowed to take the national register number into account in order to
       to withhold an infringement of the AVG and to impose an administrative fine.
       Soa/s your court noted in previous appeal proceedings against decisions of the GBA can
       reasons invoked by the GBA "only support a decision where it is apparent from the

       documents of the case on which the authority {GBA} deems s/a20 to be murdered and holds "the
       subject matter/justification of the fact that it is required to support the administrative act.
       for reasons of which the fact/factual existence has been duly proven and which have been the subject of legal proceedings.
       may have taken into account the justification for that act" 21 The motives

       of the Contested Decision on the infringement of the principle of minimum standards for the protection of legitimate expectations.
       data processing in connection with the national register number did not find any enke/e support in the
       documents of the file.

20
21Brussels (Sectie Marktenhof) 23 October 2012, FOO Public Health t. GBA, 2019/AR/1234, 24.
  Brussels (Sectie Marktenhof) 23 October 2019, ING Be/gie NV t. GBA, 2019/AR/1006, 19.


              I PAGE 01-00001582885-0025-0033-01-01-�



              L _JCourt of Appeal Brussels - 2019/AR/1600- p. 26






The GBA argues in this regard:
       "74. Furthermore, the GBA notes that the Disputes Chamber infringed Article 5(1)(c) AVG
       derived, not al/one from the use of the national register number, but oak from the
       save the date of birth and the date of birth of the k/sides. That the /aatste
       personal data were kept by the appellant, does not contest the appeal/ante, so that the

       Infringement of article 5.1.c) AVG how oak remains. It is indeed impossible to see
       how the gender and date of birth could be relevant for the act/
       of data processing, namely the creation of a loyalty card. The fact that there is
       other do(s) could exist for the purpose of which such data we/
       lawfully processed, such as the verification of compliance with legal requirements.
       minimum age for the purchase of alcohol is irrelevant in this context. To be superfluous

       reminds me that, following the ruling of the Constitutional Court of 19 June 2019 on
       the law on transgender persons22 the registration of the sex/esteem of persons in any case not
       is no longer taken for granted, not by the government and therefore certainly not by a private company.
       person, soa/s a drinkhande/.
       75. Finally, it is clear that the e/ektronic identity card does not show how oak cattle/ more

       data is then required for the creation of a loyalty card. It is precisely for this reason that
       the complainant is/are willing to provide the specific information required
       for the creation of a loyalty card, but not agreeing to read hoar

       e/ektronic identity card, where he or she loses control over which data was on him or her.
       read and kept by the processing responsible/keeper.

       76. Conclusion: The Dispute Chamber led the infringement of Article 5.1.c}. AVG on the basis of proven facts".


The contested decision is under consideration:
       The lnspectiedienst thus confirms the k/acht in the sense that no alternative is offered
       to customers who want a k/s edge card, but not their electronic identity card

       the defendant wishes to use /have used /aten for the creation of a third party /ijke
       customer card, while obtaining the consent and offering an
       a/terative ffor the lnspection servicewe/ is required.

       The Inspectorate also refers to Article 6(4) of the Act of 19 July 1991.
       on population registers, identity cards, aliens' identity cards and aliens' identity documents

       verb/ive documents, as applicable from 23 December 2018, containing
       that the e/ektronic identity card may be read or used enke/ with the
       free, specific and informed consent of the holder. When a forement/
       or service is offered to a citizen through his e/ektronial identity card within the framework of
       of an informatics application, an alternative should also be proposed that the
       use of the e/ektronic identity card is not required. In addition, the lnspection Service

       with regard to oak, to Recommendation No 03/2011 in order to meet the consent requirement and the
       support the offer of an a/terative.




22GwH, No 99/2019, 19 June 2019.


             r PAGE 01-00001582885-0026-0033-01-01-�



             L _JCourt of Appeal Brussels - 2019/AR/1600- p. 27





The Law of 19 July 1991 on population registers, identity cards, the
Alien cards and residence documents now state in Article 6 § 4 second and third
Member:
       The National Register number and the Joto of the holder may only be used if
       is authorised to do so by. or by virtue of a law, a decree or an ordinance. The
       e/ektronic identity card may be enkeed/ read or used with the free, specific

       and informed consent of the holder of the electronic identity card.
       When a benefit or service is offered to a citizen through his e/ektronial
       identity card in the context of an IT application, should also provide an alternative
       dot require the use of the e/ektronic identity card, proposed/d were added to the
       person concerned.

