APD/GBA (Belgium) - 162/2022: Difference between revisions

Latest revision as of 08:21, 23 November 2022

APD/GBA - 162/2022

Authority:	APD/GBA (Belgium)
Jurisdiction:	Belgium
Relevant Law:	Article 4(11) GDPR Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 5(2) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 6(1)(c) GDPR Article 6(3) GDPR Article 7(1) GDPR Article 7(3) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 25(2) GDPR Article 38(1) GDPR Article 39(1) GDPR Decreet houdende het toeristische logies Decreet tot oprichting van het intern verzelfstandigd agentschap met rechtspersoonlijkheid "Toerisme Vlaanderen"
Type:	Investigation
Outcome:	Violation Found
Started:	14.01.2022
Decided:	16.11.2022
Published:
Fine:	n/a
Parties:	Toerisme Vlaanderen
National Case Number/Name:	162/2022
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Dutch
Original Source:	Gegevensbeschermingsautoriteit (in NL)
Initial Contributor:	Enzo Marquet

The Belgian DPA reprimands a government agency for not proactively involving its DPO in a processing activity relying on Article 6(1)(c) GDPR. All processing activities must be in line with the GDPR, even those mandated by legislation predating the GDPR.

English Summary

Facts

The Belgian DPA's Inspection Service started an investigation of the regional government agency for tourism. The controller collects personal data of Airbnb hosts through Airbnb as intermediary. The controller is legally tasked to watch over the quality of the Airbnb hosts. This legal task forms the legal basis for the controller. The Inspection Service held that the controller couldn't rely on Article 6(1)(c) GDPR, the controller interprets its legal obligations too broadly.

On top of that, the Inspection Service held that the controller breaches Article 12(1) GDPR, Article 13 GDPR and Article 14 GDPR because the information in their privacy policy was not concise, transparent, nor easily accessible, as well as containing wrong and missing information. The controller admits that this used to be the case, but that this issue has now been resolved.

Following, the Inspection Service held that the website placed non-strictly necessary cookies without providing a way to refuse the cookies, nor were the website visitors provided with clear information. The controller contests this and also states that a new website was launched in the meantime, which follows best practices.

Lastly, the Inspection Service held that the DPO was not proactively involved nor consulted, resulting in a breach of Article 38(1) GDPR and Article 39(1) GDPR. For the processing as described above, the controller stated that the DPO did not need to be consulted as the Logiesdecreet provided the legal basis to process data. However, the DPO did provide a positive advice afters the first contact of the Inspection Service.

Holding

First, the Belgian DPA checks whether the controller can rely on legal obligation under Article 6(1)(c) GDPR to process the personal data of Airbnb hosts. This processing can only happen if it is necessary to fulfill a legal obligation. The GDPR does not require each separate processing to have its exclusive norm. The norm must be sufficiently clear and precise, its application must be foreseeable by data subjects.

The DPA sets out that the controller is responsible, by law in article 11 Logiesdecreet, for recognition and evaluation of touristic accommodation. The DPA holds that article 11 Logiesdecreet is unclear how personal data can be gathered through intermediaries. The legislator intended to allow the controller to gather contact details of accommodation hosts (which are often not published on the intermediaries' website), as such, it is foreseeable that personal data will be processed for this purpose. The processing is also necessary to reach the purpose. Without the personal data, the controller has no way to contact the hosts. The DPA also holds that the personal data is proportionate to reach the purpose, only the necessary information is requested. The DPA finds no breach of Article 6(1)(c) GDPR.

Secondly, the DPA holds that the cookie policy was indeed not sufficiently transparent and lacked several requirements. The controller is a government agency, it solely referred to the regional governmental DPA (Vlaamse Toezichtscommissie) to contact for complaints. The DPA reaffirms that even though the regional governmental DPA is competent to rule, the DPA is also competent and should be included in the privacy policy. The DPA suggests using a layered approach to make the privacy policy more easily digestible. Finally, the DPA concludes that the previous privacy policy breaches Article 12(1) GDPR, Article 13 GDPR and Article 14 GDPR but that the shortcomings have been resolved in the meantime.

The DPA dismisses the non-strictly necessary cookies report of the Inspection Service since it did not provide adequate prove.

Lastly, the DPA assesses whether the DPO should be been proactively involved. The DPA holds that the DPO is a key-figure regarding data protection. As such, a DPO must be involved for all matters concerning personal data, in a proper and timely manner. The fact that the Logiesdecreet predates the GDPR does not absolve the organisation from applying the GDPR and thus involving the DPO to check whether all processing of personal data is compliant. The DPA holds that the controller breached Article 38(1) GDPR and Article 39(1) GDPR.

The DPA reprimands the controller for its (past) breaches and dismisses the parts which did not lead to GDPR infractions. The DPA also reaffirms that it cannot impose a fine on a governmental agency.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/23

Litigation room

Decision on the basis of 162/2022 of 16 November 2022

File number : DOS-2021-05803

Subject : Research on the sharing of accommodation data via the Airbnb platform

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs Frank De Smet and Jelle Stassijns, members.

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereafter WOG;

Having regard to the rules of internal order, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on

January 15, 2019;

Having regard to the documents in the file;

Made the following decision regarding:

The defendant: VISITFLANDERS, with registered office at 1000 Brussels, Grasmarkt

61, with company number 0225.944.375, hereinafter “the defendant”. Decision on the substance 162/2022 - 2/23

Fact procedure

1. On 14 January 2022, the Executive Committee of the Data Protection Authority will decide

(hereinafter: “GBA”) to catch the Inspection Service on the basis of Article 63, 1° WOG because of

a practice that may give rise to a violation of the fundamental principles of the
protection of personal data.

The object of the proceedings concerns the broad way in which personal data of

operators of accommodation via the Airbnb platform in the context of "random sampling".
requested by the defendant from various intermediaries. This practice lasted

following a judgment of the Court of First Instance which held that this

sampling can only take place in very limited cases. This procedure has

also relates to the fact that hereby no advice from the officer for this

data protection was requested.

2. On 27 January 2022 the investigation will be completed by the Inspection Service, the report will be

appended to the file and the file is transferred by the Inspector General to

the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).

The report contains findings regarding the subject matter of the decision

Management Committee and decides that there is:

a. a breach of article 5, paragraph 1, a) and c) and paragraph 2 of the GDPR, article 6, paragraph 1 of the GDPR, article

24 (1) GDPR and Article 25 (1) and (2) GDPR;

b. a breach of Article 12(1) and (6) GDPR, Article 13(1) and (2) GDPR and
Article 14(1) and (2) GDPR, Article 5(2) GDPR, Article 24(1) GDPR

and Article 25(1) of the GDPR; and

c. a violation of Article 38(1) and (3) of the GDPR.

d. an infringement of Article 4, 11) of the GDPR, Article 5, paragraph 1, a) and paragraph 2 of the GDPR, Article 6, paragraph

1, a) of the GDPR and Article 7, paragraphs 1 and 3 of the GDPR for the use of non-strict

necessary cookies.

