APD/GBA (Belgium) - 162/2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=162/2022 |ECLI= |Or...") |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 100: | Line 100: | ||
The Belgian DPA's Inspection Service started an investigation of the regional government agency for tourism. The controller collects personal data of Airbnb hosts through Airbnb as intermediary. The controller is legally tasked to watch over the quality of the Airbnb hosts. This legal task forms the legal basis for the controller. The Inspection Service held that the controller couldn't rely on [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], the controller interprets its legal obligations too broadly. | The Belgian DPA's Inspection Service started an investigation of the regional government agency for tourism. The controller collects personal data of Airbnb hosts through Airbnb as intermediary. The controller is legally tasked to watch over the quality of the Airbnb hosts. This legal task forms the legal basis for the controller. The Inspection Service held that the controller couldn't rely on [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], the controller interprets its legal obligations too broadly. | ||
On top of that, the Inspection Service held that the controller breaches [[Article 12 GDPR#1|Article 12(1) GDPR]], [[ | On top of that, the Inspection Service held that the controller breaches [[Article 12 GDPR#1|Article 12(1) GDPR]], [[Article 13 GDPR]] and [[Article 14 GDPR|Article 14 GDPR]] because the information in their privacy policy was not concise, transparent, nor easily accessible, as well as containing wrong and missing information. The controller admits that this used to be the case, but that this issue has now been resolved. | ||
Following, the Inspection Service held that the website placed non-strictly necessary cookies without providing a way to refuse the cookies, nor were the website visitors provided with clear information. The controller contests this and also states that a new website was launched in the meantime, which follows best practices. | Following, the Inspection Service held that the website placed non-strictly necessary cookies without providing a way to refuse the cookies, nor were the website visitors provided with clear information. The controller contests this and also states that a new website was launched in the meantime, which follows best practices. | ||
Line 111: | Line 111: | ||
The DPA sets out that the controller is responsible, by law in article 11 Logiesdecreet, for recognition and evaluation of touristic accommodation. The DPA holds that article 11 Logiesdecreet is unclear how personal data can be gathered through intermediaries. The legislator intended to allow the controller to gather contact details of accommodation hosts (which are often not published on the intermediaries' website), as such, it is foreseeable that personal data will be processed for this purpose. The processing is also necessary to reach the purpose. Without the personal data, the controller has no way to contact the hosts. The DPA also holds that the personal data is proportionate to reach the purpose, only the necessary information is requested. The DPA finds no breach of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. | The DPA sets out that the controller is responsible, by law in article 11 Logiesdecreet, for recognition and evaluation of touristic accommodation. The DPA holds that article 11 Logiesdecreet is unclear how personal data can be gathered through intermediaries. The legislator intended to allow the controller to gather contact details of accommodation hosts (which are often not published on the intermediaries' website), as such, it is foreseeable that personal data will be processed for this purpose. The processing is also necessary to reach the purpose. Without the personal data, the controller has no way to contact the hosts. The DPA also holds that the personal data is proportionate to reach the purpose, only the necessary information is requested. The DPA finds no breach of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. | ||
Secondly, the DPA holds that the cookie policy was indeed not sufficiently transparent and lacked several requirements. The controller is a government agency, it solely referred to the regional governmental DPA (Vlaamse Toezichtscommissie) to contact for complaints. The DPA reaffirms that even though the regional governmental DPA is competent to rule, the DPA is also competent and should be included in the privacy policy. The DPA suggests using a layered approach to make the privacy policy more easily digestible. Finally, the DPA concludes that the previous privacy policy breaches [[Article 12 GDPR#1|Article 12(1) GDPR]], [[ | Secondly, the DPA holds that the cookie policy was indeed not sufficiently transparent and lacked several requirements. The controller is a government agency, it solely referred to the regional governmental DPA (Vlaamse Toezichtscommissie) to contact for complaints. The DPA reaffirms that even though the regional governmental DPA is competent to rule, the DPA is also competent and should be included in the privacy policy. The DPA suggests using a layered approach to make the privacy policy more easily digestible. Finally, the DPA concludes that the previous privacy policy breaches [[Article 12 GDPR#1|Article 12(1) GDPR]], [[Article 13 GDPR]] and [[Article 14 GDPR|Article 14 GDPR]] but that the shortcomings have been resolved in the meantime. | ||
The DPA dismisses the non-strictly necessary cookies report of the Inspection Service since it did not provide adequate prove. | The DPA dismisses the non-strictly necessary cookies report of the Inspection Service since it did not provide adequate prove. |
Latest revision as of 08:21, 23 November 2022
APD/GBA - 162/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(11) GDPR Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 5(2) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 6(1)(c) GDPR Article 6(3) GDPR Article 7(1) GDPR Article 7(3) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 25(2) GDPR Article 38(1) GDPR Article 39(1) GDPR Decreet houdende het toeristische logies Decreet tot oprichting van het intern verzelfstandigd agentschap met rechtspersoonlijkheid "Toerisme Vlaanderen" |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 14.01.2022 |
Decided: | 16.11.2022 |
Published: | |
Fine: | n/a |
Parties: | Toerisme Vlaanderen |
National Case Number/Name: | 162/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA reprimands a government agency for not proactively involving its DPO in a processing activity relying on Article 6(1)(c) GDPR. All processing activities must be in line with the GDPR, even those mandated by legislation predating the GDPR.
English Summary
Facts
The Belgian DPA's Inspection Service started an investigation of the regional government agency for tourism. The controller collects personal data of Airbnb hosts through Airbnb as intermediary. The controller is legally tasked to watch over the quality of the Airbnb hosts. This legal task forms the legal basis for the controller. The Inspection Service held that the controller couldn't rely on Article 6(1)(c) GDPR, the controller interprets its legal obligations too broadly.
On top of that, the Inspection Service held that the controller breaches Article 12(1) GDPR, Article 13 GDPR and Article 14 GDPR because the information in their privacy policy was not concise, transparent, nor easily accessible, as well as containing wrong and missing information. The controller admits that this used to be the case, but that this issue has now been resolved.
Following, the Inspection Service held that the website placed non-strictly necessary cookies without providing a way to refuse the cookies, nor were the website visitors provided with clear information. The controller contests this and also states that a new website was launched in the meantime, which follows best practices.
Lastly, the Inspection Service held that the DPO was not proactively involved nor consulted, resulting in a breach of Article 38(1) GDPR and Article 39(1) GDPR. For the processing as described above, the controller stated that the DPO did not need to be consulted as the Logiesdecreet provided the legal basis to process data. However, the DPO did provide a positive advice afters the first contact of the Inspection Service.
