APD/GBA (Belgium) - 149/2022: Difference between revisions
Revision as of 09:16, 2 November 2022
APD/GBA - 149/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(d) GDPR Article 5(1)(e) GDPR Article 5(1)(f) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1)(e) GDPR Article 24(1) GDPR Article 28(2) GDPR Article 28(3) GDPR Article 44 GDPR Article 46 GDPR Article 49(1)(d) GDPR Article 49(4) GDPR Article 57(4) GDPR Article 23 Constitution Article 33 Vlaamse Wooncode Vlaamse Codex Wonen |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 27.09.2021 |
Decided: | 18.10.2022 |
Published: | 21.10.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 149/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA held that a social housing organisation could rely on public interest (Article 6(1)(e) GDPR) to investigate foreign financial assets of data subjects. The DPA also determined that this controller could rely on important public interest (Article 49(1)(d) GDPR) to conduct international data transfers for the purpose of conducting this foreign investigation. The DPA reprimanded this controller for omissions in the controller-processor agreement, which resulted in violations of Articles 28(2) and 28(3) GDPR.
English Summary
Facts
Two data subjects submitted complaints at the Belgian DPA, stating that their personal data was unlawfully processed by a social housing organisation. This controller was responsible for verifying the eligibility criteria for social housing. The controller held that it had grave suspicions that the data subjects did not qualify for social housing, after the data subjects failed to provide clarity regarding their assets in Turkey. The controller initiated an investigation into these assets. It hired a processor, a private investigation firm, to check personal data of the data subjects. This processor also used a processor of its own, which was located in Turkey. Following the investigation, the controller determined that the data subjects did not qualify for social housing in Belgium, because they owned sufficient assets in Turkey.
After the data subjects submitted their complaint, the DPA also initiated an investigation. The investigation unit of the DPA (investigation unit) determined that the controller breached several GDPR Articles.
The data subjects stated that they were not the owners of the assets in question. They also contested the value of evidence in the reports and stated that the evidence was received illegitimately.
The district court of Lier had already delivered a judgement in a case between the controller and the data subjects, which was about the termination of the rental contract. In this ruling, the district court held, amongst other things, that the controller could use Article 6(1)(e) GDPR for conducting the investigation into the foreign assets. It also determined that the controller had sent letters to the data subjects which remained unanswered.
Holding
DPA authorized?
The DPA first held that it had the authority to decide if the investigation ordered by the controller was GDPR compliant. It held that it was not competent to rule on other issues which were already covered by the district court of Lier.
Violations of Article 5(1)(a) GDPR and Article 6(1) GDPR
The DPA held that the controller did not violate Article 5(1)(a) GDPR and Article 6(1) GDPR (in line with the findings of the investigation unit).
The DPA stated that in order to lawfully process personal data according to Article 5(1)(a) GDPR, the controller needed to base its processing on one of the legal grounds described in Article 6(1) GDPR. Based on the answers of the controller during the investigation, the investigation unit determined that the controller relied on public interest (Article 6(1)(e) GDPR) to process the personal data.
The DPA held that the controller could only rely on Article 6(1)(e) GDPR when processing was necessary for a task in the public interest or when it is necessary for exercising public authority that has been invested in the controller. In these cases, a legal ground for processing, based in European law or national law, was required (Article 6(1)(e) GDPR, Article 6(3) GDPR and recital 45).
Task in the public interest
The DPA held that the controller processed personal data within its legal obligation to do so for a task in the public interest, which was the allocation of limited government funds for the purpose of providing affordable housing to the most vulnerable people.
Legal ground
The DPA held that in order to rely on Article 6(1)(e) GDPR, a specific, clear and predictable legal basis was required (Recital 41 GDPR). The DPA stated that the controller relied on Article 23 of the Belgian Constitution. This Article constituted the constitutional right to housing, which was an ‘internationally acknowledged right’. The DPA continued by referring to Article 33 of the Flemish Housing Code, which obliged social housing organisations to create criteria to decide who is eligible for social housing.
Based on the above, the DPA held that it was predictable that the eligibility requirements for social housing would be checked by the controller. However, the methods used for this purpose were less predictable, because the legal provision in question (Article 52 Kaderbesluit) provided a non-limited list of options for the controller to check eligibility for social housing. The DPA pointed out that tasks of public interest are often not based on precisely defined obligations, but rather on a more general authority to act. The DPA stated that this was applicable in the present case.
Necessity of the processing
The DPA stated that the requirement of necessity of processing is often not specified in laws. Therefore, controllers using Article 6(1)(e) GDPR often have to weigh the necessity of their processing against the public interest and the interests of data subjects. The DPA held that the data subjects were asked multiple times to provide clarity regarding their potential foreign assets. The data subjects failed to reply, which resulted in reasonable suspicions on the part of the controller. The district court of Lier had already determined that the controller had sent letters to the data subjects and that these letters had remained unanswered. The controller stated that it had no other choice than to enlist the processor to start the foreign investigation into the assets of the data subjects.
Based on the above, the DPA determined that the processing was indeed necessary for the purpose of allocating limited government funds for social housing, because of the grave suspicions of the controller. The DPA also mentioned the shortage of social housing and the difficulty of getting access to data regarding foreign assets of data subjects. It did not matter that the option of hiring a private investigation firm was not listed in Article 52 Kaderbesluit, since the list of options in this article was not limited.
The DPA also rejected the argument of the data subjects that the controller could not rely on Article 6(1)(e) GDPR, because the privacy policy was not delivered to them. The DPA held that there was no obligation for the controller to deliver a privacy policy. Providing an online link to a privacy policy was sufficient, which the controller had done. The DPA supported its argument by referring to the WP29 Guidelines for transparency.
Violations of Articles 5, 24(1), 25(1) and 25(2) GDPR
The inspection unit had determined that the controller breached several provisions of the GDPR. However, the DPA determined that the inspection unit did not conduct the investigation in a ‘loyal way’. It failed to ask further questions and request more precise information when the information provided by the controller was deemed insufficient. The DPA determined that, based on the additional input the controller provided, it could not be concluded that the controller breached Articles 5, 24(1), 25(1) and 25(2) GDPR.
Violation of Articles 28(2) and 28(3) GDPR
In contrast, the DPA confirmed that the controller violated Articles 28(2) and 28(3) GDPR. The investigation unit held that the data processing agreement of the controller with the processor did not contain all the necessary aspects. Aspects such as a signature of the controller and the starting date of the agreement were missing. The controller did not object to this assessment and stated that it acted immediately after receiving the report from the investigation unit. It changed its standard agreement with processors for conducting foreign investigations accordingly. It also did not instruct processors to conduct any further investigations.
The DPA held that the controller breached Articles 28(2) and 28(3) GDPR, but that the shortcomings that caused these violations had already been fixed.
Violations of Articles 44, 46, 24(1), 24(2) and 5(2) GDPR
The DPA stated that the transfer of data to third countries (outside of the EU) is only allowed when the level of protection guaranteed by the GDPR is not compromised. This is the case when a third country provides an adequate level of protection or provides supplementary measures.
The controller stated that it did not transfer personal data to Turkey, because it was the processor which provided personal data to, and received personal data from, its Turkish processor. The DPA disagreed. It confirmed that the controller was in fact the controller, because it defined the means and purposes of processing (Article 4(7) GDPR). Therefore, it was also the controller's responsibility to ensure its processing was compliant with the GDPR, even when it was the processor that transferred personal data to a third country.
The controller also argued that it could rely on the exception of Article 49(1)(d) GDPR for important reasons of public interest. The DPA accepted this argument. The DPA held that under Article 49(4) GDPR, only public interests that are recognised in EU law or in member state law can be used. This public interest cannot be too abstract. As an example, the DPA cited public interests that are recognised in international treaties signed by member states.
The DPA determined that the controller provided social housing for vulnerable people, to support the public interest of the right to housing. This right is internationally recognised in the UDHR (Universal Declaration of Human Rights) as well as the ICESCR (International Covenant on Economic, Social and Cultural Rights), which is ratified by both Belgium and Turkey. The DPA also repeated that the right to housing was provided in Belgian law.