3. On 4 February 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98

WOG that the file is ready for treatment on the merits.

4. On 4 February 2022, the defendant will be notified by e-mail of the provisions such as

mentioned in article 95, § 2, as well as in article 98 WOG. They are also based on

Article 99 WOG of the time limits for submitting their defences.

With regard to the findings within and outside the subject matter of the decision of the

Management Committee became the deadline for receipt of the statement of reply of

recorded by the defendant on 18 March 2022. Decision on the substance 162/2022 - 3/23

5. On February 8, 2022, the defendant electronically accepts all communications regarding the

matter.

6. On 25 February 2022, the defendant requests a copy of the file (Article 95, §2, 3 ° WOG),

which was transferred to him on February 25, 2022.

7. On March 17, 2022, the Disputes Chamber will receive the statement of defense from the

defendant with regard to the findings with regard to the object of the
decision of the Executive Committee. This conclusion also contains the reaction of the

defendant about the findings made by the Inspectorate outside the

scope of the complaint. The defendant argues, first, that the processing on its part is a

lawful data processing. Second, the defendant argues that the

data processing in question constitutes correct and permitted data processing,

whereby the basic principle of data minimization from Article 5, paragraph 1, c) GDPR is respected
and that he can also demonstrate this

transparent and understandable, that it contains complete information, and that it can do this

demonstrate. Fourth, the defendant argues that it was not obliged to

to seek advice from the Data Protection Officer in relation to it

Memorandum of Understanding. Finally, the defendant argues that on its website only

Strictly necessary or functional cookies are employed for which there is no permission
is required. According to him, no non-necessary cookies were active. Consequently it was

providing (transparent) information about such cookies according to the defendant

irrelevant. Nor is this a legal obligation, according to the defendant.

8. On September 14, 2022, the parties will be notified that the hearing will

take place on October 21, 2022.

9. On 21 October 2022, the party appearing will be heard by the Disputes Chamber. During the day

the hearing has explained to the defendant what steps it has already taken on the matter
of data protection since the submission of the complaint and the Inspectorate investigation. So

the Litigation Chamber could determine during the hearing that virtually all grievances

from the complaint and areas of concern from the Inspection Report were addressed by the defendant.

10. On October 25, 2022, the minutes of the hearing will be sent to the parties
transferred.

11. On October 29, 2022, the Disputes Chamber will receive some from the defendant

remarks with regard to the official report, which it decides to include in
her deliberation. Decision on the substance 162/2022 - 4/23

Motivation

12. The Disputes Chamber then assesses each of the findings included in the

Inspection report in the light of the pleas put forward by the defendant in this regard.

I.1. Article 5, paragraph 1, a) and c) and paragraph 2 GDPR, Article 6, paragraph 1 GDPR, Article 24, paragraph 1 and Article 25, paragraph
1 en 2 GDPR.

I.1.1. Article 5 paragraph 1 a) and c) and Article 6 paragraph 1 GDPR

13. The Litigation Chamber recalls that the starting point of Article 5(1)(a) GDPR is that

personal data may only be processed lawfully. This means that

a legal basis for the processing of personal data as referred to in Article 6(1) of
the GDPR must be present. Article 6(1) states in further elaboration of this basic principle

GDPR that personal data may only be processed on the basis of one of the

Article listed legal bases.

14. During the Inspection investigation, the defendant admits that he has complied with article 6, paragraph 1c) of the

AVG invokes, with regard to the request to Airbnb for operator and accommodation data
to be delivered to the defendant. The Inspectorate establishes that the defendant assumes

a too broad interpretation of his legal obligations that he does not show why it

processing of personal data in the context of a sample is necessary. On base

of these elements, the Inspectorate declares an infringement of article 5, paragraph 1, a) and c) and article

6 (1) GDPR.

15. The Litigation Chamber recalls that in order to be able to rely lawfully on the

legal basis from article 6, paragraph 1, c) AVG, personal data may only be processed

if this is necessary for the fulfillment of a legal obligation on the

controller rest. In these cases, the processing must always be a

have a basis in the law of the European Union or that of the Member State concerned,

which must also state the purpose of the processing. It should therefore be checked whether

in this case the conditions set out in that article have been met.

16. In accordance with Article 6.3 GDPR, read in conjunction with Article 22 of the Constitution and

Article 7 and 8 of the Charter, a legislative standard should contain the essential features of

to record data processing that is necessary for the fulfillment of a

legal obligation, regardless of whether it is in the law of the European Union or in the law
1
of the Member States. In the aforementioned provisions it is hereby emphasized that the

processing involved should be framed by a standard that is sufficiently clear and
is accurate, the application of which is foreseeable for the persons concerned. The GDPR

however, does not prescribe specific legislation for each individual processing

1See e.g. decision 149/2022 dd. October 18, 2022 and 48/2022 dated April 4, 2022. Substantive decision 162/2022 - 5/23

is. Legislation that serves as a basis for several will suffice

processing based on a legal obligation on the

controller rest.

17. The Litigation Chamber will determine the terms of legal basis and necessity below

judge.

A clear, precise and predictable legal basis

18. According to Recital 41 of the GDPR, this legal basis or legislative measure

be clear and precise and its application must be for the litigants
be foreseeable, in accordance with the jurisprudence of the Court of Justice of the

European Union and the European Court of Human Rights.

19. Recital 41 GDPR specifies in this regard: “When in this regulation to a

referenced to a legal basis or a legislative measure does not require this

necessarily require a legislative act enacted by a parliament,

without prejudice to the requirements in accordance with the constitutional order of the Member State

matter. However, this legal basis or legislative measure must be clear and precise
and its application must be predictable for those to whom it applies

applies, as required by the case law of the European Court of Justice

Union (“Court of Justice”) and the European Court of Human Rights”.