Holding
First, the Belgian DPA checks whether the controller can rely on legal obligation under Article 6(1)(c) GDPR to process the personal data of Airbnb hosts. This processing can only happen if it is necessary to fulfill a legal obligation. The GDPR does not require each separate processing to have its exclusive norm. The norm must be sufficiently clear and precise, its application must be foreseeable by data subjects.
The DPA sets out that the controller is responsible, by law in article 11 Logiesdecreet, for recognition and evaluation of touristic accommodation. The DPA holds that article 11 Logiesdecreet is unclear how personal data can be gathered through intermediaries. The legislator intended to allow the controller to gather contact details of accommodation hosts (which are often not published on the intermediaries' website), as such, it is foreseeable that personal data will be processed for this purpose. The processing is also necessary to reach the purpose. Without the personal data, the controller has no way to contact the hosts. The DPA also holds that the personal data is proportionate to reach the purpose, only the necessary information is requested. The DPA finds no breach of Article 6(1)(c) GDPR.
Secondly, the DPA holds that the cookie policy was indeed not sufficiently transparent and lacked several requirements. The controller is a government agency, it solely referred to the regional governmental DPA (Vlaamse Toezichtscommissie) to contact for complaints. The DPA reaffirms that even though the regional governmental DPA is competent to rule, the DPA is also competent and should be included in the privacy policy. The DPA suggests using a layered approach to make the privacy policy more easily digestible. Finally, the DPA concludes that the previous privacy policy breaches Article 12(1) GDPR, Article 13 GDPR and Article 14 GDPR but that the shortcomings have been resolved in the meantime.
The DPA dismisses the non-strictly necessary cookies report of the Inspection Service since it did not provide adequate prove.
Lastly, the DPA assesses whether the DPO should be been proactively involved. The DPA holds that the DPO is a key-figure regarding data protection. As such, a DPO must be involved for all matters concerning personal data, in a proper and timely manner. The fact that the Logiesdecreet predates the GDPR does not absolve the organisation from applying the GDPR and thus involving the DPO to check whether all processing of personal data is compliant. The DPA holds that the controller breached Article 38(1) GDPR and Article 39(1) GDPR.
The DPA reprimands the controller for its (past) breaches and dismisses the parts which did not lead to GDPR infractions. The DPA also reaffirms that it cannot impose a fine on a governmental agency.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/23 Litigation room Decision on the basis of 162/2022 of 16 November 2022 File number : DOS-2021-05803 Subject : Research on the sharing of accommodation data via the Airbnb platform The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Frank De Smet and Jelle Stassijns, members. Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Made the following decision regarding: The defendant: VISITFLANDERS, with registered office at 1000 Brussels, Grasmarkt 61, with company number 0225.944.375, hereinafter “the defendant”. Decision on the substance 162/2022 - 2/23 Fact procedure 1. On 14 January 2022, the Executive Committee of the Data Protection Authority will decide (hereinafter: “GBA”) to catch the Inspection Service on the basis of Article 63, 1° WOG because of a practice that may give rise to a violation of the fundamental principles of the protection of personal data. The object of the proceedings concerns the broad way in which personal data of operators of accommodation via the Airbnb platform in the context of "random sampling". requested by the defendant from various intermediaries. This practice lasted following a judgment of the Court of First Instance which held that this sampling can only take place in very limited cases. This procedure has also relates to the fact that hereby no advice from the officer for this data protection was requested. 2. On 27 January 2022 the investigation will be completed by the Inspection Service, the report will be appended to the file and the file is transferred by the Inspector General to the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG). The report contains findings regarding the subject matter of the decision Management Committee and decides that there is: a. a breach of article 5, paragraph 1, a) and c) and paragraph 2 of the GDPR, article 6, paragraph 1 of the GDPR, article 24 (1) GDPR and Article 25 (1) and (2) GDPR; b. a breach of Article 12(1) and (6) GDPR, Article 13(1) and (2) GDPR and Article 14(1) and (2) GDPR, Article 5(2) GDPR, Article 24(1) GDPR and Article 25(1) of the GDPR; and c. a violation of Article 38(1) and (3) of the GDPR. d. an infringement of Article 4, 11) of the GDPR, Article 5, paragraph 1, a) and paragraph 2 of the GDPR, Article 6, paragraph 1, a) of the GDPR and Article 7, paragraphs 1 and 3 of the GDPR for the use of non-strict necessary cookies. 3. On 4 February 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for treatment on the merits. 4. On 4 February 2022, the defendant will be notified by e-mail of the provisions such as mentioned in article 95, § 2, as well as in article 98 WOG. They are also based on Article 99 WOG of the time limits for submitting their defences. With regard to the findings within and outside the subject matter of the decision of the Management Committee became the deadline for receipt of the statement of reply of recorded by the defendant on 18 March 2022. Decision on the substance 162/2022 - 3/23 5. On February 8, 2022, the defendant electronically accepts all communications regarding the matter. 6. On 25 February 2022, the defendant requests a copy of the file (Article 95, §2, 3 ° WOG), which was transferred to him on February 25, 2022. 7. On March 17, 2022, the Disputes Chamber will receive the statement of defense from the defendant with regard to the findings with regard to the object of the decision of the Executive Committee. This conclusion also contains the reaction of the defendant about the findings made by the Inspectorate outside the scope of the complaint. The defendant argues, first, that the processing on its part is a lawful data processing. Second, the defendant argues that the data processing in question constitutes correct and permitted data processing, whereby the basic principle of data minimization from Article 5, paragraph 1, c) GDPR is respected and that he can also demonstrate this transparent and understandable, that it contains complete information, and that it can do this demonstrate. Fourth, the defendant argues that it was not obliged to to seek advice from the Data Protection Officer in relation to it Memorandum of Understanding. Finally, the defendant argues that on its website only Strictly necessary or functional cookies are employed for which there is no permission is required. According to him, no non-necessary cookies were active. Consequently it was providing (transparent) information about such cookies according to the defendant irrelevant. Nor is this a legal obligation, according to the defendant. 8. On September 14, 2022, the parties will be notified that the hearing will take place on October 21, 2022. 9. On 21 October 2022, the party appearing will be heard by the Disputes Chamber. During the day the hearing has explained to the defendant what steps it has already taken on the matter of data protection since the submission of the complaint and the Inspectorate investigation. So the Litigation Chamber could determine during the hearing that virtually all grievances from the complaint and areas of concern from the Inspection Report were addressed by the defendant. 10. On October 25, 2022, the minutes of the hearing will be sent to the parties transferred. 11. On October 29, 2022, the Disputes Chamber will receive some from the defendant remarks with regard to the official report, which it decides to include in her deliberation. Decision on the substance 162/2022 - 4/23 Motivation 12. The Disputes Chamber then assesses each of the findings included in the Inspection report in the light of the pleas put forward by the defendant in this regard. I.1. Article 5, paragraph 1, a) and c) and paragraph 2 GDPR, Article 6, paragraph 1 GDPR, Article 24, paragraph 1 and Article 25, paragraph 1 en 2 GDPR. I.1.1. Article 5 paragraph 1 a) and c) and Article 6 paragraph 1 GDPR 13. The Litigation Chamber recalls that the starting point of Article 5(1)(a) GDPR is that personal data may only be processed lawfully. This means that a legal basis for the processing of personal data as referred to in Article 6(1) of the GDPR must be present. Article 6(1) states in further elaboration of this basic principle GDPR that personal data may only be processed on the basis of one of the Article listed legal bases. 