The DPA also determined that the processing by the controller passed the necessity requirement of Article 49(1)(d) GDPR. The DPA referred to its necessity assessment earlier in the decision, when it assessed the possible violations of Articles 5 and 6 GDPR.
Therefore, the DPA determined that the controller did not violate Articles 44, 46, 24(1) and 5(2) GDPR, in contrast with the findings of the investigation unit.
Violation of Article 30(1) GDPR
Lastly, the DPA held that the controller did not violate Article 30(1) GDPR. The investigation unit had determined that the registry of the controller was not specific enough in describing the categories of personal data and data subjects, but the DPA disagreed. The DPA held that whether or not the registry is clear and detailed enough should be assessed on a case-by-case basis. The DPA held that in this case, the registry was specific enough and that the elements in the registry left little room for different interpretations in the context of social housing. Therefore, the DPA held that the controller did not violate Article 30(1)(c) GDPR.
In conclusion, the DPA found violations only of Articles 28(2) and 28(3) GDPR and merely reprimanded the controller (Article 100, §1, 5° WOG). All other violations determined by the investigation unit were deemed unfounded by the DPA (Article 57(4) GDPR).
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/30 Dispute room Decision on the merits 149/2022 of 18 October 2022 File number: DOS-2021-06293 and DOS-2021-06884 Subject : Sharing personal data concerning tenants of social housing in in the context of an asset investigation The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Frank De Smet and Dirk Van Der Kelen, members. Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Has made the following decision regarding: The complainant: Mr X1 and Mrs X1, hereinafter: complainant 1 Mr X2 and Mrs X2, hereinafter: complainant 2 all represented by mr. Rahim Aktepe, with office in 2000 Antwerp, Amerikalei 95 hereinafter collectively referred to as “the complainant”; Defendant: Y, represented by Mr. Myrthe Maes, Mr. Nele Somers and Mr. Thomas Bronselaer, with office in 2000 Antwerp, Amerikalei 79, box 201, hereinafter referred to as “the Defendant”. Decision on the merits 149/2022 - 2/30 I. Facts procedure 1. The subject of the complaint concerns the communication of personal data of social tenants to third parties in the context of a foreign asset investigation. 2. Complainant 1 and complainant 2 serving on 27 September 2021 and 22 October 2021 respectively lodge a complaint with the Data Protection Authority against the defendant. 3. 
On October 1, 2021 and January 5, 2022 respectively, the complaints will be handled by the First-line servicedeclaredadmissibleunderarticle58and60WOGenbe they have been transferred to the Disputes Chamber pursuant to Article 62, § 1 WOG. 4. On 27 October 2021 and 17 January 2022 respectively, in accordance with Article 96, § 1 WOG the request of the Disputes Chamber to conduct an investigation submitted to the Inspectorate, together with the complaint and the inventory of the documents. 5. The inspections will be completed by the Inspectorate on February 15, 2022 bothreportsattachedtothefileandthefilesbecomebytheinspector-general submitted to the Chairman of the Disputes Chamber (Article 91, § 1 and § 2 WOG). The report prepared in relation to complainant 1 contains findings with relating to the subject matter of the complaint and decides that: 1. there is no infringement of Article 5(1)(a) and (2) GDPR, Article 6(1) GDPR with regard to the principle of legality; 2. there is an infringement of Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1) and 2 GDPR with regard to the principles of fairness and transparency, purpose limitation, minimal data processing, accuracy, storage limitation and integrity and confidentiality; 3. there is an infringement of Article 28(2) and (3) GDPR; and 4. there is an infringement of Articles 44, 46, 24(1) and 5(2) GDPR for what concerns the transfer of personal data to Turkey. The report prepared in relation to complainant 1 also contains findings that go further than the object of the complaint. In general terms, the Inspectorate establishes that: 1. there is an infringement of Article 30(1) GDPR due to non-compliance with various obligations regarding the register of processing activities. 6. The report prepared in connection with complainant 2 concurs with the findings of the first report. Reference will therefore be made in this decision to the first report as the Inspection Report. Decision on the merits 149/2022 - 3/30 7. 
On February 21, 2022, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98 WOG that both files are ready for treatment on the merits. The Disputes Chamber states for the parties to merge both businesses. Also on February 21, 2022 was allowed the Disputes Chamber has received the agreement to merge the two parties. 8. On February 21, 2022, the parties concerned will be notified by registered letter of the provisions as stated in article 95, § 2, as well as of these in article 98 WOG. They are also informed, pursuant to Article 99 of the WOG, of the deadlines to to file defences. As regards the findings relating to the subject matter of the complaint, the deadline for receipt of the defendant's response recorded on April 4, 2022, this for the conclusion of the reply from the bearing on April 25, 2022 and finally that for the defendant's reply on 16 May 2022. The latest date for receipt of the defendant's response for with regard to the findings outside the draft of the complaint, it was set at 4 Apr 2022. 9. On February 21, 2022, the complainant electronically accepts all communication regarding the case. 10. On March 8, 2022, the defendant requests a copy of the file (Article 95, §2, 3° WOG), which was transferred to her on March 23, 2022. 11. On March 8, 2022, the defendant electronically accepts all communications regarding the case and expresses its wish to make use of the opportunity to be heard, in accordance with article 98 WOG. 12. On April 4, 2022, the Disputes Chamber will receive the statement of defense from the the defendant with regard to the findings relating to the subject-matter of the complaint, as well as the findings outside the subject of the complaint. The defendant argues that the processing in its head constitutes a lawful data processing. Second the defendant argues that the data processing in question is a correct and permissible data processing, whereby all the basic principles of Art. 
5 (1) GDPR are applied respected and that she can also demonstrate this. Third, the defendant denies the determinations of the Inspectorate regarding the processing agreement, but states that it has eliminated these infringements. Fourth, the defendant argues that the transfer of personal data to Turkey has taken place in a lawful manner. Finally, the defendant argues that the register of processing activities was updated to comply with the Inspectorate set shortcomings. 13. On April 22, 2022, the Disputes Chamber will receive the conclusion of the complainant's reply, in which an overview is given of the previous procedure conducted by the complainant with regard to Decision on the merits 149/2022 - 4/30 of the defendant before the justice of the peace. The complainant disputes the legality of the data processing, and the complainant states that the data processing is not has taken place in accordance with the fundamental principles of Article 5(1) of the GDPR. With regard to the determinations regarding the processing agreement, the transfer of personal data to Turkey and the register of processing activities, the complainant closes adhere to the findings of the Inspectorate. 14. On May 18, 2022, the Disputes Chamber will receive the statement of reply from the defendant with regard to the findings with regard to the subject matter of the complaint. In here the defendant repeats its views from the statement of defense. 15. On August 10, 2022, the parties will be notified that the hearing will take place on September 22, 2022. 16. On September 22, 2022, the parties will be heard by the Disputes Chamber. 17. On September 23, 2022, the minutes of the hearing will be sent to the parties submitted. 18. On September 29, 2022, the Disputes Chamber will receive some comments with regard to the official report, which it decides to include in her deliberation]. 19. 
The Disputes Chamber does not receive any comments with regard to the official report because of the complainant. II. Justification II.1. Jurisdiction of the Dispute Chamber 20. In his conclusions, the bearing states in his first three pleas that they do not own a property in Turkey, they dispute the evidential value of the investigation reports that have been drawn up by Z in the context of the foreign asset research, and finally the complainant discusses the doctrine of the illegally obtained evidence. 21. However, the Disputes Chamber is only authorized to judge whether the foreign asset investigation has taken place in accordance with the GDPR. The the above resources do not belong to the jurisdiction of the Disputes Chamber and were already assessed by the justice of the peace van Lier (see below). So these arguments will not be the subject of the proceedings before the Disputes Chamber. II.2. Article 5 (1) a) GDPR, Article 6 (1) GDPR 22. The Inspectorate determines that the defendant has fulfilled the obligations imposed by Article 5 (1) a) and (2) GDPR and Article 6 GDPR with regard to the principle Decision on the merits 149/2022 - 5/30 regarding legality. Based on the answers obtained from the defendant during the investigation, the Inspectorate follows the defendant's assertion that it invokes the legal basis from article 6, paragraph 1, e) AVG (necessity for the fulfillment of a task of general interest). 23. The basic principle of article 5, paragraph 1, a) GDPR is that personal data only in a lawful manner may be processed. This means that a legal ground for processing personal data as referred to in Article 6(1) of the GDPR must be present. In further elaboration of this basic principle, Article 6(1) of the AVG states that personal data may only be are processed on the basis of one of the legal grounds listed in the article. 24. 
The complainant disputes the findings of the Inspectorate and argues that the defendant wrongly invokes Article 6, paragraph 1, e) GDPR. In addition, the complainant claims that the defendant cannot rely on any other legal basis either, such as consent (Article 6, paragraph 1, a) GDPR).

