APD/GBA (Belgium) - 149/2022: Difference between revisions

Latest revision as of 15:07, 2 November 2022

APD/GBA - 149/2022

Authority:	APD/GBA (Belgium)
Jurisdiction:	Belgium
Relevant Law:	Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(d) GDPR Article 5(1)(e) GDPR Article 5(1)(f) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1)(e) GDPR Article 24(1) GDPR Article 28(2) GDPR Article 28(3) GDPR Article 44 GDPR Article 46 GDPR Article 49(1)(d) GDPR Article 49(4) GDPR Article 57(4) GDPR Article 23 Constitution Article 33 Vlaamse Wooncode Vlaamse Codex Wonen
Type:	Complaint
Outcome:	Partly Upheld
Started:	27.09.2021
Decided:	18.10.2022
Published:	21.10.2022
Fine:	n/a
Parties:	n/a
National Case Number/Name:	149/2022
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Dutch
Original Source:	Gegevensbeschermingsautoriteit (in NL)
Initial Contributor:	Enzo Marquet

The Belgium DPA held that a social housing organisation could rely on Article 6(1)(e) GDPR to investigate foreign assets of data subjects and on Article 49(1)(d) GDPR for international data transfers in connection with this purpose. However, the DPA reprimanded the controller for violations of Articles 28(2) and 28(3) GDPR in a data processing agreement.

English Summary

Facts

Two data subjects submitted complaints at the Belgian DPA, stating that their personal data was unlawfully processed by a social housing organisation. The controller was responsible for verifying the eligibility criteria for social housing and was suspecting that the data subjects did not qualify for social housing, after they failed to provide clarity regarding their assets in Turkey. The controller initiated an investigation into these assets. It hired a processor, a private investigation firm, to check personal data of the data subjects. This processor also used a processor of its own, which was located in Turkey. Following the investigation, the controller determined that the data subjects did not qualify for social housing in Belgium, because they owned sufficient assets in Turkey.

After the data subjects submitted their complaint, the DPA also initiated an investigation. The investigation unit of the DPA (investigation unit) determined that the controller breached several GDPR Articles.

The data subjects stated that they were not the owners of the assets in question. They also contested the value of evidence in the reports and stated that the evidence was received illegitimately.

The district court of Lier already delivered a judgement in a case between the controller and the data subjects, which was about the termination of the rental contract. In this ruling, the district Court held amongst other things that the controller could use Article 6(1)(e) GDPR for conducting the investigation into the foreign assets. It also determined that the controller had send letters to the data subjects which remained unanswered.

Holding

Violations of Article 5(1)(a) GDPR and Article 6(1) GDPR

The DPA held that the controller did not violate Article 5(1)(a) GDPR and Article 6(1) GDPR. The DPA stated that in order to lawfully process personal data (Article 5(1)(a) GDPR), the controller needed a legal basis for processing (Article 6(1) GDPR). The investigation unit determined that the controller relied on public interest (Article 6(1)(e) GDPR).

The DPA held that the controller could only rely on Article 6(1)(e) GDPR when processing was necessary for a task in the public interest or when it is necessary for exercising public authority that has been invested in the controller. In these cases, a legal ground for processing, based in European law or national law, was required (Articles 6(1)(e) and 6(3) GDPR and recital 45).

Task in the public interest

The DPA held that the controller processed personal data within its legal obligation for a task in the public interest: the allocation of limited government funds for providing affordable housing.

Legal ground

The DPA held that in order to rely on Article 6(1)(e) GDPR, a specific, clear and predictable legal basis was required (Recital 41 GDPR). The DPA stated that the controller relied on Article 23 of the Belgian Constitution, the constitutional right to housing and an ‘internationally acknowledged right’. The DPA continued by referring to Article 33 of the Flemish Housing Code, which gave the obligation to social housing organisations to create eligibility criteria for applicants.

Based on the above, the DPA held that it was predictable that the eligibility requirements for social housing would be checked by the controller. However, the methods used for this purpose were less predictable, because the legal provision in question (Article 52 Kaderbesluit) provided a non-limited list with tools for the controller. The DPA pointed out that tasks of public interest are often based on a more general authority to act, which was the case in this decision.

Necessity of the processing

The DPA held that the processing was necesary to investigate the potential foreign assets of the data subjects as they had failed to reply to the controller's requests to provide clarity on the matter. Hence, the DPA determined that the processing was indeed necessary for the purpose of allocating limited government funds for social housing, because of the controller's understandable suspicions."

The DPA also rejected the argument of the data subjects that the controller could not rely on Article 6(1)(e) GDPR, because the privacy policy was not delivered to them. The DPA held that providing an online link to a privacy policy was sufficient, which the controller had done.

Violations of Articles 5, 24(1), 25(1) and 25(2) GPDR

The DPA held that the controller did not violate Articles 5, 24(1), 25(1) and 25(2) GPDR, because the Inspection Unit did not conduct the investigation in a ‘loyal way’. It failed to ask for further questions and more precise information when the provided information by the controller was deemed insufficient.

Violation of Articles 28(2) and 28(3) GDPR

The DPA confirmed that the controller violated Articles 28(2) and 28(3) GDPR. The investigations unit held that the data processing agreement of the controller with the processor did not contain all the necessary aspects. The controller agreed with this assessment and stated that it acted immediately after receiving the report from the investigations unit to make its processing GDPR complaint.

The DPA held that the controller breached Articles 28(2) and Article 23(3) GDPR, but that the shortcomings that caused these violations had already been fixed.

Violations of Articles 44, 46, 24(1), 24(2) and 5(2) GDPR

The DPA determined that controller did not violate Articles 44, 46, 24(1) and 5(2) GDPR, in contrast with the investigation unit. The controller stated that it did not transfer personal data to Turkey, because it was the processor which provided personal data to - and received personal data from its Turkish processor. The DPA disagreed. It confirmed that the controller was in fact the controller (Article 4(7) GDPR) and that it was the controller's responsibility to ensure its processing was GDPR compliant, including processing of its processor.

The controller also stated that it could rely on the exception of Article 49(1)(d) GDPR for important reasons for public interest. The DPA accepted this argument and held that under Article 49(4) GDPR, only public interests can be used that are recognised in EU law or in member state law. This public interest cannot be too abstract. The DPA determined that the controller provided social housing for the public interest of the right to housing. This right is internationally recognised in several international treaties (UDHR and ICESCR), ratified by both Belgium and Turkey. The DPA also repeated that the right to housing was provided in Belgian law.

The DPA also determined that the processing by the controller passed the necessity requirement of Article 49(1)(d) GDPR. The DPA referred to its necessity assessment earlier in the decision.

Violation of Article 30(1) GDPR

The DPA held that the controller did not violate Article 30(1)(c) GDPR . The investigation unit had determined that the registry of the controller was not specific enough in describing the categories of personal data and data subjects, but the DPA disagreed. The DPA held that whether or not the registry is clear and detailed enough should be assessed on a case to case basis. The DPA held that in this case, the registry was specific enough and that the elements in the registry left little room for different interpretations in the context of social housing.

The DPA determined violations of Articles 28(2) and 28(3) GDPR and reprimanded the controller (Article 100, §1, 5° WOG). All other determined violations by the investigation unit were deemed unfounded (Article 57(4)GDPR).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/30

Dispute room

Decision on the merits 149/2022 of 18 October 2022

File number: DOS-2021-06293 and DOS-2021-06884

Subject : Sharing personal data concerning tenants of social housing in

in the context of an asset investigation

The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs Frank De Smet and Dirk Van Der Kelen, members.

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

In view of the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter WOG;

Having regard to the internal rules of procedure, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on
January 15, 2019;

Having regard to the documents in the file;

Has made the following decision regarding:

The complainant: Mr X1 and Mrs X1, hereinafter: complainant 1

Mr X2 and Mrs X2, hereinafter: complainant 2

all represented by mr. Rahim Aktepe, with office in 2000
Antwerp, Amerikalei 95

hereinafter collectively referred to as “the complainant”;

Defendant: Y, represented by Mr. Myrthe Maes, Mr. Nele Somers and Mr. Thomas

Bronselaer, with office in 2000 Antwerp, Amerikalei 79, box 201,

hereinafter referred to as “the Defendant”. Decision on the merits 149/2022 - 2/30

I. Facts procedure

1. The subject of the complaint concerns the communication of personal data of social

tenants to third parties in the context of a foreign asset investigation.

2. Complainant 1 and complainant 2 serving on 27 September 2021 and 22 October 2021 respectively

lodge a complaint with the Data Protection Authority against the defendant.

3. On October 1, 2021 and January 5, 2022 respectively, the complaints will be handled by the

First-line servicedeclaredadmissibleunderarticle58and60WOGenbe

they have been transferred to the Disputes Chamber pursuant to Article 62, § 1 WOG.

4. On 27 October 2021 and 17 January 2022 respectively, in accordance with Article 96,

§ 1 WOG the request of the Disputes Chamber to conduct an investigation

submitted to the Inspectorate, together with the complaint and the inventory of the documents.

5. The inspections will be completed by the Inspectorate on February 15, 2022

bothreportsattachedtothefileandthefilesbecomebytheinspector-general

submitted to the Chairman of the Disputes Chamber (Article 91, § 1 and § 2 WOG).

The report prepared in relation to complainant 1 contains findings with
relating to the subject matter of the complaint and decides that:

1. there is no infringement of Article 5(1)(a) and (2) GDPR, Article 6(1) GDPR

with regard to the principle of legality;

2. there is an infringement of Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1)

and 2 GDPR with regard to the principles of fairness and transparency,

purpose limitation, minimal data processing, accuracy, storage limitation and integrity
and confidentiality;

3. there is an infringement of Article 28(2) and (3) GDPR; and

4. there is an infringement of Articles 44, 46, 24(1) and 5(2) GDPR for what

concerns the transfer of personal data to Turkey.