14. During the Inspection investigation, the defendant admits that he has complied with article 6, paragraph 1c) of the AVG invokes, with regard to the request to Airbnb for operator and accommodation data to be delivered to the defendant. The Inspectorate establishes that the defendant assumes a too broad interpretation of his legal obligations that he does not show why it processing of personal data in the context of a sample is necessary. On base of these elements, the Inspectorate declares an infringement of article 5, paragraph 1, a) and c) and article 6 (1) GDPR. 15. The Litigation Chamber recalls that in order to be able to rely lawfully on the legal basis from article 6, paragraph 1, c) AVG, personal data may only be processed if this is necessary for the fulfillment of a legal obligation on the controller rest. In these cases, the processing must always be a have a basis in the law of the European Union or that of the Member State concerned, which must also state the purpose of the processing. It should therefore be checked whether in this case the conditions set out in that article have been met. 16. In accordance with Article 6.3 GDPR, read in conjunction with Article 22 of the Constitution and Article 7 and 8 of the Charter, a legislative standard should contain the essential features of to record data processing that is necessary for the fulfillment of a legal obligation, regardless of whether it is in the law of the European Union or in the law 1 of the Member States. In the aforementioned provisions it is hereby emphasized that the processing involved should be framed by a standard that is sufficiently clear and is accurate, the application of which is foreseeable for the persons concerned. The GDPR however, does not prescribe specific legislation for each individual processing 1See e.g. decision 149/2022 dd. October 18, 2022 and 48/2022 dated April 4, 2022. Substantive decision 162/2022 - 5/23 is. Legislation that serves as a basis for several will suffice processing based on a legal obligation on the controller rest. 17. The Litigation Chamber will determine the terms of legal basis and necessity below judge. A clear, precise and predictable legal basis 18. According to Recital 41 of the GDPR, this legal basis or legislative measure be clear and precise and its application must be for the litigants be foreseeable, in accordance with the jurisprudence of the Court of Justice of the European Union and the European Court of Human Rights. 19. Recital 41 GDPR specifies in this regard: “When in this regulation to a referenced to a legal basis or a legislative measure does not require this necessarily require a legislative act enacted by a parliament, without prejudice to the requirements in accordance with the constitutional order of the Member State matter. However, this legal basis or legislative measure must be clear and precise and its application must be predictable for those to whom it applies applies, as required by the case law of the European Court of Justice Union (“Court of Justice”) and the European Court of Human Rights”. In accordance with Article 22 of the Belgian Constitution, essential elements of the processing in addition by means of a formal legal standard (law, decree or ordinance) to be adopted.2 20. In this context, the Disputes Chamber refers more specifically to the Privacy judgment International of the Court of Justice dated October 6, 2020, in which the Court states that the relevant legislation should contain clear and precise rules “about the scope and the application of the measure concerned, so that those whose personal data at issue, have sufficient guarantees that those data are effective be protected against the risk of abuse”. The Court adds: “That arrangement must be legally binding under domestic law and in particular indicate in which circumstances and under what conditions a measure provides for the processing of such data can be taken, thus ensuring that the interference to what is strictly necessary is limited. (...) These considerations apply in particular 2“Everyone has the right to respect for his private and family life, except in the cases and under the conditions set by law. The law, decree or rule referred to in Article 134 guarantees protection of that right.” 3 ECJ, C-623/17, 6 October 2020, Privacy International t. Secretary of State for Foreign and Commonwealth Affairs and others Decision on the substance 162/2022 - 6/23 when it comes to the protection of a special category of personal data, te know sensitive data” 21. The defendant's mission is, among other things, to increase the attractiveness of Flanders as a destination. To fulfill this mission, article 5 of the decree lays down establishing the internal independent agency with legal personality “ToerismeVlaanderen” tasks on the defendant that he must fulfill, including tasks on integral quality assurance. This includes: responsible for the development and the promotion of integral quality assurance within the framework of the powers that are granted by current and future legal and regulatory provisions regarding the following matters: (a) tourism infrastructure, subsidies, participations and other initiatives and (b) provision of information, services, training and labelling. In implementation of the above is determined by the decree on tourist accommodation 6 of 5 February 2016 (hereinafter: Accommodation Decree) (and its implementing decrees) different conditions that every tourist accommodation in the Flemish Region must meet sufficient for it to be recognized as tourist accommodation and subsequently to be operated in this way become. The defendant is charged with the implementation of this Accommodation Decree, including the recognition as tourist accommodation and monitoring compliance with this recognition conditions. 22. In order to be recognized as tourist accommodation, the accommodation must therefore comply with the conditions as stipulated in Article 6 of the Accommodation Decree. The research into it meeting the conditions for recognition is regulated in chapter 5 of the Accommodation Decree. Article 10 of the Accommodation Decree prescribes that the Flemish Government designate persons authorized to supervise and control the compliance with the provisions of the Accommodation Decree (i.e. inspectors at VISITFLANDERS which can be designated by the Flemish Government). 23. In the context of this supervisory and control power, Article 11 of the Accommodation Decree as follows: “Art. 11. The intermediaries, referred to in Article 2, 5°, must provide tourist accommodation located in the Flemish Region for which they mediate or promote, op written request, the details of the operator and the address details of the communicate tourist accommodation to the agents of the federal and local police and to the authorized persons, stated in Article 10. These details can be requested in the context of a random check, if in doubt on the tourist accommodation comply with the 4Article 4 of the decree establishing the internal independent agency with legal personality “Tourism Flanders”, BS 29 April 2004 (hereinafter: Establishment Decree). 5 BS April 29, 2004. 6BS 8 March 2016. Substantive decision 162/2022 - 7/23 conditions of this decree or its implementing decrees, or in the context of a complaint about a tourist accommodation.” 7 24. Article 11 of the Accommodation Decree therefore prescribes that intermediaries, such as Airbnb in this case, the details of the operator and the address details of the tourist accommodation must inform the officials authorized by the Flemish Government when they do so be requested. In view of the above, the defendant argues that, through the the aforementioned authorized officials, can request specific data from a intermediary such as Airbnb in at least three cases: - in the context of a clearly defined random check; - in case of doubt whether the tourist accommodation meets the conditions of the Accommodation Decree and its implementing decrees; - in the context of a complaint about tourist accommodation. 