25. To lawfully rely on the legal basis of Article 6(1) e) GDPR, personal data may only be processed if this is necessary for the fulfillment of a task in the public interest or if it is necessary for the exercise of the public authority entrusted to the controller. In these cases the processing must always have a basis in the law of the European Union or that of the Member State concerned, which must also state the purpose of the processing. It must therefore be checked whether the conditions set out in that article have been met in this case.

26. Pursuant to Article 6(3) and Recital 45 of the GDPR, processing on the basis of Article 6 (1) e) GDPR must meet the following conditions:

a. The controller must be charged, on a legal basis, with the fulfillment of a task in the public interest or a task that is part of the exercise of public authority, irrespective of whether that legal basis is contained in the law of the European Union or in the law of the Member States;

b. The purposes of the processing are established in the legal basis or must be necessary for the performance of the task in the public interest or the exercise of public authority.

27. The Disputes Chamber will examine the conditions of general interest, legal basis and necessity below.

Public interest task

28. The public interest task in question relied on by the defendant is the control of the registration and allocation conditions in the context of social housing, in order to rent out homes to tenants who cannot provide for their housing needs themselves.
As also confirmed by the justice of the peace of the canton of Lier, who has already ruled in this case with regard to the termination aspects of the lease, social housing companies are subject to the legal obligation to check whether their (prospective) tenants meet the applicable conditions both at the start and during the entire term of the rental agreement. After all, social housing is reserved for vulnerable people who cannot meet their housing needs themselves without assistance. Given the limited government budgets available, social rental housing should go to those persons who are most in need of housing. [1]

29. It is clear to the Disputes Chamber that the defendant, by the processing in question, fulfills its legal task in the public interest, being a meaningful use of limited government resources by allocating social housing to persons who are most in need of housing. The defendant therefore rightly argues that the processing may be based on Article 6 (1) e) of the GDPR. [2] The complainant's consent is therefore not required for the processing to be lawful, especially since this legal basis is not relied upon by the defendant.

A clear, precise and predictable legal basis

30. According to Recital 41 of the GDPR, this legal basis or legislative measure must be clear and precise and its application must be predictable for litigants, in accordance with the case law of the Court of Justice of the European Union and the ECHR. In the Rotaru judgment [3] the ECtHR used the concept of predictability of the legal basis. As the case concerned on surveillance systems of a state's security apparatus, the context of the present case. In other cases, the ECtHR has indicated that it may be guided by these principles, but it believes that these criteria, which were determined and followed in the specific context of that concrete case, do not as such apply to all cases.

31.
It is apparent from the submissions of the defendant that it relies on its mission as a social housing company to implement Article 23 of the Constitution, in which the right to decent housing [5] is laid down. The defendant hereby implements the internationally recognized right to decent housing.

[1] T. VANDROMME, Definition of terms in B. HUBEAU and A. HANSELAER, Social Rent, Bruges, die Keure, 2010, p. 24.
[2] See in this sense also T. VANDROMME, Professional judge also allows proof of immovable foreign property by a private firm, De Juristenkrant, January 27, 2021 and a.o.
[3] ECtHR, May 4, 2000, Rotaru v. Romania.
[4] ECtHR, September 2, 2010, Uzun v. Germany, § 66.

32. On the basis of Article 33 of the Decree containing the Flemish Housing Code (hereinafter: "Flemish Housing Code"), the social housing companies serve, among other things, to improve the living conditions of families and single persons in need of housing, especially of the most needy families and singles, by ensuring a sufficient supply of social rental housing and social housing for sale. This has resulted in the Flemish Government laying down various conditions with which (candidate) tenants must comply, so that housing is assigned to those most in need.

33. In order to qualify for social rent, the prospective tenant must therefore, among other things, meet the registration conditions from Article 3 of the Decree of the Flemish Government regulating the social rental system in implementation of Title VII of the Flemish Housing Code (hereinafter: Framework Decision), including:

"Article 3 § 1. A natural person can be registered in the register stated in Article 7, if he meets the following conditions: […] 3° he, together with his family members, has no house or plot intended for housing that is fully owned or in full usufruct, domestically or abroad, unless it concerns a camping stay located in the Flemish Region; […]."

34.
The investigation into compliance with the conditions and obligations for social housing is governed by Article 52 of the Framework Decision:

"Article 52 § 1. The reference person gives the lessor, through his application for registration in the register, his registration as a prospective tenant or his tenancy, the permission to submit to the competent authorities and institutions and to the local authorities the necessary documents or information regarding the conditions and obligations set out in this Decree, while maintaining the application of the provisions of the law of 8 December 1992 on the protection of personal privacy with regard to the processing of personal data, its implementing decrees and any other provision for the protection of personal privacy, established by or pursuant to a law, decree or decree.

§ 2. For the implementation of the provisions of this Decree, the landlord relies on information that can be delivered to him electronically by the competent authorities or institutions or by other lessors. If no or insufficient data is obtained in this way, the candidate tenant or tenant is asked to provide the necessary information. If the information obtained from the competent authorities or institutions or other lessors shows that the prospective tenant or tenant does not or no longer meets the conditions and obligations of this Decree, that determination shall be communicated to the candidate tenant or tenant, who can respond within one week after the notification.

[5] Article 23: "Everyone has the right to lead a life with dignity […] Those rights include in particular […] 3° the right to decent housing […]"
[6] Decree containing the Flemish Housing Code of 15 July 1997, BS 19 August 1997.
[7] Decree of 12 October 2007 of the Flemish Government regulating the social rental system in implementation of Title VII of the Flemish Housing Code, BS 7 December 2007.
The competent authorities and institutions referred to in § 1 and § 2, first paragraph, include, among other things: 1° the National Register of Natural Persons, mentioned in the law of 8 August 1983 regulating a national register of natural persons; 2° the social security institutions, mentioned in articles 1 and 2, first paragraph, 2°, of the law of 15 January 1990 establishing and organizing a Crossroads Bank for Social Security, and the persons to whom the social security network was extended in application of Article 18 of the same Act; 3° the Federal Public Service Finance; 4° the Civic Integration Crossroads Bank; 5° the Houses of Dutch; 6° the reception desks; 7° the Flemish E-government coordination cell; 8° the organizations and the institutions, mentioned in article 4, first paragraph, including the policy domain Education and Training of the Flemish Community."

