APD/GBA (Belgium) - 75/2023: Difference between revisions
No edit summary |
No edit summary |
||
Line 85: | Line 85: | ||
The DPA recalled that pursuant to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], personal data must be processed lawfully. This means that the processing must have a legal basis under [[Article 6 GDPR|Article 6 GDPR]]. As the controller had claimed to have legitimate interests pursuant to [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], with regard to the “free profiles”, to process the information: the DPA proceeded to assess the balance of interests of the controller and the complainants. | The DPA recalled that pursuant to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], personal data must be processed lawfully. This means that the processing must have a legal basis under [[Article 6 GDPR|Article 6 GDPR]]. As the controller had claimed to have legitimate interests pursuant to [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], with regard to the “free profiles”, to process the information: the DPA proceeded to assess the balance of interests of the controller and the complainants. | ||
When it comes to assessing the balance of interests, under CJEU case law ([https://curia.europa.eu/juris/document/document.jsf?text=&docid=221465&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=1448401 C-708/18, ECLI:EU:C:2019:1064, para 56]), the controller must take into account the reasonable expectations of the data subject that their personal data will not be processed, when they cannot reasonably expect further processing. In this case, the DPA found, that the complainants could not reasonably expect that their data would be further processed for other purposes, since the contact information of the doctors were published on | When it comes to assessing the balance of interests, under CJEU case law ([https://curia.europa.eu/juris/document/document.jsf?text=&docid=221465&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=1448401 C-708/18, ECLI:EU:C:2019:1064, para 56]), the controller must take into account the reasonable expectations of the data subject that their personal data will not be processed, when they cannot reasonably expect further processing. In this case, the DPA found, that the complainants could not reasonably expect that their data would be further processed for other purposes, since, initially, the contact information of the doctors, were published, with their consent, on their own, their group practice's, or hospital's website. | ||
Furthermore, the DPA emphasized that the freedom of enterprise, as recognised in Article 16 of the Charter, is not unlimited and stops where other fundamental rights - such as the right to protection of personal data - begin. Thereafter, it was found that the interests raised by the controller did not override those of the complainants. Consequently, the controller could not invoke a legitimate interest, because the interests of the complainants outweigh the interests of the controller or the third party. | Furthermore, the DPA emphasized that the freedom of enterprise, as recognised in Article 16 of the Charter, is not unlimited and stops where other fundamental rights - such as the right to protection of personal data - begin. Thereafter, it was found that the interests raised by the controller did not override those of the complainants. Consequently, the controller could not invoke a legitimate interest, because the interests of the complainants outweigh the interests of the controller or the third party. |
Revision as of 07:47, 21 June 2023
APD/GBA - DOS-2021-07350 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 6(1)(f) GDPR Article 12(2) GDPR Article 12(3) GDPR Article 15(1)(a) GDPR Article 17(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 14.06.2023 |
Fine: | 10000 EUR |
Parties: | n/a |
National Case Number/Name: | DOS-2021-07350 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | GBA (Belgium) (in NL) |
Initial Contributor: | n/a |
Publicly available information of tens of thousands of doctors across Belgium were collected and processed by an online platform provider without a legitimate basis. The interests of the data subjects outweighed the controller’s interests. The controller was fined 10,000 EUR for its GDPR violations.
English Summary
Facts
A provider of an online platform (the controller) collected on a large scale - without consent - publicly available contact data on tens of thousands of doctors. This data was then published on the controller's online platform. The platform distinguished between “free profiles” and “paying profiles” of doctors. With regard to the paying profiles, the doctors and the controller have a contract in place which is not the case in regard to the free profiles.
A group of doctors (the complainants), that did not have a contract with the controller, made an erasure requests under Article 17(1) GDPR to the controller via a registered letter on 25 Oct 2021.
The controller stated that the letter was not received by it at the time, and stated that the letter was sent during a lockdown period during which employees and the manager worked from home. The controller claimed to eventually have received the erasure requests on 13 January 2022, as the letter of the complainants was then found within a pile of mail, whichafter, the controller acted on them on 14 January 2022.
Thereafter, the complainants filed a complaint with the Belgian DPA against the controller. The complainants alleged that the controller breached Articles 5(1)(a), 5(2) and 6 GDPR. Moreover, they claimed that the controller violated the GDPR by deleting their personal data, too late.