The report prepared in relation to complainant 1 also contains findings that

go further than the object of the complaint. In general terms, the Inspectorate establishes that:

1. there is an infringement of Article 30(1) GDPR due to non-compliance with

various obligations regarding the register of processing activities.

6. The report prepared in connection with complainant 2 concurs with the findings

of the first report. Reference will therefore be made in this decision to the first

report as the Inspection Report. Decision on the merits 149/2022 - 3/30

7. On February 21, 2022, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98

WOG that both files are ready for treatment on the merits. The Disputes Chamber states

for the parties to merge both businesses. Also on February 21, 2022 was allowed

the Disputes Chamber has received the agreement to merge the two parties.

8. On February 21, 2022, the parties concerned will be notified by registered letter

of the provisions as stated in article 95, § 2, as well as of these in article 98 WOG.

They are also informed, pursuant to Article 99 of the WOG, of the deadlines to

to file defences.

As regards the findings relating to the subject matter of the complaint, the

deadline for receipt of the defendant's response

recorded on April 4, 2022, this for the conclusion of the reply from the bearing on April 25, 2022

and finally that for the defendant's reply on 16 May 2022.

The latest date for receipt of the defendant's response for

with regard to the findings outside the draft of the complaint, it was set at 4

Apr 2022.

9. On February 21, 2022, the complainant electronically accepts all communication regarding the case.

10. On March 8, 2022, the defendant requests a copy of the file (Article 95, §2, 3° WOG),
which was transferred to her on March 23, 2022.

11. On March 8, 2022, the defendant electronically accepts all communications regarding the case

and expresses its wish to make use of the opportunity to be heard,
in accordance with article 98 WOG.

12. On April 4, 2022, the Disputes Chamber will receive the statement of defense from the

the defendant with regard to the findings relating to the subject-matter of the

complaint, as well as the findings outside the subject of the complaint. The defendant argues that
the processing in its head constitutes a lawful data processing. Second

the defendant argues that the data processing in question is a correct and permissible

data processing, whereby all the basic principles of Art. 5 (1) GDPR are applied

respected and that she can also demonstrate this. Third, the defendant denies the

determinations of the Inspectorate regarding the processing agreement, but states

that it has eliminated these infringements. Fourth, the defendant argues that the
transfer of personal data to Turkey has taken place in a lawful manner.

Finally, the defendant argues that the register of processing activities was

updated to comply with the Inspectorate set

shortcomings.

13. On April 22, 2022, the Disputes Chamber will receive the conclusion of the complainant's reply, in which

an overview is given of the previous procedure conducted by the complainant with regard to Decision on the merits 149/2022 - 4/30

of the defendant before the justice of the peace. The complainant disputes the legality of the

data processing, and the complainant states that the data processing is not

has taken place in accordance with the fundamental principles of Article 5(1) of the GDPR.
With regard to the determinations regarding the processing agreement, the transfer of

personal data to Turkey and the register of processing activities, the complainant closes

adhere to the findings of the Inspectorate.

14. On May 18, 2022, the Disputes Chamber will receive the statement of reply from the defendant
with regard to the findings with regard to the subject matter of the complaint. In here

the defendant repeats its views from the statement of defense.

15. On August 10, 2022, the parties will be notified that the hearing will
take place on September 22, 2022.

16. On September 22, 2022, the parties will be heard by the Disputes Chamber.

17. On September 23, 2022, the minutes of the hearing will be sent to the parties

submitted.

18. On September 29, 2022, the Disputes Chamber will receive some

comments with regard to the official report, which it decides to include in

her deliberation].

19. The Disputes Chamber does not receive any comments with regard to the official report

because of the complainant.

II. Justification

II.1. Jurisdiction of the Dispute Chamber

20. In his conclusions, the bearing states in his first three pleas that they do not own

a property in Turkey, they dispute the evidential value of the investigation reports

that have been drawn up by Z in the context of the foreign asset research, and finally

the complainant discusses the doctrine of the illegally obtained evidence.

21. However, the Disputes Chamber is only authorized to judge whether the foreign

asset investigation has taken place in accordance with the GDPR. The

the above resources do not belong to the jurisdiction of the Disputes Chamber and were

already assessed by the justice of the peace van Lier (see below). So these arguments will
not be the subject of the proceedings before the Disputes Chamber.

II.2. Article 5 (1) a) GDPR, Article 6 (1) GDPR

22. The Inspectorate determines that the defendant has fulfilled the obligations imposed by
Article 5 (1) a) and (2) GDPR and Article 6 GDPR with regard to the principle Decision on the merits 149/2022 - 5/30

regarding legality. Based on the answers obtained from the defendant during

the investigation, the Inspectorate follows the defendant's assertion that it invokes

the legal basis from article 6, paragraph 1, e) AVG (necessity for the fulfillment of a task

of general interest).

23. The basic principle of article 5, paragraph 1, a) GDPR is that personal data only in a lawful manner

may be processed. This means that a legal ground for processing

personal data as referred to in Article 6(1) of the GDPR must be present. In further

elaboration of this basic principle, Article 6(1) of the AVG states that personal data may only be
are processed on the basis of one of the legal grounds listed in the article.

24. The complainant disputes the findings of the Inspectorate and argues that the defendant

wrongly invokes article 6, paragraph 1, e) AVG. In addition, the lower claims that the defendant

Nor can it rely on any other legal basis, such as consent (Article 6,
paragraph 1, a) GDPR).

25. To legally rely on the legal basis of Article 6(1) e) GDPR

personal data may only be processed if this is necessary for the fulfillment
of a task in the public interest or if it is necessary for the performance of the

public authority entrusted to the person responsible. The processing must take place in this

cases always have a basis in the law of the European Union or that of the

Member State concerned, which must also state the purpose of the processing. There must therefore

it will be checked whether the conditions set out in that article have been met in this case.

26. Pursuant to Article 6(3) and Recital 45 of the GDPR, processing on the basis of

Article 6 (1) e) GDPR meet the following conditions:

a. The controller must be charged with the fulfillment of a
mission in the public interest or an order that is part of the

exercise of public authority on a legal basis, irrespective of

whether it is in the law of the European Union or in the law of the Member States

contained;

b. The purposes of the processing are established on the legal basis or must be

are necessary for the performance of the assignment in the public interest or the

exercise of public authority.

27. The Disputes Chamber will determine the conditions of general interest, legal basis and

necessity below.

Public interest task

28. The public interest task in question relied on by the defendant is control

on the registration and allocation conditions in the context of social housing in order to Decision on the merits 149/2022 - 6/30

to rent out homes to tenants who are not self-sufficient in their housing needs

can provide. As also confirmed by the justice of the peace of the canton of Lier who has already

has ruled in this case with regard to the termination aspects

of the lease, social housing companies are subject to the legal

obligation to check whether their (prospect) tenants meet the applicable conditions

both at the start and during the entire term of the rental agreement.

After all, social housing is reserved for vulnerable people who cannot afford it themselves

meet their housing needs without assistance. Given the limited availability

government budgets, the social rental housing should belong to those persons who

are most in need of housing. 1

29. It is clear to the Disputes Chamber that the defendant by processing in the context

fulfills the public interest of its legal task, being a meaningful use of

limited government resources by allocating social housing to persons who

are most in need of housing. The defendant therefore rightly argues that the processing may be
2
be based on Article 6 (1) e) of the GDPR. The complainant's consent is

therefore not required for the processing to be lawful, especially since this legal basis

for legality is not relied upon by the defendant.

A clear, precise and predictable legal basis

30. According to Recital 41 of the GDPR, this legal basis or legislative measure

be clear and precise and their application must be for litigants

predictable, in accordance with the case law of the Court of Justice of the

European Union and the ECHR. In the Rotaru judgment 3 the ECtHR used the concept

predictability of the legal basis. As the case concerned

on surveillance systems of a state's security apparatus, the context of

the present case. In other cases, the ECtHR has indicated that it

may be guided by these principles, but it believes that these criteria, which are set out in the

specificcontextofthatconcretecasearedeterminedandfollowedsonotassuchon

all cases apply.

31. It is apparent from the form of order sought by the defendant that it relies on its mission as a social worker

housing company to implement Article 23 of the Constitution in which

1T. VANDROMME, Definition of terms in B. HUBEAU and A. HANSELAER, Social Rent, Bruges, die Keuren, 2010, p. 24.

2See in this sense also T. VANDROMME, Professional judge also allows proof of immovable foreign property by a private firm,
De Juristenkrant, January 27, 2021 and a.o.
3EHRM, May 4, 2000, Rotaru t. Romania.

4EHRM, September 2, 2010,Uzun t. Germany, § 66. Judgment on the substance 149/2022 - 7/30

5
the right to decent housing. The defendant hereby

implementation of the internationally recognized right to decent housing.

32. On the basis of article 33 of the Decree containing the Flemish Housing Code (hereinafter: “Flemish

Housing Code”), the social housing companies serve, among other things, the

improve the living conditions of families and single persons in need of housing,

especially of the most needy families and singles, by taking care of a

sufficient supply of social rental housing and social housing for sale. This matters

resulted in the Flemish Government having laid down various conditions that

(candidate) tenants must comply, so that the most needy to live

assigned housing.

33. In order to qualify for social rent, the potential tenant must therefore include:

meet the registration conditions from Article 3 of the Decree of the Flemish

Government to regulate the social housing system in implementation of Title VII of the

Flemish Housing Code (hereinafter: Framework Decision) including:

“Article 3 § 1. A natural person can be registered in the register stated in

Article 7, if he meets the following conditions:

[…]

3°he, together with his family members, has no house or plot intended for

housing that is fully owned or fully usufruct in domestic or

abroad, unless it concerns a camping stay located in the Flemish Region;

[…].”