35. From analysis of the above, it is therefore predictable that compliance with the registration conditions can be checked by social housing companies such as the defendant both at the start and throughout the duration of the lease.

36. The way in which this check will take place is less predictable, as the aforementioned Article 52 of the Framework Decision contains a non-exhaustive list ("among other things"), which allows the landlord to use various instruments that are not included in this article.

37. The Disputes Chamber has already pointed out in decision 124/2021 of 10 November 2021 that tasks of general interest or public authority with which controllers are charged are often not based on precisely defined obligations or legislative standards that meet the requirements listed under marginal 29 et seq., more specifically the recording of the essential characteristics of the data processing.
Rather, processing takes place on the basis of a more general authorization to act, as necessary for the performance of the task, as is also the case here. As a result, the relevant legal basis in practice often does not contain any concretely defined provisions regarding the necessary data processing. Controllers who wish to rely on Article 6 (1) e) of the GDPR on the basis of such a legal basis must then themselves balance the necessity of the processing for the task of general interest against the interests of those involved.

38. For the sake of completeness, the Disputes Chamber points out that since 1 January 2022, the Flemish legislator has acted to provide a new legal basis for the processing of personal data in the context of a foreign asset investigation. To the Codified Decree on the Flemish housing policy (hereinafter: Flemish Codex Housing) [8], Articles 6.3/1 and 6.3/2 were added, which now explicitly provide that social housing companies pass on personal data to private investigation agencies in the context of a foreign asset investigation. These articles read as follows:

Article 6.3/1 of the Flemish Housing Code: "§ 1. For the purposes of this book, personal data is processed for the following purposes: 1° checking whether the conditions and obligations of this book, and those that the Flemish Government determines in accordance with this book, have been met; […] § 2. The controllers, referred to in Article 4, 7) of the General Data Protection Regulation, are: 1° the lessor, with regard to the processing that he takes care of; […] § 3.
Pursuant to paragraph 1, the following categories of personal data are processed: 1° identification data; 2° the national register number and the social security identification numbers; 3° personal characteristics; 4° family composition; 5° financial details; 6° data on immovable rights; 7° data of students of Dutch as a second language (NT2); 8° housing characteristics; 9° profession and position; 10° data from social research; 11° living habits; 12° judicial information about the termination of the rental agreement due to causing serious nuisance or serious neglect of the social housing; 13° data on physical or psychological health; 14° education and training; 15° details of the lease that has been terminated by the landlord; 16° consumption data. […]

§ 6. The controller, referred to in paragraph 2, 1° and 2°, may transfer personal data under the following conditions: 1° […]; 2° the personal data, mentioned in paragraph 3, first paragraph, 1°, 2°, 3°, 8° and 10°, to the private partners designated by the Flemish Government in accordance with Article 6.3/2, second paragraph, for the investigation of the immovable property abroad; […]"

[8] Codified Decree on the Flemish housing policy, codified on 17 July 2020, BS 13 November 2020.

Article 6.3/2, paragraph 1 of the Flemish Housing Code: "The lessor who checks whether the conditions for immovable property, mentioned in Article 6.8, first paragraph, 2°, Article 6.11 and 6.21, first paragraph, have been met can, for the immovable property abroad, rely on private or public partners. The Flemish Government may designate the entity that enters into a framework agreement in which the private partners are identified."

The Disputes Chamber notes in this regard that this new legislation was published after the disputed data processing and therefore does not apply to the foreign asset investigations in this case.
Since this Flemish Codex Housing had not yet entered into force at the time of the foreign asset investigations, the Disputes Chamber did not rely on this legislation to reach this decision.

Necessity

39. Pursuant to Article 6(1)(e) GDPR, the processing is lawful only if and to the extent that the processing is necessary for the fulfillment of a task in the public interest or of a task in the exercise of public authority vested in the controller. As explained above, legislation often lacks concretely defined provisions regarding the necessary data processing. Controllers who wish to invoke Article 6 (1) e) of the GDPR on the basis of such a legal basis must then themselves balance the necessity of the processing for the task of general interest against the interests of those involved.

40. The defendant submits that, in the context of the assessment of necessity, it performed a balancing of interests before transferring the personal data in question to Z for conducting a foreign asset investigation. The defendant argues that this balancing of interests manifested itself in offering the possibility to spontaneously report property abroad in advance, and that the transfer of personal data subsequently took place on the basis of reasonable suspicions of property fraud. The justice of the peace of the canton of Lier has in its judgment dated 8 March 2022 (with regard to complainant 1) and its judgment dated 12 April 2022 (with regard to complainant 2) established that on 29 July 2020 the defendant sent all its tenants a letter announcing that they would be checked for immovable property abroad. The letter was personally delivered by carrier to each tenant, and in his absence the letter was left in the letterbox.
Due to the lack of a response from the complainants to this letter, the defendant argues that it had no other option than to conduct such a foreign asset investigation.

41. The Disputes Chamber establishes, on the one hand, that Article 52 of the Framework Decision does not explicitly include a reference to private investigation firms such as Z to collect the required data, but also that the aforementioned list is formulated non-exhaustively, so that recourse to private investigation agencies is not excluded by the aforementioned Article 52 of the Framework Decision. [9]

42. In accordance with its previous decision, the Disputes Chamber recalls that domestic asset investigations can be done through a simple consultation of the land registry. Investigations into real estate abroad, and especially in non-EU member states, are however less evident. The social housing companies then also have the tenants declare that they do not own any real estate abroad. To verify these statements, these social housing companies, such as the defendant, relied on specialized firms, such as Z in this case, as processors to conduct foreign asset investigations when they have serious indications or suspicions of foreign property.

43. The necessity of the foreign asset investigation is apparent from the fact that the complainant has already been invited several times to report any property abroad, first when signing the above-mentioned declaration on honor and then when the defendant informed the complainant via the warning letter of its intention to conduct a foreign asset investigation. The defendant, however, did not receive a satisfactory answer.

[9] Decision 124/2021 of November 10, 2021, to be consulted via https://www.dataprotectionauthority.be/burger/publicaties/besluiten
In view of its legal duty to use public funds to accommodate the most vulnerable people, in view of the severe shortage of social housing and in view of the difficulties of looking up data on real estate located abroad, the defendant was compelled to carry out the foreign asset investigation in connection with the serious suspicion of foreign real estate.

44. These findings have already been made by the justice of the peace of the canton of Lier in her judgment of March 8, 2022 (with regard to complainant 1) and in her judgment of April 12, 2022 (with regard to complainant 2). The justice of the peace concluded that the defendant could lawfully rely on Article 6 (1) e) GDPR for the purpose of carrying out the foreign asset investigation. The Disputes Chamber sees no reason to take a different position.

45. Finally, the complainant argues that the defendant cannot rely on Article 6(1)(e) GDPR as stated in the privacy policy on its website, because this privacy policy was not served on the complainant. In this regard, the Disputes Chamber refers to the guidelines on transparency of the Article 29 Data Protection Working Party, which stipulate as follows: "Any company with a website should publish a statement or notice on the protection of privacy on that site. A direct link to this statement or notice on the protection of personal privacy should be clearly visible on every page of the website, under a commonly used term (e.g. "Confidentiality", "Confidentiality Policy" or "Notice on the protection of privacy")." [10] So there is no obligation to provide this information personally to the complainant. Moreover, the Article 29 Data Protection Working Party states that "any information sent to a data subject should also be accessible in a single place or in the same document (on paper or in electronic format) that can be easily accessed by this person if he wishes to consult all the information sent to him." [11]
It can therefore be concluded from this that publishing a direct link to the statement on the protection of personal data on the website (which is the case here) is sufficient.

46. As a result of the above, the Disputes Chamber is of the opinion that no infringement of Articles 5 (1) a) and 6 (1) GDPR was committed by the defendant.