The controller claimed that, with regard to "free profiles", it has a legal basis under Article 6(1)(f) GDPR, as the it has legitimate interests to process the data. The claimed interests by the controller were 1) freedom of expression and information under Article 11 of the Charter and the Belgian Constitution, as well as, 2) the controller's economic interest, based on freedom of enterprise.
Holding
The DPA recalled that pursuant to Article 5(1)(a) GDPR, personal data must be processed lawfully. This means that the processing must have a legal basis under Article 6 GDPR. As the controller had claimed to have legitimate interests pursuant to Article 6(1)(f) GDPR, with regard to the “free profiles”, to process the information: the DPA proceeded to assess the balance of interests of the controller and the complainants.
When it comes to assessing the balance of interests, under CJEU case law (C-708/18, ECLI:EU:C:2019:1064, para 56), the controller must take into account the reasonable expectations of the data subject that their personal data will not be processed, when they cannot reasonably expect further processing. In this case, the DPA found, that the complainants could not reasonably expect that their data would be further processed for other purposes, since, initially, the contact information of the doctors, were published, with their consent, on their own, their group practice's, or hospital's website.
Furthermore, the DPA emphasized that the freedom of enterprise, as recognised in Article 16 of the Charter, is not unlimited and stops where other fundamental rights - such as the right to protection of personal data - begin. Thereafter, it was found that the interests raised by the controller did not override those of the complainants. Consequently, the controller could not invoke a legitimate interest, because the interests of the complainants outweigh the interests of the controller or the third party.
Consequently, the DPA held that the controller breached Article 6(1)(f) GDPR with regard to the “free profiles”. As far as “paying profiles” were concerned, the DPA notes that the complaint only concerns the processing of personal data in the context of free profiles with regard to doctors who precisely do not want such agreement (paid profiles) with the controller.
With regard to acting on the complainants’ erasure request on a timely manner, it was noted by the DPA, that during lockdown period, telecommuting was strongly recommended, not mandatory. Therefore, the DPA held that the controller was not unable to follow up on mail. The controller was not found to have taken appropriate measures to facilitate the data subject's right to data erasure, which constitutes a violation of Article 12(2) GDPR. As a result, the right to data erasure was not implemented in a timely manner, in accordance with Article 12(3) GDPR. This non-compliance was found to be the result of the failure to facilitate the exercise of the data subject rights. Consequently, DPA found that there has been a breach of Article 12(2) GDPR.
Eventually, the controller was fined 10,000 EUR for breaching Articles 5(1)(a) and 6(1)(f) GDPR as regards the lawfulness of the processing, as well as, 12(2) GDPR and 17(1) GDPR for not taking appropriate measures to facilitate the exercise of their rights by data subjects.
Comment
In a case with similar facts, of the German Supreme Court (BGH - VI ZR 60/21), the court came to an opposite conclusion that an online platform collecting and publishing personal data of doctors does not violate the provisions of the GDPR. See a summary of this case on the GDPRHub here.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/26 Litigation room Decision on the substance75/2023 of 14 June 2023 File number : DOS-2021-07350 Subject: Processing of personal data on a platform The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Made the following decision regarding: The complainants: Healthcare providers X represented by Mr. Ann Dierickx, office clerk at 3000 Leuven, Mechelsestraat 107-109, hereinafter “the complainants”; The defendant: Y, represented by 'Mr. Emmanuel Cornu and Mr. Eric DeGryse, with offices at 1050 Brussels, Avenue Louise 250/10, hereinafter “de defendant”. Decision on the substance 75/2023 - 2/26 I. Factual Procedure 1. On November 23, 2021, the complainants submit a complaint to the Data Protection Authority against the Defendant. 2. On November 25, 2021, the complaint will be declared admissible by the First Line Service on pursuant to Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG submitted to the Disputes Chamber. 3. On December 10, 2021, in accordance with Article 96, § 1 WOG, the request of the Disputes Chamber to carry out an investigation submitted to the Inspection Service, together with the complaint and the inventory of the documents. 4. The investigation by the Inspectorate will be completed on February 2, 2022, it will be report is appended to the file and the file is reviewed by the Inspector General sent to the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG). The report contains findings regarding the subject of the complaint and decision that: 1. there is a violation of Article 5 (1) (a) and (2) and Article 6 (1) GDPR; and that 2. there is a violation of article 12, paragraph 1, paragraph 2 and paragraph 3, article 17, article 19, article 24 (1) and Article 25 (1) GDPR. 5. On February 4, 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for treatment on the merits. 