This text was added by the law of 25 November 2018 and entered into force on 23 December.

2018. This law is therefore not applicable to the facts giving rise to the current dispute.
since the complaint dates from 28 August 2018.

At the time of the complaint, the text was as follows:
       "Any automated check of the card by optical or other/eesprocessing means must
       be the subject of a royal decree, no opinion of the sectoral committee of the

       National Register referred to in section 15 of the Act of 8 August 1983 on the regulation of an
       National Register of Natural Persons, ..,

The motives of the inspectorate - which the GBA states serve as a basis for the
decision - are unlawful. A law that was absolutely inapplicable at the time of the complaint and
a "recommendation" which has no legal force cannot serve as a basis for the

assessment of conduct as contrary to the legislation in force.

It has not been demonstrated, nor has it been conclusively proven, that at the time of the complaint a
The alternative had to be offered.

The contested decision is also under consideration:

       "The Chamber of Disputes also notes the processing of customer data.
       (surname, first names, address, date of birth, gender, date of birth, date from which the person concerned is a customer)
       and the amount of purchases) the starting/of minimum data processing not
       respects, as the given 'gender and date of birth' is also irrelevant
       are. In this case, the Dispute Resolution Chamber does not use the loyalty card for
       check/erendage the minimum age for alcohol sales.


       The fact that the defendant's hand/method in relation to the creation of loyalty cards
       the beginning/of minimum data processing does not n,,eeft, the Dispute/Chamber is consequently
       of the opinion that the infringement of Article 5.1. c)AVG has been proven.

No EID card was offered by the complainant in this case, so there is no processing at all
of its data. Therefore, the GBA does not show any actual infringement in relation to

personal data.





             I PAGE 01- 00001582885-0027-0033-01-01-�



             L _JCourt of Appeal Brussels 2019/AR/1600-p. 28





At that time, the complainant was not (yet) legally obliged to offer alternatives. This is different since
23 December 2018, but that regulation could not have been applied retroactively by the GBA.

In addition, the Dispute Carner is wrongly based on a number of unsubstantiated assumptions:
- that a loyalty card of a beverage company would not have been used to check the

    a ban on the sale of alcohol to minors;
- that the complainant would suffer an undeniable disadvantage as a result of the creation of a

    loyalty card, discounts would run riot. This is not a disadvantage because only a
    possible additional advantage is lost (the Court emphasises). The situation is different when the EID card
    request a legal or contractual right (e.g. the right to a guarantee) to

    to be shortened or retained.


A breach of Article 5.1. c)AVG has not been proven in this specific case.


The appellant's sixth plea is well-founded on this point.

8.2. Infringement opart. 6.1. AVG:

The GBA shall further base its decision on a breach of Article 6.1. AVG, namely that the

the lawfulness of the processing is subject to the data subject's consent for the
softening of his personal data for one or more specific purposes or the processing thereof
is necessary in order to safeguard the legitimate interests of the
controller or of a third party, except where interests or fundamental rights
and fundamental freedoms of the data subject which require the protection of personal data,

outweigh those interests, especially when the person involved is a single child.

The GBA states:
       "Contrary to what the defendant argues, there can be no
       there is consent a/s legal basis for the processing, as the consent

       within the defendant's current modus operandi, cannot in any way be regarded as a
       free consent within the meaning of Article 4.11. AVG, in the absence of an alternative system dot
       Allow/allows the creation of a loyalty card without the use of the electronic identity card,
       which makes it possible for the person concerned to benefit from discounts even in such cases.


       In this context, the Dispute Settlement Chamber also refers to the Group 29 Guidelines on
       authorisation in accordance with Regulation 2016/6792 stating that the element
       implies "free" work/rich choice and control for those involved. As a general rule, the
       AVG for the fact that if a person concerned has no work or choice, he or she is compelled to
       to give his or her consent as to whether it will have negative consequences for him or her if he or she does not

       consent, the consent is not valid. lndien consent shall be merged as a
       non-negotiable/negotiable part of terms and conditions, it is presumed not free
       to be given. Accordingly, authorisation shall not be deemed to have been granted if the
       cannot refuse the person concerned or hoar consent_ without adverse consequences, or
       withdraw. Because, in the present case, the complainant, and by extension a/le customers, only of

       can benefit from discounts by m_ ddel of their electronic identity card, and by the
       the defendant is not offered any alternative to the creation of a loyalty card


              IPAGE □1- □0001582885-0028-0033- □1- □1-�



                                                                 Court of Appeal Brussels - 2019/AR/1600- p. 29




       In order to benefit from this advantage, it is clear/seemly that there is no free
       consent.