25. Contrary to the finding of the Inspectorate, the defendant believes that he does not interpret Article 11 too broadly. The defendant refers in this regard to the parliamentary preparation of the Accommodation Decree, which states in this regard: “ [t]he written request referred to must be made with reasonableness and proportionality are used. The data must be requested specifically, it is too say in the context of a clearly defined sample (e.g. one or more accommodation in the same city, municipality or region), in case of doubt whether these tourist accommodations are sufficient to the conditions of this decree and its implementing decrees or within the framework of a complaint about these tourist accommodations.” 26. This position, according to the defendant, is also consistent with the report on behalf of the Committee on Foreign Policy, European Affairs, International Cooperation, Tourism and Real Estate which reads as follows: “[…] Every tourist accommodation can be checked at all times for basic standards. Inspection is done at the request of a hotel manager (with the possibility of recognition) or on government initiative (randomly, in case of doubt or complaint)[…]”. In an opinion the Commission for the Protection of Privacy (CBPL) the same position taken: “The data should be requested specifically, within the framework of a clearly defined sample, in case of doubt or in case of a complaint”. 7Article 2,5°Accommodation Decree: “5°intermediary: any natural or legal person who in any way against payment mediates in offering tourist accommodation on the tourist market, promotes tourist accommodation or offers services through which operators and tourists can interact directly.' Decision on the substance 162/2022 - 8/23 27. However, the Inspectorate argues that this is an incorrect reading of Article 11 of the Accommodation Decree and refers in this regard to a judgment of the Court of First Instance in Brussels . In this verdict, the court concluded that there are only two cases in which the data can be be requested from the intermediaries: (1) in case of doubt as to whether the accommodation is satisfactory to the conditions of the decree, and (2) in the case of a complaint about a tourist accommodation.According to the court, the sample is not a substantive situation that meets the conditions which may or may not be satisfied, but merely a particular method or procedure which prescribed by the legislature to be in either hypothesis used when requesting information. 28. Following this judgment of the Brussels Court of First Instance, the defendant withAirbnbeenagreement("MemorandumofUnderstanding",hereinafter:"MoU") being voluntary and in good will to a workable application of this provision is coming. The MoU regulates a number of modalities about the delivery of operators accommodation data in the context of a request by the defendant pursuant to Article 11 of the Accommodation Decree. This includes the data that the defendant will request specifically named, as well as the number of applications and the geographical demarcation of one request are specified. 29. The Disputes Chamber notes that the text of Article 11 of the Accommodation Decree has been established that uncertainty may exist about the cases in which the personal data may be requested by the defendant from intermediaries. This becomes illustrated by the fact that the defendant gives a different interpretation to Article 11 of the Accommodation Decree than the Court of First Instance in Brussels in the above stated verdict. To find out the intention of the legislator, the Litigation Chamber to the preparatory works of the Accommodation Decree. 30. The preparatory works of the Accommodation Decree state that in practice it is found that more and more intermediaries such as tourist rental offices and Internet platforms, such as Airbnb, offer tourist accommodation on the market without mention of the concrete (address) details of the tourist accommodation or contact details of the operator. This makes (or even prevents) locating difficult or checking these accommodations, even in case of complaints. Article 11 of the Accommodation Decree tries to meet this problem and offers the competent authorities persons responsible for the supervision and control of the accommodation decree (in addition to the authorized officials mentioned above, including federal and local agents police) the possibility to request the operator data and the address details of tourist accommodation located in the Flemish Region at te ask these intermediaries such as Airbnb. The written request that applies 8 Court of first instance in Brussels, case A.R. 2018/3527/A. Decision on the substance 162/2022 - 9/23 to be used with fairness and proportionality. The data should be purposeful to be requested, that is to say, in the context of a demarcated sample (for example, one or more accommodations in the same city, municipality or region), in case of doubt whether this tourist accommodation meets the conditions of the accommodation decree and are implementing decrees or in the context of a complaint about these tourist accommodations. 31. In view of the above, the Disputes Chamber concludes that the intention of the legislature was to provide for at least three distinct cases in which the personal data could be specifically requested from an intermediary: - in the context of a clearly defined sample; - in case of doubt whether these accommodations meet the conditions of the Accommodation Decree; - in the context of a complaint about tourist accommodation. 32. This interpretation also satisfies the requirement of foreseeability as defined in Article 6.3 GDPR. As already explained, Article 6 of the Accommodation Decree determines the conditions for recognition of a tourist accommodation. These conditions have under others relate to the safety of the users of the accommodation, such as fire safety. As soon as these conditions are no longer met, in accordance with Article 12 of the Accommodation Decree, an administrative fine may be imposed. In addition, can also be ordered to stop the operation of tourist accommodation (article of the decree). Based on the above, it is therefore predictable for those involved that the compliance with the registration conditions must be verifiable by the authorized officials, both during the recognition and afterwards. 33. The Litigation Chamber finds that this interpretation also allows the defendant to be proactive to act in the context of its enforcement activity through clearly defined samples. If the defendant could only act in the event of a complaint or doubt, the defendant would not have the necessary tools to enforce his decree audit duty properly. Sampling is therefore absolutely necessary defendant to be able to implement a sound enforcement policy and thus to comply with its legal obligation. 34. To the extent necessary, and also as cited by the defendant, the 10 Litigation Chamber that the Amendment Decree was adopted on 9 February 2021 Article 11 of the Accommodation Decree referred to above changes as follows: 9Proposed decree on tourist accommodation, Vl. Parl. 2015-16 499/1 p. 13. 10 In full: Decree amending the Decree of 5 February 2016 concerning tourist accommodation and the abolition of the Decree of 18 July 2003 on accommodation and associations that practice a week in the context of tourism for Allen, Parl.St. Vl. Parl., 2021-22, no. 1028/6, p.3. Decision on the substance 162/2022 - 10/23 “Art. 11. The intermediaries share for tourist accommodation in Flanders Region for which they mediate or promote, upon written request, the details of the operator and the address details of the tourist accommodation to federal and local police officers and authorized persons, mentioned in Article 10. The data, stated in the first paragraph, can be requested in the following cases: 1° as part of a random check to verify whether tourist accommodation for which the intermediary mediates or promotes, are registered with Tourism Flanders. In a sample, at most, the data requested from all operators and tourist accommodations in the same city or Township. Multiple samples can be taken at the same intermediate person; 2° in case of doubt whether a tourist accommodation for which the intermediary mediates or promotes, meets the conditions stated in this decree, and the its implementing decrees; 3° in the context of a complaint about tourist accommodation.” The Litigation Chamber notes in this context that this new legislation has been published after the data processing at issue and therefore does not apply to the processing in present case. Consequently, the Litigation Chamber has not relied on this new one legislation to reach this decision. Necessity 35. Pursuant to Article 6(1)(c) GDPR, the processing is lawful if and to the extent the processing is necessary for the fulfillment of the legal obligation on the controller rest. When personal data is processed they must be adequate and relevant for the purpose. There are no more allowed personal data are processed than necessary for the purpose (article 5.1, c) GDPR). 