6. On 4 February 2022, the parties involved will be notified by email of the provisions as stated in Article 95, § 2, as well as those in Article 98 WOG. Also they are informed of the time limits for their to file defenses. The deadline for receipt of the statement of defense from the defendant was hereby recorded on 18 March 2022, this for the statement of reply of the complainants April 8, 2022 and this one for the defendant's rejoinder on April 29, 2022. 7. On 8 February 2022, the complainants will electronically accept all communication regarding the case and ask the complainants for a copy of the file (article 95, § 2, 3° WOG), which was sent to them transferred on February 9, 2022. 8. On February 17, 2022, the defendant electronically accepts all communications regarding the case. The defendant hereby makes a reasoned statement to the Disputes Chamber request to change the procedural language from Dutch to French, as well the defendant asks for a copy of the file (Article 95, § 2, 3 ° WOG), which was given to her transferred on 14 March 2022. Substantive decision 75/2023 - 3/26 9. On February 21, 2022, the Disputes Chamber receives a request from the complainants on the to keep Dutch as the language of proceedings. 10. On March 7, 2022, the Disputes Chamber will inform the parties about the retention of the Dutch as a procedural language in accordance with its language policy, as there is only 1 procedural language. However, the Disputes Chamber states that the parties can turn to it address in the national language of their choice and that the Dispute Chamber will respond to the parties in the language they prefer. The Disputes Chamber makes adjusted terms for this for the parties to submit conclusions about. 11. On March 14, 2022, the Disputes Chamber receives the defendant's objection to the retention of Dutch as a procedural language and that proposed by the Disputes Chamber language arrangement. On the same day, the Disputes Chamber will send adjusted deadlines submit claims to the parties. The deadline for receipt of the statement of defense from the defendant was hereby recorded on 25 April 2022, this for the conclusion of the complainants' reply on 16 May 2022 and those for the defendant's rejoinder on 6 June 2022. 12. After assessing the objection regarding the language of the proceedings of the defendant, the Litigation Chamber on March 22, 2022 the decision regarding the preservation of the Dutch as the language of the proceedings to the parties, with adjusted deadlines for submission. The deadline for receipt of the statement of defense from the defendant was hereby set on 3 May 2022, those for the statement of reply of the complainants on 24 May 2022 and those for the defendant's statement of defense on 14 June 2022. 13. On March 18, 2022, the Disputes Chamber will receive the statement of defense from the defendant. First, the defense alleges a violation of Articles 41 and 42 of the coordinated laws on the use of languages in administrative affairs for the sake of preservation of Dutch as a procedural language. On the merits, the defendant argues that the processing constitutes lawful data processing. Subsequently, the defendant claims that she has proceeded to the deletion of the personal data from the first knowledge of the data erasure request. 14. On 17 May 2022, the Disputes Chamber will receive the statement of reply from the complainants. The The complainants argue that the defendant complied with the rules in the contested processing from articles 5, paragraph 1, a), 5, paragraph 2 and 6 GDPR has not been complied with. indicates that the defendant has belatedly proceeded to a complete removal of the personal data in question violated the provisions of the GDPR. 15. On 13 June 2022, the Litigation Chamber received the statement of rejoinder from the defendant in which she repeats her arguments from the statement of defense and Decision on the substance 75/2023 - 4/26 additionally notes that the complaint was filed on behalf of the practitioners, but the statement of reply was submitted on behalf of Z comm.v. 16. On September 28, 2022, the parties will be notified that the hearing will take place on November 18, 2022. 17. On November 18, 2022, the parties appearing will be heard by the Disputes Chamber. 18. On November 21, 2022, the minutes of the hearing will be sent to the parties transferred. 19. On January 26, 2023, the Disputes Chamber receives some from the defendant remarks with regard to the official report which it decides to include in her deliberation. 20. On 16 May 2023, the Disputes Chamber informed the defendant of its intention made to proceed to the imposition of an administrative fine, as well as the amount thereof in order to give the defendant the opportunity to defend himself, before the sanction is effectively imposed. 21. On June 5, 2023, the Disputes Chamber will receive the response of the defendant to the intention to impose an administrative fine, as well as the amount of them. II. Motivation II.1. Decision on Dutch as a procedural language 22. As already explained, the defendant objected to the Dutch als procedural language. The defendant argues that Dutch should be retained as the language of proceedings is contrary to Articles 41, §1 and 42 of the Royal Decree of 18 July 1966 containing coordination of the laws on the use of languages in administrative matters (hereinafter: SWT). has complied. 