       Although the defendant did not rely on it, the Litigation Chamber examined in

       to what extent the processing could be based on Article 6.1. f). AVG and the
       processing necessity/justification could be necessary for the protection of his legitimate interest.
       De Geschil/enkamer observes that in order to do so, it is necessary to weigh up the following issues with the
       the importance of the end of the chain concerned to be assessed/and to be given more weight. Oak for
       As far as this legal basis is concerned, the Dispute Settlement Chamber states that such a weighing-up should be carried out,
       in the present case, /decides that it is in the complainant's interest, and extends to
       a/le customers of the defendant, takes precedence.


       The Dispute / Chamber rules that the infringement of Article 6.1. AVG has been proven"

To the extent that the GBA again refers to the lack of an alternative, it refers again (see
point 8.1 above) to a secondary legislation which is not applicable.

The Market Court refers to what was stated above under point 8.1.
The infringement of Article 6.1. AVG has therefore not been proven. The seventh ground of appeal of the

The appellant is well-founded on this point.


8.3.          Decision of points 8.1 and 8.2:

To the extent that the contested decision does not contain an adequate statement of reasons on the grounds that certain
reasons for the contested decision are incompatible with the documents in the file and with the
legal provisions in force at the time of the complaint and cannot be verified by the Market Court

what motive or motives, if any, were de facto decisive for the contested decision?
In order to justify its decision, the Market Court must find that the GBA cited
grounds for declaring the infringements to be proven (and, as a consequence, imposing
sanctions because of these alleged infringements).
The decision was therefore taken unlawfully and should be annulled.
warden.



8.4. Infringement of Articles 13.1. c), 13.1. e) and 13.2. a)AVG:

With regard to the other findings of the lnspection Service, that is:

       (a) the contradiction between the defendant's assertion that there has been no communication of
       data to third parties, while the privacy statement states that transfer is possible within the
       European Economic Area for associated companies.


       (b) The lack of clear information for the person concerned, in particular on the
       the legal basis and the storage period.





             r PAGE 01-00001582885-0029-0033-01-01-�



             L _JCourt of Appeal Brussels - 2019/AR/1600- p. 30




the Clerk of Disputes takes note that the appellant admits that he is right to submit as
shortcomings in the AVG may have been considered and indicates that in the short term
additional measures will be taken to ensure that the data processing complies with

with the requirements of the AVG.
To the extent that these elements fall outside the scope of the complaint and do not give rise to a sanction,
should not be assessed separately.

The order in accordance with Article 100 § 1, 9 of the GBA Act, to the effect that the appellant must submit the processing in
brings it into line with Art. 5.1. c), Art. 6.1, Art. 13.1. c), Art. 13.1. e) and 13.2. a) AVG makes

is not in itself the object of the story. The appellant does not develop any
only means.


9.     The sanction


In addition to the fact that the contested decision does not contain an adequate statement of reasons (see point 8.3.
for this), the penalty imposed, namely a fine of €10,000, is in turn inadequate
motivated.

lndien with the GBA may have argued that it is not every possible sanction of Article 83.2 AVG
it should be overflowing and it should not justify why some sanctions were not considered,

this does not detract from the fact that the choice of the sanction imposed is adequate
must be substantiated. When determining the sanction in concrete terms, the following should be taken into account
general criteria should be leading:

     the seriousness of the infringement;
     the duration of the infringement;

     the necessary deterrent effect to prevent further infringements.

The GBA shall determine the manner in which it considers that a sanction is appropriate.

However, as stated above, a decision of the GBA with regard to (the amount of) an
financial penalty is not binding on the Market Court.


The Market Court shall assess the extent of a possible sanction in such a way that, on the one hand, in
is appropriate to the circumstances and proportionate to the infringement found
and to the capacity of the party committing the infringement.


