APD/GBA (Belgium) - 158/2022: Difference between revisions

From GDPRhub
No edit summary
 
(14 intermediate revisions by 2 users not shown)
Line 75: Line 75:
}}
}}


The Belgian DPA issued a warning to the controller for having published an invoice on Facebook containing the data subject’s personal details without a legal basis and for not having responded to the data subject’s data erasure request.
The Belgian DPA warned a controller for publishing an invoice with personal data on Facebook. The controller did not have a legal basis ([[Article 6 GDPR]]) and did not delete the invoice after the data subject requested erasure.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The controller offered medical care to the data subject. On 23 June 2022, following a dispute, to which it seemed that the data subject did not pay for her treatments, the controller published an invoice on her professional Facebook page on which it contained the surname, first name and address of the data subject.
A service provider (controller) published an invoice on its Facebook page which contained the data subject's first, last name, and address. Although it was not clearly specified in this preliminary decision, it seemed like there was a dispute between the data subject and the controller regarding payment(s), where the controller published the invoice to illustrate the tariffs it applied. The data subject filed, among the others, a complaint with the local police office claiming GDPR violations. Following this, the controller only removed the postal address on the invoice, but did not delete the last name and first name. The controller also blocked the data subject from accessing the Facebook page of the controller. On 19 July 2022, the data subject filed a complaint with the Belgian DPA to raise the refusal of the controller to comply with her erasure request.  
On 28 June 2022, the data subject filed a complaint with the Conseil Régional Francophone and with the police on 1 July 2022 for invasion of privacy and GDPR violation. Following her complaint to the police, the controller only removed the data subject’s address from Facebook and blocked the data subject from accessing her Facebook page.  
On 19 July 2022, the data subject filed a complaint with the Belgian DPA to order the controller to comply with her request to exercise her right to data erasure.
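Review bot: the revised Facts paragraph drops the dates that the previous text gave for the publication (23 June 2022) and for the two earlier complaints (28 June 2022 and 1 July 2022), and it reduces the complaint to the Conseil Régional Francophone to "among the others", although the revised Holding still refers to both complaints by name. Suggest keeping the dates and naming both bodies in Facts; "among the others" should also read "among others".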


=== Holding ===
=== Holding ===
Even after the data subject filed the two complaints, the controller only partially removed the data subject’s personal information on her Facebook post which was still visible on 3 October 2022. The Belgian DPA held, therefore, that the controller failed to comply with [[Article 12 GDPR#3|Article 12(3)]] and [[Article 12 GDPR#4|Article 12(4)]].
The DPA stated that an invoice obliges the controller to collect certain basic information about the data subject. The invoice has to include first names, surnames, e-mail, billing address, delivery address as well as the content of the purchases and/or the service [[Article 4 GDPR|(Article 4(1) GDPR)]]. It also stated that the controller was a service provider and had to comply with requests made by data subjects under Articles 15 to 22 GDPR.


Moreover, the DPA examined whether the legal basis for the processing of the data subject’s data could have been based on [[Article 6 GDPR#1f|Article 6(1)(f)]], where the processing is necessary for the purposes of the legitimate interests pursued by the controller. The controller needed to meet 3 conditions to use this legal basis. Firstly, the publication by the controller of the price list of its services for reasons of transparency and to gain customers' trust could be considered a legitimate interest. However, publishing the names and address of the data subject to fulfil this aim was not considered as necessary. It only helped in labelling the data subject as a bad payer and was an attack on her person and dignity. Finally, the data subject could not have foreseen the controller posting her invoice with her personal information on Facebook to meet a transparency principle, let alone with the intention of publicly settling a dispute. The controller did not seek the data subject's consent before posting the invoice. ([[Article 6 GDPR#1a|Article 6(1)(a)]]). Thus, the DPA held that the controller did not meet any of the conditions of lawfulness set out in [[Article 6 GDPR]].  
The DPA also determined that even after the data subject previous complaint, one at the police and one at the Conseil Régional Francophone, the first name and last name of the data subject were still visible on the Facebook page on 3 October 2022. The invoice itself was still published on the controller’s Facebook page. The name of the data subject also still appeared in some of controller’s commentary included with this Facebook post.


Moreover, the means chosen by the controller (i.e., publishing an invoice on Facebook to settle a dispute and display her price list) put the responsibility principle into question ([[Article 24 GDPR]]).  
The DPA considered that for the processing in question (the publication of the invoice with the name of the data subject) the controller did not meet any of the conditions for lawfulness of processing ([[Article 6 GDPR]]). For the sake of completeness, the DPA examined whether the processing could have been based on ‘Legitimate interest ([[Article 6 GDPR|Article 6(1)(f) GDPR]]), The controller needed to meet 3 cumulative conditions to use this legal basis: the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed, the necessity of the processing of personal data for the fulfilment of the legitimate interest pursued and the condition that the fundamental rights and freedoms of the data subject do not prevail (balancing test).
Thus, the DPA held that the controller did not respect [[Article 12 GDPR#3|Article 12(3)]], [[Article 12 GDPR#4|Article 12(4)]] in relation with [[Article 17 GDPR#1|Article 17(1)]] and ordered the controller to comply with the data subject’s request to data erasure. The controller also breached [[Article 6 GDPR]] and [[Article 24 GDPR]], therefore, the DPA issued a warning (pursuant to [[Article 58 GDPR#2a|Article 58(2)(a)]]) for the controller to respect the data subjects’ requests and the responsibility principle in the future. This decision aimed to inform the controller of the different articles she breached and to enable her to comply with the GDPR under 30 days of receiving this decision ([[Article 58 GDPR#2c|Article 58(2)(c)]]).
 
Firstly, the DPA determined that the publication of a price list of the controller’s services (in the form of an invoice) could be considered a legitimate interest for reasons of price-transparency and a way to gain customers' trust. Secondly, the processing (publication) was not considered necessary to reach the purpose. The DPA stated that for this necessity test, it had to be analysed whether the same result could be achieved by other means, without processing personal data at all or without unnecessary substantial processing. In this case, the processing only helped in labelling the data subject as someone who did not fulfil her financial obligations, which was also an attack on her person and dignity in the event of a dispute. It did not offer any added value for the purpose of price transparency. This purpose could also have been achieved without publishing an invoice with personal data. Instead, a brochure or a leaflet could have been published. Thirdly, the DPA held that for the balancing test, the reasonable expectations of the data subject should have been taken into account regarding the processing of personal data for a particular purpose. (Recital 47 GDPR) The DPA stated that the data subject could not have foreseen the controller posting her invoice with her personal information on Facebook. The controller also did not ask for consent to publish the invoice on Facebook ([[Article 6 GDPR|Article 6(1)(a) GDPR]]). The controller therefore failed the balancing test. The DPA held that the controller could not rely on legitimate interest ([[Article 6 GDPR|Article 6(1)(f) GDPR]]) and stated that the controller did not seem to comply with [[Article 6 GDPR]]. The controller was obliged to the delete the personal data of the data subject as soon as possible ([[Article 17 GDPR|Article 17(1) GDPR]]). 
The DPA also determined that the controller seemed to fail to comply with [[Article 24 GDPR]], because it had published the invoice to illustrate the tariffs it applied and/or to settle a dispute. This did not seem to ensure that processing was carried out in compliance with the GDPR and other data protection laws.  
 
Thus, the DPA held that the controller seemed to fail to comply with [[Article 12 GDPR|Articles 12(3)]] [[Article 12 GDPR|and 12(4)]] [[Article 17 GDPR|and 17(1) GDPR]] and ordered the controller to comply with the data subject’s request to data erasure (Article 95(1)(5) LCA). The DPA also issued a warning (pursuant to Article 95(1)(4) LCA and [[Article 58 GDPR|Article 58(2)(a) GDPR]]) for the controller because it seemed to fail to comply with [[Article 6 GDPR|Articles 6]] [[Article 24 GDPR|and 24 GDPR]]. The DPA warned the controller to respect data subject requests in the future. The DPA also emphasised that this was a ''prima facie'' decision and part of the ''procedure'' ''prior to the decision on the merits''.  
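Review bot: the revised Holding links lose the paragraph anchors the previous text used, for example `[[Article 6 GDPR#1f|Article 6(1)(f)]]` became `[[Article 6 GDPR|Article 6(1)(f) GDPR]]`, and the same applies to the Article 12, 17 and 58 links, so readers now land at the top of each article page; suggest restoring the `#` anchors. The new text also has an unclosed quotation mark before "Legitimate interest" followed by a comma and a capitalised "The controller", "the data subject previous complaint" for two complaints, and "obliged to the delete".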


== Comment ==
== Comment ==
''Share your comments here!''
It is most likely that the controller was some kind of medical service provider. Although the nature of the controller was not explicitly specified in the decision. This can be deduced from the wording in paragraph 25, which stated that the controller “treated”.
 
Although it was not clearly specified, it is most likely that there was a dispute between the data subject and the controller, which resulted in the publication of the invoice on the controller's Facebook page. This dispute seemed to be about the lack of payment by the data subject. This can be deduced from paragraph 38, which stated that the publication of the name of the data subject only results in the data subject being labelled online as a bad payer or even results in an attack on his person and dignity in the event of a dispute. Another indication can be found in paragraph 42, were the DPA stated that the controller had published the invoice to illustrate applied tariffs and/or settle a dispute. 
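Review bot: in the new Comment text, "paragraph 42, were the DPA stated" should read "where", and "Although the nature of the controller was not explicitly specified in the decision." is a sentence fragment that belongs with the sentence before it. The second paragraph also says "his person and dignity" where the Holding uses "her" for the same data subject.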


== Further Resources ==
== Further Resources ==

Latest revision as of 12:47, 16 November 2022

APD/GBA - 158/2022
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 6 GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 17(1) GDPR
Article 24 GDPR
Type: Complaint
Outcome: Upheld
Started: 15.09.2022
Decided: 07.11.2022
Published: 07.11.2022
Fine: n/a
Parties: X (the data subject)
Y (the controller)
National Case Number/Name: 158/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: n/a

The Belgian DPA warned a controller for publishing an invoice with personal data on Facebook. The controller did not have a legal basis (Article 6 GDPR) and did not delete the invoice after the data subject requested erasure.  

English Summary

Facts

A service provider (controller) published an invoice on its Facebook page which contained the data subject's first name, last name and address. Although it was not clearly specified in this preliminary decision, it seemed that there was a dispute between the data subject and the controller regarding payment(s), in which the controller published the invoice to illustrate the tariffs it applied. The data subject filed, among others, a complaint with the local police office claiming GDPR violations. Following this, the controller removed only the postal address from the invoice, but did not delete the last name and first name. The controller also blocked the data subject from accessing the controller's Facebook page. On 19 July 2022, the data subject filed a complaint with the Belgian DPA about the controller's refusal to comply with her erasure request.

Holding

The DPA stated that an invoice obliges the controller to collect certain basic information about the data subject. The invoice has to include first names, surnames, e-mail, billing address, delivery address as well as the content of the purchases and/or the service (Article 4(1) GDPR). It also stated that the controller was a service provider and had to comply with requests made by data subjects under Articles 15 to 22 GDPR.

The DPA also determined that even after the data subject's previous complaints, one to the police and one to the Conseil Régional Francophone, the first name and last name of the data subject were still visible on the Facebook page on 3 October 2022. The invoice itself was still published on the controller's Facebook page. The name of the data subject also still appeared in some of the controller's commentary included with this Facebook post.

The DPA considered that for the processing in question (the publication of the invoice with the name of the data subject) the controller did not meet any of the conditions for lawfulness of processing (Article 6 GDPR). For the sake of completeness, the DPA examined whether the processing could have been based on legitimate interest (Article 6(1)(f) GDPR). The controller needed to meet 3 cumulative conditions to use this legal basis: the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed, the necessity of the processing of personal data for the fulfilment of the legitimate interest pursued, and the condition that the fundamental rights and freedoms of the data subject do not prevail (balancing test).

Firstly, the DPA determined that the publication of a price list of the controller's services (in the form of an invoice) could be considered a legitimate interest for reasons of price transparency and as a way to gain customers' trust. Secondly, the processing (publication) was not considered necessary to reach the purpose. The DPA stated that for this necessity test, it had to be analysed whether the same result could be achieved by other means, without processing personal data at all or without unnecessary substantial processing. In this case, the processing only helped in labelling the data subject as someone who did not fulfil her financial obligations, which was also an attack on her person and dignity in the event of a dispute. It did not offer any added value for the purpose of price transparency. This purpose could also have been achieved without publishing an invoice with personal data. Instead, a brochure or a leaflet could have been published. Thirdly, the DPA held that for the balancing test, the reasonable expectations of the data subject should have been taken into account regarding the processing of personal data for a particular purpose (Recital 47 GDPR). The DPA stated that the data subject could not have foreseen the controller posting her invoice with her personal information on Facebook. The controller also did not ask for consent to publish the invoice on Facebook (Article 6(1)(a) GDPR). The controller therefore failed the balancing test. The DPA held that the controller could not rely on legitimate interest (Article 6(1)(f) GDPR) and stated that the controller did not seem to comply with Article 6 GDPR. The controller was obliged to delete the personal data of the data subject as soon as possible (Article 17(1) GDPR). The DPA also determined that the controller seemed to fail to comply with Article 24 GDPR, because it had published the invoice to illustrate the tariffs it applied and/or to settle a dispute. This did not seem to ensure that processing was carried out in compliance with the GDPR and other data protection laws.

Thus, the DPA held that the controller seemed to fail to comply with Articles 12(3), 12(4) and 17(1) GDPR and ordered the controller to comply with the data subject's data erasure request (Article 95(1)(5) LCA). The DPA also issued a warning (pursuant to Article 95(1)(4) LCA and Article 58(2)(a) GDPR) to the controller because it seemed to fail to comply with Articles 6 and 24 GDPR. The DPA warned the controller to respect data subject requests in the future. The DPA also emphasised that this was a prima facie decision and part of the procedure prior to the decision on the merits.

Comment

It is most likely that the controller was some kind of medical service provider, although the nature of the controller was not explicitly specified in the decision. This can be deduced from the wording in paragraph 25, which stated that the controller “treated”.

Although it was not clearly specified, it is most likely that there was a dispute between the data subject and the controller, which resulted in the publication of the invoice on the controller's Facebook page. This dispute seemed to be about the lack of payment by the data subject. This can be deduced from paragraph 38, which stated that the publication of the name of the data subject only results in the data subject being labelled online as a bad payer or even results in an attack on her person and dignity in the event of a dispute. Another indication can be found in paragraph 42, where the DPA stated that the controller had published the invoice to illustrate applied tariffs and/or settle a dispute.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision 158/2022 of November 7, 2022

File number: DOS-2022-03009

Subject: Complaint for publication on social networks (Facebook) of an invoice with mention of the last name/first name of the customer and partial response of the processing responsible on request for erasure

The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”;

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “ACL”;

Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Made the following decision regarding:

The complainant: Ms. X, hereinafter “the complainant”;

The defendant: Y, hereinafter: “the defendant”.


I. Facts and procedure


1. On July 19, 2022, the complainant filed a complaint with the Authority for the Protection of data (hereinafter “ODA”).

2. The subject of the complaint concerns the publication, on June 23, 2022, of an invoice addressed to the name of the plaintiff by the defendant on the professional Facebook page (public page) of the latter. This invoice contained the following personal information: the names and first names as well as the postal address of the complainant.

3. On July 17, 2022, the complainant contacted the DPA to obtain information following the publication of his invoice on the defendant's professional Facebook page. On 18 July 2022, the APD provides response elements and communicates the various procedures available to the complainant.

4. On July 19, 2022, the complainant replies to the email from the DPA and attaches the complaint form supplemented by appendices to support her comments: she indicates that she has exercised her rights with the data controller (the defendant); having filed a complaint, on June 28, 2022, to the Francophone Regional Council of […] (hereinafter “Z”) and, on July 1, 2022, to the police for invasion of his privacy and violation of the GDPR (PV number (...)). The complainant explains also that, following the complaint lodged with the police, the defendant, on the one hand, withdrew, on July 12, 2022, from his professional Facebook page some of the personal information appearing on the invoice, except for his first and last names, and on the other hand, blocked his access to said Facebook page.

5. On September 5, 2022, the Service de Première Ligne (hereinafter “SPL”) declares the complaint inadmissible “on the ground that the processing complained of has ceased” because the defendant deleted the identification data of the complainant. On the same date, the complainant informed the SPL that his surnames/first names are still mentioned on the professional Facebook page of the defendant.

6. On September 9, 2022, the SPL claimed proof of the facts invoked, namely “copy/capture screenshot of the invoice which is still present on the professional Facebook page of the […] containing [the] name [of the complainant] and the details of the services performed on [her] (...)”. On September 12, 2022, the complainant sends a screenshot of the disputed publication.

7. On September 13, 2022, the SPL asked the complainant to send it a copy of the publication in another format because the screenshot received is not readable and does not allow the information published by the defendant to be read. The Complainant sends by email two documents in PDF format containing the screenshots of the contentious publication.

8. On September 15, 2022, the DPA SPL declares the complaint admissible on the basis of Articles 58 and 60 of the LCA, and sends it to the Litigation Chamber in accordance with article 62, § 1 of the ACL.






II. Motivation


9. Pursuant to Article 4, § 1 of the LCA, the DPA is responsible for monitoring the principles of data protection contained in the GDPR and other laws containing provisions relating to the protection of the processing of personal data.

10. Pursuant to Article 33, § 1 of the LCA, the Litigation Chamber is the body for ODA administrative litigation. It receives complaints that the SPL forwards to it in application of Article 62, § 1 of the LCA, i.e. admissible complaints. In accordance with Article 60 paragraph 2 of the LCA, complaints are admissible if they are written in one of the national languages, contain a statement of the facts and the information necessary to identify the processing of personal data to which they relate and which fall within the competence of the ODA.

11. Pursuant to Articles 51 et seq. of the GDPR and Article 4, § 1 of the LCA, it is up to the Litigation Chamber as an administrative litigation body of the DPA, to exercise effective control of the application of the GDPR and to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free flow of personal data within the Union.

12. On the basis of the facts described in the complaint file as summarized above, and on the powers attributed to it by the legislator under Article 95, § 1 of the LCA, the Litigation Chamber decides to proceed, on the one hand, to take a decision in accordance with Article 95, § 1, 5° of the LCA, more specifically to order the controller to comply with the complainant's request to exercise its right to erasure (Art. 17.1 GDPR), on the other hand, to a warning in accordance with Article 95, § 1, 4° of the LCA; for the reasons set out below.

13. The Litigation Chamber notes that the complainant raises the refusal by the head of the processing to follow up on the request to exercise their right to erasure.

14. Firstly, it appears from the documents in the file that the complainant does not provide proof of the exercise of his rights with the controller as stipulated in the complaint form; filed a complaint on June 28, 2022 with the Francophone Regional Council […] (hereinafter “Z”) and July 1, 2022 to the police for invasion of his privacy and violation of the GDPR (PV number: (...)).


15. The Litigation Chamber also notes that the complaints filed with Z and the police relate to the publication of an invoice – mentioning the surnames and first names as well as the postal address – of the complainant on the professional Facebook page of the manager of the treatment: “therefore, I wish to lodge a complaint against this […] for […] having published in public mode my personal data on his Facebook page.”[1] or “[...] file a complaint of injury to life and violation of the GDPR against named Y [...]”[2].

16. The Litigation Chamber understands that the complainant has had to exercise her right to erasure (Art. 17.1.c of the GDPR), especially since she filed a complaint with the Z and the police; but that the controller has only partially responded to his request in deleting only the postal address appearing on the invoice published on the professional Facebook page.

17. The Litigation Chamber recalls that Article 4(1) of the GDPR defines “personal data” as “any information relating to a natural person identified or identifiable (hereinafter referred to as the "data subject"); is deemed to be a "identifiable natural person" means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, an online identifier, or to one or several specific elements specific to its physical, physiological, genetic, psychological, economic, cultural or social”.[3]

18. A “processing” of personal data means, according to the GDPR, “any operation or any set of operations whether or not carried out using automated processes and applied to personal data or sets of personal data, such as collecting, recording, organizing, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of making available, the reconciliation or interconnection, limitation, erasure or destruction”.[4]

19. GDPR Article 4(7) defines “controller”[5] as “the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing”.

20. As the EDPB pointed out in Guidelines 07/2020 on the notions of controller and processor, the controller may be designated by a legislative or regulatory text. Otherwise, to identify it, it should analyze the factual elements or circumstances of the case, in particular determine its legal and organizational capacity, as well as its autonomy in the definition of the purposes, i.e. the objectives pursued, and the means of processing.

[1] A reproduction of the complaint filed with Z.
[2] A reproduction of the complaint lodged with the police (report number: (..)).
[3] GDPR, art. 4.1); Opinion 4/2007 of the “article 29” working group on data protection on the concept of personal data, adopted on June 20, 2007, available at https://cnpd.public.lu/dam-assets/fr/publications/groupe-art29/wp136_fr.pdf; Cf. the Nowak judgments (CJUE, 20 December 2017, C-434/16, ECLI:EU:C:2017:994) and Breyer (CJUE, 19 October 2016, C-582/14, ECLI:EU:C:2016:779).
[4] GDPR, Art. 4, 2).
[5] GDPR, recitals 74, 79 and 81; GDPR, art. 4.7), 4.8), 24, 26, 28, 29.


21. The Litigation Chamber recalls that the data controller must follow up on the request made pursuant to Articles 15 to 22 of the GDPR by the complainant, in this case a request for erasure provided for in Article 17 of the GDPR (exercise of the right to deletion), in compliance with the conditions set out in Article 12 of the GDPR.[7]

22. The Litigation Chamber also emphasizes that it is the responsibility of the controller to provide the complainant with information on the measures taken following a request formulated in application of Articles 15 to 22 of the GDPR, as soon as possible and in any event within one month of receipt of the request.[8] Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months, taking into account the complexity and number of requests. In such a case, the controller informs the complainant of this extension and the reasons for the postponement within one month from receipt of the request.[10]

23. In the event that the data controller does not respond to the request made by the complainant,[11] he shall inform the latter without delay and at the latest within one month from receipt of the request, of the reasons for its inaction and the possibility to lodge a complaint with a supervisory authority and to lodge a jurisdictional appeal.

24. In this case, the Litigation Chamber recalls that the invoice, whatever its format, obliges the data controller to collect certain basic information concerning the customer (in this case, an individual). The invoice will include at least: first names, names, e-mail, billing address, delivery address as well as the content of the purchases and/or the service. In accordance with article 4.1) of the GDPR, the surnames, first names and postal address correspond to personal data.

25. The Litigation Chamber understands that the defendant is at the origin of the provision of service (in this case, she treated […]) but also invoicing; and, as such, it must, as data controller, respond to the request made in application of Articles 15 to 22 of the GDPR by the complainant.

[6] EDPB, “Guidelines 07/2020 concerning the notions of controller and processor in the GDPR”, adopted on 7 July 2021.
[7] GDPR, Art. 12.
[8] GDPR, Art. 12.2 and 12.3.
[9] GDPR, Art. 12.3.
[10] GDPR, Art. 12.3.
[11] GDPR, Art. 12.4.



26. Secondly, it is apparent from the documents in the file that the publication at issue – the invoice

      mentioning the surname/first name of the complainant – was still published on the Facebook page

      of the controller on October 3, 2022 at 10:56 a.m. (Belgian

      time), despite the complaints lodged with the Z (June 28, 2022) and the police (July 1,

      2022). It also notes that the complainant's surname/first name still appears in the

      comment from the controller.


27. In addition, the Litigation Division notes that the controller indicates in his

      comment published on his professional Facebook page the following sentence: “having

      no worries about exposing my rates, I attach your invoice to this comment”.


     Figure 1 - Screenshot of October 03, 2022 at 10:56 a.m. (Belgian time - following URL address […])

     Figure 2 - Screenshot of 03 October 2022 at 10:56 (Belgian time - following URL address […])



 28. The Litigation Chamber recalls that the GDPR clearly sets out the principle of

       responsibility, according to which the data controller is obliged to implement

       appropriate technical and organizational measures to ensure and be able to

       demonstrate that the processing is carried out in accordance with the GDPR and other laws of

       protection of personal data. 12


 29. The Court of Justice of the European Union in its judgment of 13 May 2014, Google Spain and

       Google, also recalls that "the data controller must ensure, within the framework

       of its responsibilities, competences and possibilities, that the processing of

       data in question satisfies the requirements of Directive 95/46 so that the guarantees

       provided for by it can develop their full effect and that effective and

       of the persons concerned, in particular their right to respect for private life,

       can actually be carried out”. 13


 30. The Litigation Chamber also emphasizes that the processing is "lawful only if, and

       to the extent that, at least one of the following conditions is met:


       a) the data subject has consented to the processing of his or her personal data
       for one or more specific purposes;


       b) the processing is necessary for the performance of a contract to which the data subject is
       party or the execution of pre-contractual measures taken at the latter's request;


       c) processing is necessary for compliance with a legal obligation to which the controller
       is subject;


       d) the processing is necessary to safeguard the vital interests of the data subject
       or another natural person;


       e) processing is necessary for the performance of a task carried out in the public interest or in
       the exercise of official authority vested in the controller;

       f) processing is necessary for the purposes of the legitimate interests pursued by the controller

       or by a third party, unless such interests are overridden by the interests or fundamental rights

       and freedoms of the data subject which require protection of personal data,

       in particular when the person concerned is a child. [...]". 14

 31. In the present case, the Litigation Division finds that the publication as a whole,

       namely the publication of the invoice with the surname/first name of the complainant as well as the mention

       in the comment of his name/first name on the professional Facebook page of the

       controller, constitutes processing of personal data within the

       meaning of Article 4, 1) of the GDPR, in the context of which the principles of data protection




12 GDPR, recital 74; GDPR, art. 5, §2 and 24.
13 Opinion of Advocate General Y. Bot, 24 October 2017, in the case ULD v. Wirtschaftsakademie Schleswig-Holstein, point 44; see
also CJEU, 13 May 2014, Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos and González, Case C-131/12, points
38 and 83.
14 GDPR, Art. 6, §1.



       must apply to any data relating to an identified natural person or

       identifiable.


 32. The Litigation Chamber questions the publication of an invoice from a client (a private

       individual) with mention of the surname/first name on social networks, in this case the

       professional Facebook page (public page) of the controller, and the lawfulness of this

       processing. The Litigation Chamber considers that the controller does not meet

       any of the conditions of lawfulness provided for in Article 6 of the GDPR. For the sake of completeness, the

       Chamber nevertheless examines whether the processing of data could be based on the lawful

       basis of “legitimate interest” provided for in Article 6.1, f) of the GDPR. 15


 33. In accordance with Article 6.1, f) of the GDPR and the case law of the Court of Justice of the European

       Union (hereinafter “the Court”), three cumulative conditions must be met in order

       for a data controller to validly invoke this basis of lawfulness, "namely,

       firstly, the pursuit of a legitimate interest by the controller or

       by the third party or parties to whom the data is communicated, secondly, the need for the

       processing of personal data for the fulfillment of the legitimate interest

       pursued and, thirdly, the condition that the fundamental rights and freedoms of the

       person concerned by data protection do not prevail”.


 34. In other words, in order to be able to invoke the basis of lawfulness of “legitimate interest”

       in accordance with Article 6, §1, f) of the GDPR, the controller must demonstrate that:


       1) the interests it pursues with the processing can be recognized as legitimate (the
       “finality test”);


       2) the envisaged processing is necessary to achieve those interests (the “necessity test”);
       and


       3) the weighing of these interests against the fundamental interests, freedoms and rights

       of data subjects weighs in favor of the data controller (the “weighting

       test”).

 35. With regard to the first condition (the "finality test"), the Litigation Chamber

       considers that the purpose of publishing the rates applied by the controller

       for its services (transparency on prices), in order to gain the confidence of

       customers, must be considered as pursuing a legitimate interest.








15 CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA „Rīgas
satiksme”, recital 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, recital
40; Data Protection Authority, Litigation Chamber, 30 October 2020, substantive decision 71/2020 (§68), available at
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf.
16 Data Protection Authority, Litigation Chamber, 30 October 2020, substantive decision 71/2020 (§69), available at
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf.



       In accordance with recital 47 of the GDPR, the interest that the defendant was pursuing

       as controller can in itself be considered legitimate. The first

       condition set out in Article 6.1.f) of the GDPR is therefore fulfilled.

 36. With respect to the second condition (the “necessity test”), the

       controller must demonstrate that the processing is necessary for the achievement of the purposes

       pursued. This means more precisely that one must ask oneself whether the same result

       cannot be achieved by other means, without processing personal data or

       without unnecessary substantial processing for data subjects.


 37. Starting from the purpose, namely the publication on social networks of the tariffs applied by

       the controller, it should therefore be checked whether the publication of the invoice with

       the indication of the surname/first name of the complainant, supported by a comment which again

       mentions the surname/first name, may or may not contribute to the transparency of the prices applied by

       the controller.


 38. However, the publication of the invoice with the indication of the surname/first name of the complainant,

       supported by a comment which again takes up his surname/first name, has not only the

       consequence that the person concerned is described online as a bad payer, or even that

       his person and his dignity are harmed, in the event of a dispute. More importantly, this

       method does not offer any added value in the display of the prices charged by the

       controller (price transparency). If the controller's intention is to

       allow potential customers, through this practice, to know the rates, the Litigation

       Chamber argues that this purpose can also be achieved without publishing

       an invoice with the complainant's identification data but rather with a

       brochure or prospectus which only mentions the prices per service. The second

       condition is not met.

 39. With regard to the third condition (the "weighting test"), one must first take

       account of the reasonable expectations of the person concerned, in accordance with recital

       47 GDPR. In particular, it must be assessed whether "the data subject can

       reasonably expect, at the time and in the context of the collection of personal

       data, that they are processed for a given purpose”.


 40. The Litigation Chamber finds that the Complainant could at no time expect

       that his invoice would be published with his surname/first name to meet a principle of

       transparency of the prices applied by the data controller, still less with

       the intention of publicly settling a dispute arising from a dispute. Moreover, the


17 Data Protection Authority, Litigation Chamber, 30 October 2020, decision on the merits 71/2020 (§70 to 72), available at
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf.
18 GDPR, Recital 47; CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, recital 58; Data Protection
Authority, Litigation Chamber, 30 October 2020, decision on the merits 71/2020 (§73 to 75), available at
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf.


       controller does not appear to have requested, under Article 6, §1, a) of the

       GDPR, the consent of the complainant to publish the invoice with his name/surname on

       social networks, in this case “Facebook”. The third condition is therefore not met

       either.


 41. The Litigation Division considers that all of the elements set out above demonstrate

       that the controller cannot invoke article 6.1, f) of the GDPR to qualify as lawful

       the publication of the invoice with mention of the surname/first name of the complainant on its

       professional Facebook page. Therefore, the data controller seems not to

       comply with the requirements of article 6 of the GDPR and must respond favorably to the

       complainant's request to exercise the right to erasure: he has the obligation to erase,

       as soon as possible, the personal data of the complainant (art. 17.1. of the GDPR).

 42. Finally, the Litigation Division points out that the means chosen by the

       controller (in this case, posting on the defendant’s professional Facebook page the

       invoice of a customer with mention of his name / first name to illustrate the rates applied and / or

       settle a dispute) undermine the principle of responsibility provided for in Article 24 of the

       GDPR. These measures defined by the data controller do not seem to be such as

       to ensure that the processing is carried out in accordance with the GDPR and other laws on the

       protection of personal data.


 43. Ultimately, in view of the aforementioned examination, the Litigation Chamber concludes that the

       controller has not, prima facie, complied with Articles 12.3 and 12.4 of the GDPR,
       as well as Article 17.1 of the GDPR, which in this case justifies taking a

       decision on the basis of Article 95, § 1, 5° of the LCA, more specifically to order the

       controller to comply with the complainant's request to exercise its

       right to erasure (Art. 17.1 of the GDPR) and to erase the personal

       data in question (i.e. the invoice with the indication of the surname/first name of the

       complainant, supported by a comment that again includes his name/first name).


 44. The Litigation Chamber also concludes that the controller has not,

       prima facie, complied with Articles 6 and 24 of the GDPR, which in this case justifies

       taking a decision on the basis of Article 95, § 1, 4° of the LCA, more specifically to address

       to the controller a warning within the meaning of Article 58.2.a) of the GDPR so that

       the latter ensures, in the future, that it responds to requests for the exercise of the rights of data
       subjects and respects the principle of responsibility.









19 GDPR, recital 74; GDPR, art. 5, §2 and 24.



 45. This decision is a prima facie decision taken by the Litigation Chamber

        pursuant to Article 95 of the LCA on the basis of the complaint submitted by the complainant,

        within the framework of the “procedure prior to the substantive decision” 20 and not a decision on the

        merits of the Litigation Chamber within the meaning of Article 100 of the LCA.


 46. The purpose of this decision is to inform the defendant, allegedly responsible for the

        processing, that it may have violated the provisions of the GDPR,

        in order to enable it to still comply with the aforementioned provisions.


 47. If, however, the controller does not agree with the content of this

        prima facie decision and believes that he can make factual and/or legal arguments

        which could lead to another decision, the latter may address to the Litigation

        Chamber a request for processing on the merits of the case via the e-mail address

        litigationchamber@apd-gba.be, within 30 days of notification of

        this decision. If necessary, the execution of this decision will be suspended

        during the aforementioned period.


 48. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3°

        juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their

        conclusions and attach to the file all the documents they deem useful. If applicable,

        this decision is permanently suspended.


 49. In the interests of transparency, the Litigation Chamber finally emphasizes that

        dealing with the case on the merits may lead to the imposition of the measures mentioned in

        Article 100 of the LCA. 21















20 Section 3, Subsection 2 of the LCA (arts. 94 to 97 inclusive).
21 Art. 100. § 1. The Litigation Chamber has the power to:
 1° dismiss the complaint without follow-up;
 2° order the dismissal;

 3° pronouncing the suspension of the pronouncement;
 4° to propose a transaction;
 5° issue warnings and reprimands;
 6° order to comply with requests from the data subject to exercise his or her rights;
 7° order that the person concerned be informed of the security problem;
 8° order the freezing, limitation or temporary or permanent prohibition of processing;
 9° order compliance of the processing;

 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data;
 11° order the withdrawal of accreditation from certification bodies;
 12° to issue periodic penalty payments;
 13° to issue administrative fines;
 14° order the suspension of cross-border data flows to another State or an international body;
 15° forward the file to the Public Prosecutor's Office of Brussels, who informs it of the follow-up given to the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.



III. Publication of the decision


 50. Given the importance of transparency regarding the decision-making process of the Litigation

       Chamber, this decision is published on the website of the Data Protection

       Authority. However, it is not necessary for this purpose that the identification data

       of the parties are communicated directly.




  FOR THESE REASONS,


  the Litigation Chamber of the Data Protection Authority decides, subject to

  the introduction of a request by the data controller for substantive processing,

  in accordance with Articles 98 et seq. of the LCA:


     - pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the LCA, to order the

         controller to comply with the data subject's request

         to exercise their rights, within 30 days of notification of

         this decision;


     - pursuant to Article 58.2.a) of the GDPR and Article 95, §1, 4° of the LCA, to issue

         a warning against the data controller;

     - to order the data controller to inform the Data Protection Authority

         (Litigation Chamber) by e-mail of the follow-up given to this decision, within

         the same deadline, via the e-mail address litigationchamber@apd-gba.be; and


     - if the data controller does not comply in good time with what is

         requested above, to deal ex officio with the case on the merits, in accordance with Articles

         98 et seq. of the LCA.





In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days of its notification, to the Court of Markets (Brussels Court

of Appeal), with the Data Protection Authority as defendant.


Such an appeal may be introduced by means of an interlocutory request which must contain the

information listed in article 1034ter of the Judicial Code. The interlocutory motion must be





22 The request contains, under penalty of nullity:
 1° the indication of the day, month and year;
 2° the surname, first name, domicile of the applicant, as well as, where applicable, his capacity and his national register number or
     enterprise number;
 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
 4° the object and summary statement of the grounds of the application;
 5° the indication of the judge who is seized of the application;
 6° the signature of the applicant or his lawyer.



filed with the registry of the Court of Markets in accordance with article 1034quinquies of the Judicial Code 23, or

via the e-Deposit information system of the Ministry of Justice (article 32ter of the Judicial Code).



(signed) Hielke HIJMANS



President of the Litigation Chamber

23 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to
the court clerk or filed at the court registry.