[10] Article 29 Working Party, "Guidelines on transparency under Regulation (EU) 2016/679", version revised and approved on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 11.
[11] Article 29 Working Party, "Guidelines on transparency under Regulation (EU) 2016/679", version revised and approved on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 17.

II.3. Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1) and (2) GDPR

Article 5(2), Article 24(1) and Article 25(1) and (2) GDPR

47. The controller must comply with the principles set out in Article 5 of the GDPR and be able to demonstrate this. This follows from the accountability obligation as set out in Article 5, paragraph 2 in conjunction with Article 24(1) GDPR. On the basis of Articles 24 and 25 GDPR, each controller takes the appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing takes place in accordance with the GDPR.

48. In its inspection report, the Inspectorate establishes that Articles 5, 24, paragraph 1, and 25, paragraphs 1 and 2 GDPR were violated. As part of its investigation into accountability, the Inspectorate forwarded the following question to the defendant: "Please demonstrate using documents in accordance with Articles 5, 6, 24 and 25 of the GDPR that your organization has taken appropriate technical and organizational measures to ensure compliance with data protection principles, such as minimum data processing, in the context of the asset investigation abroad mentioned in the complaint".
49. The defendant formulated a reply in which, according to the Inspectorate, an explanation is given about the security measures taken, in the context of which various attachments were also provided. The Inspectorate establishes in its report that security measures are related to integrity and confidentiality, as included in Article 5(1)(f) GDPR, but that the defendant does not clarify how the other principles of Article 5(1) of the GDPR are guaranteed. In addition, the Inspectorate concludes that certain elements are not specifically explained by the defendant. These concern, among other things: whether and, if so, how the highest management level of the defendant follows up on the agreements on security measures in reports and team meetings; whether and, if so, how the data protection officer of the defendant is involved in preparing and following up security measures; whether and, if so, how breaches of the code of ethics for members of the board of directors are effectively sanctioned by the defendant; when the analysis of the technical infrastructure of the defendant was carried out and what concrete measures the defendant took after it had taken cognizance of that analysis; and, finally, how compliance with the aforementioned security measures is generally monitored by the defendant and how infringements are effectively sanctioned. Consequently, the Inspectorate comes to the determination of a breach of Article 5, Article 24(1) and Article 25(1) GDPR.

50. In its submissions, the defendant disputes that finding.
It argues that it assumed it had to demonstrate which technical and organizational measures it took with the help of the documents it had to prepare, such as, for example, the register of processing activities, the processing agreement concluded with the processor of the personal data during the foreign asset investigation, and other documents proving that it has taken appropriate technical and organizational measures in the context of the foreign asset investigation. The defendant regrets that the Inspectorate found all the principles of Article 5(1) of the GDPR to have been violated because of a misunderstanding by the defendant of one of the Inspectorate's questions. The defendant argues that the findings of the Inspectorate are based on an incorrect interpretation of the research question by the defendant. In its submissions the defendant therefore provides more information regarding compliance with the principles of Article 5, paragraph 1 GDPR.

51. The Disputes Chamber states that the Inspectorate, as the investigative body of the GBA, investigates complaints about and serious indications of violations of European and Belgian legislation on personal data, including the GDPR. One of the ways in which the investigation is conducted is to obtain all useful information and to have documents provided. This option allows the controllers and/or processors to explain and demonstrate which measures have been taken to comply with applicable law. [12]

52.
In the context of the examination of compliance with the fundamental principles and the accountability as set out in Article 5 of the GDPR, the Inspectorate put a general question to the controller that reads as follows: "Please demonstrate using documents in accordance with Articles 5, 6, 24 and 25 of the GDPR that your organization has taken appropriate technical and organizational measures to ensure compliance with data protection principles, such as minimum data processing, in the context of the asset investigation abroad mentioned in the complaint".

53. In the present case, the defendant provided a detailed reply to the controller, in which it indeed sets out the security measures taken. However, the Disputes Chamber reads in the inspection report that the answer formulated by the defendant was not sufficient for the Inspectorate. In this case, as explained above, the Inspectorate is of the opinion that certain information, which is essential for the Inspectorate to come to a good assessment, is missing. Consequently, it was ruled by the Inspectorate that there was a violation of Article 5, Article 24(1) and Article 25(1) and (2) GDPR.

[12] Charter of the Inspectorate, August 2022, can be consulted online via https://www.dataprotectionauthority.be/publications/charter-van-de-informatiedienst.pdf

54. The Disputes Chamber states, however, that an investigation by the Inspectorate should be conducted in a loyal manner. If the response from the controller is not sufficient for the Inspectorate, it falls to the Inspectorate, in the context of a loyal investigation, to clarify on which points more information is requested. This can be done, for example, by asking more specific questions about a certain topic or by requesting specific documents or information. After all, it is not always easy for the controller to formulate a comprehensive answer to a question put in such general and broad terms.
If the Inspectorate has asked more specific questions or has requested concrete documents and the controller has not been able to provide the requested information, it is up to the Inspectorate to report a breach of accountability as set out in Article 5(2) and Article 24(1) of the GDPR. The Disputes Chamber notes in this regard that the Inspectorate has not asked any additional questions about specific subjects or that no specific documents were requested in order to come to a good assessment of the case. The Disputes Chamber therefore also establishes that the inspection investigation was not conducted in a loyal manner with regard to this finding. Consequently, the Disputes Chamber comes to the conclusion that, on the basis of the investigation report, it cannot be decided that there was a violation of Article 5, paragraph 2, Article 24, paragraph 1 and Article 25, paragraphs 1 and 2 GDPR.

Article 5(1) GDPR

55. As stated above, the defendant explained how it complies with the fundamental principles of the GDPR. The Disputes Chamber notes that, based on the answer provided by the defendant in the context of the investigation, the Inspectorate determines that there is a violation of all basic principles with regard to the protection of personal data as defined in Article 5(1) of the GDPR. Although Article 5(1) and (2) GDPR are closely related, a breach of the accountability obligation of Article 5(2) of the GDPR does not automatically entail a violation of Article 5 (1) GDPR. After all, accountability is the formal externalization that serves to demonstrate, with documents, compliance with the substantive basic principles of the GDPR.

56. In its submissions, the defendant explained how the processing operations do meet the basic principles of Article 5 (1) GDPR. These are briefly summarized below.

57. The defendant argues that it does comply with the principle of propriety and transparency.
It processes the following personal data in the context of the asset investigation: name and first name of the tenant, date and place of birth, national register number (if applicable and available), date and place of marriage (if applicable and available), the file number and elements of the social investigation. The defendant obtains this personal data either because it is legally obliged to request it (Article 68 of the Flemish Housing Code), or because it receives this data from Z (file number and elements of the social inquiry). This was also confirmed by case law. [13] For the legality of the legal basis, the Disputes Chamber refers to what was explained in section II.2. With regard to the principle of transparency, the defendant argues that, before the commencement of the foreign asset investigation, it reported, in clear language adapted to the target group, in this case residents of social homes, that the data would be used for a foreign asset investigation. This information was included in the privacy statement on the website and then in the warning letter. With regard to the principle of transparency, the Disputes Chamber establishes that the relevant passage from the privacy statement reads as follows:

The warning letter sent by the defendant on July 29, 2020 is also in clear intelligible language:

[13] See, among other things, Justice of the Peace Hamme, June 6, 2019, Rent 2020/1, 57.

58. As already stated, the privacy statement was accessible via a direct link on the website and drafted in clear language. The warning letter sent to the complainants on July 29, 2020 is also written in sufficiently clear language. In view of the above, the Disputes Chamber concludes that there is no violation of Article 5(1)(a) GDPR.

