APD/GBA (Belgium) - 77/2023: Difference between revisions
Revision as of 07:29, 21 June 2023
APD/GBA - 77/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 5(1)(c) GDPR, Article 5(1)(d) GDPR, Article 5(1)(e) GDPR, Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 30,000 EUR |
Parties: | n/a |
National Case Number/Name: | 77/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) |
Initial Contributor: | n/a |
A pharmacist association that indefinitely stored data related to a disciplinary sanction issued under a former regulation violated, among others, the principles of lawfulness, purpose limitation, data minimisation, accuracy and storage limitation. The DPA issued a €30,000 fine.
English Summary
Facts
A pharmacist (data subject) received a disciplinary sanction from the pharmacists' association for having used certain commercial practices prohibited in this profession. The data subject contested this decision before several courts. This led the controller to amend the rules of professional conduct.
Following this change, the data subject considered that the sanction was now illegal and requested the controller to erase the mention of her sanction from all registers and to stop processing this data. The controller considered that the sanction had not been made illegal and refused to delete the sanction from the registers. This led the data subject to lodge a complaint with the Belgian DPA.
The data subject considered that the unlimited retention of sanctions was inappropriate, that the controller had breached Article 17 GDPR by refusing to delete her data and that the principles set out in Article 5 GDPR had been violated. She added that the disciplinary sanction was included in the notion of conviction within the meaning of Article 10 GDPR.
In its defence, the controller explained in particular that unlimited retention was prescribed by national regulation and that Article 17 included exceptions that applied to the case in point. It added that it had taken steps to improve data processing.
Holding
The DPA analysed compliance with each principle for each purpose of the processing.
As to the lawfulness of the processing, the DPA considered that each purpose had to have a legal basis. The processing in question had several purposes and the DPA considered that for some of them there was no adequate legal basis, in breach of Article 5(1)(a) GDPR, in particular when the controller wrongly relied on national regulations.
As for storage limitation, retention must not exceed what is necessary for each purpose. Here, the DPA considered that unlimited storage was not necessary for all purposes; for example, managing disciplinary cases did not require retaining data for an unlimited period. It found that the controller was in breach of Article 5(1)(e) GDPR by not having a reasonable personal data retention policy.
As regards purpose limitation, the DPA considered that the controller had not sufficiently specified the purposes, in breach of Article 5(1)(b) GDPR.
As for minimisation, the DPA concluded that there had been a breach of Article 5(1)(c), in particular because all the data relating to a sanction could be consulted to check the eligibility of a candidate for election to the pharmacists' association, which was not necessary.
As for the principle of accuracy, the DPA considered that the controller should review the sanctions after the amendment of the professional conduct regulations to assess whether the sanction was maintained. By failing to do so, the controller was in breach of Article 5(1)(d) GDPR.
As for Article 10, the DPA did not follow the data subject's argument. It held that a minor disciplinary sanction such as that in the case in point was not a criminal conviction within the meaning of Article 10 GDPR.
As for Article 17 GDPR, the DPA held that the processing operations were unlawful, which meant that the data subject was entitled to request the erasure of her data under Article 17(1)(d) GDPR without the exceptions applying.
In conclusion, the DPA found a breach of Articles 5(1)(a), (b), (c), (d) and (e). It ordered the controller to comply with the erasure request and imposed a fine of €30,000.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision on the merits 77/2023 of 16 June 2023
File number: DOS-2022-01379
Subject: Complaint for refusal to follow up on the exercise of the right to erasure and for the unlawful processing of personal data relating to a disciplinary sanction
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, Chairman, and Messrs. Yves Poullet and Christophe Boeraeve, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter “LCA”);
Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to processing of personal data (hereinafter “LTD”);
Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The complainant: Ms. X, represented by Me Etienne Wéry, hereinafter “the complainant”
The defendant: Order of Pharmacists, whose registered office is located at Avenue Henri Jaspar 94, 1060 Saint-Gilles, registered under company number 0218.024.029, represented by Me Jérémie Doornaert, hereinafter “the defendant”.
I. Facts and procedure
1. On March 24, 2022, the complainant filed a complaint with the Authority for the Protection of data (hereinafter “ODA”).
The complaint relates to the unlawful processing carried out by the defendant, in particular of personal data relating to a disciplinary sanction pronounced by the defendant (hereinafter "the disputed data"), and the defendant's refusal to follow up on a request to erase this disputed data.
I.1. Relevant facts
I.1.1. The parties involved in the case
2. The plaintiff is a pharmacist-holder of the pharmacy Z. On 22 December 2016, she was subject to a disciplinary sanction by the defendant.
3. The defendant, the Order of Pharmacists, is a professional order created by the law of May 19, 1949 and is governed by Royal Decree No. 80 relating to the Order of Pharmacists (hereinafter “the RD n°80”) and by the Royal Decree of 29 May 1970 regulating the organization and operation of councils of the Order of Pharmacists (hereinafter “the RD of May 29, 1970”). It enjoys civil personality under public law.[2]
4. The Order of Pharmacists:
a. is invested with a mission of general interest in the field of public health;[3]
b. is composed of three bodies which are the Provincial Councils (a provincial Council in each province), the Appeals Councils (a French-speaking Appeals Council and a Dutch-speaking Appeals Council)[5] and the National Council;[6]
c. has regulatory, disciplinary and administrative jurisdictional powers: these powers are distributed among the aforementioned organs of the Order through the various missions reserved for them by Royal Decree no. 80;
d. includes "all holders of the legal diploma or the foreign diploma legally recognized as a pharmacist, domiciled in Belgium, and registered on the roll of the Order of the province in which their domicile is located. [...]”;[7]
e. acts in legal proceedings through its National Council "and is represented by the president of the latter or, in his absence, by his deputy chairman, jointly with the assessor”.[8]
[1] [2] Royal Decree No. 80 of November 10, 1967 relating to the Order of Pharmacists, M.B. of November 14, 1967.
[3] RD no. 80, art. 1. Royal Decree no. 80, art. 1.
[4] RD no. 80, art. 5, paragraph 1.
[5] RD no. 80, art. 12, §1.
[6] RD no. 80, art. 1 art. 12, §1.
[7] RD n°80, art. 2; "To be able to practice pharmaceutical art in Belgium, all pharmacists must be registered on the roll of the Order. [...] No one may be registered on more than one of the provincial rolls, which together constitute the roll of the Order. [...]” (RD n°80, art. 2, §2).
5. The organization and missions of the National Council are mainly defined in Articles 14 and 15 of Royal Decree no. 80.
6. In addition to establishing its internal rules and elaborating “the general principles and rules relating to morality, honor, discretion, probity, dignity and devotion essential to the exercise of the profession, which constitute the code of pharmaceutical ethics",[10] the National Council is also responsible for:[11]
“1° to keep an up-to-date list of disciplinary decisions that are no longer subject to appeal and which have been taken by the provincial councils and by the appeal councils; to adapt, if necessary, the code of ethics in order to supplement or clarify the provisions on the basis of this case law;
[…]
3° to take all necessary measures to achieve the object of the Order;
4° to set and collect the contributions necessary for the operation of the various organs of the Order; […]”.
(emphasis added by the Litigation Chamber)
7. The organization and missions of the Provincial Councils are mainly defined in Articles 5 to 11 of Royal Decree no. 80. In each province, there is established "a provincial council of the Order of Pharmacists which has authority and jurisdiction over registered pharmacists, in accordance with article 2, on the roll of the Order of this province [...]”[12] (emphasis added by the Litigation Chamber). The provincial rolls together constitute the roll of the Order.[13]
Each Provincial Council establishes its rules of procedure, submitted to the National Council which definitively adopts the text.
[8] RD no. 80, art. 3.
[9] RD n°80, art. 14, §2.
[10] RD no. 80, art. 15, §1.
[11] RD no. 80, art. 15, §2.
[12] RD no. 80, art. 5, paragraph 1.
[13] RD n°80, art. 2, paragraph 4; “no one can be registered in more than one of the provincial rolls” (RD n°80, art. 2, paragraph 4).
[14] RD no. 80, art. 6.
8. The Provincial Councils are also responsible for:
“1° to draw up the roll of the Order […]
2° to ensure compliance with the rules of pharmaceutical ethics and the maintenance of honor, discretion, probity and dignity of the members of the Order. They are responsible for this purpose to punish, by disciplinary means,[15] the faults of the members entered on their roll, committed in the exercise or on the occasion of the exercise of the profession, as well as serious misconduct committed outside the professional activity, when these faults are likely to tarnish the honor or dignity of the profession;
3° to give members of the Order, on their own initiative or at their request, opinions on pharmaceutical ethical issues that are not addressed in the code provided for in Article 15, § 1 or by the case law established pursuant to § 2, 1° of the same article; the opinions are sent to the National Council for approval and then communicated to the provincial council which forwards them to interested pharmacists;
4° to report to the competent authorities the acts of illegal exercise of the pharmaceutical art of which they are aware;
5° to arbitrate as a last resort, at the joint request of the interested parties, disputes relating to the fees claimed by the pharmacist from his client, except jurisdiction clauses included in agreements or commitments made in terms of health and disability insurance;
6° to respond to any request for an opinion from the courts and tribunals relating to fee disputes.”[16]
(emphasis added by the Litigation Chamber)
9. Article 16 of Royal Decree no. 80 indicates that the Provincial Council has the power to pronounce the following sanctions: warning, censure, reprimand, suspension of the right to exercise the profession for a maximum period of two years and removal from the roll of the Order.
10. The organization and missions of the Appeals Boards are mainly defined in Articles 12 and 13 of Royal Decree no. 80. In addition to establishing its internal rules, submitted to the Board which finalizes the text, each Appeals Council[17] is responsible for hearing “appeals of decisions taken respectively by the provincial councils using the French language or by those using the Dutch language in application of article 6, 1° or 2°”.
[15] RD no. 80, art. 16: “The sanctions available to the provincial council are: warning, censure, reprimand, suspension of the right to practice the profession for a term that may exceed two years and removal from the roll of the Order. Pharmacists affected, by a decision which is no longer subject to appeal, by the suspension of the right to practice the profession are permanently deprived of the right of eligibility and, during the suspension period, of the right to take part in provincial council elections.”; Royal Decree no. 80, art. 25, §5: “The Appeals Council cannot apply a sanction where the provincial council has not pronounced any, or aggravate the sanction pronounced by this council, except by a two-thirds majority.”
[16] RD n°80, art. 6.
[17] RD no. 80, art. 12, §1; there is the appeal board using the French language and the appeal board using the Dutch language.
[18] RD no. 80, art. 13.
I.1.2. The context of the case
11. A disciplinary sanction - namely a reprimand - was pronounced against the complainant in second instance by the French-speaking Appeal Board on December 22, 2016.
This sanction was adopted following the violation of the essential principles of the profession of pharmacist due to the following commercial practices: advertisements, the installation of advertising banners on a website and the use of Google AdWords services. The plaintiff lodged an appeal in cassation against this decision but the Court of Cassation rejected the appeal on January 5, 2018.
12. On September 1, 2017, the complainant, alongside other pharmacists, filed a complaint with the Belgian Competition Authority (hereinafter “ABC”) to denounce the restrictive practices of the defendant, both because of its normative policy and the exercise of its disciplinary mission. In response to these complaints, the ABC issued two closure rulings, subject to the adoption of undertakings by the defendant in the first decision[19] and a transaction in the second decision. One of the commitments offered by the defendant sought to reform the Code of Pharmaceutical Ethics (hereinafter “the Code”) in order to remedy restrictive interpretations of competition by the disciplinary authorities in matters of advertising and commercial practices, or to review the Code every five years, taking into account the decision-making practice of the disciplinary councils, so as to avoid restrictive interpretations of competition by them.[20]
13. As a result of these decisions, the Respondent adopted a new Code in January 2020.[21]
14. On January 27, 2020, the plaintiff gave the defendant formal notice to proceed with the erasure in “all registers, files and other ‘criminal records’ of the Order, any information in connection with the reprimand pronounced on December 22, 2016, and to cease all processing involving this personal data”.[22] According to the complainant, the decision of 22 December 2016 pronounced by the Respondent’s Francophone Appeal Board would be the result of an anti-competitive practice sanctioned as such by the ABC.
This decision would be unlawful and the processing of the data contained in such a decision would therefore violate the GDPR.
[19] Belgian Competition Authority, decision of October 15, 2019, ABC-2019-P/K-34 and decision of October 15, 2019, ABC-2019-P/K-35; Complainant exhibits 8 and 9; Exhibits 4 and 5 of the defendant.
[20] Belgian Competition Authority, decision of October 15, 2019, ABC-2019-P/K-34 and decision of October 15, 2019, ABC-2119-P/K-35, paragraphs 177 to 182; Complainant exhibits 8 and 9; Exhibits 4 and 5 of the defendant.
[21] Paragraphs 84 and 85 of Respondent's Reply Submissions; New code of ethics, art. 125, available on https://www.ordredespharmaciens.be/assets/files/PHARMA-Code-double-A4-v.%C3%A9lectronique-avec-liens-r15.pdf
[22] Exhibits 1 of the plaintiff and 9 of the defendant.
15. In this formal notice, the complainant cites two damages suffered: her sanction prevents her from being eligible for election to the Provincial Council, the Appeals Council and the National Council, and this sanction could be taken into account as an aggravating factor in any future disciplinary decisions.[23]
16. Finally, the complainant alleges several breaches of the provisions of the GDPR: the defendant would have violated both the principles of data minimization, accuracy and limitation of preservation, because the preservation of an illegal disciplinary decision would not be relevant or necessary, and the principle of transparency enshrined in Articles 12, 13 and 14.[24] Regarding the absence of a retention period, she indicates that the Order had not set a retention period for disciplinary data, as required by article 5.1.e of the GDPR. Disciplinary sanctions would therefore never be erased. The Complainant therefore requested the erasure of the disputed data in accordance with Article 17.1.d of the GDPR.[25]
17. On April 22, 2020, the Respondent responded to the Complainant's request.
In summary, according to the defendant, there is no reason to consider that the disciplinary sanction taken against the complainant is invalidated by the decisions of the ABC and the adoption of the new Code. The data would remain adequate, relevant and necessary since they allow the assessment of recidivism in the context of new disciplinary cases and of applications to become an internship supervisor, and are also used to assess the eligibility conditions for the different councils. The retention of disciplinary sanctions is always relevant in view of the annual requests from universities that verify the past ethics of internship supervisor candidates. In addition, the table of pharmacists, containing the disciplinary sanctions, is only accessible to a limited number of people. The defendant indicates that it can avail itself of two exceptions provided for in Article 17, paragraph 3 of the GDPR, namely, on the one hand, a legal obligation of the Order to process this data (art. 17.3.b GDPR) and, on the other hand, the defense of its rights in court (art. 17.3.e GDPR).
18. In the same letter, the Respondent also stated that it was beginning to reflect on the principle of limitation of data retention.
[23] For the influence of an existing disciplinary decision concerning a pharmacist on a future decision, counsel for the complainant recalls that “a decision of December 12, 2017 of the Provincial Council of Liège imposed on Mrs. X a suspension of the right to practice the profession for a period of three days, justifying this serious sanction by the existence of a sanction for previous similar behavior (publicity). Admittedly, this suspension never came into force because Mrs. X appealed against this decision and the procedure before the Appeal Board was suspended following the complaint before the competition authority, but it is a good illustration of the risk.” (point 4 of the appendix to the complaint filed on March 24, 2022).
The Litigation Chamber notes the absence of proof of this damage.
[24] The complainant points out in her email of January 27, 2020 that the Order never provided the mandatory information concerning the processing operations carried out by the Order or the disciplinary bodies depending on it, their implementation and the rights related thereto, or that no information relating to the GDPR is made available to pharmacists on the Order's website in order to inform them of the processing of data concerning them.
[25] Exhibits 2 of the plaintiff and 10 of the defendant; Paragraphs 34 of the submissions in response and 35 of the submissions in respondent's reply.
I.2. Procedure
I.2.1. Admissibility of the complaint
19. As indicated in point 1, on March 24, 2022, the complainant lodged a complaint with ODA.
20. On April 7, 2022, the complaint was declared admissible by the Service de Première Ligne on the basis of articles 58 and 60 of the LCA and the complaint was transmitted to the Litigation Chamber pursuant to Article 62, § 1 of the LCA.
I.2.2. Object of the complaint
21. In her complaint,[26] the complainant regrets that, following her request of January 27, 2020, the defendant did not erase the disputed data. She regrets that the principle of registration ad vitam aeternam of any sanction in a disciplinary file is still in force despite the promises of reflection announced by the defendant in April 2020 and complains that the personal disciplinary file of a pharmacist is accessible without restriction of access. She opposes the reasoning of the Order, which justifies the unlimited preservation of the sanctions by their relevance for assessing recidivism in new cases and evaluating applications for internship supervisors.
22. The complainant points to other breaches of the provisions of the GDPR.
The defendant would have violated the fundamental principles enshrined in Article 5, paragraph 1 of the GDPR as well as Article 10 of the GDPR since, according to the complainant, data relating to the disciplinary sanction must be assimilated to judicial data and require adequate safeguard measures. Finally, the defendant would also have violated Article 17 of the GDPR by refusing to erase the disputed data despite her formal notice (points 14 to 16).
23. The Complainant's claims regarding the disputed data are as follows:
- The deletion from her personal file of the sanction of reprimand pronounced on December 22, 2016 against her;
- Prohibition on the defendant from disclosing this information on the occasion of any new disciplinary proceedings;
- The injunction to the defendant to modify its data protection declaration for pharmacists of 28 May 2020 in order to remove any reference to the legitimate interest as the basis of lawfulness for the processing carried out in the context of its disciplinary mission;
- The injunction to the defendant to modify its data protection declaration for pharmacists in order to make it compliant with the principles of the GDPR, in particular the principle of the retention period and the minimization of data.
[26] Points 3 to 5 of the appendix to the complaint filed on March 24, 2022.
I.2.3. Substantive examination by the Litigation Chamber
24. On September 1, 2022, the Litigation Chamber decides, pursuant to Article 95, § 1, 1° and Article 98 of the LCA, that the case can be dealt with on the merits.
25. The same day, the parties concerned are informed by registered mail of the provisions as set out in Article 95, § 2 and Article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their conclusions.
For findings relating to the subject of the complaint, the deadline for receipt of the defendant's submissions in response was set for September 30, 2022, that for the complainant's submissions in reply for October 21, 2022 and finally that for the respondent's submissions for November 4, 2022.