36. According to the Inspection Report, the defendant does not demonstrate why the processing of personal data in the context of a sample is necessary as imposed by Article 5(1)(c) in the context of its supervision and audit mission. 37. The defendant argues that the necessity of requesting the data regarding the tourist accommodation is evident from the fact that without requesting this the defendant details the tourist accommodation, which is sold on the market through intermediaries offered (1) cannot verify and (2) cannot contact their operators. The The defendant only requests the minimum of information that it needs to make a claim to be able to identify tourist accommodation and to contact its operator so that the the defendant can check whether the conditions of the accommodation decree and the implementing decrees are complied with. Without this control and contact option, the defendant cannot check whether the above-mentioned conditions of the Accommodation Decree and the implementing decrees are complied with. The defendant hereby points out that this is specifically in thecaseofAirbnbthemoreisnecessary.Airbnbparttimesinrulenoaddressdata of the accommodation and no name or contact details of the operator on its website. 38. Based on the conclusion of the defendant, the Litigation Chamber establishes that the following data is requested: - The name of the tourist accommodation (accommodation name on Airbnb) - The address of the tourist accommodation (street, house number,…) - Capacity of the tourist accommodation (in the context of fire safety); - The name of the operator of the tourist accommodation (the first and last name of the operator, where available to Airbnb) and the online host name; - The contact details of the operator of the tourist accommodation (the e-mail address of the operator). 39. The Disputes Chamber is of the opinion that this information is necessary with a view to the correct identification of tourist accommodation and to contact the operator to go or the conditions of the Accommodation Decree and its implementing decrees complied. I.1.2. Article 5 (2), Article 24 (1) and Article 25 (1) and (2) GDPR 40. The controller must comply with the basic principles of Article 5 GDPR and dat can demonstrate. This follows from the accountability as understood in Article 5, paragraph 2 j° Article 24 (1) GDPR. Based on Articles 24 and 25 GDPR, every controller takes appropriate technical and organizational measures to ensure and be able to demonstrate that the processing takes place in accordance with the GDPR. As already explained, this case concerns the transfer of operator and accommodation data by Airbnb (as an intermediary) to the defendant. This one transmission was made at the request of the defendant. 41. In the context of its investigation, the Inspectorate assessed to what extent the the defendant has taken the necessary technical and organizational measures to comply with the principle of lawfulness and data minimization within the scope of this request for transfer. In this respect, the Inspectorate decides that the defendant does not has sufficiently demonstrated that he has taken the necessary measures to ensure that the disputed processing takes place in accordance with Article 5(1) a) and c) and Article 6 (1) GDPR, since the Inspection Service has come to the conclusion that the processing operations were not in accordance with these principles. Decision on the substance 162/2022 - 12/23 42. The Litigation Chamber has in section I.1.1. no infringements detected of Article 5(1)(a) and c) and Article 6 (1) GDPR. Consequently, there is also no reason to infringe the accountability. The Disputes Chamber therefore rules that the Defendant has sufficiently demonstrated that it does indeed comply with its obligations accountability there is therefore no breach of Article 5(2), Article 24(1) and Article 25, paragraphs 1 and 2 GDPR was committed by the defendant, in connection with the legality of the processing. I.2. Article 12(1) and (2), Article 13(1) and (2), Article 14(1) and (2), Article 5(2), Article 24 (1) and Article 25 (1) GDPR I.2.1. Article 12, paragraph 1 and paragraph 2, Article 13, paragraph 1 and paragraph 2, Article 14, paragraph 1 and paragraph 2 43. In implementation of the transparency principle from Article 5, paragraph 1, a) GDPR, based on Article 12 (1), Article 13 (1) and Article 14 (1) and (2) GDPR, it is necessary that the controller, in this case the defendant, to the data subjects concise, provides transparent and understandable information about the personal data that is processed become. In its capacity as controller, the defendant must implement Articles 12, 13 and 14 of the GDPR. 44. In the present case, the Inspectorate concludes that the defendant has committed an infringement committed on Article 12 Paragraph 1 and Paragraph 2 GDPR, Article 13 Paragraph 1 and Paragraph 2 GDPR, Article 12 Paragraph 1 and Paragraph 2, Art. 5(2), Art. 24(1) GDPR and Art. 25(2) GDPR as the privacy statement Operator's portal would contain incorrect information and would be incomplete. 45. Pursuant to Article 12(1) of the GDPR, the defendant is responsible for the take appropriate measures to comply with Articles 13 and 14 of the GDPR information in a concise, transparent, comprehensible and easily accessible manner plain language and in writing or by other means, including electronic means provide. 46. As regards the content of this information, data subjects were provided with the information referred to in paragraphs 1 and 2 listed points of both Articles 13 and 14 to be communicated because not all information was obtained directly from them. 11 47. First of all, the Inspection Report concludes that the “Operator Portal Privacy Statement” of the defendant is not transparent and understandable, as required by Article 12 (1) GDPR and contains incorrect information from a data protection point of view, because of the following observations: 11 Article 29 Working Party, Guidelines on Transparency under Regulation (EU) 2016/679, WP 260, revised version of 11 April 2018 (adopted by the European Data Protection Board https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 (point 23). Decision on the substance 162/2022 - 13/23 a. ThePrivacy StatementOperator Portalcontainsirrelevantandconfusinginformation, such as a reference to the “Privacy Act of 1992”, the mention of hyperlinks without any explanation and clear connection to the text, and a reference to ‘part 9’ of the Operator Portal privacy statement that does not contain part 9. b. The defendant's Operator Portal privacy statement incorrectly creates the perception towards data subjects that the GDPR is being complied with. This would be misleading as the Inspection Service has reported several breaches of the GDPR has established. c. The defendant's Operator Portal privacy statement erroneously does not make any notification of the possibility for data subjects to submit a complaint to the GBA. However, there is mention of the possibility to file a complaint serve at the Flemish Supervisory Commission (VTC). d. Finally, the Inspectorate concludes that the Privacy Statement Operator portal is not clear and therefore not transparent with regard to: i. the purposes and legal bases of the processing: there is no clarifies which legal obligations the defendant must meet requirements that require the processing of personal data; ii. the exercise of the rights of data subjects: there is no clarifies what a data subject may specifically do with the defendant expect if he exercises his rights; and iii. the adjustments that were made: it is not specified when adjustments were made, water was precisely adjusted and via which “common communication channels” are involved in this regard to be informed. 