34. The investigation into compliance with the conditions and obligations for social housing

is governed by Article 52 of the Framework Decision:

“Article 52 § 1. The reference person gives the lessor, through his application for

registration in the register, his registration as a prospective tenant or his tenantship, the

permission to submit to the competent authorities and institutions and to the local authorities the

necessary documents or information regarding the requirements set out in this Decree

conditions and obligations, while maintaining the application of the

provisions of the law of 8 December 1992 on the protection of personal data

privacy with regard to the processing of personal data, its

5Article 23: “Everyone has the right to lead a life with dignity […] Those rights include in particular […] 3° the right
on decent housing […]”
6
Decree containing the Flemish Housing Code of 15 July 1997, BS 19 August 1997.
7Decree of 12 October 2007 of the Flemish Government regulating the social rental system in implementation of
Title VII of the Flemish Housing Code, BS 7 December 2007. Decision on the merits 149/2022 - 8/30

implementing decrees and any other provision for the protection of personal

privacy, established by or pursuant to a law, decree or decree.

§ 2. For the implementation of the provisions of this Decree, the landlord invokes
on information provided to him by the competent authorities or institutions or other lessors

can be delivered electronically.

If no or insufficient data is obtained in this way, the candidate-

tenant or tenant is asked to provide the necessary information. If through the obtained

information from the competent authorities or institutions or other lessors shows that the
prospective tenant or tenant does not or no longer meets the conditions and

obligations of this Decree, that determination shall be communicated to the candidate

tenant or tenant who can respond within one week after the notification.

Among the competent authorities and institutions referred to in § 1 and § 2, first paragraph,

including: 1° the National Register of Natural Persons, mentioned in the law
of 8 August 1983 regulating a national register of natural persons ;2° de

social security institutions, mentioned in articles 1 and 2, first paragraph, 2°, of the law of

15January1990establishingorganizationofacrossroadsbankoftheSociale

Security and the persons to whom the social security network applies

of Article 18 of the same Act was extended; 3° the Federal Public Service

finances; 4° the Civic Integration Crossroads Bank; 5° the Houses of Dutch; 6° the
reception desks; 7° the Flemish E-government coordination cell; 8° the organizations and the

institutions, mentioned in article 4, first paragraph, including the policy domain Education

and Formation of the Flemish Community.

35. From analysis of the above, it is therefore predictable that compliance with the

enrollment conditions can be controlled by social
housing companies such as the defendant both at the start and throughout the

duration of the lease.

36. The way in which this check will take place is less predictable as the aforementioned

Article 52 of the Framework Decision contains a non-exhaustive list (“among other things”)
which allows the landlord to use various instruments that are not included in this

article are included.

37. The Disputes Chamber has already pointed this out in decision 124/2021 dated. 10
November 2021 that tasks of general interest or public authority with which

controllers are charged, often not based on accuracy

defined obligations or legislative standards that meet the requirements listed under

marginal 29 et seq., more specifically the recording of the essential characteristics of the

data processing. Rather, processing takes place on the basis of a more general Decision on the merits 149/2022 - 9/30

authorization to act, such as for the performance of the task necessary, such as

is also the case in this case. This results in the relevant legal basis in practice

often does not contain any concretely defined provisions regarding the necessary

data processing. Controllers who, on the basis of such

wish to rely on Article 6 (1) e) of the GDPR for a legal basis

balancing the necessity of the processing for the task of general

interests and the interests of those involved.

38. Unnecessarily, the Disputes Chamber points out that since 1 January 2022, the Flemish

legislator has acted to provide a new legal basis for the

processing of personal data in the context of a foreign asset investigation.

To the Codified Decree on the Flemish housing policy (hereinafter: Flemish Codex
8
housing), Articles 6.3/1 and 63/2 were added, which now explicitly provide that social
housing companies to private research agencies personal data

pass on in the context of a foreign asset investigation. These articles read as

follows:

Article 6/3.1 of the Flemish Housing Code:

§ 1. For the purposes of this book, personal data is processed for the following

purposes:

1° check whether the conditions and obligations of this book have been met and that the

Flemish Government determines in accordance with this book;

[…]

§ 2. The controllers, referred to in Article 4, 7) of the general

Data Protection Regulation are:
1° the lessor, with regard to the processing that he takes care of;

[…]

§ 3. Pursuant to paragraph 1, the following categories of

personal data is processed:

1° identification data;

2° the national register number and the social security identification numbers;

3° personal characteristics;

4° family composition;
5° financial details;

6° data on immovable rights;

7° data of students of Dutch as a second language (NT2);

8° housing characteristics;

9° profession and position;

8 Codified Decree on the Flemish housing policy, codified on 17 July 2020, BS 13 November 2020. Decision on the merits 149/2022 - 10/30

10° data from social research;

11° living habits;

12° judicial information about the termination of the rental agreement due to the

causing serious nuisance or serious neglect of social housing;
13° data on physical or psychological health;

14° education and training;

15° details of the lease that has been terminated by the landlord.

16° consumption data.

[…]

§ 6. The controller, referred to in paragraph 2, 1° and 2°, may

transfer personal data under the following conditions:

1° […];
2° the personal data, mentioned in paragraph 3, first paragraph, 1°, 2°, 3°, 8° and 10°, to the

private partners designated by the Flemish Government in accordance with Article 6.3/2, second paragraph, for

the investigation of the immovable property abroad;

[…]”

Article 6/3.2, paragraph 1 of the Flemish Housing Code:

“The lessor who checks whether the conditions for immovable property have been met,

mentioned in Article 6.8, first paragraph, 2°, Article 6.11 and 6.21, first paragraph, for the immovable

possession abroad, rely on private or public partners. The Flemish

Government may designate the entity that enters into a framework agreement in which the private

partners are identified.”

The Disputes Chamber notes in this regard that this new legislation has been published

after the disputed data processing and therefore does not apply to the foreign

property investigations in this case. Since this Flemish Codex Living is not yet in

had entered into force at the time of the foreign asset investigations
the Disputes Chamber did not invoke this legislation to make this decision

come.

Necessity

39. Pursuant to Article 6(1)(e) GDPR, the processing is lawful only if and for
to the extent that the processing is necessary for the fulfillment of a task in the public interest or

of a task in the exercise of public authority vested in the

controller has been assigned. As explained above contains

legislation often lacks concretely defined provisions regarding the necessary

data processing. Controllers who, on the basis of such

If you wish to invoke Article 6 (1) e) of the GDPR on a legal basis, you must then make a Decision on the merits yourself 149/2022 - 11/30

balancing the necessity of the processing for the task of general
interests and the interests of those involved.

40. The defendant submits that, in the context of the assessment of necessity, it

has performed a balancing of interests before transferring the personal data in question

to Z for conducting a foreign asset investigation. The Defendant

argues that this balancing of interests has manifested itself in offering the

possibility to spontaneously report property abroad in advance

and the transfer of personal data subsequently took place on the basis of

reasonable suspicions of property fraud. The justice of the peace of the canton of Lier has in
its judgment dated 8 March 2022 (with regard to complainant 1) and its judgment dated 12 April 2022 (for

with regard to complainant 2) established that on 29 July 2020 the defendant informed all its tenants

sent a letter announcing that they would be checked

immovable is abroad. The letter was personally delivered by carrier to each

tenant and in his absence the letter was left in the letterbox. Due to the lack

In response to the complainants' response to this letter, the defendant argues that it has no other

then had the opportunity to conduct such a foreign asset investigation.

41. The Disputes Chamber establishes on the one hand that Article 52 of the Framework Decision does not explicitly
includes reference to private research firms such as Z to provide the required data

collect, but also that the aforementioned list is non-exhaustive

formulated so that the appeal to private research agencies is not covered by the aforementioned

Article 52 of the Framework Decision is excluded.

9
42. In accordance with its previous decision, the Disputes Chamber recalls that

domestic wealth investigations can be done through a simple consultation

of the land registry. Investigations into real estate abroad and especially non-

However, EU member states are less evident. The social housing companies then let
the tenants also declare that they do not own any real estate abroad

to verify these statements, these social housing companies, such as the

defendant, relied on specialized firms, such as Z in this case, as processors to

to conduct foreign asset investigations when they have serious indications or

has suspicions of foreign property.

43. The necessity of the foreign asset investigation is apparent from the fact that the

the complainant has already been invited several times to sell any property abroad

report, first when signing the above-mentioned declaration on honor and then
when the defendant had informed the complainant via the warning letter

of its intention to conduct a foreign asset investigation. The Defendant

9 Decision 124/2021 dated. November 10, 2021, to be consulted via
https://www.dataprotectionauthority.be/burger/publicaties/besluiten Decision on the merits 149/2022 - 12/30

however, did not receive a satisfactory answer. In view of its legal duty to
use public funds to accommodate the most vulnerable people, given

in view of the severe shortage of social housing and in view of the difficulties of

to look up data for real estate located abroad, the

the defendant compelled to carry out the foreign asset investigation in order to

serious suspicion of foreign real estate.

44. These findings have already been made by the justice of the peace of the canton of Lier in

her verdict dated March 8, 2022 (with regard to complainant 1) and in her judgment dated. Apr 12, 2022

(with regard to the complainant 2). The justice of the peace concluded that the defendant
could lawfully rely on Art. 6 (1) e) GDPR for the purpose of carrying out the foreign

asset research. The Disputes Chamber sees no reason to

to take a different position.

45. Finally, the complainant argues that the defendant cannot rely on Article 6(1)(e) GDPR

as stated in the privacy policy on its website because this privacy policy does not comply with the

complainant was served. In this regard, the Disputes Chamber refers to the guidelines on

transparency of the Data Protection Working Party Article 29 stipulating if

follows: “Any company with a website should have a statement or notice on that site
about the protection of privacy should publish. A direct

link to this statement or notice on the protection of personal

privacy should be clearly visible on every page of the website, under a

commonly used term (e.g. "Confidentiality", "Confidentiality Policy" or

"Notice on the protection of privacy". 10So there is no

obligation to provide this information personally to the complainant. Even more, the Group

Data Protection Article 29 states that "any information disclosed to a data subject"

sent, should also be accessible in a single place or in the same

document (on paper or in electronic format) that can be easily accessed by
11
this person if he wishes to consult all the information sent to him."