59.
The Disputes Chamber recalls that in accordance with Article 5(1)(b) GDPR personal data may only be collected and processed for specified, expressly defined and justified purposes. When the data is later used for another purpose, that new purpose must be compatible with the original collection purpose. With regard to Article 5(1)(b) GDPR, the defendant argues that the purpose of the processing was established and determined ab initio, since the privacy statement explicitly states that personal data can be passed on to private bodies for checking the above-mentioned registration and admission requirements. The purpose is also expressly described in the privacy statement, according to the defendant. To be a justified purpose, this purpose must be related to the activities of the controller, i.e. the defendant. In this regard, the defendant refers to Article 52 of the Framework Decree, being checking compliance with the registration and admission requirements in the context of social housing.

60. On the basis of the defendant's documents, the Disputes Chamber finds that the personal data were collected for the purpose of enabling administrative registration on the waiting list and possible allocation of social housing. The privacy statement (see marginal 56) clearly states that the defendant is charged with a task of general interest, namely the use of scarce government resources to allocate social housing to the most vulnerable. To that end, the defendant can charge private bodies with investigations into immovable assets abroad, as is also included in the privacy statement. This check on the fulfillment of the registration and admission conditions is inherently connected with the task in the general interest of the defendant, as regards the implementation of the right to decent housing, especially for the most deprived.
Given the above, the Disputes Chamber concludes that there has been no violation of Article 5(1) b) GDPR.

61. The principle of minimum data processing as set out in Article 5(1)(c) GDPR states that the personal data processed must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It follows that the data may only be processed if the purpose of the processing cannot reasonably be accomplished in another way. As to the principle of "minimum data processing", the defendant argues that the purpose, the data and the processing are all proportional.

62. Recital 39 of the GDPR states that personal data may only be processed if the purpose of the processing cannot reasonably be achieved in any other way. On the basis of the documents in the file, the Disputes Chamber determines that the defendant processed the following data in the context of the foreign asset investigation: surname and first name, date of birth, place of birth, national register number (Belgian or of the home country, if applicable), date and place of the marriage (if applicable and available) and any elements of the investigation of the Supervision Service that led to the transmission of the file (suspicion of foreign real estate). From the documents, the Disputes Chamber understands that the defendant did not immediately proceed with a foreign asset investigation. The complainants first signed a declaration on honor at the start of the lease; furthermore, the complainant has the legal obligation, as regards any acquisition of immovable property,
to report it to the landlord during the current tenancy agreement, in this case the defendant; subsequently, the defendant transferred a warning letter to the complainants on July 29, 2020, in which, on the one hand, the foreign asset investigation is announced and, on the other hand, the possibility is given to report immovable property in order to reach an amicable settlement. Finally, the defendant is to conduct an exploratory investigation first. Only when there are serious indications or suspicions of foreign immovable property will a foreign asset investigation be carried out, as was the case in the present case. Since the defendant does not have the necessary resources or expertise to conduct investigations, it is not excessive to have recourse to a specialized firm. In view of the above, the Disputes Chamber concludes that there is no violation of Article 5(1)(c) GDPR.

63. Pursuant to Article 5(1)(d) GDPR, the controller must take all reasonable measures to ensure that the data is correct and up to date. Data that are not (or no longer) correct must be deleted or corrected. The defendant argues that it has drawn up an internal policy together with its data protection officer, with guidelines for its employees who come into contact with personal data. The agenda of the defendant's team meeting of October 19, 2021 shows that this internal note was discussed together with other points regarding the GDPR. The Disputes Chamber concludes that there has been no violation of Article 5(1)(d) GDPR.

64. The Disputes Chamber recalls that, pursuant to the principle of storage limitation (Article 5(1)(e) GDPR), data may not be stored for longer than is necessary for the purpose of the processing. When the data is no longer necessary, it is destroyed or erased.
The defendant points out that the register of processing activities provides a detailed overview of the retention periods of the categories of personal data it processes. In addition, Article 10 of the processing agreement with Z that it contains all personal data received and processed with regard to the foreign asset investigation when the processing agreement comes to an end, i.e. May 31, 2022 (subject to extension). Contrary to the complainant's contention, the defendant therefore does not admit that it violated the principle of storage limitation. In view of the above, the Disputes Chamber concludes that there has been no violation of Article 5(1)(e) GDPR.

65. Article 5(1)(f) of the GDPR prescribes that “[personal data] are processed, by taking appropriate technical or organizational measures, in such a way that appropriate security is ensured, and that they are protected, among other things, against unauthorized or unlawful processing and against accidental loss, destruction or damage”. In this context, the defendant explained in its conclusions how it has taken various measures independent of the processing activities in the context of the foreign asset investigation, such as informing its employees about the security measures to be observed (such as password use, two-factor identification, internal policies regarding the treatment of personal data). Furthermore, the defendant explains that the directors must sign an ethical code whereby they commit themselves to secrecy of personal data and confidential company data. The defendant then states a series of measures taken after an analysis of the technical infrastructure by an independent company. This includes: creating offline and online backups of the processed personal data, firewall installation, antivirus and anti-malware software, a password policy with regular password changes, and disabling all default user accounts.
This independent company carries out periodic checks regarding the security of the IT infrastructure. The processing agreement also determines which measures the processor must take with a view to security, such as regular renewal of passwords and access codes, pseudonymisation and encryption of personal data, internal audit procedures for assessment of the security measures taken, a confidentiality clause for the employees concerned, etc. From the above, the Disputes Chamber concludes that there is no infringement of Article 5(1)(f) GDPR.

66. The Disputes Chamber states again that in the present case it is disproportionate to find a violation of Articles 5, 24(1) and 25(1) and (2) GDPR on the basis of a general question in the context of accountability, to which the defendant replied, without further follow-up questions from the Inspectorate. It is for the Inspectorate to determine a possible shortcoming with regard to Article 5(1) GDPR on the basis of a fair investigation of the defendant.

67. Since the Inspectorate does not demonstrate how the defendant has violated the fundamental principles of Article 5, including accountability, and the defendant explains in detail in its claims to what extent it does comply with these principles, the Disputes Chamber concludes that no infringement of Articles 5, 24(1) and 25(1) and (2) GDPR was committed by the defendant.

II.4. Article 28, paragraphs 2 and 3 GDPR

68. Pursuant to Article 28(2) of the GDPR, the processor does not employ another processor without prior specific or general written consent of the controller. In the event of general written consent, the processor informs the controller about intended changes concerning the addition or replacement of other processors, whereby the controller is given the opportunity to object to these changes.

69.
Article 28(3) of the GDPR provides that processing by a processor is governed by an agreement or other legal act under Union or Member State law which binds the processor towards the controller, and in which the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the rights and obligations of the controller are described. That agreement or other legal act provides in particular that the processor:
• processes the personal data only on the written instructions of the controller, including with regard to the transfer of personal data to a third country or an international organization (unless it is legally obliged to do so);
• ensures that access to that data is restricted to authorized persons. These persons must be bound by secrecy on the basis of an agreement or a legal obligation;
• maintains at least the same level of data security as the controller does;
• provides the controller with all possible support in fulfilling its obligations with a view to answering requests regarding the rights of data subjects;
• assists the controller in fulfilling its obligations in the field of security of personal data and the obligation to report data leaks;
• after termination of the agreement between the controller and processor, deletes the personal data processed on behalf of the controller or returns it to the controller, and deletes existing copies;
• makes available to the controller all information that is necessary to demonstrate that the obligations under the Regulation around the deployment of a processor are complied with and that is necessary to make audits possible;
• makes agreements with regard to sub-processors.

70.
In its investigation, the Inspectorate establishes that there has been an infringement of Article 28(2) and (3) of the GDPR, as the following elements are missing in the processing agreement between the defendant and the processor:
- The signature of the director representing the defendant; only the signature of the director of the processor is in the processing agreement;
- The date on which the processing agreement starts. Page 10 of the processing agreement states “October 14, 2020”, but it is not clear whether that is also the start date;
- A description of the duration of the processing;
- A description of the type of personal data and the categories of data subjects and the nature of the processing; and
- A prior specific or general written consent of the defendant to the processor to hire other processors. Despite the lack of any provision in this regard, the processor has engaged a processor in Turkey.