In accordance with Article 22 of the Belgian Constitution, essential elements of

the processing in addition by means of a formal legal standard (law, decree or

ordinance) to be adopted.2

20. In this context, the Disputes Chamber refers more specifically to the Privacy judgment

International of the Court of Justice dated October 6, 2020, in which the Court states that the

relevant legislation should contain clear and precise rules “about the scope and

the application of the measure concerned, so that those whose personal data

at issue, have sufficient guarantees that those data are effective

be protected against the risk of abuse”. The Court adds: “That arrangement

must be legally binding under domestic law and in particular indicate in which

circumstances and under what conditions a measure provides for the processing

of such data can be taken, thus ensuring that the interference to

what is strictly necessary is limited. (...) These considerations apply in particular

2“Everyone has the right to respect for his private and family life, except in the cases and under the

conditions set by law. The law, decree or rule referred to in Article 134 guarantees protection
of that right.”
3 ECJ, C-623/17, 6 October 2020, Privacy International t. Secretary of State for Foreign and Commonwealth Affairs and others Decision on the substance 162/2022 - 6/23

when it comes to the protection of a special category of personal data, te

know sensitive data”

21. The defendant's mission is, among other things, to increase the attractiveness of

Flanders as a destination. To fulfill this mission, article 5 of the decree lays down

establishing the internal independent agency with legal personality

“ToerismeVlaanderen” tasks on the defendant that he must fulfill, including tasks

on integral quality assurance. This includes: responsible for the development and

the promotion of integral quality assurance within the framework of the powers that are

granted by current and future legal and regulatory provisions

regarding the following matters: (a) tourism infrastructure, subsidies, participations and

other initiatives and (b) provision of information, services, training and labelling. In

implementation of the above is determined by the decree on tourist accommodation
6
of 5 February 2016 (hereinafter: Accommodation Decree) (and its implementing decrees)

different conditions that every tourist accommodation in the Flemish Region must meet
sufficient for it to be recognized as tourist accommodation and subsequently to be operated in this way

become. The defendant is charged with the implementation of this Accommodation Decree, including the

recognition as tourist accommodation and monitoring compliance with this

recognition conditions.

22. In order to be recognized as tourist accommodation, the accommodation must therefore comply with the

conditions as stipulated in Article 6 of the Accommodation Decree. The research into it

meeting the conditions for recognition is regulated in chapter 5 of the

Accommodation Decree. Article 10 of the Accommodation Decree prescribes that the Flemish Government

designate persons authorized to supervise and control the

compliance with the provisions of the Accommodation Decree (i.e. inspectors at VISITFLANDERS

which can be designated by the Flemish Government).

23. In the context of this supervisory and control power, Article 11 of the

Accommodation Decree as follows:

“Art. 11. The intermediaries, referred to in Article 2, 5°, must provide tourist accommodation

located in the Flemish Region for which they mediate or promote, op

written request, the details of the operator and the address details of the
communicate tourist accommodation to the agents of the federal and local police and to the

authorized persons, stated in Article 10. These details can be requested

in the context of a random check, if in doubt on the tourist accommodation comply with the

4Article 4 of the decree establishing the internal independent agency with legal personality “Tourism
Flanders”, BS 29 April 2004 (hereinafter: Establishment Decree).
5
BS April 29, 2004.
6BS 8 March 2016. Substantive decision 162/2022 - 7/23

conditions of this decree or its implementing decrees, or in the context of a complaint about

a tourist accommodation.”

7
24. Article 11 of the Accommodation Decree therefore prescribes that intermediaries, such as Airbnb in this case,

the details of the operator and the address details of the tourist accommodation must

inform the officials authorized by the Flemish Government when they do so

be requested. In view of the above, the defendant argues that, through the
the aforementioned authorized officials, can request specific data from a

intermediary such as Airbnb in at least three cases:

- in the context of a clearly defined random check;

- in case of doubt whether the tourist accommodation meets the conditions of the

Accommodation Decree and its implementing decrees;

- in the context of a complaint about tourist accommodation.

25. Contrary to the finding of the Inspectorate, the defendant believes that he

does not interpret Article 11 too broadly. The defendant refers in this regard to the

parliamentary preparation of the Accommodation Decree, which states in this regard:

“ [t]he written request referred to must be made with reasonableness and proportionality

are used. The data must be requested specifically, it is too

say in the context of a clearly defined sample (e.g. one or more

accommodation in the same city, municipality or region), in case of doubt whether these tourist accommodations are sufficient

to the conditions of this decree and its implementing decrees or within the framework of a

complaint about these tourist accommodations.”

26. This position, according to the defendant, is also consistent with the report

on behalf of the Committee on Foreign Policy, European Affairs, International

Cooperation, Tourism and Real Estate which reads as follows:

“[…] Every tourist accommodation can be checked at all times for basic standards.

Inspection is done at the request of a hotel manager (with the possibility of recognition) or on

government initiative (randomly, in case of doubt or complaint)[…]”. In an opinion
the Commission for the Protection of Privacy (CBPL) the same

position taken: “The data should be requested specifically, within the framework

of a clearly defined sample, in case of doubt or in case of a complaint”.

7Article 2,5°Accommodation Decree: “5°intermediary: any natural or legal person who in any way against payment
mediates in offering tourist accommodation on the tourist market, promotes tourist accommodation
or offers services through which operators and tourists can interact directly.' Decision on the substance 162/2022 - 8/23

27. However, the Inspectorate argues that this is an incorrect reading of Article 11 of the Accommodation Decree and

refers in this regard to a judgment of the Court of First Instance in Brussels . In this

verdict, the court concluded that there are only two cases in which the data can be

be requested from the intermediaries: (1) in case of doubt as to whether the accommodation is satisfactory

to the conditions of the decree, and (2) in the case of a complaint about a tourist

accommodation.According to the court, the sample is not a substantive situation that meets the conditions
which may or may not be satisfied, but merely a particular method or procedure which

prescribed by the legislature to be in either hypothesis

used when requesting information.

28. Following this judgment of the Brussels Court of First Instance, the defendant
withAirbnbeenagreement("MemorandumofUnderstanding",hereinafter:"MoU")

being voluntary and in good will to a workable application of this

provision is coming. The MoU regulates a number of modalities about the delivery of operators

accommodation data in the context of a request by the defendant pursuant to Article 11 of

the Accommodation Decree. This includes the data that the defendant will request

specifically named, as well as the number of applications and the geographical demarcation of one

request are specified.

29. The Disputes Chamber notes that the text of Article 11 of the Accommodation Decree has been

established that uncertainty may exist about the cases in which the personal data

may be requested by the defendant from intermediaries. This becomes

illustrated by the fact that the defendant gives a different interpretation to Article 11
of the Accommodation Decree than the Court of First Instance in Brussels in the above

stated verdict. To find out the intention of the legislator, the

Litigation Chamber to the preparatory works of the Accommodation Decree.