It can therefore be concluded from this that publishing a direct link

to the statement on the protection of personal data on the website (which in

present case) is sufficient.

46. As a result of the above, the Disputes Chamber is of the opinion that there is no infringement of the

Articles 5 (1) a) 6 (1) GDPR was committed by the defendant.

10Working group "Article 29", "Guidelines on transparency under Regulation (EU) 2016/679", revised and
version approved on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 11.

1Working group "Article 29", "Guidelines on transparency under Regulation (EU) 2016/679", revised and
version approved on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 17. Decision on the substance 149/2022 - 13/30

II.3. Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1) and (2) GDPR

Article 5(2), Article 24(1) and Article 25(1) and (2) GDPR

47. The controller must comply with the principles set out in Article 5 of the GDPR and that

can demonstrate. This follows from the accountability obligation as understood in Article 5, paragraph 2 j°

Article 24(1) GDPR. On the basis of Articles 24 and 25 GDPR, each

controller takes the appropriate technical and organizational measures
to ensure and to be able to demonstrate that the processing takes place

in accordance with the GDPR.

48. In its inspection report, the Inspectorate establishes that articles 5, 24, paragraph 1, and 25, paragraph 1 and

2 GDPR were violated. As part of his research on the
accountability, the Inspectorate has forwarded the following question to the

defendant:

“Please demonstrate using documents in accordance with Articles 5, 6, 24 and 25”
oftheGDPRthatyourorganizationhasappropriatetechnicalandorganizationalmeasures

taken to ensure compliance with data protection principles, such as minimum

data processing, to be ensured in the context of the asset investigation in the

abroad mentioned in the complaint”.

49. The defendant has formulated a reply in which, according to the Inspectorate,

explanation is given about the security measures taken in the context of which

various attachments are also transferred. The Inspectorate establishes in its report

that security measures are related to integrity and confidentiality, such as

included in Article 5(1)(f) GDPR, but that the defendant does not clarify how the other
principles of Article 5(1) of the GDPR are guaranteed. In addition, the . concludes

Inspectorate that certain elements are not specifically explained by the

defendant. It concerns, among other things, whether and, if necessary, how the highest management

level of the defendant the agreements on security measures in reports and

follows up on team meetings, whether and, if necessary, how the officer
data protection of the defendant is involved in the preparation and

following security measures, whether and, if so, how breaches of the

code of ethics for members of the board of directors for the defendant effective

is sanctioned, when the analysis of the technical infrastructure of the

was carried out by the defendant and what concrete measures the defendant will take after the
has taken cognizance of that analysis and, finally, how compliance with the aforementioned

security measures is generally controlled by the defendant and how

infringements are effectively sanctioned. Consequently, the Inspectorate comes to the

determination of a breach of Article 5, Article 24(1) and Article 25(1) GDPR. Decision on the merits 149/2022 - 14/30

50. In its submissions, the defendant disputes that finding. She argues that she

supposed to demonstrate which technical and organizational measures

it took with the help of the documents it had to prepare, such as

for example the register of processing activities, the closed

processing agreement with the processor of the personal data during the

foreign asset investigation, and other documents proving that they have appropriate

has taken technical and organizational measures in the context of the

foreign asset research. The defendant regrets that the Inspectorate

have violated all the principles of Article 5(1) of the GDPR because of a

misconception of one of the Inspectorate's questions by the defendant. The
the defendant argues that the findings of the Inspectorate are based on a

incorrect interpretation of the research question by the defendant. In its conclusions

the defendant therefore provides more information regarding compliance with the principles of Article 5,

paragraph 1 GDPR.

51. The Disputes Chamber states that the Inspectorate, as the investigative body of the GBA,

is investigating complaints about and serious indications of violations of the
European and Belgian legislation on personal data, including the GDPR. One of

the ways in which the investigation is conducted is to obtain all useful information and

to provide documents. This option allows the controllers

and/or processors to explain and demonstrate which measures have been taken to

comply with applicable law.2

52. In the context of the examination of compliance with the Fundamental Principles and the
accountability as understood in Article 5 of the GDPR, the Inspectorate has a

general question to the controller that reads as follows:

“Please demonstrate using documents accordingly articles 5, 6, 24 and 25”

of the GDPR that your organization takes appropriate technical and organizational measures

has taken to ensure compliance with data protection principles, such as

minimum data processing, to be guaranteed in the context of the asset investigation

abroad mentioned in the complaint”.

53. In the present case, the defendant provided a detailed reply to the

controller, in which it indeed implements the taken

security measures. However, the Disputes Chamber reads in the Inspection report that it

answer formulated by the defendant was not sufficient for the

inspection service. In this case, as explained above, the Inspectorate is of the opinion that

certain information,whichisessentialtotheInspectionservice,toagoodassessment

12 Charter of the Inspectorate, August 2022, can be consulted online via
https://www.dataprotectionauthority.be/publications/charter-van-de-informatiedienst.pdf Decision on the merits 149/2022 - 15/30

to come is missing. Consequently, it was ruled by the Inspectorate that there

was a violation of Article 5, Article 24(1) and Article 25(1) and (2) GDPR.

54. The Disputes Chamber states, however, that an investigation by the Inspectorate into a loyal

manner should be done. If the response from the controller for the

Inspection service is not sufficient, in the context of a loyal investigation it falls to the

Inspection service to clarify on which points more information is requested. This

can be done, for example, by asking more specific questions about a certain topic or by
request specific documents or information. After all, it's for the

controller is not always easy to understand in such general and broad terms

to formulate a comprehensive answer. If the Inspectorate is more specific

has asked questions or has requested concrete documents and the

controller has not been able to provide the requested information, comes
it is up to the Inspectorate to report breach of accountability as understood

in Article 5(2) and Article 24(1) of the GDPR. The Disputes Chamber notes in this regard:

that the Inspectorate has not asked any additional questions about specific

subjects or that no specific documents were requested in order to

good assessment of the case. The Disputes Chamber therefore also establishes that
the inspection investigation was not conducted in a loyal manner with regard to this finding.

Consequently, the Disputes Chamber comes to the conclusion that on the basis of the

investigation reportcannotbedecidedtoviolatearticle5, paragraph2, article24,

paragraph 1 and Article 25, paragraphs 1 and 2 GDPR.

Article 5(1) GDPR

55. As stated above, the defendant explained how it

compliance with the fundamentals of the AVG. The Disputes Chamber notes that,
based on the answer provided by the defendant in the context of the investigation,

the Inspectorate determines that there is a violation of all basic principles with

with regard to the protection of personal data as defined in Article 5(1) of the GDPR.

Although Article 5(1) and (2) GDPR are closely related, any

breach of the accountability obligation of Article 5(2) of the GDPR does not automatically include a
violation of Art. 5 (1) GDPR. After all, accountability is the formal

externalization to document compliance with the material

demonstrate the basic principles of the GDPR.

56. In its submissions, the defendant explained how the processing operations do meet the

basic principles of Art. 5 (1) GDPR. These are briefly resumed below.

57. The defendant argues that it does comply with the principle of propriety and transparency.

It processes the following personal data in the context of the asset investigation: name
and first name of the tenant, date and place of birth, national register number (if Decision on the merits 149/2022 - 16/30

applicable and available), date and place of marriage (if applicable and

available, the file number and elements of the social investigation. The Defendant

obtains this personal data either because it is legally obliged to request it

(Article 68 of the Flemish Housing Code), either because it receives this data from Z

(file number and elements of the social inquiry). This was also confirmed by the

jurisdiction. 13For the legality of the legal basis, the Disputes Chamber refers

to what was explained in section II.2. With regard to the principle of transparency,

the defendant that it has before the commencement of the foreign asset investigation

reported, in clear language adapted to the target group, in this case residents of social

homes, that the data would be used for a foreign
asset research. This information was included in the privacy statement on the

website and then in the warning letter. With regard to the principle of

transparency, the Disputes Chamber establishes that the relevant passage from the

privacy statement reads as follows:

The warning letter sent by the defendant on July 29, 2020 is also in

clear intelligible language:

13See, among other things, Peace. Hamme June 6, 2019, Rent 2020/1, 57. Decision on the merits 149/2022 - 17/30

58. As already stated, the privacy statement was accessible via a direct link on the

website and drafted in clear language. The warning letter to the complainants was also

sent on July 29, 2020 is written in sufficiently clear language. In view of the

above, the Dispute Chamber concludes that there is no violation of
Article 5(1)(a) GDPR.

59. The Disputes Chamber recalls that in accordance with Article 5(1)(b) GDPR

personal data may only be collected and processed for specified,
expressly defined and justified purposes. When the data is later for

be used for another purpose, that new purpose must be compatible with the

original collection purpose. With regard to Article 5(1)(b) GDPR, the

the defendant that the purpose of the processing was established and determined ab initio,

since the privacy statement explicitly states that personal data can be

are passed on to private bodies for checking the above mentioned
registration and admission requirements. The purpose is also expressly described in

the privacy statement, according to the defendant. To determine the justified

purpose, this purpose must be related to the activities of the

controller, i.e. the defendant. In this regard, the defendant refers Decision on the merits 149/2022 - 18/30

to Article 52 of the Framework Decree, being checking compliance with the

registration and admission requirements in the context of social housing.

60. On the basis of the defendant's documents, the Disputes Chamber finds that the

personal data were collected for the purpose of administrative registration on

to enable the waiting list and possible allocation of social housing. The

privacy statement (see marginal 56) clearly states that the defendant is charged with a

task of general interest, namely the use of scarce government resources to
allocating social housing to the most vulnerable. To that end . can

charge the defendant private bodies with investigations into immovable assets in

abroad, as is also included in the privacy statement. This control on the

fulfillingtheenrolmentandadmissionconditionsisinherentlyconnectedwiththetask

in the general interest of the defendant, as regards the implementation of the right to due process
housing, especially for the most deprived. Given the above

the Disputes Chamber concludes that there has been no violation of Article 5(1)

b) GDPR.