23. In view of the above, the question arises which language legislation applies to the procedure before the Litigation Chamber. 24. With regard to the procedural language for the GBA, Article 57 of the WOG in the within the framework of the dispute resolution procedure that "[t]e DPA uses the language in which the procedure is conducted according to the needs specific to the case". Pursuant to this Article 57 WOG, read in conjunction with Article 60 WOG, the procedure conducted in one of the national languages. However, this article 57 WOG is general 1 B.S. August 2, 1966. Decision on the substance 75/2023 - 5/26 formulated and does not provide for any general foreseeable regulation of the procedural language the parties to a multilingual procedure. 25. The Marktenhof has already discussed some elements regarding the language used in the proceedings clarified before the Litigation Chamber. It has determined that the law of 15 June 1935 on the language used in court cases does not apply to the Disputes Chamber: "It is incontestable that the language law of 15 June 1935 does not apply to conducted the procedure before the GBA. In principle, every person/legal entity must oppose those who are prosecuted for a complaint have the opportunity to defend themselves in their own language (and not in that of the complainant).” 26. The Marktenhof continues: “[t]e GBA, which is an autonomous government service with legal personality, is a central service whose scope covers the entire country within the meaning of the laws of 18 July 1966 on the use of languages in administrative matters. Out of service it is in its relations with the public, individuals and private companies subject to the provisions of Articles 40 to 45 of the aforementioned language laws.”2 27. These articles read as follows: “Art. 41. - § 1. - The central services for their relations with private individuals use of those of the three languages used by those concerned.” “Art.42.-Decentralized services draw up deeds, certificates, declarations, authorisations and licenses in those of the three languages of which the private individual concerned uses asks.” 28. In a recent interim judgment dd. March 8, 2023, the Market Court has determined that there there is disagreement about the applicability of this language legislation to the procedures for the Dispute Chamber. The Marktenhof considers in this regard: “[t]end a create a clearer framework and provide foreseeability for the parties in this regard, the Marktenhof should rule on this, possibly after questioning it Constitutional Court". However, the Disputes Chamber notes that this judgment dates from after the decisions of the Disputes Chamber to use Dutch as the language of proceedings, therefore not taken into account in those decisions. 29. In its judgment dd. July 7, 2021, the Market Court has in any case clearly stated that in in principle every person/legal entity against whom a complaint is being prosecuted, the must have the opportunity to defend himself in his own language (and not that of the complainant). 2 Brussels Court of Appeal, Marktenhof section, 7 July 2021, 2021/AR/320, p. 19-20. 3 Brussels Court of Appeal, Marktenhof section, 8 March 2023, 2023/AR/184, p. 12. Decision on the substance 75/2023 - 6/26 evading the prosecuted party to his or her language may, among other things, be a violation form part of the rights of defence. 30. Since only one official procedural language can apply The Disputes Chamber must therefore decide whether this should be Dutch or French in the present case are.The Litigation ChamberdecidedtoretainDutchasprocedurallanguage.Hereby decision, the Disputes Chamber took into account the following elements: the The defendant's registered office is located in (bilingual) Brussels Capital Region, the articles of association of the defendant are drawn up in Dutch, de the defendant is active throughout the territory of Belgium, and the complainants are Dutch-speaking. The Disputes Chamber points out that it has not taken this into account in this assessment with the objections regarding French as the procedural language formulated by the lawyer of the complainants as stated in the letter dd. February 4, 2022 it was determined that “if a the defendant wishes to file a reasoned objection to the use of this language make it possible to do so within a period of 14 days after the sending of this letter, at preferably via litigationchamber@apd-gba.be or via the contact details above this letter” (own underlining). 31. The Disputes Chamber has also taken the findings into account in this decision of the Marktenhof that any natural or legal person against whom a complaint persecuted must have the opportunity to defend themselves in their own language. The The Disputes Chamber has therefore proposed a regulation by analogy with Articles 41, §1 and 42 SWT. First of all, the Litigation Chamber reminds that these articles only refer to the regulating language use between the private individual and the central government department, that is in this case respectively each party and the Disputes Chamber, by extension the GBA. These articles therefore do not regulate in which language the parties must communicate with each other. The proposed language regime was as follows. By analogy with the above position of the rights of defense of the defendant, states the Disputes