48. Secondly, the Inspectorate also notes that the privacy statement for the Operators Portal of the defendant is incomplete because not all are required according to Articles 13 and 14 GDPR information is effectively stated, as no information is given about: a. the processing purposes and the legal basis for the processing; b. the fact that data subjects have the right to a given consent at all time to withdraw; c. that the data subjects have the right to submit a complaint to the GBA; and d. the source from which the personal data originates, and where applicable, or they come from public sources. Decision on the substance 162/2022 - 14/23 49. Since the defendant carries out a large number of data processing operations, resulting in a large amount of information must be provided to the data subjects, is the Litigation Chamber considers that a 12 controller such as the defendant must adopt a multi-layered approach: - On the one hand, the data subject must have clear and accessible information about the fact that there are information about the processing of personal data exists (privacy policy) and where he will be able to do it in full find. - On the other hand, without prejudice to the accessibility of the privacy policy in its entirety, from the first communication of the controller with him be informed of the details of the purpose of the processing in question, the identity of the controller and the rights available to him. 50. The importance of providing this multi-layered information arises in particular from recital 39 of the GDPR. Any additional information necessary to identify the data subject on the basis of the information provided at this first level to understand what the consequences of the processing concerned will be for him should be added. 51. The defendant is of the opinion that the information he provided to the concerned provided meets the requirements of Articles 12, 13 and 14 of the GDPR. In this connection emphasizes the defendant that he has strict compliance with the legislation concerning pursues data protection and works closely with its data protection officer for this purpose data protection. The defendant argues that since the drafting of the Inspection report has adjusted the privacy statement Uitbatersportaal in consultation with the data protection officer. In his conclusions, the defendant explains which how the new privacy statement for the Operators Portal has been amended. 52. With regard to the transparency and comprehensibility of the privacy statement, the defendant tohehasadjustedtheprivacystatementOperator's portalsince it was drawn up of the Inspection Report where the following adjustments were made: there is none reference more to the abolished Privacy Act, only to the GDPR. The confusing reference to a non-existent part 9 was also removed. The reference to the contact options of the defendant were also adjusted. As for the possible confusion around the hyperlinks without further explanation, argues the defendant that in the passage above the hyperlinks it is indeed explained why the defendant processes the personal data with explicit reference to it 12 In the same sense: decision no. 81/2020 of the Litigation Chamber (points 53 et seq.) and decision 76/2021 (points 58 et seq.), can be consulted via https://www.dataprotectionauthority.be/burger/publicaties/besluiten Decision on the substance 162/2022 - 15/23 Accommodation decrees and the basic register of Flemish accommodation he has not yet received any question or comment in this regard, which means that he raises the question of whether there is any confusion at all. Under the title “What are your rights and how you can exercise them”, the new privacy statement now also provides the mention (in addition to the VTC) of the GBA in the context of exercising the rights of data subjects. 13 53. As far as necessary and in accordance with its previous decisions, the Litigation chamber that the GBA as federal supervisory authority is competent in any case 14 is to monitor compliance with the GDPR. This is also the case if the data processing relates to a matter covered by the competence of the communities or the regions (state authorities) and/or if the controller is a public authority that falls under the communities or regions, even if the federal state itself has one supervisory authority within the meaning of the GDPR. 54. Subsequently, the defendant sets out the following arguments in its claims show that the determination of the Inspectorate regarding the alleged incompleteness of the Privacy Statement is incorrect. 55. As regards the determination of the purposes and legal bases for the processing the defendant refers that this has been dealt with earlier [see section II.1]. Then the defendant that the possibility to submit a complaint and therefore also an objection is explicitly stated in the privacy statement Operators portal was included. In the new privacy statement The operator portal contains the following passage: “Right to object: If you believe that your personal data is not may be processed longer because of your specific situation, you can object to such processing, in the context of our products and services we offer in the public interest.” 56. The Disputes Chamber notes that under part 6 of the previous privacy statement Operator portal the data subject has been informed about his rights that he can exercise against the defendant. The Litigation Chamber refers to the relevant passage that read as follows: “With regard to your personal data, you always have the right to […] a submit a complaint regarding the processing of your personal data[…].All requests for the exercise of the above rights can be delivered through the channels provided are listed in section 9 of this privacy statement. If you don't join us in one 13See e.g. Marktenhof judgment, 2022/AR/457, dd. October 26, 2022, and also the following decisions of the Litigation Chamber: decision 62/2022 of April 29, 2022, decision 31/2022 of March 4, 2022, decision 15/2020 of April 15, 2020. 14The judgment of the Marktenhof dd. October 26, 2022 (2022/AR/457) confirms the jurisdiction of the DPA regarding of Flemish authorities. Decision on the substance 162/2022 - 16/23 If a solution is found, you also have the right to submit a complaint to the Flemish Supervisory Committee […]”. 57. The Disputes Chamber finds that the defendant in the old privacy statement Operator portal has not used the correct terminology, which can cause confusion to care. As far as necessary, the Disputes Chamber reminds that a complaint and a objection (both mentioned in the privacy statement Uitbatersportaal) do not have the same meaning cover under the GDPR and every controller must use the correct terminology handling. A data subject has the right to inform a controller request that his/her personal data is no longer used. This is called the right of objection. The right to object can be exercised in accordance with Art. 21 GDPR when the processing is based on one of the following legal grounds: the justified interest and the performance of a task of public interest or public authority. In others cases, the data subject cannot object because of the other legal grounds alternatives exist to achieve the same goal: with consent, the data subject can do this moving in; the data subject cannot object to processing imposed by law. If the data subject does not agree with how a controller with handles his/her personal data and there is no agreement with the controller solution can be found, the person concerned can submit a complaint to the GBA. In the originalprivacy statementOperator portal should also have been clarified that the data subject has the right to lodge an objection with the defendant, and if necessary, then has the right to submit a complaint to the GBA. In the new privacy statement Operators portal, this distinction is correctly used, despite the fact that both terms are used incorrectly in the conclusion. 58. The Defendant also believes that the Privacy Statement of the Operator Portal expressly identifies the source of mentions the personal data as well as that the public data becomes available made via the basic register of Flemish accommodation offerings, stating a link to it base register. The new privacy statement Operators Portal explicitly states under the title “Why do we process your personal data” following text: “Toerisme Vlaanderen can obtain the following personal data at three (3) ways, namely: on paper, via the operator portal or via the web service Crossroads Bank for Holiday Homes (CIB Vlaanderen is freely available and accessible via the website of VISITFLANDERS (click here).” 