61. The principle of data minimum processing as set out in Article 5(1)(c) GDPR states

that the personal data processed must be adequate, relevant and limited

to what is necessary for the purposes for which they are processed. It follows that

the data may only be processed if the purpose of the processing is not

can reasonably be accomplished in another way. As to the principle

of "minimum data processing", the defendant argues that both the purpose, the
data and the processing are proportional.

62. Recital 39 of the GDPR states that personal data may only be processed

if the purpose of the processing cannot reasonably be achieved in any other way
accomplished. On the basis of the documents in the file, the Disputes Chamber determines that the

the defendant processed the following data in the context of the foreign

asset investigation: surname and first name, date of birth, place of birth,

National register number (Belgian or of the home country, if applicable), date and place of the

marriage (if applicable and available) and any elements of the study
of the Supervision Service that led to the transmission of the file (suspected of

foreign real estate). From the documents, the Disputes Chamber understands that the defendant

did not immediately proceed with a foreign asset investigation. The complainants have

firstly, a declaration on honor signed at the start of the lease, further

does the complainant have the legal obligation to refuse the possible acquisition of an immovable property?
to report to the landlord during the current tenancy agreement, in this case the

defendant, then the defendant received a warning letter on July 29, 2020

transferred to the complainants, in which, on the one hand, the foreign asset investigation is made Decision on the merits 149/2022 - 19/30

announced, and, on the other hand, the possibility is given to

to report immovable property in order to reach an amicable settlement. Finally, the

Defendant to conduct an exploratory investigation first. Only when there

serious indications or suspicions of foreign immovable property, there will be
proceeded with a foreign asset investigation as is the case in the present case

used to be. Since the defendant does not have the necessary resources or expertise to

conducting investigations, it is not excessive to have recourse to a

specialized firm. In view of the above, the Disputes Chamber concludes that there

there is no violation of Article 5(1)(c) GDPR.

63. Pursuant to Article 5(1)(d) GDPR, the controller must take all reasonable

take measures to ensure that the data is correct and up to date. Data

that are not (anymore) must be deleted or corrected. The defendant argues that it

has drawn up an internal policy together with its data protection officer

with guidelines for its employees who come into contact with personal data. Out
the agenda of the defendant's team meeting dd. October 19, 2021 it turns out that this

internal note together with other points regarding the AVG were discussed. The Dispute Room

concludes that there has been no violation of Article 5(1)(d) GDPR.

64. The Disputes Chamber recalls that pursuant to the principle of storage limitation (Article
5, paragraph 1, e) AVG data may not be stored for longer than is necessary for

the purpose of the processing. When the data is no longer necessary, then

they are destroyed or erased. The defendant points out that the register of

processing activities provides a detailed overview of the retention periods of the

categories of personal data it processes. In addition, Article 10 of the

processing agreement with Z that it contains all personal data received and processed
with regard to the foreign asset investigation when the

processing agreement comes to an end, i.e. May 31, 2022 (subject to extension).

Contrary to the complainant's contention, the defendant does not therefore admit that it

violated the principle of storage limitation. In view of the above concludes

the Disputes Chamber that there has been no violation of Article 5, paragraph 1, e) GDPR.

65. Article 5, 1, f) of the GDPR prescribes that “[personal data] by taking

appropriate technical or organizational measures in such a way

processed that an appropriate security is ensured, and that they include:

be protected against unauthorized or unlawful processing and against accidental

loss, destruction or damage”. In this context, the defendant explained its conclusions
how it has taken various measures independent of the

processing activities in the context of foreign asset research, such as

informing its employees about the security measures to be observed (such as Decision on the merits 149/2022 - 20/30

password use, two-factor identification, internal policies regarding the treatment of

personal data). Furthermore, the defendant explains that the directors have an ethical

must sign a code whereby they commit themselves to secrecy of

personal data and confidential company data. The defendant then states
a series of measures taken after an analysis of the technical infrastructure

by an independent company. This includes: creating offline and

online backups of the processed personal data, firewall installation, antivirus and anti-virus

malware software, password policy with regular password changes and

disable all default user accounts. This independent company carries

periodic checks regarding the security of the IT infrastructure. Also the
processing agreement determines which measures the processor must take with the

with a view to security, such as regular renewal of passwords and access codes,

pseudonymisation and encryption of personal data, internal audit procedures for

assessment of the security measures taken, confidentiality clause for the

concerning employees, etc. From the above, the Disputes Chamber concludes that there

there is no infringement of Article 5 (1) f) GDPR.

66. The Disputes Chamber states again that in the present case it is disproportionate to find a violation of

to adopt Articles 5, 24, paragraphs 1 and 25, paragraphs 1 and 2 GDPR on the basis of a general question

in the context of accountability, to which was replied by the defendant,

without further follow-up questions from the Inspectorate. It belongs to the Inspectorate
to determine a possible shortcoming of Article 5 (1) GDPR on the basis of a loyal investigation

by the defendant.

67. Since the Inspectorate does not demonstrate how the defendant de

has violated fundamental principles of Article 5, including accountability, and the
The defendant explains in detail in its claims to what extent it does comply with these principles

complies, the Disputes Chamber concludes that there is no infringement of Articles 5, 24, paragraph 1 and

25 para. 1 and 2 GDPR was committed by the defendant.

II.4. Article 28, paragraphs 2 and 3 GDPR

68. Pursuant to Article 28(2) of the GDPR, the processor does not employ another processor without

prior specific or general written consent of the

controller. In the event of general written consent, the

processor informs the controller about intended changes to the

addition or replacement of other processors, where the controller

the opportunity to object to these changes.

69. Article 28(3) of the GDPR provides that processing by a processor is governed by a

agreement or other legal act under Union or Member State law Decision on the substance 149/2022 - 21/30

which binds the processor towards the controller, and in which

the subject matter and duration of the processing, the nature and purpose of the processing, the

type of personal data and the categories of data subjects, and the rights and

obligations of the controller are described. That
agreement or other legal act provides in particular that the processor:

• process the personal data only under the written instructions of the

controller, including with regard to the transfer of

personal data to a third country or an international organization (unless it
is legally obliged to do so);

• ensures that access to that data is restricted to authorized persons.

These persons must be bound by secrecy on the basis of a

agreement or a legal obligation;

• maintains at least the same level of data security as the

controller does;

• the controller provides all possible support in

fulfilling its obligations with a view to answering requests

regarding the rights of data subjects;

• assists the controller in fulfilling its obligations
in the field of security of personal data and the obligation to report data leaks;

• after termination of the agreement between the controller and

processor, the data processed on behalf of the controller

delete or return personal data to him, and delete existing copies;

• the controller makes all necessary information available

to demonstrate that the obligations under the Regulation

around the deployment of a processor are complied with and is necessary to carry out audits

to make possible;

• makes agreements with regard to sub-processors.

70. In its investigation, the Inspectorate establishes that there has been an infringement of Article 28,

paragraphs 2 and 3 of the GDPR as in the processing agreement between the defendant and

processor the following elements are missing:

- The signature of the director representing the defendant, only the
signature of the director of the processor is in the processing agreement;

- The date on which the processing agreement starts. On page 10 of the

processing agreement states “October 14, 2020” but it is not clear whether that is also the

start date is; Decision on the merits 149/2022 - 22/30

- A description of the duration of the processing;

- A description of the type of personal data and the categories of data subjects and
the nature of the processing; and

- A prior specific or general written consent of the defendant

to the processor to hire other processors. Despite the lack of any

provision in this regard, the processor has engaged a processor in Turkey.

71. The defendant does not dispute those findings. It states that after receiving the

inspection report has immediately instructed to terminate the processing agreement

which it uses for carrying out wealth investigations by private companies
and to elaborate and insert the cited elements. The Defendant

argues that at this time, the processor does not conduct asset investigations for the benefit of

the defendant performs more, nor does the defendant transfer any personal data

the processor. The defendant attaches to its claims a modified template of

processing agreement that will be used in any future

foreign asset investigations.

72. The Disputes Chamber rules that the processing agreement that was transferred by

the defendant is incomplete, as established in the Inspection Report. In her conclusions

the defendant states that it no longer conducts foreign asset investigations,

but that they use the revised template of the processing agreement, in accordance with the
Submit an inspection report. The Disputes Chamber finds that the defendant

has made efforts to implement the processing agreement in accordance with the

requirements of Article 28(2) and (3) GDPR.

73. Despite the corrective measures, the Disputes Chamber finds that the
processing agreement on the basis of which the foreign asset investigation has

performed did not meet the requirements of Article 28, paragraphs 2 and 3 GDPR, as a result of which

was of an infringement of Article 28, paragraphs 2 and 3 GDPR, but that this has been remedied in the meantime.

II.5. Articles 44, 46, 24, paragraphs 1 and 5, and paragraph 2 GDPR

74. When personal data is transferred to countries outside the European Union

transferred, there is a transfer of personal data. For passing on

of data to countries outside the European Union, the AVG states that this is only allowed

if the level of protection provided by the GDPR is not undermined. This is the case

if the country outside the European Union has an adequate level of data protection

oradditionalguaranteesprovideonthetransmissionofdata.IftheEuropeanCommission
has not made an adequacy decision, appropriate

safeguards to provide a sufficiently high level of protection. Decision on the merits 149/2022 - 23/30

75. With regard to the transfer of data to Turkey, the Inspectorate notes that

the defendant has infringed Articles 44, 46, 24, paragraphs 1 and 5 and 2 of the GDPR

as the defendant has failed to demonstrate what measures it and Z have taken
taken to comply with Articles 44 and 46 GDPR when transferring personal data to Turkey

and to comply with the Schrems II judgment. The Inspectorate comes to the conclusion that the

Turkish law on the protection of personal data provides an exemption for the

processing of personal data within the framework of preventive, protective and

intelligence activities conducted by public institutions and organizations

belong to are authorized and designated by law to the national defense, national
security, public safety, public order or economic security. The

processing agreement between Z and its Turkish partner would not provide sufficient additional

provide guarantees to ensure an adequate level of protection of the transferred

guarantee personal data.