Chamber in the first place that both must be able to turn to the Disputes Chamber their own language. The parties were therefore free to submit procedural documents and conclusions to the Litigation Chamber in their language of choice. These procedural documents filed by a party would not, however, be translated by the Litigation Chamber for the benefit of the other party; nor would it be liable for the related costs incurred by the parties with the translation of these documents. The parties also did not have to provide translations of their own provide procedural documents for the other party. Both sides would too simultaneously receive the decision in their preferred language. At the start of the hearing at the Litigation Chamber, the Chairman also stated indicated that the parties could express themselves in the language they preferred. Decision on the substance 75/2023 - 7/26 32. The Disputes Chamber notes that the defendant has submitted claims in Dutch submitted and expressed himself during the hearing in Dutch, as a result of which the Disputes Chamber, in accordance with the above regulation, is also in Dutch until the parties. 33. The Disputes Chamber therefore rules that, in accordance with the case law of the Marktenhof, the rights of defense had not been violated since the defendant could defend itself in its own language, and the Litigation Chamber would also address the parties in their chosen language. This is also evident from the fact that the letters containing the deadlines for submissions received after the first objection of the defendant about the language of the proceedings, by the Disputes Chamber in both languages parties were transferred. II.2. Identity of the complainant 34. The Disputes Chamber notes that the complaint was filed on behalf of a number of individuals appointed professionals who were all represented by the same counselor. The conclusion of reply dd. May 13, 2022 have been filed due to the limited partnership Z of which the professionals who have the complaint be a retired member. 35. The Disputes Chamber finds that comm.v. Z, on whose behalf the submissions of reply were made filed, no party is involved. II.3. Article 5 (1) (a) and (2) and Article 6 (1) GDPR. 36. In its conclusions, the defendant argues that a distinction must be made between the free profiles on the one hand and the paying profiles on the other hand. The Litigation Chamber will first assess the legality of the free profiles and then the legality of the paying profiles. II.3.1. Article 6(1)(f) GDPR (Free Profiles) 37. The Litigation Chamber recalls that pursuant to Article 5(1)(a) GDPR personal data must be lawfully processed. This means that the processing must be done on based on the processing grounds as set out in Article 6 GDPR. 38. The Inspectorate maintains that the defendant has fulfilled the obligations imposed by Article 5(1) a) and has not complied with paragraph 2 of the GDPR and Article 6 of the GDPR. To this end, the Inspectorate applies that the fact that personal data of certain data subjects such as the Complainants are publicly accessible on certain professional websites, does not imply that those data subjects can reasonably expect that those personal data then by the defendant systematically and without their consent on a Substantive Decision 75/2023 - 8/26 large-scale manner be made available to anyone who accesses its website used and processed further. 39. The defendant argues in its conclusions that it does not invoke the authorization for the processing of the personal data, as this is organizationally difficult to achieve. However, the defendant argues that the processing is lawful under Article 6(6). 1, f) GDPR (legitimate interest) with regard to the free profiles. 40. In order to be able to rely on the legal basis of the “legitimate interest”, the to demonstrate to the controller that: 1) the interests it pursues with the processing can be justified be recognized (the “goal test”); 2) the intended processing is necessary for the fulfillment of these interests (the “necessity test”); and 3) the balancing of these interests against the interests, fundamental freedoms and fundamental rights of data subjects in favor of the controller or a third party (the “balancing test”). 4 41. The Disputes Chamber will check whether these conditions have been met with regard to the litigious processing. (i) Is there a legitimate interest? (target key) 42. The first condition is that the defendant pursues the interests of itself or a third party that qualify as justifiable. The interests must be on the date of processing be real, current, and not hypothetical. A legitimate interest must lawful, sufficiently clear, real and not speculative. 43. The defendant puts forward three different interests: a. the interest of a third party (the potential patient): namely increasing the access to health care for patients and their free choice facilitating health care providers through the right to freedom of expression, viz granting the opportunity to write reviews about the healthcare provider (in the case of paying profiles) on the one hand, the possibility to take note 4 CJEU, 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde t. Rigas pašvaldības SIA 'Rīgas satiksme', C-13/16; ECLI:EU:C:2017:336, para. 28-31 and CJEU Judgment of 11 December 2019, TK v/ Asociaţia deProprietariblocM5A-ScaraA,C-708/18,ECLI:EU:C:2019:1064,para. 40-44. See also previous decisions in the same way of the Disputes Chamber, including 21/2022 of February 2, 2022. 