71. The defendant does not dispute those findings. It states that, after receiving the inspection report, it immediately gave instructions to terminate the processing agreement which it uses for the carrying out of wealth investigations by private companies and to elaborate and insert the cited elements. The defendant argues that at this time the processor no longer conducts asset investigations for the benefit of the defendant, nor does the defendant transfer any personal data to the processor. The defendant attaches to its claims a modified template of the processing agreement that will be used in any future foreign asset investigations.

72. The Disputes Chamber rules that the processing agreement that was transferred by the defendant is incomplete, as established in the Inspection Report. In its conclusions the defendant states that it no longer conducts foreign asset investigations, but that it uses the revised template of the processing agreement, in accordance with the inspection report.
The Disputes Chamber finds that the defendant has made efforts to implement the processing agreement in accordance with the requirements of Article 28(2) and (3) GDPR.

73. Despite the corrective measures, the Disputes Chamber finds that the processing agreement on the basis of which the foreign asset investigation was performed did not meet the requirements of Article 28(2) and (3) GDPR, as a result of which there was an infringement of Article 28(2) and (3) GDPR, but that this has been remedied in the meantime.

II.5. Articles 44, 46, 24(1) and 5(2) GDPR

74. When personal data is transferred to countries outside the European Union, there is a transfer of personal data. For the passing on of data to countries outside the European Union, the GDPR states that this is only allowed if the level of protection provided by the GDPR is not undermined. This is the case if the country outside the European Union has an adequate level of data protection or provides additional guarantees on the transmission of data. If the European Commission has not made an adequacy decision, appropriate safeguards must be put in place to provide a sufficiently high level of protection.

75. With regard to the transfer of data to Turkey, the Inspectorate notes that the defendant has infringed Articles 44, 46, 24(1) and 5(2) of the GDPR, as the defendant has failed to demonstrate what measures it and Z have taken to comply with Articles 44 and 46 GDPR when transferring personal data to Turkey and to comply with the Schrems II judgment.
The Inspectorate comes to the conclusion that the Turkish law on the protection of personal data provides an exemption for the processing of personal data within the framework of preventive, protective and intelligence activities conducted by public institutions and organizations that are authorized and designated by law for national defense, national security, public safety, public order or economic security. The processing agreement between Z and its Turkish partner would not provide sufficient additional guarantees to ensure an adequate level of protection of the transferred personal data.

76. First, the defendant argues that it is not the exporter of these personal data to Turkey as part of the asset investigation. It is Z who receives the data from the defendant, but who in turn passes it on to its partner in Turkey, who then uses this data to make the necessary searches in the public registers.

77. The Disputes Chamber does not follow this reasoning. Article 4(7) GDPR defines “controller” as the “natural or legal person, government agency, agency or other body which, alone or jointly with others, determines the purpose of and the means of processing personal data”. It is also the defendant, as a social housing company, which determines the purpose and the means, as it has transferred the personal data to Z as a processor for the purpose of conducting a foreign asset investigation in Turkey. In other words, the Disputes Chamber comes to the conclusion that the defendant must be qualified as controller, including with regard to the transfer to Turkey. As a controller, it is its duty to verify that this transfer will take place in a manner that is in accordance with the obligations in the GDPR in this regard. This obligation also applies if it does not carry out the transfer itself, but through an appointed processor, as is the case in the present case.
If the controller determines that this transfer by the processor cannot take place in accordance with the GDPR, it may not transfer these personal data to the processor.

78. In the event that the defendant were nevertheless classified as a controller, it submits in the alternative that, for the transfer of personal data, it relies on Article 49(1)(d) GDPR. In the context of the assessment of the transfer of personal data to Turkey, the Disputes Chamber refers to Recommendation 1/2020 of the European Data Protection Board (hereinafter: “EDPB”). To help exporters with the complex task of assessing the data protection of third countries and, where necessary, adopting appropriate additional measures, the EDPB has provided a roadmap.[14]

Step 1: familiarity with the transfers

79. First of all, it is important for the exporter to be aware of the personal data that are passed on, for example by relying on its processing register. The defendant acknowledges in its claims that the processing register was not yet ready at this point. However, the EDPB does not determine how the exporter must comply with this step, but only formulates suggestions. The defendant argues in its conclusions that the categories of personal data that were transferred were included in the processing agreement, so that there was a good overview of the relevant personal data that were the subject of the transfer.

Step 2: determination of the relevant instrument of transfer

80. Secondly, the exporter must determine which transfer instrument from Chapter V of the GDPR it uses.

81. The Disputes Chamber recalls that the transfer of data to a third country, in the absence of an adequacy decision by the European Commission under Article 45 GDPR, is only possible if the controller or processor has provided appropriate safeguards, and provided that enforceable rights and effective remedies are available to the data subjects (Article 46 GDPR).
In the absence of a decision declaring the level of protection adequate pursuant to Article 45(3) of the GDPR, or of appropriate safeguards pursuant to Article 46 GDPR, a transfer or a category of transfers of personal data to a third country may take place in specific circumstances only under one of the conditions of Article 49 GDPR ("Data Protection Derogations").

82. As stated above, the defendant relies on the derogation provided for in Article 49(1)(d) GDPR. Under this Article, transfers to third countries may take place when the transfer is "necessary for important reasons of public interest". This is very similar to the provision contained in Article 26(1)(d) of Directive 95/46/EC,[15] which states that a transfer may only take place when it is necessary or legally required because of an important public interest.

[14] EDPB Recommendations 01/2020 on measures to complement transfer instruments to ensure compliance with the level of protection of personal data in the Union, dated June 18, 2021, available at https://edpb.europa.eu/system/files/2022-04/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf
[15] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection

83. In accordance with Article 49(4) GDPR, only public interests recognized in the law of the Union or in the law of the Member State to which the controller is subject qualify. The provision defining such a public interest should not be abstract. Transfer is permitted, for example, in the event of a substantial general interest that is recognized in international agreements to which the Member States are parties.[16]

84. In the present case, the transfer takes place in the context of the public interest, and more specifically the right to housing. The right to housing is recognized in a number of international human rights instruments.
Article 25 of the Universal Declaration of Human Rights recognizes the right to housing as part of the right to a decent standard of living.[17] Article 11(1) of the International Covenant on Economic, Social and Cultural Rights (ICESCR), which both Belgium and Turkey have ratified, also guarantees the right to housing as part of the right to a decent standard of living.[18] For the determination of the right to housing as a public interest in Belgian national law, reference is made to section II.2 of this decision.

85. On the basis of Article 49(1)(d) GDPR, the necessity test must be applied to assess its applicability. This necessity test requires an evaluation by the data exporter of whether the transfer of personal data can be considered necessary for the specific purpose of Article 49(1)(d) GDPR. With regard to the necessity of the transfer, the Disputes Chamber refers to section II.2 of this decision.

86. In view of the above, the Disputes Chamber concludes that the transfer of the personal data to Turkey in the context of the foreign asset investigation is legally valid on the basis of Article 49(1)(d) of the GDPR, which means that there is no infringement of Article 44, Article 46, Article 24(1) and Article 5(2) GDPR.

[15, continued] of natural persons in connection with the processing of personal data and on free movement of that data.
[16] EDPB Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679, dated May 25, 2018, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf
[17] Article 25: Everyone has the right to a standard of living adequate for the health and well-being of himself and his family, including food, clothing, housing, medical care and necessary social services, and the right to security in case of unemployment, illness, disability, widowhood, old age or other lack of livelihood in circumstances beyond his control.
[18] Article 11, paragraph 1: “The States Parties to this Covenant recognize the right of everyone to an adequate standard of living for himself and his family, including adequate food, clothing and housing, and to ever better living conditions. The States Parties to this Covenant take appropriate measures to achieve the realization of this right, recognizing the essential importance of voluntary international cooperation.”