76. First, the defendant argues that it is not the exporter of these personal data

to Turkey as part of the asset investigation. It is Z who receives the data

of the defendant, but who in turn passes it on to her partner in Turkey, who then

uses this data to make the necessary searches in the public registers.

77. The Disputes Chamber does not follow this reasoning. Article 4(7) GDPR defines

“controller” as the “natural or legal person,

government agency, agency or other body which, alone or jointly with others, serves the purpose

of and the means of processing personal data”. It's also the
the defendant as a social housing company which determines the aim and the means,

as it has transferred the personal data to Z as a processor for the purpose of

conducting a foreign asset survey in Turkey. In other words, the

The Disputes Chamber comes to the conclusion that the defendant as

controller must be qualified, including with regard to the
transfer to Turkey. As a controller, it is her duty to

verify that this transfer will take place in a manner that is in accordance with the

obligations in the GDPR in this regard. This obligation also applies if they do not themselves

transfers, but through an appointed processor, as is the case in the present case

is. If the controller determines that this transfer by the
processor cannot take place in accordance with the AVG, he may not use this personal data

transfer to the processor.

78. In the event that the defendant were nevertheless classified as a controller
it submits in a subordinate order that it is committed to the transfer of

personal data relies on Article 49 (1) d) GDPR. Decision on the merits 149/2022 - 24/30

In the context of the assessment of the transfer of personal data to Turkey

refers the Disputes Chamber to Recommendation 1/2020 of the European Committee for
data protection (hereinafter: “EDPB”). To help exporters with the complex task of

assessing the data protection of third countries and where necessary

adopting appropriate additional measures, the EDPB has a roadmap

provided.14

Step 1: familiarity with the transfers

79. First of all, it is important for the exporter to be aware of the

personal data that are passed on, for example by relying on his

processing register. The defendant acknowledges in its claims that the processing register

was not yet ready at this point. However, the EDPB does not determine how the exporter meets these

step must comply, but only formulates suggestions. The defendant argues in its

conclusions that the categories of personal data that were transferred were

included in the processing agreement, so that there was a good overview of the

relevant personal data that were the subject of the transfer.

Step 2: determination of the relevant instrument of transfer

80. Secondly,theexportermustdeterminewhichtransmissioninstrumentfromchapterVofthe

AVG he uses.

81. The Dispute Chamber reminds that the transfer of data to one third

country, in the absence of an adequacy decision by the European Commission under

Article 45 GDPR, is only possible if the controller or processor

has provided appropriate safeguards, and provided that for the data subjects

enforceable rights and effective remedies are available (Article 46 GDPR). Bee

lack of a decision declaring the level of protection adequacy
pursuant to Article 45(3) of the GDPR, or of appropriate safeguards pursuant to Article

46 GDPR, finds a transfer or a category of transfers of personal data to a

third country in specific circumstances only under one of the conditions of

Article 49 GDPR ("Data Protection Derogations").

82. As stated above, the defendant relies on the derogation provided for in Article 49(1)(d)

GDPR. Under this Article, transfers to third countries may take place when the

transfer is "necessary for important reasons of public interest". This one is very similar to
15
the provision contained in Article 26(1)(d) of Directive 95/46/EC , in which

14EDPB Recommendations 01/2020 on measures to complement transfer instruments to ensure compliance with the

ensure the level of protection of personal data in the Union dd. June 18, 2021, to be consulted via
https://edpb.europa.eu/system/files/2022-
04/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf
15Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection Decision on the substance 149/2022 - 25/30

states that a transfer may only take place when it is necessary or legal

is mandatory because of an important public interest.

83. In accordance with Article 49(4) GDPR, only public

interests recognized in the law of the Union or in the law of the Member State including the

responsible for the processing. The provision constituting such a public interest

defines should not be abstract. Transfer is permitted, for example, in the event of a

substantial general interest that is recognized in international agreements in which
16
the Member States are parties .

84. In the present case, the transfer takes place in the context of the public interest and more

determines the right to housing. The right to housing is recognized in a number of

international human rights instruments. Article 25 of the Universal Declaration of the

Human Rights recognizes the right to housing as part of the right to a
17
decent standard of living. Also Article 11(1) of the International Covenant on

economic, social and cultural rights (ICESCR), which applies to both Belgium and Turkey

have ratified, guarantees the right to housing as part of the right to
18
a decent standard of living. For the determination of the right to housing as

public interest in Belgian national law, reference is made to section II.2 of this

decision.

85. On the basis of Article 49(1)(d) GDPR, the necessity test must be applied to

assess its applicability. This necessity test requires an evaluation

by the data exporter of whether the transfer of personal data as

may be considered necessary for the specific purpose of Article 49(1)(d)

GDPR. With regard to the necessity of the transfer, the Disputes Chamber refers

to section II.2 of this decision.

86. In view of the above, the Disputes Chamber concludes that the transfer of the

personal data to Turkey, in the context of the foreign asset investigation

legally valid based on article 49, paragraph 1, d) of the AVG, which means that there is no infringement

is on Article 44, Article 46, Article 24 (1) and Article 5 (2) GDPR.

of natural persons in connection with the processing of personal data and on free movement

of that data.
16EDPB Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679 dated. May 25, 2018, te
consult at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf

17Article 25: Everyone has the right to a standard of living adequate for his own health and well-being
and his family, including food, clothing, housing, medical care and necessary social services, and law
security in case of unemployment, illness, disability, widowhood, old age or other lack of livelihood
circumstances beyond his control.
18
Article 11, paragraph “The States Parties to this Covenant recognize the right of everyone to an adequate
standard of living for himself and his family, including adequate food, clothing and housing, and at all times
better living conditions. The States Parties to this Convention are taking appropriate measures to achieve it
of this right, recognizing the essential importance of voluntary international cooperation” Decision on the substance 149/2022 - 26/30

II.6. Article 30(1) GDPR

87. Under Article 30 GDPR, each controller must keep a register

of the processing activities carried out under its responsibility.

Article 30(1) a) to g) GDPR provides that, with regard to the capacity
processing carried out by the controller, the following information

must be available:

a) the name and contact details of the controller and any

joint controllers and, where applicable, of the
representative of the controller and of the officer for

data protection;

b) the processing purposes;

c) a description of the categories of data subjects and of the categories of

personal data;

d) the categories of recipients to whom the personal data have been or will be

provided, including to recipients in third countries or international organisations;

e) where applicable, transfers of personal data to a third country or

international organisation, including an indication of that third country or
international organization and, in the case of the second subparagraph of Article 49(1) of the GDPR,

the transfers referred to, the documents regarding the appropriate guarantees;

f) if possible, the envisaged deadlines within which the different categories of
data must be erased;

g) if possible, a general description of the technical and organizational

security measures as referred to in Article 32(1) of the GDPR.

88. The Inspectorate does with regard to the register of processing activities of the

the defendant makes the following findings, as summarized below:

• There is no description of the categories of data subjects in the tab
“Lists” (cf. Article 30(1)(c) of the GDPR). It is therefore unclear what words

as “staff members”, “directors”, “volunteers”, “(candidate) tenants and

(candidate) buyers in practice.

• The description of the categories of personal data is incomplete, since in
the tab "Lists" are several times non-exhaustive lists (cf. article 30,

paragraph 1, c) of the GDPR). It is therefore unclear what words like “Electronic

identification data”, “electronic localization data”, “financial Decision on the merits 149/2022 - 27/30

identifiers”, “images” and “sound recordings” in practice

mean.

89. The Disputes Chamber establishes the defendant in its register of processing activities

provides a summary for:

- the categories of data subjects (Article 30(1)(c) GDPR), i.e. “staff members”,

“drivers”, “volunteers”, “(prospective) tenants and (prospective) buyers; and

- the categories of personal data (article 30, paragraph 1, c) AVG), namely “electronic”

identification data”, “electronic location data”, “financial
identifiers”, “images” and “sound recordings”.

90. The Disputes Chamber must rule on whether Article 30(1)(c) GDPR requires

that a description is given of the categories of personal data and the
categories of data subjects in the register of processing activities, or whether a

summary may suffice.

91. The Disputes Chamber notes that Article 30(1)(c) GDPR requires that a description of the
categories of data subjects and of the categories of personal data is

included in the register of processing activities. Those involved are the

identified or identifiable natural persons whose data is

processed (article 4(1) of the GDPR). Regarding the categories data, it should of course

concern personal data as defined in Article 4 (1) of the GDPR.

92. The Disputes Chamber recalls what the purpose of the register of

processing activities. To effectively fulfill the obligations contained in the GDPR

apply, it is essential that the controller (and the

processors) have an overview of the processing of personal data that they
to carry out. This register is therefore primarily an instrument to

assist the data controller in complying with the GDPR for the different

data processing and it performs because it registers the most important features of

makes visible. The Disputes Chamber is of the opinion that this processing register is a

essential tool in the context of the already mentioned accountability (Article
5 (2) and Article 24 GDPR) and that this register is the basis for all obligations that the

GDPR on the controller.

93. The Disputes Chamber notes that neither the text of the GDPR nor the objectives of the
GDPR prevent an enumeration of the categories of personal data and the

categories of data subjects is included in the register of processing activities

or that a more detailed description would be needed. Decision on the merits 149/2022 - 28/30

94. With regard to the categories of recipients, the Disputes Chamber refers to a
recommendation of the CPP and doctrine stating that it is not true

it is necessary to state the individual recipients of the data, but that these

can be grouped by category of recipients. Mutatis mutandis can this

statement can also be applied to the categories of personal data and data subjects.