30. The preparatory works of the Accommodation Decree state that in practice
it is found that more and more intermediaries such as tourist rental offices and

Internet platforms, such as Airbnb, offer tourist accommodation on the market without

mention of the concrete (address) details of the tourist accommodation or

contact details of the operator. This makes (or even prevents) locating difficult

or checking these accommodations, even in case of complaints. Article 11 of the

Accommodation Decree tries to meet this problem and offers the competent authorities

persons responsible for the supervision and control of the accommodation decree (in addition to the
authorized officials mentioned above, including federal and local agents

police) the possibility to request the operator data and the

address details of tourist accommodation located in the Flemish Region at te

ask these intermediaries such as Airbnb. The written request that applies

8
Court of first instance in Brussels, case A.R. 2018/3527/A. Decision on the substance 162/2022 - 9/23

to be used with fairness and proportionality. The data should be purposeful

to be requested, that is to say, in the context of a demarcated sample

(for example, one or more accommodations in the same city, municipality or region), in case of doubt whether this

tourist accommodation meets the conditions of the accommodation decree and are

implementing decrees or in the context of a complaint about these tourist accommodations.

31. In view of the above, the Disputes Chamber concludes that the intention of the

legislature was to provide for at least three distinct cases in which the

personal data could be specifically requested from an intermediary:

- in the context of a clearly defined sample;

- in case of doubt whether these accommodations meet the conditions of the Accommodation Decree;

- in the context of a complaint about tourist accommodation.

32. This interpretation also satisfies the requirement of foreseeability as defined

in Article 6.3 GDPR. As already explained, Article 6 of the Accommodation Decree determines the

conditions for recognition of a tourist accommodation. These conditions have under

others relate to the safety of the users of the accommodation, such as fire safety.

As soon as these conditions are no longer met, in accordance with Article 12 of

the Accommodation Decree, an administrative fine may be imposed. In addition, can also be ordered
to stop the operation of tourist accommodation (article of the decree).

Based on the above, it is therefore predictable for those involved that the

compliance with the registration conditions must be verifiable by the

authorized officials, both during the recognition and afterwards.

33. The Litigation Chamber finds that this interpretation also allows the defendant to be proactive

to act in the context of its enforcement activity through clearly defined

samples. If the defendant could only act in the event of a complaint

or doubt, the defendant would not have the necessary tools to enforce his decree
audit duty properly. Sampling is therefore absolutely necessary

defendant to be able to implement a sound enforcement policy and thus to comply with

its legal obligation.

34. To the extent necessary, and also as cited by the defendant, the
10
Litigation Chamber that the Amendment Decree was adopted on 9 February 2021

Article 11 of the Accommodation Decree referred to above changes as follows:

9Proposed decree on tourist accommodation, Vl. Parl. 2015-16 499/1 p. 13.
10 In full: Decree amending the Decree of 5 February 2016 concerning tourist accommodation and the abolition of the
Decree of 18 July 2003 on accommodation and associations that practice a week in the context of tourism for
Allen, Parl.St. Vl. Parl., 2021-22, no. 1028/6, p.3. Decision on the substance 162/2022 - 10/23

“Art. 11. The intermediaries share for tourist accommodation in Flanders

Region for which they mediate or promote, upon written request, the

details of the operator and the address details of the tourist accommodation

to federal and local police officers and authorized persons,
mentioned in Article 10.

The data, stated in the first paragraph, can be requested in the following cases:

1° as part of a random check to verify whether tourist accommodation

for which the intermediary mediates or promotes, are registered with

Tourism Flanders. In a sample, at most, the data

requested from all operators and tourist accommodations in the same city or
Township. Multiple samples can be taken at the same intermediate

person;

2° in case of doubt whether a tourist accommodation for which the intermediary mediates or

promotes, meets the conditions stated in this decree, and the

its implementing decrees;

3° in the context of a complaint about tourist accommodation.”

The Litigation Chamber notes in this context that this new legislation has been published

after the data processing at issue and therefore does not apply to the processing in

present case. Consequently, the Litigation Chamber has not relied on this new one

legislation to reach this decision.

Necessity

35. Pursuant to Article 6(1)(c) GDPR, the processing is lawful if and to the extent

the processing is necessary for the fulfillment of the legal obligation on the

controller rest. When personal data is processed

they must be adequate and relevant for the purpose. There are no more allowed

personal data are processed than necessary for the purpose (article 5.1, c) GDPR).

36. According to the Inspection Report, the defendant does not demonstrate why the processing of

personal data in the context of a sample is necessary as imposed by

Article 5(1)(c) in the context of its supervision and audit mission.

37. The defendant argues that the necessity of requesting the data

regarding the tourist accommodation is evident from the fact that without requesting this

the defendant details the tourist accommodation, which is sold on the market through intermediaries

offered (1) cannot verify and (2) cannot contact their operators. The

The defendant only requests the minimum of information that it needs to make a claim

to be able to identify tourist accommodation and to contact its operator so that the
the defendant can check whether the conditions of the accommodation decree and the implementing decrees

are complied with. Without this control and contact option, the defendant cannot

check whether the above-mentioned conditions of the Accommodation Decree and the

implementing decrees are complied with. The defendant hereby points out that this is specifically in

thecaseofAirbnbthemoreisnecessary.Airbnbparttimesinrulenoaddressdata

of the accommodation and no name or contact details of the operator on its website.

38. Based on the conclusion of the defendant, the Litigation Chamber establishes that the following

data is requested:

- The name of the tourist accommodation (accommodation name on Airbnb)

- The address of the tourist accommodation (street, house number,…)

- Capacity of the tourist accommodation (in the context of fire safety);

- The name of the operator of the tourist accommodation (the first and last name of the

operator, where available to Airbnb) and the online host name;

- The contact details of the operator of the tourist accommodation (the e-mail address of

the operator).

39. The Disputes Chamber is of the opinion that this information is necessary with a view to the

correct identification of tourist accommodation and to contact the operator to go

or the conditions of the Accommodation Decree and its implementing decrees

complied.

I.1.2. Article 5 (2), Article 24 (1) and Article 25 (1) and (2) GDPR

40. The controller must comply with the basic principles of Article 5 GDPR and dat

can demonstrate. This follows from the accountability as understood in Article 5, paragraph 2 j°

Article 24 (1) GDPR. Based on Articles 24 and 25 GDPR, every

controller takes appropriate technical and organizational measures

to ensure and be able to demonstrate that the processing takes place
in accordance with the GDPR. As already explained, this case concerns the transfer of

operator and accommodation data by Airbnb (as an intermediary) to the defendant. This one

transmission was made at the request of the defendant.

41. In the context of its investigation, the Inspectorate assessed to what extent the

the defendant has taken the necessary technical and organizational measures to

comply with the principle of lawfulness and data minimization within the scope of this

request for transfer. In this respect, the Inspectorate decides that the defendant does not

has sufficiently demonstrated that he has taken the necessary measures to ensure that the

disputed processing takes place in accordance with Article 5(1) a) and c) and

Article 6 (1) GDPR, since the Inspection Service has come to the conclusion that the
processing operations were not in accordance with these principles. Decision on the substance 162/2022 - 12/23

42. The Litigation Chamber has in section I.1.1. no infringements detected of Article 5(1)(a)

and c) and Article 6 (1) GDPR. Consequently, there is also no reason to infringe the

accountability. The Disputes Chamber therefore rules that the

Defendant has sufficiently demonstrated that it does indeed comply with its obligations

accountability there is therefore no breach of Article 5(2), Article 24(1) and Article 25,

paragraphs 1 and 2 GDPR was committed by the defendant, in connection with the legality of the

processing.