5 Some questions about the legitimate interest are supposed to be answered by the Court of Justice of the European Union in case C-621:22 (KoninkijkeNederlandse Lawn Tennisbond v. Autoriteit Persoonsgegevens. 6 CJEU, 11 December 2019, Asociația De Proprietari Bloc M5a-Scara A, C-708/18, ECLI:EU:C:2019:1064, para 44. 7 Opinion 06/2014 on the concept of “legitimate interests of the data controller” in Article 7 of Directive 95/46/EC, 9 April 2014, Article 29 Data Protection Working Party, p.31. Decision on the substance 75/2023 - 9/26 of these reviews on the other hand. As for the interest of the potential patient the defendant argues that through the platform it enables patients to easy to find and contact a healthcare professional record with him/her by sharing not only useful, but even necessary information. The defendant argues that this contributes to the law of each patient to access health care, as well as his right to free choice of the professional he wishes to consult, as guaranteed by Article 6 of the Law of 22 August 2002 on the rights of patients. Secondly, the platform also allows patients to express an opinion sharing about the healthcare provider (with a paying profile). It justified interest here is to implement Article 11 of the Charter of the Fundamental rights of the European Union in conjunction with Articles 19 and 25 of the Constitution in which the right to freedom of expression is guaranteed. b. the interest of the data subjects (i.e. the healthcare professionals in the healthcare), namely attracting new patients and creating of appointments via the platform; and c. the defendant's own economic interest, based on the freedom of entrepreneurship. 44. With regard to this first condition, the Litigation Chamber is of the opinion that the platform which is controlled by the defendant an interest of the controller, the healthcare providers and a general interest of the patients of the platform. 45. First of all, the collection of data about healthcare providers can be regarded as an expression of freedom of information under Article 11 of the Charter of the fundamental rights of the EU (hereinafter: Charter), both in its active and passive dimension, namely actively adding the data as well as consulting the facts. In addition, there is also a social desirability of the platform. Thanks to this platform, patients can make a more informed choice about their treatment healthcare providers. The right of users to spread opinions is also one fundamental right enshrined in Article 11 of the Charter. 46. Next, the interest of the data subject is to gain more visibility and easy to find, also an interest that can be regarded as legitimate. 47. Finally, the operation of the platform also forms part of the provisions of Article 16 of the Charter enshrined fundamental right of entrepreneurship of the controller. In this case, the Litigation Chamber determines that the defendant within the framework of the exercise of its commercial activities interests. Decision on the substance 75/2023 - 10/26 48. In view of the above, the Litigation Chamber finds that the defendant meets the first condition has been met a priori. (ii) Is the processing necessary? (necessity test) 49. The Court of Justice has ruled on this, inter alia, in the TK judgment condition of necessity: “With regard to the second condition of Article 7(f) of Directive 95/46, namely that the processing of personal data must be necessary for the protection of the legitimate interest, the Court recalled brought that the exceptions to the protection of personal data and the its limitations must remain within the limits of what is strictly necessary (judgment of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 30 et seq. cited case law). In assessing this condition, the referring court must verify whether it legitimate interest of the data processing that is pursued with the video surveillance at issue in the main proceedings and which essentially consists of the to ensure the safety of goods and persons and to prevent criminal offences cannot reasonably be achieved as effectively with others means that are less detrimental to fundamental freedoms and rights of the data subjects, in particular the right to respect for the private life and the right to protection of personal data as guaranteed 8 by Articles 7 and 8 of the Charter.” 50. The Court of Justice also notes that the condition relating to the necessity of the processing, moreover, must be examined in conjunction with the principle of 'minimum data processing' laid down in Article 6(1)(c) of the Directive 95/46. According to that provision, personal data must be 'adequate, relevant and are not excessive [...] in relation to the purposes for which they are collected or for which they are subsequently processed”. 9 The Court of Justice has also clarifies that if there are realistic and less invasive alternatives, the treatment is not "necessary". 51. This case law formulated in relation to Article 7(e) of Directive 95/46/EC remains relevant to this day. Article 6(1) of the GDPR takes over the wording from Article 7 of Directive 95/46/EC. 8 CJEU, 11 December 2019, Asociația De Proprietari Bloc M5a-Scara A, C-708/18, C-708/18, ECLI:EU:C:2019:1064, para 46-47. 9 CJEU,11December2019,AsociațiaDeProprietariBlocM5a-ScaraA,C-708/18,C-708/18,ECLI:EU:C:2019:1064,para46. 