26. In this same letter, the Litigation Chamber invites the parties to present their arguments on the following allegations:
- Violation of the principles of purpose limitation, data minimization, accuracy and storage limitation (Article 5.1.b, 5.1.c, 5.1.d and 5.1.e of the GDPR);
- Violation of the principle of lawfulness (Article 5.1.a of the GDPR);
- Violation of Article 10 of the GDPR on the processing of judicial data;
- Violation of Article 17 of the GDPR relating to the request for erasure.

27. On September 1, 2022, the complainant acknowledged receipt of the letter sent on September 1, 2022 informing the parties that the Litigation Chamber has decided to proceed with an examination of the complaint on the merits.

28. On September 2, 2022, the respondent acknowledges receipt of the aforementioned letter, agrees to receive all case-related communications electronically and expresses its intention to make use of the possibility of being heard, in accordance with Article 98 of the LCA. On the same day, the defendant requests a copy of the file (Art. 95, § 2, 3° LCA), which is sent to it on September 8, 2022.

I.2.4. Arguments of the parties

29. On September 30, 2022, the Litigation Chamber receives the submissions in response from the respondent. A summary of its full argument is given in paragraphs 45 and following.

I.2.4.1. The complainant's position

30. On October 20, 2022, the Litigation Chamber receives the complainant's submissions in reply. Her argument can be summarized as follows.

1. Regarding compliance with the principle of storage limitation (Article 5.1.e of the GDPR)

31.
The complainant considers that the unlimited retention of personal data relating to the disciplinary sanctions adopted by the defendant, that is to say throughout the career of a pharmacist, is excessive. This excessive nature would also be reinforced by the fact that the defendant does not distinguish between the degrees of seriousness of the sanctions adopted: a minor sanction, in this case the sanction of reprimand pronounced in December 2016, should not be kept for the entire duration of a pharmacist's career.

32. The complainant accuses the respondent of hiding behind the law's lack of precision regarding the retention period in order not to adopt an adequate retention period, and emphasizes that it would be up to the data controller to remedy the deficiency of the law (Article 5.2 and recital 39 of the GDPR).

2. Regarding compliance with the principle of purpose limitation (Article 5.1.b of the GDPR)

33. The complainant considers that the ad vitam aeternam conservation of data, in this case the sanction of reprimand, would violate the principle of minimization: a piece of data is relevant and adequate for the pursuit of a purpose only during the retention period justified by this same purpose. The complainant admits that the Order may, by virtue of its legal mission, sanction unethical behavior at a given time. However, she does not accept that this assessment, made at a given moment, is permanent and affects the professional life of the pharmacist "until [his] death" without the possibility of deletion or reappraisal.

3. Regarding compliance with the principle of data minimization (Article 5.1.c of the GDPR)

34. As to the principle of purpose limitation, the complainant links compliance with this principle to the principle of storage limitation: data stored for too long could no longer be processed for its original purpose.

4. Regarding compliance with the principle of accuracy (Article 5.1.e of the GDPR)

35.
The Complainant argues that the principle of accuracy of personal data should be examined with regard to the purpose for which the data is processed, and insists on the distinction to be made between the “veracity” of the data (which, according to her, refers to reliability) and “the accuracy of the data” (which refers to the link between the data and the purpose of the processing). True data can thus become inaccurate within the meaning of the GDPR when it is no longer relevant to the purpose initially pursued. Therefore, keeping a disciplinary sanction is acceptable in order to assess recidivism, but only for a time.

5. Regarding compliance with the principle of lawfulness (Art. 5.1.a of the GDPR)

36. According to the Complainant, the principle of lawfulness must be applied in combination with the other principles of Article 5. Therefore, the shortcomings attributed by the plaintiff to the defendant would lead to the violation of the principle of lawfulness. To support her point, the complainant relies on the Google Spain judgment of the Court of Justice of the European Union (hereinafter “the CJEU”), which would deduce the unlawful nature of data processing “not only from the fact that these data are inaccurate but, in particular, also because they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not updated or that they are kept for a period exceeding that necessary, unless their conservation is necessary for historical, statistical or scientific purposes”.27

37. Next, referring to the Respondent's privacy statement, the complainant contests the reliance, for certain processing operations, on legitimate interest within the meaning of Article 6.1.f of the GDPR as the basis of lawfulness. The Respondent could not rely on such a basis of lawfulness because of its mission of public interest. In addition, the criteria for the duration of retention of data would be too vague.
This imprecision would lead to the violation of the principles of fairness and transparency.

38. According to the Complainant, the processing carried out by the Respondent should be based on a legal obligation (Article 6.1.c) or on a mission of public interest (Article 6.1.e of the GDPR).

6. Regarding compliance with Article 10 of the GDPR

39. For the complainant, the ethical sanctions, because of their characteristics and their consequences, in particular on the ability to exercise the profession, must be included in the concept of criminal convictions and offenses within the meaning of Article 10 of the GDPR. Therefore, for the plaintiff, the defendant should have provided appropriate safeguards for the rights and freedoms of data subjects.

27 CJEU, judgment of May 13, 2014, Google Spain SL and Google Inc, C-131/12, §92.

7. Regarding compliance with Article 17 of the GDPR

40. According to the complainant, the retention of personal data would no longer be necessary with regard to the purposes for which they were collected, and the data would be processed without rules as to their retention period. Therefore, the defendant would have had to act on her request to delete the disputed data. By rejecting her request to exercise her right to erasure, the defendant would have violated the provisions of Article 17.1 a), d) and e) GDPR.

41. The Complainant contests the justifications put forward by the Respondent for not acting on her right to erasure of personal data. First, the defendant invokes a legal obligation making it necessary to process the disputed data (Art. 17.3.b). The defendant considers itself legally bound to process this data on the basis of several duties:
- The maintenance of the list of pharmacists as well as the exercise of the functions of the College of Pharmacists (Articles 8, 12, 14 and 15 of Royal Decree no.
80);
- The transmission of data relating to a disciplinary sanction to the FPS Public Health as part of the permanent federal database of health professionals (based on Articles 97 and following of the coordinated law of 10 May 2015 relating to health care professions). This database requires information on the rolls and on the temporary or permanent withdrawal of the right to practice of health professionals;
- The transmission of disciplinary sanctions to the other Member States via the IMI system (based on Article 114/1 of the law of 10 May 2015). This database requires information on restrictions on the practice of health professionals.

42. Secondly, the defendant justifies its refusal to delete the plaintiff's personal data by the need to continue to process the disputed data for the defense of its rights in court (Art. 17.3.e GDPR). Since the plaintiff lodged an action for annulment against certain provisions of the Code of Ethics before the Council of State, the defendant would need to process the disputed data in the context of this procedure.

43. As to the first justification put forward by the Respondent, the Complainant denies the need to transmit the data in question in order to comply with these legal obligations: minor sanctions would not be data collected by these databases. Article 114/1 of the law of May 10, 2015 would not require the communication of personal data relating to a minor disciplinary sanction because such data would not fall within the information covered by the obligation of this article. The article refers to restrictions or prohibitions on practicing, which a reprimand would not be. As for the permanent federal database of health care professionals, ethical sanctions would not be part of the information to be communicated. Only temporary or permanent withdrawals should be mentioned, which does not justify the transmission of the disputed data.