59. In conclusion, the defendant concludes that the new privacy statement The operator portal is transparent and understandable, and that this information is correct and complete at least that the determination of the Inspection Service has become meaningless in view of the changes made to the new privacy statement for the Operators Portal. Decision on the substance 162/2022 - 17/23 60. The Disputes Chamber is of the opinion that the new privacy statement for the Operator Portal contains the Articles 13 and 14 of the GDPR requirement now contain elements believes that the defendant, as required by Article 12(1) of the GDPR, in its privacy policy has mainly used simple, clear and straightforward wording to convey the to inform data subjects about the data processing operations it carries out. 61. However, the Disputes Chamber also finds that the defendant was negligent in the past acted, as was also established in the Inspection Report. More specifically contained the privacy statement Operator portal irrelevant and confusing information, such as a reference to a non-existent Part 9 and a reference to the Privacy Act of 1992. In addition, the operator portal privacy statement was incomplete and not transparent, among other things due to the lack of reference to the possibility to file a complaint with the GBA, by unclear reference to the purposes and legal bases of the processing and exercising the rights of the data subject, and by using incorrect terminology. 62. The Disputes Chamber does point out that the defendant has made efforts to update the information to be provided under Articles 12, 13 and 14 GDPR, albeit after receipt of the Inspectorate's comments. 63. The Disputes Chamber therefore establishes that the Privacy Statement for the Operators Portal initially does not met the requirements of Articles 12, 13 and 14 GDPR, resulting in a violation of Articles 12, 13 and 14 GDPR. This does not alter the fact that this has been rectified in the meantime. I.2.2. Article 5 (2), Article 24 (1) and Article 25 (1) GDPR 64. With regard to accountability (as defined above in section I.1.2) with with regard to the transparency obligations, the Inspectorate notes that these are not was complied with by the defendant with regard to the transparency obligations of the defendant. This follows from the breach of Articles 12, 13 and 14 mentioned above AVG. 65. The Litigation Chamber ruled in part I.2.1 that there was indeed a breach of the principles of transparency as understood in these articles. The Dispute Chamber notes, therefore, that the defendant failed to demonstrate that it had the necessary technical and has taken organizational measures to comply with the obligations regarding transparency as stipulated in Articles 12, 13 and 14 GDPR. Consequently, the decision Litigation Chamber that there was a violation of Articles 12, 13 and 14 GDPR. This does not alter the fact that this has been rectified in the meantime. Decision on the substance 162/2022 - 18/23 I.3. Article 38 (1) GDPR and Article 39 (1) GDPR 66. The Inspectorate's report finds that the defendant has complied with the requirements regarding the position of the data protection officer under Article 38 (1) GDPR and the tasks of the data protection officer under Article 39 (1) GDPR complied. 67. The Inspectorate does the following with regard to the data protection officer findings, as summarized below: a. The defendant states in his answer to the Inspection Service during the investigation he received no advice from his data protection officer inquired about the data processing between Airbnb and the defendant. According to the defendant, this was not necessary because the legal basis was already established in article 11 of the Accommodation Decree. b. In the same answer, the defendant states that he is of his official for data protection has not sought advice on the interpretation of the term “random sample” from Article 11 of the Accommodation Decree. 68. The Inspectorate therefore decides that the data protection officer should not go to was properly and timely involved in the context of this file. The advice of October 11, 2021 that was provided following the letter from the GBA on September 10, 2020 is not sufficient to to be able to speak of proper and timely (documented) involvement. Consequently, the Inspection Service claims an infringement of Article 38(1) GDPR and Article 39(1) GDPR fixed. 69. The Litigation Chamber recalls that Article 38(1) GDPR prescribes that the controller ensures that the officer for data protection is timely and properly involved in all matters related to the protection of personal data. Based on Article 39(1). AVG must be the data protection officer (a) the controller informing and advising on its obligations under the GDPR and others Union or Member State data protection provisions and (b) monitor compliance with the GDPR, other Union or Member State law data protection provisions and of the policy of the controller or the processor with regard to the protection of personal data, including of the allocation of responsibilities, awareness raising and training of the processing of personnel involved and the relevant audits. 70. The defendant emphasizes regarding the position of the official for data protection under Article 38(1) GDPR that, in his view, there was no need Decision on the substance 162/2022 - 19/23 to involve the data protection officer in the conclusion of the MoU. Like all other intermediaries, Airbnb is obliged to provide operator and accommodation data to the defendant since the entry into force of the Accommodation Decree on 1 April 2017. The legal basis for communicating this information to the defendant is therefore based on Article 11 of the Accommodation Decree, and not on the MoU Inspectorate refers to. In any case, the defendant is ahead of the official data protection involved immediately after the letter dd. September 10, 2020 from the GBA. The data protection officer subsequently issued a favorable opinion. In addition, the defendant argues that it has applied the term 'sample' in the way that is in line with the intention of the legislator of Article 11 of the Accommodation Decree. Finally the defendant argues that the accommodation decree predates the AVG, since it accommodation decree entered into force on 1 April 2017, while the GDPR applies with effect from May 25, 2018. Consequently, according to the defendant, there can be no question of a infringement of Article 38 (1) GDPR and Article 39 (1) GDPR. 71. The Litigation Chamber recalls that the GDPR recognizes that the officer for data protection is a key figure in terms of the protection of personal data whose designation, position and tasks are subject to rules. This one rules help the controller to comply with its obligations under the GDPR, but also help the data protection officer to fulfill his duties should exercise. The data protection officer should be involved in all matters related to the protection of personal data. The fact that the legal basis has been laid down in a legal standard does not constitute this exception to. 72. Based on the defence, the Disputes Chamber establishes that this is precisely the intention of the MoU to determine between the parties in which cases the transfer of personal data can take place and under what modalities. Consequently, it concerns conclusion of the MoU the defendant's policy regarding compliance with the GDPR in the framework of its enforcement powers.Article 11Logies decree provides that the data can be requested by the defendant from Airbnb at clearly defined samples, but the MoU further elaborates what is clearly defined below samples is understood by the parties. Consequently, the official submitted data protection to be properly and timely involved in the preparation and approving the MoU. With regard to the fact that the Accommodation Decree of was applicable since 2017, the Litigation Chamber points out that it has been applicable since of the GDPR, each controller is obliged to comply with it compliance with imposed obligations. Thus, the defendant served this legal basis upon which he wishes to test himself against the higher legal standard in order to verify whether the decision on the merits 162/2022 - 20/23 requesting the personal data is in accordance with the GDPR. This is also one matter in which the data protection officer should be involved become. 73. In view of the above, the Disputes Chamber has determined with regard to Article 38, paragraph 1 GDPR that the data protection officer was not sufficiently involved with some data protection matters. Defendant's documents show that the data protection officer for the purposes of the present case investigated data processing was only involved after the first writing of the Inspection Service. 