I.2. Article 12(1) and (2), Article 13(1) and (2), Article 14(1) and (2), Article 5(2),
Article 24 (1) and Article 25 (1) GDPR

I.2.1. Article 12, paragraph 1 and paragraph 2, Article 13, paragraph 1 and paragraph 2, Article 14, paragraph 1 and paragraph 2

43. In implementation of the transparency principle from Article 5, paragraph 1, a) GDPR, based on Article

12 (1), Article 13 (1) and Article 14 (1) and (2) GDPR, it is necessary that the

controller, in this case the defendant, to the data subjects concise,

provides transparent and understandable information about the personal data that is processed

become. In its capacity as controller, the defendant must

implement Articles 12, 13 and 14 of the GDPR.

44. In the present case, the Inspectorate concludes that the defendant has committed an infringement

committed on Article 12 Paragraph 1 and Paragraph 2 GDPR, Article 13 Paragraph 1 and Paragraph 2 GDPR, Article 12 Paragraph 1 and Paragraph 2,

Art. 5(2), Art. 24(1) GDPR and Art. 25(2) GDPR as the privacy statement

Operator's portal would contain incorrect information and would be incomplete.

45. Pursuant to Article 12(1) of the GDPR, the defendant is responsible for the
take appropriate measures to comply with Articles 13 and 14 of the GDPR

information in a concise, transparent, comprehensible and easily accessible manner

plain language and in writing or by other means, including electronic means

provide.

46. As regards the content of this information, data subjects were provided with the information referred to in paragraphs 1 and 2
listed points of both Articles 13 and 14 to be communicated because not all

information was obtained directly from them. 11

47. First of all, the Inspection Report concludes that the “Operator Portal Privacy Statement” of

the defendant is not transparent and understandable, as required by Article 12 (1) GDPR and

contains incorrect information from a data protection point of view, because of the
following observations:

11 Article 29 Working Party, Guidelines on Transparency under Regulation (EU) 2016/679, WP 260,
revised version of 11 April 2018 (adopted by the European Data Protection Board
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 (point 23). Decision on the substance 162/2022 - 13/23

a. ThePrivacy StatementOperator Portalcontainsirrelevantandconfusinginformation,

such as a reference to the “Privacy Act of 1992”, the mention of hyperlinks

without any explanation and clear connection to the text, and a reference to

‘part 9’ of the Operator Portal privacy statement that does not contain part 9.

b. The defendant's Operator Portal privacy statement incorrectly creates the

perception towards data subjects that the GDPR is being complied with. This would

be misleading as the Inspection Service has reported several breaches of the GDPR

has established.

c. The defendant's Operator Portal privacy statement erroneously does not make any

notification of the possibility for data subjects to submit a complaint to the

GBA. However, there is mention of the possibility to file a complaint

serve at the Flemish Supervisory Commission (VTC).

d. Finally, the Inspectorate concludes that the Privacy Statement

Operator portal is not clear and therefore not transparent with regard to:

i. the purposes and legal bases of the processing: there is no

clarifies which legal obligations the defendant must meet

requirements that require the processing of personal data;

ii. the exercise of the rights of data subjects: there is no

clarifies what a data subject may specifically do with the defendant

expect if he exercises his rights; and

iii. the adjustments that were made: it is not specified when

adjustments were made, water was precisely adjusted and via

which “common communication channels” are involved in this regard

to be informed.

48. Secondly, the Inspectorate also notes that the privacy statement for the Operators Portal of

the defendant is incomplete because not all are required according to Articles 13 and 14 GDPR

information is effectively stated, as no information is given

about:

a. the processing purposes and the legal basis for the processing;

b. the fact that data subjects have the right to a given consent at all

time to withdraw;

c. that the data subjects have the right to submit a complaint to the GBA; and

d. the source from which the personal data originates, and where applicable, or they

come from public sources. Decision on the substance 162/2022 - 14/23

49. Since the defendant carries out a large number of data processing operations, resulting in a

large amount of information must be provided to the data subjects, is the

Litigation Chamber considers that a
12
controller such as the defendant must adopt a multi-layered approach:

- On the one hand, the data subject must have clear and

accessible information about the fact that there are information about the processing of

personal data exists (privacy policy) and where he will be able to do it in full

find.

- On the other hand, without prejudice to the accessibility of the

privacy policy in its entirety, from the first communication of the

controller with him be informed of the

details of the purpose of the processing in question, the identity of the

controller and the rights available to him.

50. The importance of providing this multi-layered information arises in particular from

recital 39 of the GDPR. Any additional information necessary to identify the data subject

on the basis of the information provided at this first level to understand what

the consequences of the processing concerned will be for him should be added.

51. The defendant is of the opinion that the information he provided to the concerned
provided meets the requirements of Articles 12, 13 and 14 of the GDPR. In this connection

emphasizes the defendant that he has strict compliance with the legislation concerning

pursues data protection and works closely with its data protection officer for this purpose

data protection. The defendant argues that since the drafting of the

Inspection report has adjusted the privacy statement Uitbatersportaal in consultation with the

data protection officer. In his conclusions, the defendant explains which

how the new privacy statement for the Operators Portal has been amended.

52. With regard to the transparency and comprehensibility of the privacy statement, the

defendant tohehasadjustedtheprivacystatementOperator's portalsince it was drawn up

of the Inspection Report where the following adjustments were made: there is none

reference more to the abolished Privacy Act, only to the GDPR. The confusing

reference to a non-existent part 9 was also removed. The reference to the
contact options of the defendant were also adjusted. As for the

possible confusion around the hyperlinks without further explanation, argues the

defendant that in the passage above the hyperlinks it is indeed explained why the

defendant processes the personal data with explicit reference to it

12
In the same sense: decision no. 81/2020 of the Litigation Chamber (points 53 et seq.) and decision 76/2021 (points 58
et seq.), can be consulted via https://www.dataprotectionauthority.be/burger/publicaties/besluiten Decision on the substance 162/2022 - 15/23

Accommodation decrees and the basic register of Flemish accommodation

he has not yet received any question or comment in this regard, which means that he

raises the question of whether there is any confusion at all. Under the title “What are your

rights and how you can exercise them”, the new privacy statement now also provides the

mention (in addition to the VTC) of the GBA in the context of exercising the rights of

data subjects. 13

53. As far as necessary and in accordance with its previous decisions, the

Litigation chamber that the GBA as federal supervisory authority is competent in any case
14
is to monitor compliance with the GDPR. This is also the case if the

data processing relates to a matter covered by the

competence of the communities or the regions (state authorities) and/or

if the controller is a public authority that falls under the
communities or regions, even if the federal state itself has one

supervisory authority within the meaning of the GDPR.