95. The Disputes Chamber points out, however, that the completion of the register of

processing activities should always be evaluated on a case-by-case basis to determine whether the

description or summary contained herein is sufficiently clear and specific.

96. In the present case, the Disputes Chamber finds that the enumerations included in the

register of processing activities were sufficiently concrete. According to the

Litigation room little doubt about the meaning of the above listed

elements in the context of social rent. Consequently, the Disputes Chamber concludes that there

there is no violation of Article 30(1)(c) GDPR. The Disputes Chamber reminds

also because the register of processing activities is now up-to-date with regard to

the international transfers, as recognized by the defendant, as a result of which there is no question

of a violation of Article 30(1) GDPR.

III. Sanctions

97. On the basis of the documents in the file, the Disputes Chamber determines that there is

an infringement of 28, paragraphs 2 and 3 of the GDPR. Although the defendant remedied these infringements

it is established that there are violations of the right to data protection

have taken place. As already explained, the processing agreement is a

important instrument in GDPR compliance. With the processing agreement, the

controller can rely on processors who provide sufficient guarantees

offer, in particular in terms of expertise, reliability and resources, to

ensure that the technical and organizational measures comply with the

regulations of the GDPR, including with regard to the security of the processing.

98. When determining the sanction, the Disputes Chamber takes into account the fact that the

Defendant has already rectified these infringements and has provided evidence thereof.

The Disputes Chamber therefore decides that in the concrete factual circumstances of this

case, a reprimand for the aforementioned infringements will suffice. The seriousness of the infringement is not

such that an administrative fine should be imposed.

99. The Disputes Chamber proceeds to a deposit of the other grievances and findings of the

Inspectorate because, on the basis of the facts and the documents in the file, they do not belong to the

19Available at: https://www.dataprotectionauthority.be/publications/aanbeveling-nr.-06-2017.pdf
20W.Kotschy,"Article30:recordsofprocessingactivities",inCh.KunerTheEUGeneralDataProtectionRegulation(GDPR),
a commentary, 2020, p. 621. Decision on the substance 149/2022 - 29/30

conclude that there is a breach of the GDPR. These grievances and

findings of the Inspectorate are therefore regarded as manifestly unfounded
21
within the meaning of Article 57(4) of the GDPR.

IV. Publication of the decision

100. In view of the importance of transparency with regard to the decision-making of the

Litigation Chamber, this decision is published on the website of the

Data Protection Authority. However, it is not necessary for the

identifiers of the parties are disclosed directly.

FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

- To formulate a reprimand with regard to the . pursuant to Article 100, §1, 5° WOG

defendant with regard to the infringement of Article 28(2) and (3) GDPR.

- To dismiss all other grievances from the complaint pursuant to Article 100, §1, 1° WOG.

Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notice against this decision, an appeal may be lodged with the Marktenhof (court of

profession Brussels), with the Data Protection Authority as defendant.

Such an appeal may be lodged by means of an adversarial petition that the
22
Mentions listed in Article 1034ter of the Judicial Code must contain .It

adversarial petition must be submitted to the registry of the Marktenhof

21 See point 3.A.2 of the Disputes Chamber's Dismissal Policy, dated. June 18, 2021, to be consulted via
https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf
22
The petition states, on pain of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
summoned;
4° the subject matter and the brief summary of the grounds of the claim;
5° the court before whom the claim is brought;
6° the signature of the applicant or of his lawyer. Decision on the merits 149/2022 - 30/30

23
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).

(get). Hielke H IJMANS

Chairman of the Disputes Chamber

23The application with its annex, in as many copies as there are interested parties, shall be sent by registered letter
sent to the clerk of the court or deposited at the clerk's office.