74. In view of the above, the Disputes Chamber rules that there has been a violation of article 38 (1) and Article 39 (1) GDPR. I.4. Infringement of Articles 4, 11, Article 5(1)(a) and (2), Article 6(1)(a) and Article 7(1) and paragraph 3 GDPR. 75. The Inspection Report notes that no legally valid permission within the meaning of Article 4.11 of the GDPR, website visitors are asked to use non-strict necessary cookies. After all, the parties involved would not have a free choice on the part of the defendant about the use of cookies that are not strictly necessary. The Inspection Report determines in this regard the following: “The two options for the use of not strict necessary cookies offered by the defendant to data subjects in the cookie window (namely “no, give me more info” and “ok, I agree”) are not placed on a displayed in a similar way. The option “ok, I agree” says nothing more information for those involved. In addition, there is no choice the cookie window that allows data subjects to opt out of the use of not strictly necessary refuse cookies immediately.” In addition, the Inspectorate has established that no transparent information is given on how a given consent to it use of unnecessary cookies must be withdrawn. 76. In his conclusions, the defendant argues that the additional finding is not legal basis on which it should be excluded from the proceedings. The Inspection Service after all, refers to Article 72 WOG to make this determination. The decision of it Management Committee to comprehend the Inspection Service in accordance with Article 63, 1° WOG howevertheobjectoftheinvestigationthusthescopeoftheinvestigationmustaccordingto defendant are limited to the scope resulting from the decision of the Executive Committee. 77. In subordinate order, the defendant proceeds to refute the finding of the Inspection Service. The defendant emphasizes that on its website only strictly necessary cookies or functional cookies were active for which no permission was required. Decision on the substance 162/2022 - 21/23 This is also not refuted by the Inspectorate, which does not demonstrate that there are also non- necessary cookies were active on the website at the time of the determination. At 25 February 2022, the defendant launched its new website with a new cookie window that provides the user with the necessary information and choices on the moment used cookies. According to the defendant, the new website uses a new cookie statement transparently informed the data subjects about the use of cookies. Since no non-strictly necessary cookies were active on the website at the time of the investigation by the Inspectorate, the provision of information about or asking permission for such cookies was not an issue at that time. 78. In response to the defendant's statements, the Litigation Chamber first of all refers to article 72 WOG which reads as follows: “Without prejudice to the provisions of this chapter, the Inspector General and the inspectors proceed to every investigation, every check and every interview, as well as all information such as they deem necessary to satisfy themselves that the basic principles of the protection of personal data, within the framework of this law and of the laws that contain provisions on the protection of the processing of personal data, that they supervise are actually complied with.” 79. This provision shows that the Inspectorate is not bound by the scope of the complaint nor by the scope of the decisions of the Executive Committee. The Inspection Service determines itself the scope and method of the investigation, taking into account the proportionality and principle of necessity as described in the Charter of the Inspection Service. 15 80. On the basis of the Inspection Report, the Litigation Chamber concludes that the determination of the Inspection service regarding the effective use of cookies that are not strictly necessary is sufficiently substantiated by evidence 16 to allow further processing of this file in this frame is impossible. Consequently, the Litigation Chamber will make a filing with regard to the determination of the Inspectorate regarding Articles 4, 11, Article 5, paragraph 1, a), and paragraph 2, Article 6, paragraph 1, a) and Article 7, paragraph 1 and paragraph 3 GDPR. II. Sanctions 81. On the basis of the documents in the file, the Disputes Chamber establishes that there is two breaches of the GDPR: On the one hand, the breach of Article 12, paragraph 1 and paragraph 2, Article 13, paragraph 1 and paragraph 2, article 14, paragraph 1 and paragraph 2, article 5, paragraph 2, article 24, paragraph 1 and article 25, paragraph 1 GDPR, and on the other hand 15 Charter of the Inspection Service, August 2022, available at https://www.dataprotectionauthority.be/publications/charter-van-de-inspectiedienst.pdf. 16Cf. Section A.1 of the dismissal policy of the Litigation Chamber. Decision on the substance 162/2022 - 22/23 this on Article 38 (1) and Article 39 (1) GDPR. Although the defendant these infringements has been remedied, it is clear that there have been breaches of the right to data protection have taken place. As already explained, the principle of transparency is one of them the fundamental principles of the GDPR. Also the data protection officer plays a crucial role in data protection at a controller 82. The Disputes Chamber is of the opinion that there are sufficient elements to issue a reprimand which constitutes a light sanction and is sufficient in the light of the circumstances in this file identified violations of the GDPR. When determining the sanction, the Litigation Chamber takes into account the fact that the defendant has already rectified these infringements and provide supporting documents. Needless to say, the Disputes Chamber points this out that it is not competent to impose an administrative fine on government bodies, in accordance with Article 221, § 2 of the Data Protection Act. 17 83. The Disputes Chamber proceeds to dismiss the other grievances and findings of the Inspectorate because they based on the facts and the documents from the file cannot come to the conclusion that the GDPR has been breached. These grievances and findings of the Inspectorate are therefore deemed to be obvious 18 considered unfounded within the meaning of Article 57(4) GDPR. Publication of the decision 84. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority, stating the identification data of the defendant. This mention is justified by the public interest of present decision in the context of the exemplary function of the defendant as public service, on the one hand, and by the unavoidable re-identification of the defendant case of pseudonymization, on the other hand. 17Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, B.S., September 5, 2018. 18 See point 3.A.2 of the Dispute Policy of the Litigation Chamber, dd. June 18, 2021, available at https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf Decision on the merits 162/2022 - 23/23 FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - on the basis of Article 100, §1, 5° WOG to formulate a reprimand with regard to the defendant with regard to the infringement of article 12, paragraph 1 and paragraph 2, article 13, paragraph 1 and paragraph 2, article 14 (1) and (2), Article 5 (2), Article 24 (1) and Article 25 (1) GDPR; - on the basis of Article 100, §1, 5° WOG to formulate a reprimand with regard to the defendant as regards the infringement of Article 38(1) and Article 39(1) GDPR; - pursuant to article 100, §1, 1° WOG with regard to all other determinations in dismiss. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification against this decision may be appealed to the Marktenhof (court of Brussels appeal), with the Data Protection Authority as defendant. Such an appeal may be made by means of an inter partes petition listed in Article 1034ter of the Judicial Code. It 19 a contradictory petition must be submitted to the Registry of the Market Court in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit IT system of Justice (Article 32ter of the Ger.W.). (get). Hielke HIJMANS Chairman of the Litigation Chamber 19 The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer. 20 The petition with its appendix shall be sent, in as many copies as there are parties involved, by registered letter sent to the clerk of the court or deposited at the clerk's office.