44.
Finally, with regard to the second justification, relating to the exercise of the defendant's rights of defense in court, the proceedings still pending between the parties before the Council of State concern the Code of Ethics, a code adopted by the National Council, the normative body of the respondent. According to the complainant, the management of disciplinary sanctions would be the responsibility of the disciplinary bodies of the defendant and not of its normative body. The complainant submits that the defendant would not respect the distinction established by law between its disciplinary bodies and its normative body by invoking this exception to erasure in order to retain disciplinary sanctions.

I.2.4.2. The defendant's position

45. On November 4, 2022, the Litigation Chamber receives the summary conclusions of the respondent.

a. Regarding compliance with the principle of storage limitation (Article 5.1.e of the GDPR)

46. The defendant established criteria in order to determine, in a general manner, the retention period of the personal data that it is required to process: “The Person in charge of the Processing retains Personal Data (i) for as long as it is necessary or relevant for the purposes indicated above, (ii) for the period required by law, or (iii) for as long as legal litigation or investigations may take place.”28 These criteria would meet the requirement of Article 13.2.a of the GDPR.

47. With regard to the disputed data, the defendant considers that their retention period is reasonable since the processing of personal data relating to the disciplinary sanction against the complainant would have started when the sanction decision became effective, after the appeal in cassation, i.e. on February 5, 2018. The disputed data would thus have been kept for a period of less than five years.

48.
Furthermore, more generally, the Respondent indicates that the disciplinary sanctions are kept until the end of the pharmacists' career, because Royal Decree no. 80 obliges it to do so.

49. The Respondent argues that it has been reflecting on the retention period of disciplinary sanctions since 2020.

28 Pages 34 to 35 of the Respondent's summary submissions.

b. Regarding compliance with the principle of purpose limitation (Article 5.1.b of the GDPR)

50. The Respondent considers that the disputed data was collected and processed for a specific, explicit and legitimate purpose, namely compliance with the defendant's legal obligations in disciplinary matters. The disputed data would have been processed subsequently in a manner compatible with the aforementioned purpose.

c. Regarding compliance with the principle of data minimization (Article 5.1.c of the GDPR)

51. The disputed data processed would be relevant for the purposes of the processing for which they are intended (i.e. the management of the disciplinary file, the evaluation of eligibility conditions for the defendant's councils). In addition, access to the disputed data is restricted. This principle is therefore not infringed.

d. Regarding compliance with the principle of accuracy (Article 5.1.e of the GDPR)

52. The Respondent emphasizes that the disputed data, including the sanction, were recorded following the appeal in cassation and that the decisions adopted by the ABC and the adoption of the new Code of Ethics would not have rendered these data inaccurate. The respondent points out that, at the time the sanction of reprimand was adopted, the acts of the complainant were deemed objectionable by the Appeals Board. Even assuming that the Complainant's question is relevant, according to the Respondent, it is not certain that the Appeals Board would have judged the facts differently in light of the new provisions of the Code of Ethics.
It is therefore not excessive to keep a record of the disciplinary sanction, in particular to take it into account in the event of recidivism or to assess the conditions of eligibility.

53. Finally, the Respondent recalls that the Complainant had demanded in 2020, on the basis of this principle, that “the data be erased or, at the very least, corrected by indicating that the allegedly unlawful sanction was pronounced in contravention of competition law”.31 Insofar as the complainant does not demonstrate that the disputed data has become inaccurate, excessive or irrelevant, the defendant believes that it does not violate the GDPR principle of accuracy.

e. Regarding compliance with the principle of lawfulness (Art. 5.1.a of the GDPR)

54. The Respondent considers that the Complainant's reasoning relating to the Google Spain judgment could not apply in this case because the defendant would not have violated any principle of the GDPR in the context of the processing of the disputed data.

29 Point 7.2.3 of the complainant's submissions in response; paragraphs 80 to 86; 98 to 101 of the respondent's submissions in reply.

30 Idem.

31 Paragraph 86 of the Respondent's submissions in reply.

55. The Respondent also clarifies that legitimate interest, as a basis of lawfulness within the meaning of Article 6.1.f of the GDPR, is not invoked in the context of the processing of the disputed data. For this processing, the defendant invokes a legal obligation.

f. Regarding compliance with Article 10 of the GDPR

56. For its part, the Respondent argues that the purpose of Article 10 of the GDPR is to create an obligation on the part of the legislator: the appropriate safeguards for the processing of judicial sanctions must be provided for by the law of the European Union or of the Member State, and not by controllers.
The defendant states that, in the absence of clear guarantees imposed by the legislator, it nevertheless took the initiative to define reasonable retention periods, to ensure that the data relating to disciplinary sanctions are accessible only to a limited number of people and to take technical and organizational measures to ensure the confidentiality and integrity of said data. This is why the defendant points out that there can be no question of a violation of Article 10 of the GDPR.

g. Regarding compliance with Article 17 of the GDPR

57. The Respondent recalls that the Complainant had initially requested, in her letter of 27 January 2020, the deletion of her disputed data based on the illegality of the sanction (Art. 17.1.d GDPR). To the extent that the defendant contested the illegality of the sanction, it did not comply with her request. It also disputes the new arguments provided by the complainant on the grounds that the data processed would still be adequate and relevant, and their retention period reasonable (less than five years after the final adoption of the sanction).

58. Furthermore, the Respondent raises two exceptions to the right to erasure of personal data applicable to its situation (see points 41 and 42): the legal obligation to transmit data to databases containing information on health professionals (Article 17.3.b of the GDPR) and the legal defense of its rights (Article 17.3.e of the GDPR).

59. Finally, the defendant gives an assurance that the disputed data will be erased anyway, following the adoption of the new Internal Rules (hereinafter “ROI”) in March 2023, subject to compliance with the conditions of a new mechanism for the automatic erasure of minor sanctions handed down more than five years ago.32

I.2.5. The hearing of the parties

32 This is what the defendant asserted during the hearing of January 24, 2023.

60.
On October 20, 2022, the complainant expressed her intention to use the possibility of being heard, in accordance with Article 98 of the LCA.

61. On November 28, 2022, the parties are informed that the hearing will take place on January 17, 2023. On January 16, 2023, the defendant requested the postponement of the hearing, which the Litigation Chamber accepted with the plaintiff's approval. The parties were then informed of the postponement of the hearing to January 24, 2023.

62. On January 24, 2023, the parties are heard by the Litigation Chamber.

63. On February 20, 2023, the minutes of the hearing are submitted to the parties.

64. On February 24, 2023, the Litigation Chamber received comments relating to the minutes from the defendant, which it decides to take up in its deliberation. On the other hand, the Litigation Chamber receives no comments from the complainant.

I.2.6. The imposition of an administrative fine

65. On May 17, 2023, the Litigation Chamber informed the defendant of its intention to proceed with the imposition of an administrative fine as well as the amount thereof, in order to give the defendant the opportunity to defend itself before the penalty is actually imposed. It also asks the defendant to provide a balance sheet.

66. On June 2, 2023, the Litigation Chamber received the defendant's reaction concerning the intention to impose an administrative fine and the amount thereof, as well as the defendant's accounting balance sheet. The defendant argues that the Litigation Chamber bases itself on elements contrary to those appearing in the file and does not understand the legislative context relating to the College of Pharmacists. It also disputes certain criteria applied by the Litigation Chamber to impose an administrative fine.

67. The Respondent raises in particular the absence of mitigating circumstances on its part.
According to the defendant, it has taken many initiatives and steps since 2020 in order to bring the processing carried out with the disputed data into compliance. [...] be considered as a mitigating circumstance for the imposition of an administrative fine.

68. The Respondent also indicated that the disciplinary sanction pronounced against the complainant has been deleted. The Litigation Chamber notes, however, that it does not provide the evidence. These arguments are discussed in paragraphs 199 to 208 of this decision.

II. Motivation

II.1. As for the identification of the disputed data and the controller

69. The Litigation Chamber recalls that Article 4.1) of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an “identifiable natural person” is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his physical, physiological, genetic, psychic, economic, cultural or social identity; […]”.

70. Processing of personal data means “any operation or any set of operations carried out or not using automated processes and applied to data or sets of personal data, such as the collection, the recording, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or destruction”.

71. The Litigation Chamber finds that the sanction imposed on the complainant and all information related to this sanction contain personal data34 within the meaning of the GDPR.
Like the parties, the Litigation Chamber emphasizes that the creation of a disciplinary file for a pharmacist, the registration in this file of a disciplinary sanction, or the consultation, communication or even storage of the sanction are all, pursuant to Article 4.2) of the GDPR, processing of personal data.

72. The Litigation Chamber recalls that Article 4.7) of the GDPR defines the controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; when the purposes and means of this processing are determined by Union law or the law of a Member State, the controller may be designated or the specific criteria applicable to its designation may be provided for by Union law or by the law of a Member State".35 The concept of controller is an autonomous concept of European law, the assessment of which must be made with regard to the following criteria: the determination of the purposes of the data processing concerned as well as the determination of the essential means thereof. According to the European Data Protection Board, there is, in principle, no limitation as to the type of entity likely to assume the role of data controller.38

33 GDPR, Art. 4.2.

34 See in particular CJEU, judgment of 2017, Nowak v. Data Protection Commissioner, §34: “the use of the expression “any information” in the framework of the definition of “personal data”, set out in Article 2(a) of Directive 95/46, reflects the objective of the Union to attribute a broad meaning to this concept, which is not restricted to sensitive or private information, but potentially encompasses all kinds of information, both objective and subjective in the form of opinions or assessments, provided that they “concern” the person in question.”

73.
Based on the aforementioned elements, the Litigation Chamber understands that the Order of Pharmacists, as a professional order in the field of health, has been charged by the Belgian legislator with regulating the pharmaceutical profession. By reason of this mandate, the defendant is expected to pursue a mission of regulating access to the pharmaceutical profession, of opinion, advice and prevention, but also a disciplinary mission. These missions, of public interest, were therefore assigned to the defendant, the Order of Pharmacists, by the legislator. And, even if the activities of the Order and its organs are regulated by legislative and regulatory measures, the defendant has a certain margin of freedom to determine the means necessary for the pursuit of these purposes. The Litigation Chamber deduces from this that the Order of Pharmacists is the controller for the processing carried out with the disputed data and other data relating to disciplinary sanctions.

II.2. Regarding compliance with the principle of lawfulness (Article 5.1.a of the GDPR)

74. The principle of lawfulness is one of the key principles of the GDPR and by itself conditions the application of the other GDPR principles governing the processing of personal data. In application of Article 5.1.a of the GDPR, any processing of personal data must in particular be fair, transparent and lawful. To be lawful, any processing of personal data must in particular invoke a basis of lawfulness in Article 6 of the GDPR. It is up to the data controller to determine what is the adequate basis of lawfulness with regard to the purpose of the processing.

75. For these reasons, the Litigation Chamber will therefore first examine compliance with this principle before addressing the other grievances of the complaint.

76. Article 6(1) of the GDPR lists six bases for lawfulness of processing: in addition to consent (Art. 6.1.a of the GDPR), the processing of personal data may be necessary for the performance of a contract (Art.
6.1.b of the GDPR), for compliance with a legal obligation (Art. 6.1.c of the GDPR), for the performance of a mission of public interest or relating to the exercise of public authority (Art. 6.1.e of the GDPR), for the legitimate interests pursued by the controller or by a third party (Art. 6.1.f of the GDPR), or is necessary to safeguard the vital interests of the data subject (Art. 6.1.d GDPR).

35 GDPR, Art. 4.7.

36 See for example the decision 63/2022 of the Litigation Chamber of May 2, 2022, available on https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-63-2022.pdf

37 European Data Protection Board (EDPB), Guidelines 07/2020 concerning the concepts of controller and processor in the GDPR, version 2.0 of July 7, 2021, points 39 et seq.

38 EDPB, op. cit., p. 11.

77. Each processing operation should be justified by one of the bases of lawfulness mentioned above. When the same processing pursues several purposes, each purpose must be based on a basis of lawfulness.

78. In this case, the defendant mentions that the processing of personal data that is the subject of the complaint is the keeping of a register of disciplinary sanctions.39 However, the Litigation Chamber considers this presentation of the facts by the respondent. Indeed, it appears from the documents in the file, including the conclusions of the defendant and the complainant, that the complaint actually targets several processing operations carried out with the disputed data (conservation, consultation, transmission of disputed data).

79. It also appears from the documents in the file that this processing pursues different purposes, which are as follows:
1. Management of a disciplinary file;40
2. Updating the roll of the Order;41
3. Assessing the conditions of eligibility of candidates for election to organs of the defendant;42
4.
The evaluation of applications to become a training supervisor and the transmission of this assessment to universities;43
5. The transmission of the disputed data to a federal database maintained by the FPS Public Health;44
6. The transmission of data to a European database on the IMI system;45
7. Maintaining a directory of Council case law in order to develop the principles of pharmaceutical ethics;46
8. Legal defense of the defendant.47

39 Respondent's Summary Submissions, p. 9, §21.

40 Defendant's summary conclusions, p. 29, §71, where it is indicated that a disciplinary sanction is entered in the file of the pharmacist.