II.6. Article 30(1) GDPR

87. Under Article 30 GDPR, each controller must keep a register of the processing activities carried out under its responsibility. Article 30(1)(a) to (g) GDPR provides that, with regard to the processing carried out in the capacity of controller, the following information must be available:
a) the name and contact details of the controller and any joint controllers and, where applicable, of the representative of the controller and of the data protection officer;
b) the processing purposes;
c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be provided, including recipients in third countries or international organisations;
e) where applicable, transfers of personal data to a third country or international organisation, including an indication of that third country or international organisation and, in the case of the transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documents regarding the appropriate guarantees;
f) if possible, the envisaged deadlines within which the different categories of data must be erased;
g) if possible, a general description of the technical and organizational security measures as referred to in Article 32(1) of the GDPR.

88.
With regard to the defendant's register of processing activities, the Inspectorate makes the following findings, as summarized below:
• There is no description of the categories of data subjects in the tab “Lists” (cf. Article 30(1)(c) of the GDPR). It is therefore unclear what words such as “staff members”, “directors”, “volunteers”, “(candidate) tenants and (candidate) buyers” mean in practice.
• The description of the categories of personal data is incomplete, since the tab “Lists” several times contains non-exhaustive lists (cf. Article 30(1)(c) of the GDPR). It is therefore unclear what words like “electronic identification data”, “electronic localization data”, “financial identifiers”, “images” and “sound recordings” mean in practice.

89. The Disputes Chamber establishes that the defendant, in its register of processing activities, provides a summary for:
- the categories of data subjects (Article 30(1)(c) GDPR), i.e. “staff members”, “directors”, “volunteers”, “(prospective) tenants and (prospective) buyers”; and
- the categories of personal data (Article 30(1)(c) GDPR), namely “electronic identification data”, “electronic location data”, “financial identifiers”, “images” and “sound recordings”.

90. The Disputes Chamber must rule on whether Article 30(1)(c) GDPR requires that a description is given of the categories of personal data and the categories of data subjects in the register of processing activities, or whether a summary may suffice.

91. The Disputes Chamber notes that Article 30(1)(c) GDPR requires that a description of the categories of data subjects and of the categories of personal data is included in the register of processing activities. Data subjects are the identified or identifiable natural persons whose data is processed (Article 4(1) of the GDPR). Regarding the categories of data, these must of course concern personal data as defined in Article 4(1) of the GDPR.

92.
The Disputes Chamber recalls the purpose of the register of processing activities. To be able to effectively apply the obligations contained in the GDPR, it is essential that the controller (and the processors) have an overview of the processing of personal data that they carry out. This register is therefore primarily an instrument to assist the data controller in complying with the GDPR for the different data processing operations it performs, because it makes the most important features of that processing visible. The Disputes Chamber is of the opinion that this processing register is an essential tool in the context of the already mentioned accountability (Article 5(2) and Article 24 GDPR) and that this register is the basis for all obligations that the GDPR imposes on the controller.

93. The Disputes Chamber notes that neither the text of the GDPR nor the objectives of the GDPR prevent an enumeration of the categories of personal data and the categories of data subjects from being included in the register of processing activities, or mean that a more detailed description would be needed.

94. With regard to the categories of recipients, the Disputes Chamber refers to a recommendation of the CPP and to doctrine stating that it is not necessary to state the individual recipients of the data, but that these can be grouped by category of recipients. Mutatis mutandis, this statement can also be applied to the categories of personal data and data subjects.

95. The Disputes Chamber points out, however, that the completion of the register of processing activities should always be evaluated on a case-by-case basis to determine whether the description or summary contained therein is sufficiently clear and specific.

96. In the present case, the Disputes Chamber finds that the enumerations included in the register of processing activities were sufficiently concrete.
According to the Disputes Chamber, there is little doubt about the meaning of the above listed elements in the context of social rent. Consequently, the Disputes Chamber concludes that there is no violation of Article 30(1)(c) GDPR. The Disputes Chamber also recalls that the register of processing activities is now up to date with regard to the international transfers, as recognized by the defendant, as a result of which there is no question of a violation of Article 30(1) GDPR.

III. Sanctions

97. On the basis of the documents in the file, the Disputes Chamber determines that there is an infringement of Article 28(2) and (3) of the GDPR. Although the defendant remedied these infringements, it is established that violations of the right to data protection have taken place. As already explained, the processing agreement is an important instrument in GDPR compliance. With the processing agreement, the controller can rely on processors who offer sufficient guarantees, in particular in terms of expertise, reliability and resources, to ensure that the technical and organizational measures comply with the rules of the GDPR, including with regard to the security of the processing.

98. When determining the sanction, the Disputes Chamber takes into account the fact that the defendant has already rectified these infringements and has provided evidence thereof. The Disputes Chamber therefore decides that, in the concrete factual circumstances of this case, a reprimand for the aforementioned infringements will suffice. The seriousness of the infringement is not such that an administrative fine should be imposed.

99.
The Disputes Chamber proceeds to dismiss the other grievances and findings of the Inspectorate because, on the basis of the facts and the documents in the file, it cannot conclude that there is a breach of the GDPR. These grievances and findings of the Inspectorate are therefore regarded as manifestly unfounded[21] within the meaning of Article 57(4) of the GDPR.

[19] Available at: https://www.dataprotectionauthority.be/publications/aanbeveling-nr.-06-2017.pdf
[20] W. Kotschy, "Article 30: records of processing activities", in Ch. Kuner, The EU General Data Protection Regulation (GDPR), a commentary, 2020, p. 621.

IV. Publication of the decision

100. In view of the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties to be disclosed directly.

FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- formulate, pursuant to Article 100, §1, 5° WOG, a reprimand with regard to the defendant for the infringement of Article 28(2) and (3) GDPR;
- dismiss all other grievances from the complaint pursuant to Article 100, §1, 1° WOG.

Pursuant to Article 108, § 1 of the WOG, an appeal against this decision may be lodged with the Marktenhof (Brussels Court of Appeal) within a period of thirty days from the notification, with the Data Protection Authority as defendant. Such an appeal may be lodged by means of an adversarial petition, which must contain the particulars listed in Article 1034ter of the Judicial Code.[22] The adversarial petition must be submitted to the registry of the Marktenhof

[21] See point 3.A.2 of the Disputes Chamber's Dismissal Policy, dated
June 18, 2021, available at https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf

in accordance with Article 1034quinquies of the Judicial Code,[23] or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).

(signed) Hielke HIJMANS
Chairman of the Disputes Chamber

[22] The petition states, on pain of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and the brief summary of the grounds of the claim; 5° the court before which the claim is brought; 6° the signature of the applicant or of his lawyer.
[23] The application with its annex, in as many copies as there are interested parties, shall be sent by registered letter to the clerk of the court or deposited at the clerk's office.
- APD/GBA (Belgium)
- Belgium
- Article 5(1)(b) GDPR
- Article 5(1)(c) GDPR
- Article 5(1)(d) GDPR
- Article 5(1)(e) GDPR
- Article 5(1)(f) GDPR
- Article 5(1)(a) GDPR
- Article 5(2) GDPR
- Article 6(1)(e) GDPR
- Article 24(1) GDPR
- Article 28(2) GDPR
- Article 28(3) GDPR
- Article 44 GDPR
- Article 46 GDPR
- Article 49(1)(d) GDPR
- Article 49(4) GDPR
- Article 57(4) GDPR
- 2022
- Dutch