54. Subsequently, the defendant sets out the following arguments in its claims

show that the determination of the Inspectorate regarding the alleged incompleteness of

the Privacy Statement is incorrect.

55. As regards the determination of the purposes and legal bases for the processing

the defendant refers that this has been dealt with earlier [see section II.1]. Then the

defendant that the possibility to submit a complaint and therefore also an objection is explicitly stated in the
privacy statement Operators portal was included. In the new privacy statement

The operator portal contains the following passage:

“Right to object: If you believe that your personal data is not

may be processed longer because of your specific situation, you can

object to such processing, in the context of our products

and services we offer in the public interest.”

56. The Disputes Chamber notes that under part 6 of the previous privacy statement

Operator portal the data subject has been informed about his rights that he can exercise

against the defendant. The Litigation Chamber refers to the relevant passage that
read as follows: “With regard to your personal data, you always have the right to […] a

submit a complaint regarding the processing of your personal data[…].All

requests for the exercise of the above rights can be delivered through the channels provided

are listed in section 9 of this privacy statement. If you don't join us in one

13See e.g. Marktenhof judgment, 2022/AR/457, dd. October 26, 2022, and also the following decisions of the Litigation Chamber:
decision 62/2022 of April 29, 2022, decision 31/2022 of March 4, 2022, decision 15/2020 of April 15, 2020.
14The judgment of the Marktenhof dd. October 26, 2022 (2022/AR/457) confirms the jurisdiction of the DPA regarding
of Flemish authorities. Decision on the substance 162/2022 - 16/23

If a solution is found, you also have the right to submit a complaint to the Flemish

Supervisory Committee […]”.

57. The Disputes Chamber finds that the defendant in the old privacy statement
Operator portal has not used the correct terminology, which can cause confusion

to care. As far as necessary, the Disputes Chamber reminds that a complaint and a

objection (both mentioned in the privacy statement Uitbatersportaal) do not have the same meaning

cover under the GDPR and every controller must use the correct terminology

handling. A data subject has the right to inform a controller

request that his/her personal data is no longer used. This is called the right of
objection. The right to object can be exercised in accordance with Art. 21 GDPR

when the processing is based on one of the following legal grounds: the justified

interest and the performance of a task of public interest or public authority. In others

cases, the data subject cannot object because of the other legal grounds

alternatives exist to achieve the same goal: with consent, the data subject can do this

moving in; the data subject cannot object to processing imposed by law.
If the data subject does not agree with how a controller with

handles his/her personal data and there is no agreement with the controller

solution can be found, the person concerned can submit a complaint to the GBA. In the

originalprivacy statementOperator portal should also have been clarified

that the data subject has the right to lodge an objection with the defendant, and

if necessary, then has the right to submit a complaint to the GBA. In the new
privacy statement Operators portal, this distinction is correctly used, despite the

fact that both terms are used incorrectly in the conclusion.

58. The Defendant also believes that the Privacy Statement of the Operator Portal expressly identifies the source of

mentions the personal data as well as that the public data becomes available

made via the basic register of Flemish accommodation offerings, stating a link to it
base register. The new privacy statement Operators Portal explicitly states under the

title “Why do we process your personal data” following text:

“Toerisme Vlaanderen can obtain the following personal data at three (3)

ways, namely: on paper, via the operator portal or via the web service

Crossroads Bank for Holiday Homes (CIB Vlaanderen is freely available and
accessible via the website of VISITFLANDERS (click here).”

59. In conclusion, the defendant concludes that the new privacy statement

The operator portal is transparent and understandable, and that this information is correct and complete

at least that the determination of the Inspection Service has become meaningless

in view of the changes made to the new privacy statement for the Operators Portal. Decision on the substance 162/2022 - 17/23

60. The Disputes Chamber is of the opinion that the new privacy statement for the Operator Portal contains the

Articles 13 and 14 of the GDPR requirement now contain elements

believes that the defendant, as required by Article 12(1) of the GDPR, in its privacy policy

has mainly used simple, clear and straightforward wording to convey the
to inform data subjects about the data processing operations it carries out.

61. However, the Disputes Chamber also finds that the defendant was negligent in the past

acted, as was also established in the Inspection Report. More specifically contained

the privacy statement Operator portal irrelevant and confusing information, such as a

reference to a non-existent Part 9 and a reference to the Privacy Act of 1992.
In addition, the operator portal privacy statement was incomplete and not transparent, among other things due to

the lack of reference to the possibility to file a complaint with the GBA, by

unclear reference to the purposes and legal bases of the processing and

exercising the rights of the data subject, and by using incorrect terminology.

62. The Disputes Chamber does point out that the defendant has made efforts
to update the information to be provided under Articles 12, 13 and 14 GDPR,

albeit after receipt of the Inspectorate's comments.

63. The Disputes Chamber therefore establishes that the Privacy Statement for the Operators Portal initially does not

met the requirements of Articles 12, 13 and 14 GDPR, resulting in a

violation of Articles 12, 13 and 14 GDPR. This does not alter the fact that this has been rectified in the meantime.

I.2.2. Article 5 (2), Article 24 (1) and Article 25 (1) GDPR

64. With regard to accountability (as defined above in section I.1.2) with

with regard to the transparency obligations, the Inspectorate notes that these are not

was complied with by the defendant with regard to the transparency obligations of the

defendant. This follows from the breach of Articles 12, 13 and 14 mentioned above
AVG.

65. The Litigation Chamber ruled in part I.2.1 that there was indeed a

breach of the principles of transparency as understood in these articles. The Dispute Chamber

notes, therefore, that the defendant failed to demonstrate that it had the necessary technical and

has taken organizational measures to comply with the obligations regarding
transparency as stipulated in Articles 12, 13 and 14 GDPR. Consequently, the decision

Litigation Chamber that there was a violation of Articles 12, 13 and 14 GDPR.

This does not alter the fact that this has been rectified in the meantime. Decision on the substance 162/2022 - 18/23

I.3. Article 38 (1) GDPR and Article 39 (1) GDPR

66. The Inspectorate's report finds that the defendant has complied with the requirements regarding the

position of the data protection officer under Article 38 (1) GDPR and the
tasks of the data protection officer under Article 39 (1) GDPR

complied.

67. The Inspectorate does the following with regard to the data protection officer

findings, as summarized below:

a. The defendant states in his answer to the Inspection Service during the

investigation he received no advice from his data protection officer

inquired about the data processing between Airbnb and the defendant.