41 Defendant's summary conclusions, page 14, §35, where it is indicated that the table of pharmacists contains in particular disciplinary sanctions.

42 Respondent's Summary Submissions, p. 14, §35.

43 Respondent's Summary Submissions, p. 14, §35.

44 Respondent's Summary Submissions, p. 49, §119.

45 Respondent's Summary Submissions, p. 50, §119.

46 Respondent's Summary Submissions, p. 9, §21.

47 Respondent's Summary Submissions, p. 50, §120.

80. Since processing for these purposes requires the storage, consultation or transmission of the disputed data, the Litigation Chamber will examine the bases of lawfulness for each purpose.

II.2.1. Management of disciplinary cases

81. On several occasions, the Respondent invokes the management of “disciplinary cases” as the purpose of processing the disputed data.

82.
First and foremost, for the sake of clarity, the Litigation Chamber wishes to clarify what it means in this decision by:
- Management of disciplinary cases: all actions taken by the Provincial Councils and Appeals Councils necessary to regulate the behavior of pharmacists with a view to imposing respect for pharmaceutical ethics48 (ranging from the opening of an investigation, to the investigation of the case, the prosecution, the judgment, the transmission of a file to an appeal body and the assessment of the risk of recidivism in the event of a subsequent procedure49). The management of disciplinary cases requires keeping a disciplinary file reflecting the current disciplinary status of a pharmacist and containing the decisions pronounced against the pharmacist;
- Disciplinary file: the individual file, specific to each pharmacist, in which the disciplinary sanctions or other decisions pronounced against a pharmacist are found. This file reflects the disciplinary status of a pharmacist.

83. In the present case, the defendant invokes a legal obligation within the meaning of Article 6.1.c of the GDPR50 for the management of disciplinary cases. To do this, the defendant invokes Article 15 of Royal Decree no. 80, requiring the National Council to keep a directory of case law, the articles of Royal Decree no. 80 instituting disciplinary jurisdiction on the part of the Provincial Councils and Appeals Councils,51 as well as the articles of Royal Decree no. 80 defining the conditions of eligibility for positions in the organs of the respondent.52

84. Pursuant to Article 6, paragraph 1, c) of the GDPR, the processing can be considered as lawful when it is necessary "for compliance with a legal obligation to which the controller is subject”.
As clarified by the Article 29 Working Party, for a controller to be able to rely on Article 6.1.c of the GDPR to process personal data, the controller must be obliged to do so by or under a legislative standard.

48 See in particular J. ALARDIN, J. CASTIAUX, Disciplinary law in the case law, Brussels, Larcier, 2014, p. 50: “Disciplinary action has, in fact, the purpose of investigating whether the holder of a profession has violated the rules of ethics or discipline or has damaged the honor or dignity of his office or profession”.

50 This list is not exhaustive.

51 Respondent's summary submissions, page 43, §103. Royal Decree no. 80, art. 6, 2°, article 12, §1, 1°.

52 Royal Decree no. 80, art. 8 §1, article 12, §1, 1°, art. 14, §1, 1°, par. 2.

85. In accordance with Article 6.3 of the GDPR, read in conjunction with Article 22 of the Constitution and with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, this legislative standard must define the essential characteristics of a data processing operation necessary for the performance of a task in the public interest or falling within the exercise of official authority vested in the controller. In the aforementioned provisions, it is emphasized in this respect that the processing in question must be framed by a sufficiently clear and precise standard whose application must be predictable for the people concerned.53 In accordance with Article 6(3) of the GDPR, this standard must define the purpose(s) of the processing.

86. However, the Litigation Chamber finds that the provisions of Royal Decree no. 80 put forward by the defendant to demonstrate a legal obligation on its part (point 82) do not explicitly mention the management of disciplinary cases. They allow at most Provincial Councils and Appeals Councils to adopt disciplinary sanctions and assess the eligibility of candidates for election.
Evaluation of the conditions of eligibility for elections to the defendant's organs does not pursue the same purpose as the management of disciplinary cases. The Litigation Chamber finds that Article 15 of Royal Decree no. 80 does in fact mention the keeping of a register of disciplinary decisions as a duty incumbent on the National Council, but the purpose of this register is well defined and does not cover the management of disciplinary cases: this register must be used to "adapt, if necessary, the code of ethics with a view to supplementing or specifying its provisions on the basis of this case law".

87. In the legal provisions invoked by the Respondent, there is therefore no question of the keeping of a disciplinary file or the assessment of the offense. rely on Article 6.1.c of the GDPR to justify the management of disciplinary cases. A hypothetical legal obligation based on Royal Decree no. 80 could only justify part of the processing carried out by the defendant (Royal Decree no. 80 only mentions the adoption of sanctions and the consultation of sanctions in order to determine the eligibility of a candidate for elections). This legal basis, erroneously invoked by the defendant, could not allow data subjects to understand the extent of the processing carried out with personal data relating to disciplinary sanctions. This ignorance on the part of the defendant is therefore not compatible with the obligation of transparency. The defendant therefore violates Article 5.1.a of the GDPR by invoking an erroneous basis of legality.

88. However, the Litigation Chamber does not conclude that there is no adequate legal basis for the processing of data in the context of the management of disciplinary cases.

[53] DPA, decision on the merits 47/2022 of 4 April 2022, p. 22, item 106, available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-47-2022.pdf .

89.
Indeed, in view of its missions, it is normal that a professional order such as the Order of Pharmacists can keep an up-to-date disciplinary file on its members in order to pursue its disciplinary mission.

90. In accordance with Article 6.1.e of the GDPR, processing of personal data may be necessary for the performance of a mission of public interest or relating to the exercise of the official authority vested in the controller by virtue of a legislative provision. Unlike the legal obligation provided for in Article 6.1.c of the GDPR, the processing necessary for the pursuit of the mission of public interest does not have to be explicitly described in a legislative provision. Such processing, according to the Litigation Chamber, is based rather on the public interest mission conferred on the controller.[55] The legal basis must, at least, define the missions of public interest or falling within the exercise of official authority which justify the need for the processing of personal data. The purpose of the processing must also be determined in this legal basis.[56]

91. The notion of "processing necessary for the performance of a task in the public interest" has a broad scope since it covers not only the processing necessary for the execution of the mission of public interest in the strict sense, but also the processing necessary for the performance of tasks directly related to this mission of public interest, including the processing necessary for the management and operation of the bodies responsible for this mission of public interest.

92. The Article 29 Working Party rightly noted that this legal basis is relevant for: "a professional association, such as a bar association or a professional association of doctors, vested with the required public authority, may initiate disciplinary proceedings against some of its members".[57]

93.
In this case, the management of disciplinary cases involves the processing necessary for the exercise of the quasi-jurisdictional functions of the Provincial Councils and the Appeals Councils of the Order. These disciplinary functions are, in accordance with Article 6.3 of the GDPR, exclusively attributed by Royal Decree no. 80 to the Provincial and Appeals Councils of the Order. The assessment of the risks of recidivism in the assessment of the sanction to be adopted is also necessary to pursue this mission.

94. In view of the foregoing, the Litigation Chamber concludes that the processing of the disputed data consisting of the management of disciplinary cases by the Provincial Councils and Appeals Councils is justified on the basis of Article 6, paragraph 1, e) of the GDPR, insofar as said processing is carried out by the competent bodies responsible for the performance of disciplinary jurisdictional functions.

[54] GDPR, art. 6.3.
[55] C. DE TERWANGNE, The General Data Protection Regulation, p. 136; W. KOTSCHY, The EU General Data Protection Regulation (GDPR), p. 336.
[56] GDPR, recital 45.
[57] Article 29 Working Party, op. cit. p. 23.

II.2.2. The establishment and management of the roll of the Order

95. Respondent submits that the disciplinary status must appear on the Order's roll. To do this, the defendant must read the pharmacists' disciplinary file. However, Royal Decree no. 80 assigns the mission of establishing a list of pharmacists to the Councils[58] and the Royal Decree of 4 July 1970 imposes on the Provincial Councils the procedure to be followed for registration on the roll.[59] The set of provincial rolls constitutes the roll of the Order.

96. The Respondent did not explain all the purposes pursued by keeping the roll of the Order.
It emerges from the aforementioned provisions that registration on the provincial rolls allows the Provincial Councils to control access to the profession by requiring proof of competence on the part of pharmacists and also conditions access to the profession. Moreover, the roll of the Order, which is the sum of the provincial rolls, has an administrative function, by listing all the pharmacists practicing or having the right to practice in Belgium. This list should contain the identification data of the pharmacists as well as their disciplinary status.

97. The Litigation Chamber judges that the provisions mentioned in point 96[60] contain the essential elements of the processing. The Litigation Chamber notes, however, that the personal data accessible on the list do not appear in these provisions. Nevertheless, the provisions mentioned are sufficient to allow the defendant to rely on Article 6.1.c of the GDPR in order to proceed with the establishment and management of the roll of the Order.

II.2.3. Assessing the eligibility of candidates for election to the organs of the respondent

98. As mentioned previously, Royal Decree no. 80 requires the organs of the defendant to take into consideration the sanctions pronounced against the candidates in their respective elections. Thus, for the defendant's bodies, the pharmacist who has incurred a sanction other than that of a warning.[61]

[58] Royal Decree no. 80, art. 6, 2°.
[59] Royal Decree of July 4, 1970, articles 21 to 26.
[60] Although not explicit, the purpose of such processing is understood, as are the data controller, the competent bodies, the recipients of the personal data and the categories of personal data necessary to proceed with registration.
[61] Royal Decree no. 80, art. 8 §1, art. 12, §1, 1°, art. 14, §1, 1°, par. 2.

99. This purpose therefore involves consulting the disciplinary status of the candidate pharmacist.

100.
Given that the purposes and means of this processing are sufficiently delimited, the Litigation Chamber finds that this processing is justified by a legal obligation within the meaning of Article 6.1.c of the GDPR.

II.2.4. The evaluation of applications to become an internship supervisor and the transmission of this assessment to universities

101. The Respondent also mentioned consulting the disciplinary status of pharmacists in order to provide an opinion to the universities that have received their application for a position of internship supervisor. Even if this opinion only takes the form of a yes or a no,[62] the consultation and the drafting of this opinion are processing of personal data requiring a basis of lawfulness under Article 6 of the GDPR. The purpose pursued - indicating to universities whether potential future internship supervisors have a suitable profile to train pharmacy students - is different from that of the management of disciplinary cases.

102. However, the Respondent does not advance any basis of legality relating to this purpose. more how this treatment would be compatible with the initial treatment, the management of the cases (point 142). The Litigation Chamber therefore finds that the defendant violated Article 5.1.a of the GDPR by not indicating an adequate basis of lawfulness for these data processing operations.

II.2.5. The transmission of data to the federal database CoBRAH and to the European database

103. The defendant indicated that he had to transmit to the FPS Public Health certain data relating to registration on the roll and the temporary or permanent withdrawal of the right to exercise the profession of pharmacist via the federal CoBRAH database.[63]

104. The defendant must transmit information relating to restrictions or prohibitions on practicing the profession of pharmacist to the competent authorities, who in turn inform the authorities of other Member States via the Internal Market Information System (IMI).[64]

[62] Minutes of hearing, p. 13.
[63] Coordinated law of 10 May 2015, art. 99.7°.
[64] Coordinated law of 10 May 2015, art. 114/1.

105. Given that these processing operations are sufficiently delimited by law, the Litigation Chamber accepts the basis of legality put forward by the defendant, i.e. a legal obligation under Article 6.1.c of the GDPR.

II.2.6. Maintaining a directory of case law

106. The Respondent wrongly relied on Article 15 of Royal Decree no. 80 to justify, on the basis of a legal obligation within the meaning of Article 6.1.c of the GDPR, the management of disciplinary cases by the Provincial Councils and Appeals Councils (points 81 to 95).

107. The Litigation Chamber notes, however, that the defendant can rely on this provision of Royal Decree no. 80, but only for the processing of disputed data pursuing the purpose imposed by Article 15, and as a duty incumbent on the National Council. Indeed, this article requires the National Council to keep an up-to-date directory of disciplinary decisions pronounced by the National Councils and the Appeals Councils. The only purpose indicated by the legislator for such a directory is to develop the principles of pharmaceutical ethics and to adapt the Code of Ethics.

108. Therefore, the keeping of such a directory of case law by the National Council in order to develop the code of ethics is based on a legal obligation within the meaning of Article 6.1.c of the GDPR, namely Article 15 of Royal Decree no. 80.