@@ Line 95: / Line 95: @@
 }}
-The Belgium DPA held that a social housing organisation could rely on public interest ([[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]) to investigate foreign financial assets of data subjects. The DPA also determined that this controller could rely on important public interest ([[Article 49 GDPR#1d|Article 49(1)(d) GDPR]]) to conduct international data transfers for the purpose of conducting this foreign investigation. The DPA reprimanded the controller for ommissions in the controller-processor agreement, which resulted in violations of [[Article 28 GDPR|Articles 28(2) and 28(3) GDPR]].
+The Belgium DPA held that a social housing organisation could rely on [[Article 6 GDPR|Article 6(1)(e) GDPR]] to investigate foreign assets of data subjects and on [[Article 49 GDPR|Article 49(1)(d) GDPR]] for international data transfers in connection with this purpose. However, the DPA reprimanded the controller for violations of [[Article 28 GDPR|Articles 28(2) and 28(3) GDPR]] in a data processing agreement.
 == English Summary ==
 === Facts ===
-Two data subjects submitted a complaint at the Belgian DPA, stating that their personal data was unlawfully processed by a social housing organisation. This controller was responsible for verifying the eligibility criteria when requests were made for social housing. The controller held that it had reasonable suspicions that the data subjects did not qualify for social housing, after the data subjects failed to provide clarity regarding their assets in Turkey. The DPA initiated an investigation into these assets, for which it hired a processor to check personal data of the data subjects. This processor also used a sub-processor, which was located in Turkey.
+Two data subjects submitted complaints at the Belgian DPA, stating that their personal data was unlawfully processed by a social housing organisation. The controller was responsible for verifying the eligibility criteria for social housing and was suspecting that the data subjects did not qualify for social housing, after they failed to provide clarity regarding their assets in Turkey. The controller initiated an investigation into these assets. It hired a processor, a private investigation firm, to check personal data of the data subjects. This processor also used a processor of its own, which was located in Turkey. Following the investigation, the controller determined that the data subjects did not qualify for social housing in Belgium, because they owned sufficient assets in Turkey.
-After the data subjects submitted their complaint, the DPA initiated an investigation. Following this investigation, the DPA determined that the data subjects did not qualify for social housing in Belgium, because they owned sufficient assets in Turkey.
+After the data subjects submitted their complaint, the DPA also initiated an investigation. The investigation unit of the DPA (investigation unit) determined that the controller breached several GDPR Articles.
 The data subjects stated that they were not the owners of the assets in question. They also contested the value of evidence in the reports and stated that the evidence was received illegitimately.
+The district court of Lier already delivered a judgement in a case between the controller and the data subjects, which was about the termination of the rental contract. In this ruling, the district Court held amongst other things that the controller could use [[Article 6 GDPR|Article 6(1)(e) GDPR]] for conducting the investigation into the foreign assets. It also determined that the controller had send letters to the data subjects which remained unanswered.
 === Holding ===
-<u>DPA authorized?</u>
-The DPA first held that it was only competent to decide if the foreign investigation by the controller was GDPR compliant.
 <u>Violations of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 6 GDPR#1|Article 6(1) GDPR]]</u>
-The DPA held that the controller did not violate [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 6 GDPR#1|Article 6(1) GDPR]]. The DPA stated that in order to be compliant with [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], the controller needed to base its processing on one of the legal grounds described in [[Article 6 GDPR#1|Article 6(1) GDPR]]. Based on the answers of the controller during the investigation, the DPA determined that the controller relied on public interest ([[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]) to process the personal data. The DPA held that the controller carried out processing in the public interest because it needed to ensure social housing is actually provided to those who need it.
+The DPA held that the controller did not violate [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 6 GDPR#1|Article 6(1) GDPR]]. The DPA stated that in order to lawfully process personal data ([[Article 5 GDPR#1a|Article 5(1)(a) GDPR)]], the controller needed a legal basis for processing ([[Article 6 GDPR#1|Article 6(1) GDPR]]). The investigation unit determined that the controller relied on public interest ([[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]).
-The DPA held that the controller could only rely on [[Article 6 GDPR|Article 6(1)(e) GDPR]] when processing was ''necessary'' for a ''task in the public interest'' or when it is necessary for exercising public authority that has been invested in the controller. In these cases, a ''legal ground'' and a ''specific goal'' for processing, in European law or national law, is required ([[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] and recital 45).
+The DPA held that the controller could only rely on [[Article 6 GDPR|Article 6(1)(e) GDPR]] when processing was ''<u>necessary</u>'' for a ''<u>task in the public interest</u>'' or when it is necessary for exercising public authority that has been invested in the controller. In these cases, a ''<u>legal ground</u>'' for processing, based in European law or national law, was required ([[Article 6 GDPR#1e|Articles 6(1)(e) and]] [[Article 6 GDPR|6(3) GDPR]] and recital 45).
 ''Task in the public interest''
-The DPA held that the controller processed personal data within its legal obligation to do so for a task in the public interest, which was the allocation of limited government funds for the purpose of providing affordable housing for those people who need low income housing.
+The DPA held that the controller processed personal data within its legal obligation for a task in the public interest: the allocation of limited government funds for providing affordable housing.
+''Legal ground''
-''legal ground'' and a ''specific goal''
+The DPA held that in order to rely on [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], a specific, clear and predictable legal basis was required (Recital 41 GDPR). The DPA stated that the controller relied on Article 23 of the Belgian Constitution, the constitutional right to housing and an ‘internationally acknowledged right’. The DPA continued by referring to Article 33 of the Flemish Housing Code, which gave the obligation to social housing organisations to create eligibility criteria for applicants.
-The DPA held that in order to rely on [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], a specific, clear and predictable legal basis was required (recital 41 GDPR). At the time of processing, there was no specific reference in the law to rely upon. However, the DPA stated that the controller could rely on Article 23 of the Constitution. This Article constituted the right to housing, which was an ‘internationally acknowledged right’. The DPA held that the controller could also rely on Article 33 of the Flemish Housing Code. The controller was empowered to check the requirements implemented by the Flemish Government. The DPA also enforces its previous point by stating that on the 1st of January 2022, the Flemish Government has introduced a specific legal basis for the controller to process personal data in a foreign investigation through the Flemish Codex Housing. The controller was therefore authorized to fulfill this necessary task.
+Based on the above, the DPA held that it was predictable that the eligibility requirements for social housing would be checked by the controller. However, the methods used for this purpose were less predictable, because the legal provision in question     ([https://etaamb.openjustice.be/nl/besluit-van-de-vlaamse-regering-van-12-oktober-2007_n2007036959.html Article 52 Kaderbesluit]) provided a non-limited list with tools for the controller. The DPA pointed out that tasks of public interest are often based on a more general authority to act, which was the case in this decision.
 ''Necessity of the processing''
-The DPA stated that necessity of processing is often not specified in laws. Therefore, controllers which want to use [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], have to make an assessment between the necessity of their processing against the public interest and interests of data subjects. The DPA held that the data subjects were asked multiple times to provide clarity regarding their potential foreign assets. The data subjects failed to reply, which resulted in reasonable suspicions at the side of the controller. The controller state that it had no other choice than to start the foreign investigation in Turkey through its processor. The DPA determined that the processing was indeed necessary for the purpose of allocating limited government funds for social housing.
+The DPA held that the processing was necesary to investigate the potential foreign assets of the data subjects as they had failed to reply to the controller's requests to provide clarity on the matter. Hence, the DPA determined that the processing was indeed necessary for the purpose of allocating limited government funds for social housing, because of the controller's understandable suspicions."
-The DPA also rejected the argument of the data subjects that the controller could not rely on [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], because the privacy policy was not delivered. The DPA held that there was no obligation to deliver a privacy policy for the controller. Providing a link to a privacy policy was enough, which was available in this case.
+The DPA also rejected the argument of the data subjects that the controller could not rely on [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], because the privacy policy was not delivered to them. The DPA held that providing an online link to a privacy policy was sufficient, which the controller had done.
-<u>Violations of Articles  [[Article 5 GDPR|5(2)]], [[Article 24 GDPR|24(1)]], [[Article 25 GDPR|25(1)]] and [[Article 25 GDPR|25(2) GPDR]]</u>
+<u>Violations of [[Article 5 GDPR|Articles 5]], [[Article 24 GDPR|24(1)]], [[Article 25 GDPR|25(1)]] and [[Article 25 GDPR|25(2) GPDR]]</u>
-The Inspection Service stated that the controller had breached several provisions of the GPDR. However, the DPA determined that the investigation conducted the Inspection Service was too general, and that the Inspection Service did not follow up in a ‘loyal way’. It failed to ask for further question and more precise information when the provided information by the controller was not sufficient. The DPA determined that, based on the additional input the controller provided, the controller actually complied with [[Article 5 GDPR|Article 5]], [[Article 24 GDPR|Article 24(1)]], [[Article 25 GDPR|Article 25(1)]] and [[Article 25 GDPR|Article 25(2) GPDR]].
+The DPA held that the controller did not violate [[Article 5 GDPR|Articles 5]], [[Article 24 GDPR|24(1)]], [[Article 25 GDPR|25(1)]] and [[Article 25 GDPR|25(2) GPDR]], because the Inspection Unit did not conduct the investigation in a ‘loyal way’. It failed to ask for further questions and more precise information when the provided information by the controller was deemed insufficient.
 <u>Violation of [[Article 28 GDPR|Articles 28(2)]] and [[Article 28 GDPR|28(3) GDPR]] </u>
-In contrast with the other provisions, the DPA determined that the controller violated [[Article 28 GDPR|Articles 28(2)]] and [[Article 28 GDPR|28(3) GDPR]]. The investigations unit held that the data processing agreement of the controller with the processor did not contain the following aspects: - a signature of the controller; - the date of commencement; - a description of the length of the processing; - a description of the type of personal data and the categories of data subjects and the nature of the processing; and - a prior specific or general written consent of the controller to the processor to engage other processors.
+The DPA confirmed that the controller violated [[Article 28 GDPR|Articles 28(2)]] and [[Article 28 GDPR|28(3) GDPR]]. The investigations unit held that the data processing agreement of the controller with the processor did not contain all the necessary aspects. The controller agreed with this assessment and stated that it acted immediately after receiving the report from the investigations unit to make its processing GDPR complaint.
-The controller did not object to this assessment and stated that it acted immediately after the investigation unit contacted the controller with its findings. It changed its standard agreement for conducting foreign investigations accordingly. It also did not instruct its processor to conduct an investigation since.
-The DPA holds that the controller breached [[Article 28 GDPR|Articles 28(2)]] and [[Article 28 GDPR|Article 23(3)]] GDPR but that these shortcomings have been fixed in the meantime.
-<u>Violations of Articles [[Article 44 GDPR|44]], [[Article 46 GDPR|46]], [[Article 24 GDPR#1|24(1)]], [[Article 24 GDPR#2|24(2)]] [[Article 24 GDPR#5|24(5) GDPR]]</u>
+The DPA held that the controller breached [[Article 28 GDPR|Articles 28(2)]] and [[Article 28 GDPR|Article 23(3)]] GDPR, but that the shortcomings that caused these violations had already been fixed.
-The DPA also assessed the international transfers of data to Turkey. The DPA stated that the transfer of data to third countries (outside of the EU) is only allowed when the level of protection guaranteed by the GDPR is not compromised. This is the case when a third country provides an adequate level of protection or provides supplementary measures. The European Commission did not issue an adequacy decision for this country. Therefore, an adequate level of data protection had to be guaranteed with different measures.
+<u>Violations of Articles [[Article 44 GDPR|44]], [[Article 46 GDPR|46]], [[Article 24 GDPR#1|24(1)]], [[Article 24 GDPR#2|24(2)]] [[Article 24 GDPR#5|and 5(2) GDPR]]</u>
-The controller stated that it did not transfer personal data to Turkey, because it was the processor which provided personal data to - and received personal data from its Turkish sub processor. The DPA disagreed and held that the controller was in fact the controller, because it defined the means and purposes of processing ([[Article 4 GDPR|Article 4(7)]] GDPR). Therefore, it is also the controller's responsibility to ensure the processing is complaint with the GDPR, also when the processors actions result in the transfer of personal data to a third country.
+The DPA determined that controller did not violate [[Article 44 GDPR|Articles 44]], [[Article 46 GDPR|46]], [[Article 24 GDPR|24(1)]] and [[Article 5 GDPR#2|5(2) GDPR]], in contrast with the investigation unit. The controller stated that it did not transfer personal data to Turkey, because it was the processor which provided personal data to - and received personal data from its Turkish processor. The DPA disagreed. It confirmed that the controller was in fact the controller ([[Article 4 GDPR|Article 4(7) GDPR]]) and that it was the controller's responsibility to ensure its processing was GDPR compliant, including processing of its processor.
-The controller also made an argument stating that it could rely on the exception of [[Article 49 GDPR#1d|Article 49(1)(d) GDPR]] for important reasons for public interest. The DPA accepted this argument. The DPA determined that the controller provides housing for those in need, to support the right to housing. This right is internationally vested in the UDHR (Universal Declaration of Human Rights) as well as the ICESCR, which has been ratified by both Belgium and Turkey. The DPA also determined that the processing by the controller was necessary to reach to goal of providing housing.
+The controller also stated that it could rely on the exception of [[Article 49 GDPR#1d|Article 49(1)(d) GDPR]] for important reasons for public interest. The DPA accepted this argument and held that under [[Article 49 GDPR|Article 49(4) GDPR]], only public interests can be used that are recognised in EU law or in member state law. This public interest cannot be too abstract. The DPA determined that the controller provided social housing for the public interest of the right to housing. This right is internationally recognised in several international treaties (UDHR and ICESCR), ratified by both Belgium and Turkey. The DPA also repeated that the right to housing was provided in Belgian law.
-Therefore, the DPA determined that controller did not violate [[Article 44 GDPR|Articles 44]], [[Article 46 GDPR|46]], [[Article 24 GDPR|24(1)]] and [[Article 5 GDPR#2|5(2) GDPR]].
+The DPA also determined that the processing by the controller passed the necessity requirement of [[Article 49 GDPR#1d|Article 49(1)(d) GDPR]]. The DPA referred to its necessity assessment earlier in the decision.
 <u>Violation of [[Article 30 GDPR#1|Article 30(1) GDPR]]</u>
-Lastly, the DPA held that the controller did not violate [[Article 30 GDPR|Article 30(1) GDPR]]. The investigation unit held that the registry of the controller was not specific enough in describing the categories of personal data and data subjects, but the DPA disagreed. The DPA held that it is always depended on the specific case to determine whether or not it is clear and detailed enough. The DPA held that in this case, the registry was specific enough and did not constitute a violation of [[Article 30 GDPR#1c|Article 30(1)(c) GDPR]].
+The DPA held that the controller did not violate [[Article 30 GDPR|Article 30(1)(c) GDPR]][[Article 30 GDPR|.]] The investigation unit had determined that the registry of the controller was not specific enough in describing the categories of personal data and data subjects, but the DPA disagreed. The DPA held that whether or not the registry is clear and detailed enough should be assessed on a case to case basis. The DPA held that in this case, the registry was specific enough and that the elements in the registry left little room for different interpretations in the context of social housing.
-The DPA concluded violations of [[Article 28 GDPR#2|Articles 28(2)]] GDPR and [[Article 28 GDPR#3|28(3) GDPR]] but only reprimanded the controller. All other determined violations by the investigations unit were deemed unfounded by the DPA ([[Article 57 GDPR#4|Article 57(4)GDPR]]).
+The DPA determined violations of [[Article 28 GDPR#2|Articles 28(2)]] and [[Article 28 GDPR#3|28(3) GDPR]] and reprimanded the controller (Article 100, §1, 5° WOG). All other determined violations by the investigation unit were deemed unfounded ([[Article 57 GDPR#4|Article 57(4)GDPR]]).
 == Comment ==