According to the defendant, this was not necessary because the legal basis was already established in article

11 of the Accommodation Decree.

b. In the same answer, the defendant states that he is of his official for

data protection has not sought advice on the interpretation of the

term “random sample” from Article 11 of the Accommodation Decree.

68. The Inspectorate therefore decides that the data protection officer should not go to

was properly and timely involved in the context of this file. The advice of October 11, 2021

that was provided following the letter from the GBA on September 10, 2020 is not sufficient to

to be able to speak of proper and timely (documented) involvement.

Consequently, the Inspection Service claims an infringement of Article 38(1) GDPR and Article 39(1) GDPR

fixed.

69. The Litigation Chamber recalls that Article 38(1) GDPR prescribes that the

controller ensures that the officer for

data protection is timely and properly involved in all matters

related to the protection of personal data. Based on Article 39(1).
AVG must be the data protection officer (a) the controller

informing and advising on its obligations under the GDPR and others

Union or Member State data protection provisions and (b) monitor

compliance with the GDPR, other Union or Member State law

data protection provisions and of the policy of the controller
or the processor with regard to the protection of personal data, including

of the allocation of responsibilities, awareness raising and training of the

processing of personnel involved and the relevant audits.

70. The defendant emphasizes regarding the position of the official for
data protection under Article 38(1) GDPR that, in his view, there was no need Decision on the substance 162/2022 - 19/23

to involve the data protection officer in the conclusion of the MoU.

Like all other intermediaries, Airbnb is obliged to provide operator and accommodation data

to the defendant since the entry into force of the Accommodation Decree on 1 April

2017. The legal basis for communicating this information to the defendant is
therefore based on Article 11 of the Accommodation Decree, and not on the MoU

Inspectorate refers to. In any case, the defendant is ahead of the official

data protection involved immediately after the letter dd. September 10, 2020 from the GBA.

The data protection officer subsequently issued a favorable opinion.

In addition, the defendant argues that it has applied the term 'sample' in the way that

is in line with the intention of the legislator of Article 11 of the Accommodation Decree. Finally
the defendant argues that the accommodation decree predates the AVG, since it

accommodation decree entered into force on 1 April 2017, while the GDPR applies with effect from

May 25, 2018. Consequently, according to the defendant, there can be no question of a

infringement of Article 38 (1) GDPR and Article 39 (1) GDPR.

71. The Litigation Chamber recalls that the GDPR recognizes that the officer for
data protection is a key figure in terms of the protection of

personal data whose designation, position and tasks are subject to rules. This one

rules help the controller to comply with its obligations under

the GDPR, but also help the data protection officer to fulfill his duties

should exercise. The data protection officer should be involved

in all matters related to the protection of personal data.
The fact that the legal basis has been laid down in a legal standard does not constitute this

exception to.

72. Based on the defence, the Disputes Chamber establishes that this is precisely the intention of

the MoU to determine between the parties in which cases the transfer of

personal data can take place and under what modalities. Consequently, it concerns
conclusion of the MoU the defendant's policy regarding compliance with the GDPR in the

framework of its enforcement powers.Article 11Logies decree provides that the data

can be requested by the defendant from Airbnb at clearly defined

samples, but the MoU further elaborates what is clearly defined below

samples is understood by the parties. Consequently, the official submitted

data protection to be properly and timely involved in the preparation and
approving the MoU. With regard to the fact that the Accommodation Decree of

was applicable since 2017, the Litigation Chamber points out that it has been applicable since

of the GDPR, each controller is obliged to comply with it

compliance with imposed obligations. Thus, the defendant served this legal basis upon which

he wishes to test himself against the higher legal standard in order to verify whether the decision on the merits 162/2022 - 20/23

requesting the personal data is in accordance with the GDPR. This is also one

matter in which the data protection officer should be involved

become.

73. In view of the above, the Disputes Chamber has determined with regard to Article 38, paragraph 1 GDPR

that the data protection officer was not sufficiently involved with some

data protection matters. Defendant's documents show that the

data protection officer for the purposes of the present case

investigated data processing was only involved after the first writing of the

Inspection Service.

74. In view of the above, the Disputes Chamber rules that there has been a violation of article

38 (1) and Article 39 (1) GDPR.

I.4. Infringement of Articles 4, 11, Article 5(1)(a) and (2), Article 6(1)(a) and Article 7(1) and
paragraph 3 GDPR.

75. The Inspection Report notes that no legally valid permission within the meaning of Article 4.11

of the GDPR, website visitors are asked to use non-strict
necessary cookies. After all, the parties involved would not have a free choice on the part of the defendant

about the use of cookies that are not strictly necessary. The Inspection Report determines

in this regard the following: “The two options for the use of not strict

necessary cookies offered by the defendant to data subjects in the

cookie window (namely “no, give me more info” and “ok, I agree”) are not placed on a

displayed in a similar way. The option “ok, I agree” says nothing
more information for those involved. In addition, there is no choice

the cookie window that allows data subjects to opt out of the use of not strictly necessary

refuse cookies immediately.” In addition, the Inspectorate has established that no

transparent information is given on how a given consent to it

use of unnecessary cookies must be withdrawn.

76. In his conclusions, the defendant argues that the additional finding is not legal

basis on which it should be excluded from the proceedings. The Inspection Service

after all, refers to Article 72 WOG to make this determination. The decision of it

Management Committee to comprehend the Inspection Service in accordance with Article 63, 1° WOG

howevertheobjectoftheinvestigationthusthescopeoftheinvestigationmustaccordingto

defendant are limited to the scope resulting from the decision of the
Executive Committee.

77. In subordinate order, the defendant proceeds to refute the finding of

the Inspection Service. The defendant emphasizes that on its website only strictly necessary

cookies or functional cookies were active for which no permission was required. Decision on the substance 162/2022 - 21/23

This is also not refuted by the Inspectorate, which does not demonstrate that there are also non-

necessary cookies were active on the website at the time of the determination. At 25

February 2022, the defendant launched its new website with a new

cookie window that provides the user with the necessary information and choices on the moment

used cookies. According to the defendant, the new website uses a

new cookie statement transparently informed the data subjects about the use of

cookies. Since no non-strictly necessary cookies were active on the website

at the time of the investigation by the Inspectorate, the provision of information about

or asking permission for such cookies was not an issue at that time.

78. In response to the defendant's statements, the Litigation Chamber first of all refers to article

72 WOG which reads as follows:

“Without prejudice to the provisions of this chapter, the Inspector General and the

inspectors proceed to every investigation, every check and every interview, as well as all information

such as they deem necessary to satisfy themselves that the basic principles of the

protection of personal data, within the framework of this law and of the laws that

contain provisions on the protection of the processing of personal data,

that they supervise are actually complied with.”