II.2.7. Recognition, exercise or defense of legal rights

The defendant further invokes legitimate interest as a basis of lawfulness within the meaning of Article 6.1.f GDPR to process the complainant's disputed data.[65]

II.2.7.3. Position of parties

109. The defendant explains that the complainant has a broader dispute with the Order, in particular the complaint filed with the ABC (point 12)[66] and that an action for annulment before the Council of State was introduced by the complainant on March 2, 2020.
In this context, he had to refer to the decision rendered on December 22, 2016 by the Appeals Board, and the procedure before the Council of State is still pending. For this last reason, the respondent emphasizes that it will continue to process the disputed data in the proceedings still in progress, in particular before the Council of State, but only within this framework.[67]

[65] Point 10.2.2 of the complainant's reply submissions; paragraphs 35, 120 and 121 of the rebuttal submissions of the respondent.
[66] Paragraph 120 of the Respondent's Reply submissions as well as paragraphs 25 and following with respect to the complaint to the CBA.
[67] Paragraph 120 of Respondent's Reply Submissions.

110. The complainant explained that the dispute between her and the defendant before the Council of State concerns the new Code of Ethics: this is a dispute relating to the normative function of the defendant and not to his disciplinary jurisdictional functions. Moreover, "the law carefully organizes the independence of the provincial council and the appeals council in relation to the order as drafter of the Code of Ethics".[68] The complainant adds that the defendant would invoke the need for indefinite storage "(until the death of the pharmacist concerned) of ethical sanctions in order to ensure the defense of his rights in court".[69]

II.2.7.4. Position of the Litigation Chamber

111. The Litigation Chamber notes that, according to Article 6.1.f of the GDPR, the processing of personal data must be "necessary for the fulfillment of the legitimate interest" pursued by the data controller (for completeness: or by a third party).

112. Moreover, recourse to legitimate interest is expressly subject to an additional balancing criterion, which aims to protect the interests and the fundamental rights and freedoms of the persons concerned.
In other words, the legitimate interest pursued by the controller must be weighed against the interests or fundamental rights and freedoms of the data subject, the objective of the balancing being to prevent a disproportionate impact on their rights and freedoms.

113. The interest pursued by the data controller, even if it is legitimate and necessary, can therefore validly be invoked only if the fundamental rights and freedoms of the persons concerned do not prevail over this interest. The Court of Justice of the European Union[70] has clarified that these three conditions – namely the pursuit of a legitimate interest by the controller (purpose test) (a), the need for the processing to achieve the legitimate interest pursued (necessity test) (b) and the condition that the rights and freedoms of the persons concerned do not prevail over the interest pursued (balancing test) (c) – are cumulative.

114. In this regard, legal defense is a fundamental right enshrined in Article 48 of the Charter of Fundamental Rights of the Union. In general, legal defense can indeed be considered a lawful legitimate interest in the context of the application of Article 6.1.f of the GDPR. In accordance with Opinion 06/2014 of the Article 29 Working Party on the notion of legitimate interest, this interest must be real and present, and not hypothetical.[71]

[68] Point 10.2.2 of the complainant's reply submissions; paragraphs 35, 120 and 121 of the rebuttal submissions of the respondent.
[69] In paragraph 120 of its Reply Submissions, the Respondent adds that it has never claimed that the preservation of the data was necessary until the death of the pharmacist concerned in order to ensure the defense of his rights in court.
[70] CJEU, judgment of December 11, 2019, TK v. Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, § 44.
The Litigation Chamber finds that the interest of the defendant is real and present, because of the proceedings pending before the Council of State. The first requirement is therefore fulfilled.

115. With regard to the second condition, the defendant must show that the processing is necessary for the exercise of this defense in court. This need to process the disputed data implies that the legal defense of the defendant before the Council of State would be obstructed without the processing of the disputed data. Moreover, one of the corollaries of this criterion of necessity is compliance with the principle of data minimization (Article 5.1.c GDPR).

116. In the present case, the Litigation Division notes that the procedure initiated by the plaintiff before the Council of State seeks to annul certain provisions of the new Code of Ethics. The defendant indicates that the processing of the data was necessary because it had to mention the decision of the Appeals Council of December 22, 2016 in its conclusions. Legitimate interest, as a basis for lawfulness, would only allow the National Council, as legal representative of the defendant, to process the disputed data in the context of this procedure.

117. With regard to the third condition, the fact remains that this data processing must also fit in a relevant and proportionate way with the purpose precisely identified with this legitimate interest, namely the legal defense with regard to the dispute before the Council of State. It is therefore still necessary to ensure that the requirements of the balancing test are met. The balancing test requires balancing the interests of the controller on the one hand and the fundamental rights and freedoms of the person concerned on the other hand.

118. The Litigation Division is of the opinion that legal defense is a compelling interest that may justify an infringement of the right to the protection of the privacy of the individuals concerned.[73]
Such an infringement of the plaintiff's right would be justified. Furthermore, the defendant is not a public authority and can therefore invoke a legitimate interest in the framework of the defense of his rights in court.

119. The defendant may therefore invoke the defense of his rights in court as a legitimate interest within the meaning of Article 6.1.f of the GDPR to justify the processing of the disputed data by the National Council.

[71] Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interest pursued by the data controller within the meaning of Article 7 of Directive 95/46/EC, p. 27.
[72] Motion to quash, Exhibit 8 of the Respondent's Inventory.
[73] Article 29 Working Party, "Opinion 06/2014 on the notion of legitimate interest pursued by the data controller within the meaning of Article 7 of Directive 95/46/EC", p. 27.

II.2.8. Conclusions on compliance with the principle of lawfulness

120. As noted above, the Respondent relied on an inadequate basis of legality to justify processing relating to the management of disciplinary cases (points 81 to 95). Nor did the defendant invoke a basis of lawfulness to justify the processing relating to opinions given to universities (points 101 and 102). Based on these findings, the Litigation Chamber judges that the defendant violated the principle of legality and transparency of Article 5.1.a of the GDPR.

II.3. With regard to Article 5, paragraph 1, e) of the GDPR (principle of data storage limitation)

121. The principle of limitation of data retention implies that the duration of retention of personal data must be defined and limited. It must not exceed what is strictly necessary with regard to the purposes for which the data is processed.[74] Applying this principle also reduces the risk of the use of such data to the detriment of the data subject.

122.
The GDPR does not dictate the retention period of personal data but requires the data controller to adopt, at the very least, retention criteria[75] with regard to the purposes established for each processing operation. In principle, the retention period determined by the data controller must be communicated to the data subject[76] at the time the personal data is obtained.

123. The College has established the following criteria to determine the retention period of personal data that it is required to process in general: "The Controller retains Personal Data (i) for as long as it is necessary or relevant for the purposes indicated above, (ii) for the period during which the law requires it, or (iii) as long as a legal dispute or investigations can take place."[77]

124. Given its preponderant role in achieving the other purposes pursued by the defendant, the Litigation Chamber will first consider the limitation of retention of data related to a disciplinary file.

[74] GDPR, recital 39.
[75] GDPR, art. 5.2.
[76] GDPR, art. 13.2, a).
[77] Pages 34 to 35 of the Respondent's summary submissions.

A. Duration of retention of disciplinary sanctions within the framework of the management of disciplinary cases

125. Concretely, the Respondent decided to keep the data related to disciplinary sanctions until the death of pharmacists registered on the Order's roll or, at the least, until the end of their career.[78] In order to justify this retention period, the Order refers to Royal Decree no. 80, which does not indicate when a sanction becomes obsolete for determining the conditions of eligibility. Insofar as Royal Decree no. 80 does not explicitly contain provisions concerning the retention period of data in disciplinary matters, the defendant therefore concluded that the provisions of the Royal Decree de facto required processing for an indefinite period, thus justifying the retention of disciplinary data until the death or the end of the pharmacists' career.

126.
However, as examined previously, these provisions are not relevant to establish treatment involved in the management of disciplinary cases. not relevant to justify this retention period.

127. The management of disciplinary matters, including the keeping of a disciplinary record, is in reality based on a mission of public interest (paragraphs 89 to 94). But it would be wrong to interpret the silence of a legislative text as allowing data processing to be unlimited in time. A royal decree imposing a mission of public interest within the meaning of Article 6.1.e of the GDPR must be interpreted in accordance with the GDPR. The controller therefore cannot shirk its obligations, including that of determining the period necessary for the retention of personal data. It was therefore up to the defendant to adopt a retention period adequate for the management of disciplinary cases.

128. The Litigation Division draws a distinction between two types of sanctions: minor sanctions (the warning and the reprimand) and major sanctions (the penalties greater than a reprimand). Such a distinction is also adopted by the respondent.[79]

129. In the present case, according to the Litigation Division, the retention of a disciplinary sanction in a file until retirement, regardless of its severity, is excessive and not GDPR compliant. Moreover, the defendant fails to explain the relevance of retaining a minor sanction until the death or the end of the career of a pharmacist in order, for example, to take recidivism into account in a disciplinary case.

[78] Page 48 of the Respondent's summary submissions.
[79] See the 2021 Annual Report of the National Council of the Order of Pharmacists, p. 27.

130. With regard to the retention period applied to the complainant's sanction, the defendant also argues that the retention period of the data in question must be
determined from February 5, 2018, when the decision relating to the sanction against the complainant became effective, i.e. thirty days from the notification of the judgment of the Court of Cassation (point 15). A cassation appeal in disciplinary matters effectively has a suspensive effect on the contested decision. The processing operations mentioned previously and involving the complainant's disciplinary status (taking into consideration the sanction to assess the conditions of eligibility for elections as well as for a post of supervisor, to assess the risk of recurrence, etc.) would not have taken place until after February 5, 2018. The Complainant did not contest this point. The Litigation Chamber is therefore of the opinion that the retention period of the disciplinary sanction imposed on the plaintiff begins on February 5, 2018.

131. However, this last point does not change the finding that the Respondent was applying an excessive retention policy for data related to disciplinary sanctions and intended to apply it to the complainant's disputed data.

132. In conclusion, the Respondent failed to adopt a reasonable retention period for personal data relating to disciplinary sanctions, and did so without taking into consideration the severity of the sanctions adopted. The Litigation Chamber concludes that such a personal data retention policy violates the principle of retention limitation (Article 5.1.e of the GDPR).

133. Furthermore, when this decision was adopted, the disciplinary sanction imposed on the plaintiff will have been adopted more than five years after the judgment of the Court of Cassation became res judicata. The Litigation Chamber considers that a retention period exceeding five years for a minor disciplinary sanction is excessive.

134.
The defendant must then adopt a retention limitation policy specific to the needs encountered in handling disciplinary cases. The defendant must adopt fixed retention periods depending on the types of decisions contained in a disciplinary record.

B. Duration of retention of disputed data in the context of processing involving disciplinary status other than the management of disciplinary cases

135. Given that the roll of the Order must reflect the disciplinary status of a pharmacist on the basis of his disciplinary file, the mention of a disciplinary sanction on the roll of the Order must remain published on the roll of the Order as long as the disciplinary sanction in the individual disciplinary file.

[80] Judicial Code, art. 1121/5, 3°.

C. Duration of retention of a disciplinary sanction in the directory of case law

136. The Litigation Chamber understands from Article 15 of Royal Decree no. 80 that the National Council's mission is to establish a directory of disciplinary decisions in order to develop its case law and not to manage disciplinary files (points 106 and 108).

137. To comply with this legal obligation, the Litigation Division considers that a longer retention of the disciplinary sanction in this directory will be necessary, but solely for the purpose of fulfilling this specific purpose.

II.4. As to Article 5, paragraph 1, b) (purpose limitation principle)

138. The purpose of the processing is based on the fact that each processing of personal data must have a specific, explicit and legitimate purpose. This purpose of processing must be respected, must make it possible to determine the relevance of the data collected and must set the retention period for the data. In other words, once the data is collected and processed for a purpose, it is, in principle, no longer possible to use them for processing for a different purpose, subject to the application of Article 6.4 of the GDPR.

139.
The Litigation Chamber recalls that the purpose limitation principle implies that the controller must, before the start of any processing, determine the purpose of the processing, i.e. the purpose it intends to achieve through the use of the personal data. The purpose must be determined, explicit AND legitimate, so that a person concerned must be able to understand what data will be processed and for what purposes.

140. Further processing of personal data for purposes other than the one(s) for which this data was initially collected is only authorized if the subsequent processing is compatible with the purposes for which the personal data were initially collected, taking into account the link between the purposes for which they were collected and the purposes of the further processing envisaged, the framework in which the personal data was collected, the possible consequences of the further processing envisaged for the data subject and the existence of appropriate safeguards. A compatible purpose is, for example, a purpose that the person concerned can foresee or which may be considered compatible by virtue of a legal provision (see Article 6.4 of the GDPR). Further processing is however excluded when the initial processing is based in particular on national law or European law.

141. The Litigation Chamber judges that the purposes presented by the defendant are not sufficiently determined, i.e. specific, or explicit. Indeed, the respondent justifies the processing of the disputed data under an obligation to manage "disciplinary cases", or to keep a directory of case law. This concept is very vague and would not make it possible to understand the purposes listed in point 79. In addition, the use of a vague notion to define the purposes of such processing also means that these purposes are not sufficiently explicit.