The mere statement that the infringement relates to a fundamental legal principle of
Data protection is not enough. The nature and seriousness of the infringements constitute a
of the appreciation characteristics for determining the sanction and its budget if there are
a fine is opted for, but these elements must be assessed against 'all'.
elements of the dossier (e.g. whether it is a one-off infringement or not,
what the impact is generally considered to be in legal life, or any intention or intent by virtue of

of the il'.l offender is demonstrated,.....) and where - in the absence of a clear
Qualification and quantification of the possible sanctions through a publicly accessible tool
document (guideline or scale transparently communicated by the GBA) before a


                        □ 1-□□□□1582885-0030-0033- □1-□ 1-;i
             I PAGE



             L _JCourt of Appeal Brussels - 2019/AR/1600- p. 31




concrete facts - at least a justification must be given as to why a sanction less far-reaching than
the imposition of a fine of€ 10 000 could not be of such a nature as to deter the infringements
to put an end to it. Only if these requirements of sufficient, clear and transparent
Article 83 AVG, which states that the sanction shall be effective in every case,

must be proportionate and dissuasive, effectively enforced. In this respect, the
criteria of effectiveness and proportionality

Where the GBA once again retains as a motive "a gross negligence with a far-reaching impact
not all/one on the data processing of the k/ager, but on that of a/le customers of the
defendant in the absence of an a/ternative for the creation of the c/antic file on grand of the

e/ektronic identity card absence of valid consent and excessive
data processing" and from . the data of the dispute it appears that the plaintiff has never given her
has made identity information available to her, so that she cannot suffer any personal disadvantage
and the fact that no alternative was available was not a valid legal basis on
the moment of the complaint, it follows that oak is the sanction in itself (oak even if infringements have been proven)
have been) illegal.


For that reason alone, the contested decision should be annulled. Oak the Eighth
middeI of the appellant is well-founded.

The reasons currently put forward by the GBA in conclusion (No 106) to post factum the imposed and
sanctions implemented cannot be taken into account. The

the offender must be informed of the nature of the sanction before the imposition of a sanction
which is under consideration and of its scale (where a fine is contemplated). The
the offender must be warned (with a view to avoiding unnecessary sanctioning)
and have the opportunity to defend themselves on the issues proposed by the Dispute Settlement Chamber
amounts of the fine, before the sanction is effectively imposed and executed.



10.    The publication.

To the extent that the sanctioning of infringements of the AVG and the GBA Act should be of a nature to
should be partly dissuasive, the Market Court recommends that the GBA recommends that the present judgment
publish on its website omitting the identification details of the person concerned

parties.


11.    Decision,

The appeal is admissible and well founded.


The contested decision 06/2019 of 17 September 2019 of the Chamber of Disputes of the
Data protection authority concerning the appellant is destroyed.

It will belong to the Data Protection Authority those already paid by the appellant.
administrative fine of€ 10,000 to be refunded to the appellant. The Market Court may




             I PAGE 01-00001582885-0031-0033-01- �




             L _J Court of Appeal Brussels19/AR/1600p. 32




 However, the Court of Justice of the European Communities and the Court of Justice of the European Communities were not seized of a claim for payment of a subjective right.
 cannot, therefore, condemn it.




.12.    The costs,


 in accordance with the law of 21 apri! 2007 and the Royal Decree of 26 October 2007 shall become the
 nursing care allowance budgeted at the basic fee of€ 1,440.




 For these reasons,
 The court,




 Having regard to Article 24 of the Law of 15 June 1935 on the use of languages in court proceedings,

 Declares the higher beroepontvankelijken grorn;l;



 Annuls the contested decision 06/2019 of 17 September 2019 of the Chamber of Disputes of
 the data protection authority collapsed appellant;



 Orders the Data Protection Authority to pay the costs of the appeal, settled on
 1,860.00 euro (being € 400.00 rolling right, € 20.00 contribution Budgetary Fund and € 1440.00
 procedural indemnity).



 Condemns the Data Protection Authority, in accordance with Article 269/2 of the Belgian Data Protection Code
 registration, mortgage and court registry fees for the payment to the Belgian State, Federal Public Service Finance, of the
 an appeal in the amount of EUR 400.00, and until such time as the final charge is borne by the

 contribution of€20.00Budgetary Fund;

                                            * * *















              IPAGE 01- □□□□ 1582885-0032- □033-01-01-�




                                                                _J