79. This provision shows that the Inspectorate is not bound by the scope of the complaint

nor by the scope of the decisions of the Executive Committee. The Inspection Service determines

itself the scope and method of the investigation, taking into account the proportionality

and principle of necessity as described in the Charter of the Inspection Service. 15

80. On the basis of the Inspection Report, the Litigation Chamber concludes that the determination of the

Inspection service regarding the effective use of cookies that are not strictly necessary

is sufficiently substantiated by evidence 16 to allow further processing of this file in this

frame is impossible.

Consequently, the Litigation Chamber will make a filing with regard to the determination

of the Inspectorate regarding Articles 4, 11, Article 5, paragraph 1, a), and paragraph 2, Article 6, paragraph 1, a) and

Article 7, paragraph 1 and paragraph 3 GDPR.

II. Sanctions

81. On the basis of the documents in the file, the Disputes Chamber establishes that there is

two breaches of the GDPR: On the one hand, the breach of Article 12, paragraph 1 and paragraph 2, Article 13, paragraph 1 and

paragraph 2, article 14, paragraph 1 and paragraph 2, article 5, paragraph 2, article 24, paragraph 1 and article 25, paragraph 1 GDPR, and on the other hand

15 Charter of the Inspection Service, August 2022, available at

https://www.dataprotectionauthority.be/publications/charter-van-de-inspectiedienst.pdf.
16Cf. Section A.1 of the dismissal policy of the Litigation Chamber. Decision on the substance 162/2022 - 22/23

this on Article 38 (1) and Article 39 (1) GDPR. Although the defendant these infringements

has been remedied, it is clear that there have been breaches of the right to data protection

have taken place. As already explained, the principle of transparency is one of them

the fundamental principles of the GDPR. Also the data protection officer

plays a crucial role in data protection at a controller

82. The Disputes Chamber is of the opinion that there are sufficient elements to issue a reprimand

which constitutes a light sanction and is sufficient in the light of the circumstances in this file

identified violations of the GDPR. When determining the sanction, the

Litigation Chamber takes into account the fact that the defendant has already rectified these infringements
and provide supporting documents. Needless to say, the Disputes Chamber points this out

that it is not competent to impose an administrative fine on

government bodies, in accordance with Article 221, § 2 of the Data Protection Act. 17

83. The Disputes Chamber proceeds to dismiss the other grievances and

findings of the Inspectorate because they based on the facts and the documents from the

file cannot come to the conclusion that the GDPR has been breached.

These grievances and findings of the Inspectorate are therefore deemed to be obvious
18
considered unfounded within the meaning of Article 57(4) GDPR.

Publication of the decision

84. Given the importance of transparency with regard to decision-making by the

Litigation Chamber, this decision will be published on the website of the
Data Protection Authority, stating the identification data of the

defendant. This mention is justified by the public interest of

present decision in the context of the exemplary function of the defendant as

public service, on the one hand, and by the unavoidable re-identification of the defendant

case of pseudonymization, on the other hand.

17Law of 30 July 2018 on the protection of natural persons with regard to the processing of
personal data, B.S., September 5, 2018.
18 See point 3.A.2 of the Dispute Policy of the Litigation Chamber, dd. June 18, 2021, available at
https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf Decision on the merits 162/2022 - 23/23

FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

- on the basis of Article 100, §1, 5° WOG to formulate a reprimand with regard to the

defendant with regard to the infringement of article 12, paragraph 1 and paragraph 2, article 13, paragraph 1 and paragraph 2, article

14 (1) and (2), Article 5 (2), Article 24 (1) and Article 25 (1) GDPR;

- on the basis of Article 100, §1, 5° WOG to formulate a reprimand with regard to the

defendant as regards the infringement of Article 38(1) and Article 39(1) GDPR;

- pursuant to article 100, §1, 1° WOG with regard to all other determinations in

dismiss.

Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notification against this decision may be appealed to the Marktenhof (court of

Brussels appeal), with the Data Protection Authority as defendant.

Such an appeal may be made by means of an inter partes petition

listed in Article 1034ter of the Judicial Code. It 19

a contradictory petition must be submitted to the Registry of the Market Court

in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).

(get). Hielke HIJMANS

Chairman of the Litigation Chamber

19 The petition states, under penalty of nullity:

1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
enterprise number;
3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
summoned;
4° the object and brief summary of the means of the claim;
5° the court before which the action is brought;
6° the signature of the applicant or his lawyer.
20
The petition with its appendix shall be sent, in as many copies as there are parties involved, by registered letter
sent to the clerk of the court or deposited at the clerk's office.

@@ Line 111: / Line 111: @@
 The DPA sets out that the controller is responsible, by law in article 11 Logiesdecreet, for recognition and evaluation of touristic accommodation. The DPA holds that article 11 Logiesdecreet is unclear how personal data can be gathered through intermediaries. The legislator intended to allow the controller to gather contact details of accommodation hosts (which are often not published on the intermediaries' website), as such, it is foreseeable that personal data will be processed for this purpose. The processing is also necessary to reach the purpose. Without the personal data, the controller has no way to contact the hosts. The DPA also holds that the personal data is proportionate to reach the purpose, only the necessary information is requested. The DPA finds no breach of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]].
-Secondly, the DPA holds that the cookie policy was indeed not sufficiently transparent and lacked several requirements. The controller is a government agency, it solely referred to the regional governmental DPA (Vlaamse Toezichtscommissie) to contact for complaints. The DPA reaffirms that even though the regional governmental DPA is competent to rule, the DPA is also competent and should be included in the privacy policy. The DPA suggests using a layered approach to make the privacy policy more easily digestible. Finally, the DPA concludes that the previous privacy policy breaches [[Article 12 GDPR#1|Article 12(1) GDPR]], [[Article 13GDPR|Article 13 GDPR]] and [[Article 14 GDPR|Article 14 GDPR]] but that the shortcomings have been resolved in the meantime.
+Secondly, the DPA holds that the cookie policy was indeed not sufficiently transparent and lacked several requirements. The controller is a government agency, it solely referred to the regional governmental DPA (Vlaamse Toezichtscommissie) to contact for complaints. The DPA reaffirms that even though the regional governmental DPA is competent to rule, the DPA is also competent and should be included in the privacy policy. The DPA suggests using a layered approach to make the privacy policy more easily digestible. Finally, the DPA concludes that the previous privacy policy breaches [[Article 12 GDPR#1|Article 12(1) GDPR]], [[Article 13 GDPR]] and [[Article 14 GDPR|Article 14 GDPR]] but that the shortcomings have been resolved in the meantime.
 The DPA dismisses the non-strictly necessary cookies report of the Inspection Service since it did not provide adequate prove.