142.
The defendant also mentions subsequent processing (in particular the evaluation of conditions of eligibility for a position of internship supervisor) compatible with the initial purpose of the collection of disputed data[81] (management of disciplinary cases). The defendant does not, however, prove compliance with the conditions for applying further processing compatible with the original purpose. Furthermore, the Litigation Chamber notes that the initial processing of disputed data is based on a mission imposed by Belgian law (see section II.2.1), which excludes further processing with the same data.

143. Consequently, the Litigation Division finds a violation of the principle of purpose limitation (Article 5.1.b of the GDPR) because the defendant did not sufficiently specify the purposes pursued with the disputed data, rendering the said purposes insufficiently determined and explicit.

II.5. As to Article 5(1)(c) (data minimization principle)

144. According to the minimization principle, the data undergoing processing must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". The relevance requirement is met if the data present a necessary and sufficient link with the purposes pursued. Furthermore, the principle of data minimization means that personal data are processed only where that purpose can reasonably be achieved by to the treatment in question.[82]

145. In order to honor the principle of minimization, data controllers may make use of measures such as anonymization, pseudonymization of data[83] (making the person concerned unidentifiable) or the designation of the persons authorized to access the data.

[81] Respondent's Summary Submissions, p. 30, § 73.
[82] GDPR, recital 39.
[83] GDPR, art.
4.5°; This is the "processing of personal data in such a way that they can no longer be attributed to a specific data subject without recourse to additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that personal data is not attributed to an identified or identifiable natural person".

146. The Litigation Chamber will examine compliance with the principle of minimization with each purpose pursued.

A. Management of the Complainant's Disciplinary Cases

147. As mentioned above in Section II.2.1, the keeping of a disciplinary file is necessary for the exercise of the quasi-judicial functions of the controllers, namely the Provincial Councils and Appeals Councils of the Order. When they exercise the disciplinary function assigned to them by Royal Decree no. 80, they must process personal data in disciplinary matters, in particular transmitting information allowing the assessment of recidivism or the pursuit of disciplinary proceedings at second instance. In this case, the Litigation Chamber was unable to identify and trace the transfer of the disciplinary data between the organs of the Order and regrets that the communication and/or the transmission of disciplinary data to assess recidivism or the conditions of eligibility within the organs of the Order have not been explained by the defendant.

148. The Litigation Chamber recalls that the principle of minimization also implies restricted access to personal data. Transfers within the Order must therefore be necessary with regard to the powers of each body.

B. Management of the roll of the Order

149. The Respondent also indicated that the Order's roll "repeated" or "contained" the disciplinary sanctions.
The defendant also asserted that such processing respected the principle of minimization due to its restricted access, which in the future will be even more restricted because it will be accessible only to the instructor and the rapporteur of a disciplinary instance. The Litigation Chamber questions this assertion: the defendant seems to confuse the keeping of a disciplinary file with the keeping of the roll of the Order.

150. With regard to the purpose pursued by the management of the roll of the Order with the data related to disciplinary sanctions, it is not necessary that the full sanction be accessible via consultation of the roll of the Order. An up-to-date statement of disciplinary status alone is sufficient to pursue this purpose.

C. Development of ethical principles based on case law

151. The defendant had also raised its obligation to maintain a directory of case law. The Litigation Chamber recalls the precise purpose that the National Council must pursue with such a directory: the development of the principles of ethics.

152. In order to comply with the principle of data minimization, the respondent must implement adequate measures to manage this directory of case law. The defendant should therefore pseudonymize the personal data included in a decision.

D. Assessment of Eligibility Conditions for Elections to Organs of the Respondent

153. As indicated above, the organs of the defendant will have the obligation to take into account the disciplinary status of a candidate in their elections. The Litigation Chamber notes, however, that this processing does not require consultation of the file and of the entire disciplinary sanction. A sanction contains a lot of personal data relating to the behavior of the accused. In order to comply with the principle of data minimization, consultation of the roll of the Order, where any sanction is mentioned, would be sufficient.

E.
Communication of disputed data to the CoBRAH database and the IMI system database

154. With regard to processing aimed at satisfying the legal obligation of the defendant to transfer data to the mentioned databases, the Litigation Chamber notes that the reprimand is not a measure restricting or prohibiting the right to practice the profession of pharmacist. As such, the communication of the disputed data is not necessary to satisfy the legal obligation of the defendant to transfer data to the other Member States via the IMI system, since that obligation does not cover disciplinary sanctions other than a restriction or prohibition to practice the profession of pharmacist. The Litigation Chamber adds that Article 114/1 of the coordinated law of 10 May 2015 does not provide for the communication of all the disciplinary data of a pharmacist, nor of disciplinary sanctions other than the restriction or prohibition to exercise the profession of pharmacist.

155. Moreover, contrary to the defendant, the Litigation Chamber finds that Article 99, 7° 84 of the law of 15 May 2015 provides that the data to be transmitted by the defendant to the CoBRAH database are the data relating to registration on the roll and the temporary or permanent withdrawal of the right to practice. Based on this provision, it appears that the communication of data relating to disciplinary sanctions not resulting in removal from the roll or temporary or permanent withdrawal from practice is not necessary to fulfill the obligation established by Article 99, 7° of the law of 15 May 2015.

156. The Litigation Chamber notes, however, that the defendant invokes, for the transmission of data to the FPS Public Health, a protocol concluded between the defendant and the FPS Public Health. 85 This protocol would establish the communication of all sanctions

84 Coordinated law of 10 May 2015, art.
99: “The following services, organizations and persons provide the permanent federal database of health care professionals with the following data: […] 7° the Order, with regard to professional addresses as well as data relating to registration on the roll and temporary or permanent withdrawal of the right to practice, but without mentioning the reasons justifying this withdrawal; […]”
85 Respondent's submissions, p. 50, § 119.

to the FPS Public Health but was not provided by the defendant to the Litigation Chamber and is not freely accessible.

157. The Litigation Division finds that this protocol does not meet the requirements of Article 6.1.c of the GDPR to constitute a legislative provision imposing a legal obligation, because this protocol is not foreseeable for the persons concerned (point 84).

158. The Litigation Chamber then concludes that the Defendant violated Article 5.1.c of the GDPR by communicating the data relating to minor sanctions, which were not necessary for the purpose pursued.

II.6. As to Article 5(1)(d) (principle of correctness)

159. The principle of correctness of Article 5, paragraph 1, d) of the GDPR implies that the data collected must “be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”. In concrete terms, this requirement of accuracy translates into specific guarantees, which are the rectification of data, 86 the erasure of data which are inaccurate and no longer necessary in relation to the purposes for which they were collected 87 or the limitation of processing for a period allowing the controller to verify the accuracy of the personal data. 88 As an additional link in the principle of accuracy, the updating of data takes on a much more concrete practical dimension. 89
As soon as an opportunity to update arises for the controller, the latter must take it.

160. The purpose of this principle is to fight against obsolete data whose use may be irrelevant or even harmful to the data subject.

161. In its Nowak judgment, the Court of Justice of the European Union clarified how compliance with this principle had to be assessed: “the completeness and accuracy of personal data must be assessed with regard to the purpose for which these data were collected”. 90 This implies that the data controller adopts reasonable measures to ensure the accuracy of the personal data it processes. Compliance with this principle is assessed with more or less severity depending on the effects of the processing of inaccurate data on the rights and interests of the data subject. This principle of accuracy establishes an obligation of means. 91

86 GDPR, art. 16.
87 GDPR, art. 17.1.a.
88 GDPR, art. 18.1.a.
89 G. HAAS, GDPR legal guide: the regulations on the protection of personal data, 3rd edition, Edition ENI, 2022, pp. 86 to 89.
90 CJEU, judgment of December 20, 2017, Nowak v. Data Protection Commissioner, C-434/16, § 53.

162. The GDPR does not define the term “accuracy”. The Article 29 Working Party clarified that: “As a general rule, ‘accurate’ means accurate with respect to a fact”. 92 It follows from this interpretation that the accuracy of subjective information cannot be challenged under the principle of accuracy of the GDPR. However, the border between the objective and subjective character of a datum is not always clear. 93 Therefore, in the context of the processing of a sanction or a formal opinion issued by a disciplinary body, when such an opinion is based on normative texts whose legality has been contested, the processing of the opinion in question may be challenged under the principle of accuracy. 94

163.
As a reminder, the Litigation Division is not competent to determine whether a sanction adopted following the acts carried out by the complainant could be pronounced under the new Code of Ethics of the Order of Pharmacists. Likewise, the Litigation Chamber does not question the existence of the acts carried out by the complainant which led the French-speaking Appeals Council of the Order to find a breach of the essential principles of the profession of pharmacist and to sanction it (point 11).

164. However, the Litigation Chamber is surprised that the disciplinary bodies of the Order were not more alarmed about a potential update of the disciplinary file after the adoption of the new Code of Ethics and/or the decisions of the ABC within the framework of the management of disciplinary cases. The Litigation Chamber considers that the disciplinary authorities of the Order should reasonably foresee – at least after the adoption of the new Code of Ethics – updates to disciplinary records, including to verify whether the retained data still reflected an accurate disciplinary status with regard to the normative framework of the profession of pharmacist. In this case, the defendant should have checked whether the sanctions imposed on the complainant on the basis of the old edition of the Code of Ethics would be pronounced again under this new Code and whether, in the light of this review, the maintenance of the disciplinary sanction pronounced against the Complainant still reflected an accurate disciplinary status.

165. In addition, the Litigation Chamber once again reminds the controller that, as indicated above (point 160), the purpose of this principle is to fight against obsolete data whose use may appear irrelevant, or even detrimental, to the person concerned. This situation appears to be the case here.

91 C. DE TERWANGNE, “Principles relating to the processing of personal data and its legality”, in C. DE TERWANGNE, K.
ROSIER (dir.), The General Data Protection Regulation (RGPD/GDPR) – In-depth analysis, Brussels, 2018, p. 111.
92 G29, Guidelines relating to the execution of the judgment of the Court of Justice of the European Union in the case “Google Spain and Inc. / Agencia Española de Protección de Datos (AEPD) and Mario Costeja González”, C-131/12, p. 17.
93 C. DE TERWANGNE, op. cit., p. 111.
94 C. DE TERWANGNE, op. cit., p. 112.

since the disputed data, namely the sanction pronounced in 2018 against the complainant on the basis of the old Code, are processed to assess the recidivism and/or the conditions of eligibility of the complainant to the various councils of the Order.

166. The Litigation Chamber finds that the defendant has, despite the adoption of the new Code of Ethics, continued to process the disputed data of the complainant without even considering a potential update of her disciplinary file, since the complainant still could not stand for election to the organs of the defendant. On the other hand, the facts at the origin of the sanction could expose her, within the framework of new disciplinary procedures, to a more severe sanction due to recidivism. At the time of the complainant's erasure request in 2020, such harm should have prompted the Provincial Council to re-examine the relevance of maintaining the complainant's disciplinary sanction in her disciplinary file, for which it was responsible. In its submissions and at the hearing, the defendant moreover could not affirm that such a sanction would be pronounced again after the adoption of the new ROI, which shows that the re-evaluation of the maintenance of the disciplinary sanction in the complainant's file was not examined.

167. This evaluation on the part of the Provincial Council should not be understood as a second chance of an appeal against the decision in order to cancel the sanction.
It aims to assess the relevance of updating the disciplinary status of a pharmacist by determining whether the presence of a disciplinary decision is still relevant in his disciplinary file. This update of the disciplinary file does not entail the cancellation of the disciplinary decision in the case law of the respondent's councils.

168. In light of the foregoing, the Litigation Division finds that the defendant has not mobilized sufficient resources to respect the principle of accuracy. By not having re-examined the complainant's disciplinary file after the adoption of the new Code of Ethics, despite the harm raised by the complainant and the serious indications of the lack of merit in maintaining such a sanction, the defendant violates Article 5(1)(d) GDPR.

II.7. Regarding the violation of Article 10 of the GDPR

169. Regarding the processing of personal data relating to criminal convictions and offences, Article 10 of the GDPR specifies that “any complete register of criminal convictions can only be held under the control of public authority”. The GDPR requires that such processing, when not carried out under the control of public authority, be governed by Union law or by the law of a Member State which provides appropriate safeguards for the rights and freedoms of data subjects.

170. In order to delimit the material scope of the GDPR, the Litigation Chamber verifies whether the processing of ethical sanctions is included in the processing of personal data excluded from the scope of the GDPR. Indeed, Article 2, paragraph 2, d) of the GDPR 95 excludes from the material scope of the GDPR the processing of data protected by Directive 2016/680 of April 27, 2016 (hereafter the Police-Justice Directive). 96

171. To fall within the scope of the Police-Justice Directive, data processing must meet two cumulative conditions.
On the one hand, it must pursue one of the purposes mentioned in Article 1, namely the prevention and detection of criminal offences, investigations and prosecutions in this area or the execution of criminal sanctions. 97 On the other hand, the processing, whatever its purpose, must be implemented by a competent authority within the meaning of Article 3(7) of the Police-Justice Directive. 98

172. Conversely, Article 10 of the law of 30 July 2018 on the protection of persons with regard to the processing of personal data (hereinafter “framework law”) 99 specifies that the entities referred to in Article 10 of the GDPR, which are therefore not competent authorities within the meaning of Article 3.7 of the Police-Justice Directive, may be legal persons governed by public law, provided that the management of their own litigation requires it. The Litigation Chamber considers that the Order of Pharmacists corresponds to this definition, due to its findings in Section II.1. The defendant is therefore excluded from the personal scope of the Police-Justice Directive and Article 10 of the GDPR can potentially be applied to it.

173. The Litigation Division must still determine whether a disciplinary sanction can be considered as a criminal conviction, a concept which is not defined by the GDPR. It must therefore turn to the Police-Justice Directive. According to recital 13 of the Police-Justice Directive, the concept of criminal offense is an autonomous concept of EU law

95 Article 2.2.d): “[…] 2. This Regulation does not apply to the processing of personal data carried out: […] (d) by competent authorities for the purposes of the prevention, detection, investigation and prosecution of criminal offences or the execution of criminal penalties, including protection against threats to public security and the prevention of such threats.
”
96 Directive 2016/680 of the Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by the competent authorities for the purposes of the prevention and detection of criminal offences, the investigation and prosecution thereof or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
97 Police-Justice Directive, art. 1.1.
98 Article 3.7 of the Police-Justice Directive: “"competent authority": (a) any public authority competent for the prevention and detection of criminal offences, investigations and prosecution or execution of criminal penalties, including protection against threats to public security and the prevention of such threats; or (b) any other body or entity to which the law of a Member State entrusts the exercise of official authority and prerogatives of public power for the purposes of the prevention, investigation and prosecution of criminal offences or the execution of criminal sanctions, including protection against threats to public security and the prevention of such threats;”
99 Framework law, art. 10, § 1: “In execution of Article 10 of the Regulation, the processing of personal data relating to criminal convictions and offences or related security measures is carried out: 1° by natural persons or by legal persons governed by public or private law, provided that the management of their own litigation requires it; […]”

and in accordance with the interpretation of the Court of Justice of the European Union (hereafter “CJEU”). To assess the criminal nature of a sanction, the CJEU 100 adopted the same criteria as the European Court of Human Rights in its judgment Engel 101: the first is the legal qualification of the sanction in domestic law, the second, the nature of the offense itself and, the third, the degree of severity of the sanction. 102

174.
On the basis of these elements, the Litigation Division finds that a disciplinary sanction is not considered criminal in nature under Belgian law. This criterion is, however, not determinative. 103 The nature of the offence, as targeted by major sanctions, has repressive objectives against behavior deemed to be contrary to the essential principles of the profession, with the aim of preserving the general interests of society, such as public health. The severity of a major disciplinary sanction, by prohibiting the exercise of a professional practice, would likewise be high enough to meet the third condition set out in the case law of the ECHR. The second and third conditions are therefore met for major sanctions. But this is not the case for a minor sanction such as a reprimand. Therefore, the Litigation Chamber concludes that Article 10 of the GDPR does not apply to processing carried out on the data of the complainant.

II.8. As to the request for erasure of the complainant's data and the breach of GDPR Article 17

II.8.1. On the violation of Article 17 in 2020

175. First of all, with regard to the request for erasure submitted by the complainant in January 2020, the Litigation Chamber finds that the request was mainly based on the fact that, according to the complainant, the sanction adopted in 2016 was to be considered illegal following the decisions of the ABC and the adoption of the new Code. The Litigation Chamber is not competent to rule on the legality of the sanction in question with regard to competition law or current pharmaceutical ethics. It cannot therefore find a violation of Article 17.1.d committed by the defendant when he indicated that the sanction adopted was not illegal, and that therefore the subsequent processing of the data of this sanction was not illegal either. 104

100 CJEU (gde ch.), June 5, 2012, judgment Prokurator Generalny v Łukasz Marcin Bonda, C-489/10, § 37.
101 ECHR, June 8, 1976, judgments Engel et autres c.
Netherlands, 5100/71, 5101/71, 5102/71, 5354/72, 5370/72, § 80-83.
102 See, to that effect, CJEU, 5 June 2012, Bonda, C‑489/10, § 37; CJEU, 20 March 2018, judgment Garlsson Real Estate e.a., C‑537/16, § 28, as well as CJEU, 2 February 2021, Consob judgment, C‑481/19, § 42.
103 CJEU, 22 June 202, Latvijas Republikas Saeima, C-439/19, § 88.
104 If the defendant was not required to erase any reference to the disputed data and stop all processing involving this disputed data, at least he should then have examined the accuracy of the complainant's disciplinary status (Section II.6).

176. Moreover, as of 2020, the complainant also raised the lack of an adequate retention period policy on the part of the defendant and argued that her sanction had been retained for an excessive duration. Erasure therefore had to be applied on the ground of unlawful processing in accordance with Article 17.1.d of the GDPR. The Litigation Chamber cannot, however, follow the complainant's reasoning. A retention period of less than four years for a minor disciplinary sanction does not seem a priori excessive to the Litigation Chamber. And the mere absence of a retention period policy for the disputed data is not an infringement serious enough to warrant the requested erasure of the disputed data. The Respondent therefore did not violate Article 17.1.d by refusing to comply with the complainant's request in 2020.

II.8.2. On the application of the right to erasure as provided for in Article 17 of the GDPR

177. The Litigation Chamber notes that, in her complaint filed in 2022, the complainant invokes Article 17, paragraph 1, a), d) and e) of the GDPR to request the erasure of the disputed data.
The complainant's request seeks to erase the disputed data from the individual file of the complainant. Based on the complainant's submissions and her complaint, the Litigation Chamber understands that the complainant wishes that the disciplinary sanction pronounced in 2016 be removed from her disciplinary file and that, consequently, the processing in connection with her disciplinary status (more particularly the evaluation of conditions of eligibility for elections to the organs of the defendant and for the status of internship supervisor) come to an end.

178. Pursuant to Article 17(1)(d) of the GDPR, a data subject may request this deletion when the processing of his data is unlawful. This provision concerns, among others, the violation of the principle of lawfulness of Article 5.1.a of the GDPR. the scope of this provision and specified that unlawful processing may result from other situations in which the data is “inadequate, irrelevant or excessive with regard to the purposes of the processing, that they are not updated or that they are kept for a period exceeding that necessary, unless their retention is required for historical, statistical or scientific purposes.” 105 This interpretation is also confirmed by the European Data Protection Board: “the notion of unlawful processing must be interpreted in the light of Article 6 of the GDPR relating to the lawfulness of the processing. Other principles established by the GDPR (such as the principles referred to in Article 5 or in other provisions of Chapter II) may favor this interpretation”. 106

105 CJEU, judgment of May 13, 2014, Google Spain SL and Google Inc, C-131/12, § 92.
106 EDPB, Guidelines 5/2019 on the criteria for the right to be forgotten under the GDPR in the context of search engines, p. 10, § 35-36.

179.
In view of all the foregoing considerations, the Litigation Chamber finds that the defendant fails to demonstrate compliance with the principles of purpose limitation and data minimization (see sections II.4 and II.5) or compliance with the principle of accuracy (see section II.6) in the context of the processing carried out with the data. The Litigation Chamber then declares the processing of the disputed data unlawful.

180. This unlawful processing involves serious infringements, including the violation of several essential principles of the GDPR and, therefore, the complainant is entitled to request the erasure of the disputed data from her disciplinary file pursuant to Article 17, paragraph 1, d) of the GDPR.

181. The retention of the disputed data in the complainant's disciplinary file, retained for more than five years at the time of the adoption of this decision, is no longer relevant.

182. The Litigation Chamber notes that the defendant raises two exceptions to the right to erasure of personal data applicable to its situation: the processing is necessary to comply with a legal obligation (Article 17.3.b of the GDPR) and to defend its legal rights (Article 17.3.e of the GDPR).

183. Among the legal obligations invoked, the Respondent mentions the provisions of Royal Decree No. 80. As expressed by the Litigation Chamber above, Article 15 of RD No. 80 indeed mentions the keeping of a register of disciplinary decisions, but its purpose is well delimited: “to adapt, if necessary, the code of ethics with a view to supplementing or specifying the provisions on the basis of this case law”. This specific processing has no link with the management of disciplinary cases and does not require the disputed data to be kept in her disciplinary file.

184.
Moreover, the mission put forward by the defendant to keep the roll of the Order cannot be opposed to the request for erasure: the personal data included in the roll of the Order must reflect the disciplinary status of a pharmacist, which depends on an updated disciplinary record. In reality, the erasure of the disputed data from the disciplinary file should lead de facto to the erasure of the mention of the sanction on the roll of the Order. Regarding the other purposes pursued with the disputed data (evaluation of the conditions of eligibility for elections and for the status of internship supervisor), the same reasoning can be applied to them: the cancellation of a disciplinary sanction should logically lead to the cessation of this processing.

185. With regard to the other legal obligations put forward by the Respondent, which consist in communicating personal data relating to all disciplinary sanctions, whether minor or major, to two databases under the coordinated law of 10 May 2015, as mentioned above, the disputed data in question are not relevant to achieve these purposes (points 155 to 157). The defendant cannot therefore rely on these two legal obligations against the complainant's erasure request.

186. With regard to the exception raised to defend its interests in court (Article 17.3.e of the GDPR), the Litigation Chamber found that the defendant could use the disputed data before the Council of State. disputed data by the National Council, the only body empowered to represent the respondent. It does not require the disputed data to be kept in the complainant's disciplinary file, held by the competent Provincial Council.

187. In conclusion, on the basis of the elements noted above, the Litigation Division orders the defendant to erase the disputed data from the disciplinary file of the complainant.

188.
The Litigation Chamber recalls that the data controller is bound, in accordance with Article 19 of the GDPR, by a notification obligation with regard to the erasure of personal data. The controller notifies each recipient to whom the personal data has been communicated of any erasure of personal data carried out in accordance with Article 17.1 of the GDPR, unless such communication proves impossible or requires disproportionate efforts. The controller provides the data subject with information on these recipients if the latter so requests.

II.9. As for the adoption of new internal regulations and violations of GDPR Articles 23, 35 and 36

II.9.1. Position of parties

189. The defendant announced the adoption of the new ROI of the National Council. It puts in place mechanisms for erasure and rehabilitation. They aim to erase minor and major disciplinary sanctions, with respective procedures. According to the defendant, this new ROI would make it possible to respond to the complainant's grievance.

190. The complainant points out that each organ of the Order has been granted the power to establish its own ROI to regulate its internal functioning: each of the provincial councils (art. 5 AR No. 80), each of the appeal boards (art. 12 AR No. 80) and the National Council (art. 14 AR No. 80). The complainant emphasizes that the ROI of the National Council aims, like all the ROI of the other bodies of the Order, to regulate the internal functioning of the National Council, and not to create rules of law enforceable against other councils and pharmacists.

191. The Complainant is surprised that the Respondent has – to complete the current legal framework – amended the ROI of the National Council to comply with the provisions of the GDPR, which would violate Articles 23, 35 and 36 of the GDPR and Articles 6 and 13 ECHR.

192.
With regard to the status of the new ROI adopted on September 22, 2022, the complainant regrets that the defendant communicates neither the entirety of the new ROI, but only excerpts, nor the complete deliberation of September 22, 2022. She adds that no one can say that this new ROI will actually be in effect one day.

193. With regard to the content of the new ROI, the plaintiff is surprised that the defendant departed from the recommendations (adoption of a formal law) which it had nevertheless requested from the ODA in 2020, and supplemented the current legal framework by modifying the ROI of the National Council to comply with the provisions of the GDPR, which would violate Article 23 of the GDPR.

194. The Respondent contests the violations alleged by the Complainant arising from the adoption of this ROI. Articles 23, 35 and 36 of the GDPR establish obligations on the part of the authorities of the Member States, and not on the part of data controllers.

II.9.2. Position of the Chamber

195. The Litigation Chamber finds that each organ of the Order is competent to adopt its own ROI. Unlike the National Council 107, each Provincial Council 108 and each Appeals Council 109 establish their own ROI, which they submit to the National Council, which definitively adopts the text.

196. In view of all the foregoing considerations, the Litigation Chamber concludes that the National Council is not empowered to adopt a ROI applicable to all bodies. The National Council could not then impose its ROI on the defendant's other bodies, namely the Provincial Councils and the Appeals Councils. Therefore, the Litigation Chamber excludes from its examination the new ROI proposed by the defendant and ultimately excludes from the analysis the alleged violations of Articles 23, 35 and 36 of the GDPR as well as Articles 6 and 13 of the ECHR alleged by the complainant.

III. Corrective measures and sanction

197.
In addition to the corrective measures aimed at bringing the processing into compliance with Articles 5.1.a, 5.1.b, 5.1.c, 5.1.b and 5.1.e of the GDPR and at complying with the request for erasure of the plaintiff's disputed data from her disciplinary file, the Litigation Chamber also decides to impose an administrative fine of 30,000 euros, the purpose of which is not to put an end to an offense committed but to effectively apply the rules of the GDPR. As is clear from recital 148, the GDPR provides that sanctions, including administrative fines, be imposed for any serious violation, therefore including the first finding of a violation, in addition to or instead of the appropriate measures that are imposed. 110 The Litigation Chamber demonstrates hereinafter that the violations of the principles of Article 5 of the GDPR committed by the defendant are by no means minor violations and that the fine would not constitute a disproportionate burden on a natural person within the meaning of recital 148 of the GDPR, two cases in which a fine could be waived. The fact that this is a first finding of a violation of the GDPR committed by the defendant does not affect the possibility for the Litigation Chamber to impose an administrative fine. The Litigation Chamber imposes an administrative fine pursuant to Article 58.2 i) of the GDPR. The instrument of the administrative fine is in no way intended to put an end to violations. To this end, the GDPR and the LCA provide for several corrective measures, including the orders cited in Article 100, § 1, 8° and 9° of the LCA. 111

107 AR No. 80, art. 14, § 2.
108 AR No. 80, art. 5, paragraph 1.
109 AR No. 80, art. 12 and 13.

198.
Having regard to Article 83 of the GDPR, the case law of the Court of Markets as well as the criteria 112 set out in the EDPB guidelines on the calculation of administrative fines, the Litigation Chamber justifies the imposition of an administrative fine in concrete terms:

- The faulty behavior of the defendant: The observed infringement relates to the basic principles for the processing of data provided for in Article 5 of the GDPR. However, these principles have been in effect since May 25, 2018. The Respondent admitted to having been reflecting on an adaptation of its data protection policy since 2020. However, a reflection is not enough and should materialize in measures to bring the processing carried out with the disputed data into compliance. This reflection has not yet solved the problems highlighted by the plaintiff, of whose existence and potential damage the defendant had known for several years. Consequently, the Litigation Chamber finds the defendant's behavior negligent. This finding allows it to consider the imposition of an administrative fine. 113

110 Recital 148 provides the following: "In order to reinforce the application of the rules of this Regulation, sanctions including administrative fines should be imposed for any violation of this Regulation, in addition to or instead of the appropriate measures imposed by the supervisory authority pursuant to this Regulation. In the case of a minor violation or if the fine that may be imposed constitutes a disproportionate burden on a natural person, a call to order may be issued rather than a fine. However, due consideration should be given to the nature, seriousness and duration of the violation, the intentional nature of the violation and the measures taken to mitigate the damage suffered, the degree of liability or any relevant violation previously committed, the manner in which the supervisory authority became aware of the violation, compliance with the measures ordered against the controller or the processor, the application of a code of conduct, and any other aggravating or mitigating factor. The application of sanctions, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including the right to effective judicial protection and due process." [emphasis added]
111 Brussels Court of Appeal (Cour des Marchés section), X c. DPA, Judgment 2020/1471 of February 19, 2020.
112 EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.0, p. 17-25, available at https://edpb.europa.eu/system/files/2023-06/edpb_guidelines_042022_calculationofadministrativefines_en.pdf

- The seriousness of the breach: the provisions breached are at the heart of the GDPR: the basic principles for processing under Article 5 GDPR. Violations of the aforementioned provisions carry the highest fines of Article 83.5 GDPR. In addition, the processing in question concerns the management of disciplinary sanctions against pharmacists. It is therefore likely to cause harm to the persons concerned. The defendant being mandated by law to pursue a mission of public interest at the national level, the processing operations in question are also national in scope and may affect all pharmacists practicing in Belgium, given that the offenses stem from gaps in the overall privacy policy of the defendant, and not from an isolated case.

- As for the level of damage suffered, the plaintiff claims non-pecuniary damage due to damage to her reputation, as well as a possible refusal of approval as internship supervisor and non-eligibility for the various organs of the defendant.
Such damage can affect all the persons concerned who have been sanctioned by the defendant. The Litigation Chamber does not have the exact number of pharmacists who have been or are subject to a disciplinary sanction. 115 The Chamber therefore finds that a moderate number of persons concerned may potentially suffer moderate damage due to the observed violation.

113 See in particular the opinion of Advocate General N. EMILIOU in case C-683/21, §77-78, for whom the finding of a Due diligence is a minimum requirement for imposing an administrative fine.
See in particular recital 75 of the GDPR.
115 As an example, according to the 2021 Annual Report of the National Council of the Order of Pharmacists, 44 sanctions were pronounced in 2021, figures up on previous years. The Litigation Chamber deduces from this that there is a moderate number of pharmacists for whom the defendant maintains a disciplinary file.

- The duration of the violation: the Litigation Chamber finds that the defendant has had an inadequate data protection policy, in particular with regard to the application of the principles of legality, minimization of data, limitation of purposes and limitation of storage, since at least February 5, 2018, the adoption of the sanction against the complainant. The violation of these principles for which the Litigation Chamber is competent has therefore lasted since May 25, 2018. Regarding the violation of the principle of accuracy, the Litigation Chamber notes that the Respondent adopted a new Code of Ethics in January 2020, a Code that should be more liberal towards new advertising methods. The complainant also challenged the merits of her sanction on January 27, 2020 by sending a formal notice to the defendant. In 2023, the defendant had not verified the relevance of maintaining the complainant's sanction with regard to the new provisions of the Code of Ethics.
The Litigation Chamber therefore considers that this part of the infringement began in January 2020.

- On the absence of mitigating circumstances: the Litigation Chamber considers that the initiatives mentioned by the defendant are not such as to mitigate the fine imposed. Indeed, the GDPR was adopted in 2016, and came into force in 2018. Compliance with the principles of the GDPR should have been achieved from the entry into force of the GDPR. Moreover, in the light of the findings of this decision, these efforts were not sufficient to resolve the subject matter of the complaint.

- The necessary deterrent effect in order to prevent new violations: The defendant considers that its data protection policy is not illegal. In order to justify possible breaches of the GDPR, the defendant argued that it was not its responsibility to solve this problem, but that of the legislator. Such a position demonstrates a misunderstanding of the importance of legislation with regard to the protection of personal data, in particular the basic principles of data processing. The Litigation Chamber therefore considers that recourse to an administrative fine is necessary.

All of the elements set out above justify an effective, proportionate and dissuasive sanction, as referred to in Article 83 of the GDPR, taking into account the assessment criteria that it contains. The Litigation Chamber draws attention to the fact that the other criteria of Article 83.2 of the GDPR are not, in this case, such as to lead to an administrative fine other than that defined by the Litigation Chamber within the framework of this decision.

199. In response to the Sanction Form, the Respondent submits in summary that the Litigation Chamber relies on elements contrary to those appearing in the documents of the file and demonstrates a lack of understanding of the legislative framework, the role and the competences of the Order.
The Respondent advances arguments on the merits to illustrate its point. The Litigation Chamber considers that the reasoning for this decision responds to the arguments put forward by the defendant in its reaction.

200. With regard to the criteria taken into consideration for imposing an administrative fine, the respondent argues that:

i. The Litigation Chamber indicated that the duration of the offense should be calculated from December 22, 2016 but that it was competent only from May 25, 2018. However, according to the defendant, the date of December 22, 2016 should not be taken into account, given that the sanction only became effective from February 5, 2018. Moreover, even if the Litigation Chamber is only competent from May 25, 2018, it does not take into account the measures taken by the Order to address data retention issues.

ii. The Litigation Chamber indicated that the defendant should have taken initiatives as soon as the GDPR came into force, and that the solution to the problems of data protection could not be the sole responsibility of the legislator. According to the defendant, it assumed its responsibilities, going so far as to adopt contra legem measures, in order to bring the processing carried out into compliance with the principles of the GDPR.

iii. The defendant disputes the characterization of its behavior as "negligent". Contrary to what the Litigation Chamber wrote in its form, the defendant's reflection began as early as 2020 (and not in 2023), as demonstrated by the documents in the file. The defendant is said to be the only order, among the regulated professions, to have taken concrete measures to remedy this problem.

iv. The defendant argues that the moral damage suffered by the plaintiff is not sufficiently proven, and is based only on the statements of the complainant.

v.
The defendant indicates that it is not responsible for the negative opinions given by the universities due to the existence of a disciplinary sanction, or for the non-eligibility of candidates to the organs of the Order. According to the defendant, it is the legislator who has provided for ineligibility without time limit.

vi. The Litigation Chamber is not competent to decide whether a disciplinary sanction is warranted or not.

vii. The Litigation Chamber takes no mitigating circumstances into consideration.

viii. The sanction imposed on the complainant was canceled on March 1, 2023, following the adoption of the new ROI of the National Council.

201. The elements of the sanction form taken into consideration by the Litigation Chamber are discussed below.

202. The Litigation Chamber took into consideration the Respondent's remarks regarding the effective date of the disciplinary sanction, and therefore the start date of the processing carried out with the disputed data: the sanction became effective on February 5, 2018. This change of date, however, has no influence on the relevant duration of the infringement of the GDPR, which started on May 25, 2018.

203. As to the arguments put forward in point 200, i. and ii., the measures presented had still not been adopted when the debates were closed. No tangible proof of adoption of such measures was brought before the Litigation Chamber. Even if reflections began in 2020, the GDPR requires compliance of all processing from May 25, 2018. A reflection that did not resolve the subject of the complaint before the closure of the debates cannot exonerate a data controller from its breaches of the GDPR.

204. As for the moral damage suffered, recital 75 of the GDPR indicates that the supervisory authorities must take into account not only the damage suffered, but also the risks of damage.
Since the data processed by the defendant relate to disciplinary sanctions, an absence of retention limits for such data is highly likely to stigmatize the persons concerned whose disciplinary sanctions, minor or major, are kept in a disciplinary file and processed without time limit.

205. The respondent is the controller of the processing mentioned in this decision. It is therefore up to the defendant to apply the principles of the GDPR to such processing. The argument in point 200, v., is irrelevant.

206. While the Litigation Chamber is not competent to rule on the legality or advisability of adopting a disciplinary sanction, it is, however, competent for issues relating to the processing of data contained in these sanctions.

207. As for the assessment of mitigating circumstances, the steps taken by the defendant did not prove to be effective in the eyes of the Litigation Chamber. However, the EDPB guidelines indicate that the measures undertaken by a respondent must be examined with regard to their effectiveness and their time frame for adoption. The Litigation Chamber finds that the measures put forward by the defendant had not yet been adopted at the close of the debate. Moreover, the defendant's reflection spanned from 2020 to 2023. The Litigation Chamber does not claim that bringing the processing carried out by the defendant into compliance is an easy task and does not dispute the difficulties caused by the health crisis. But the GDPR having entered into force as of May 25, 2018, this process should therefore have started much earlier.

116 EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.0, p. 27, § 76.

208. As to the cancellation of the disciplinary sanction on March 1, 2023, the Respondent provides no concrete evidence. Moreover, if this deletion took place, it was carried out after the closure of the debates.

209.
On the basis of all the elements set out above, the Litigation Chamber decides to adjust the proposed penalty from 50,000 euros to 30,000 euros. The shortcomings identified justify an effective, proportionate and dissuasive sanction as referred to in Article 83 GDPR, taking into account the evaluation criteria set out therein. The Litigation Chamber considers that a lower fine would not meet the criteria required by Article 83, paragraph 1 of the GDPR, according to which the administrative fine must not only be proportionate, but also effective and dissuasive.

IV. Publication of the decision

210. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for this purpose that the identification data of the complainant be communicated directly.

211. In this case, the Litigation Chamber decides to publish this decision with the defendant's identification data.

212. The Litigation Chamber specifies that this publication with identification pursues several goals.

213. It pursues, as far as the defendant is concerned, an objective of general interest. The identification of the defendant is moreover necessary for the proper understanding of the decision and, therefore, for the materialization of the objective of transparency pursued by the policy of publication of decisions of the Litigation Chamber.

FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation:

- Pursuant to Article 100, §1, 13° and 101 of the LCA, to impose an administrative fine of €30,000 on the defendant for violations of articles 5.1.a, 5.1.b, 5.1.c, 5.1.d, 5.1.e GDPR.

- Pursuant to Article 100, §1, 6° of the LCA, to comply with the request of the complainant, i.e. to erase the data relating to her disciplinary sanction from her disciplinary record.
- Pursuant to Article 100, §1, 9° of the LCA, to order that the processing be brought into compliance, more particularly with articles 5.1.a, 5.1.b, 5.1.c, 5.1.d and 5.1.e of the GDPR.

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as defendant.

Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory request must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. 118, or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).

(se). Hielke HIJMANS
President of the Litigation Chamber

117 The request contains on pain of nullity: 1° indication of the day, month and year; 2° the surname, first name, residence of the applicant, as well as, where appropriate, his qualifications and his national register number or business number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the object and summary of the grounds of the application; 5° the indication of the judge who is seized of the application; 6° signature of the applicant or his lawyer.
118 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court registry.