10CJEU, 9 November 2010, Volker & Markus Schecke GbR and Hartmut Eifert v. Land Hessen, , merged affairs C‑92/09 and C‑93/09, ECLI:EU:C:2010:662. Decision on the substance 75/2023 - 11/26 52. In this context, the defendant refers to the personal data stated on the platform are exclusively professional and public data, which also apply to others professional websites can be found. In addition, the defendant also has the e-mail addresses of the complainants that are only used internally to be involved inform the professional via the so-called performance mails. Finally, the the defendant that there are several such professional websites that association of professionals, such as the websites of the Order of Doctors or of the Psychologists Committee. 53. The Litigation Chamber notes that the second condition also appears to be met, since the surname, first name, specialty of the healthcare providers involved are necessary to enable users of the website to contact them. (iii) Balancing of Interests 54. Finally, the interests or fundamental rights of the data subject should not be overridden outweigh the interests of the controller or the third party around them to be able to successfully rely on Article 6 (1) (f) GDPR, which must always be assessed in the light of the specific circumstances of the case. The Court of Justice notes that the seriousness of the infringement, nature of the personal data involved, the nature and concrete manner of processing of the data concerned and the reasonable expectations of the data subject that his personal data will not be processed if he has no reasonable need for further processing 12 processing can be expected. 55. As regards the balancing of interests, the defendant argues that only an absolute minimum of professional data of the data subjects are processed, that these personal data are not sensitive in nature and that these personal data are already public available on the websites of third parties, or by some data subjects on their own website. The defendant argues that it is within the reasonable expectations of the person concerned falls that their personal data is processed by a platform such as that of the defendant, in view of the fact that the complainants themselves are involved in the establishment of such a platform. The defendant points out that the legitimate interest pursued by its pursuit does not differ from the legitimate interest of similar ones platforms. The defendant argues that its platform is more easily accessible to the patients, since it is an easily navigable database in which care providers are selected all kinds of specializations of the health sector are included. 11 CJEU, 11 December 2019, Asociația De Proprietari Bloc M5a-Scara A, C-708/18, ECLI:EU:C:2019:1064, para 56. 12 CJEU, 11 December 2019, Asociația De Proprietari Bloc M5a-Scara A, C-708/18, ECLI:EU:C:2019:1064, para 57 and 58 ; Opinion 06/20214 on the concept of “legitimate interest of the data controller” in article 7 of Directive 95/46/EC, 9 April 2014, Article 29 Data Protection Working Party, p. 50 et seq. can be consulted via https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf. Decision on the substance 75/2023 - 12/26 56. The Disputes Chamber is of the opinion that there has been a serious breach of the fundamental rights of data subjects. The defendant collects on a large scale – without consent – personal data of tens of thousands of professionals in the healthcare. This data is then published on the platform of the defendant from which it derives commercial profits. As for the nature of the contact details, the Disputes Chamber notes that these are indeed public facts. The public nature of the personal data does not prevent the processing continues to require appropriate safeguards. The fact that personal data for being publicly available is a factor that can be taken into account in the assessment especially if its disclosure was accompanied by a reasonable expectation of further use of the data for certain purposes. 13In this context, the Litigation Chamber that the disputed processing is not within the reasonable expectations of the person falls. 14 The contact details of the professionals published on their own website or that of their group practice or hospital, with their consent to that processing. It is not within their reasonable expectation that this data is further processed for other purposes, such as the publication of this personal data by commercial parties (in this case based on commercial interest of the defendant). 57. When balancing interests, the Litigation Chamber also takes into account the principle of data minimization. In this context, the Disputes Chamber refers to the retention periods of these personal data determined by the defendant. In the privacy policy states the defendant the following: “[The Respondent] will store the personal data it collects in electronic and/or keep the printed form for the time absolutely necessary to comply with the the aforementioned processing purposes and for as long as such retention becomes necessary deemed for us to comply with our legal obligations or to comply with our legal obligations defend interests in court.” 58. This wording allows the controller to process these personal data indefinitely, and possibly even indefinitely. Considering it The Disputes Chamber therefore concludes above that the processing is not in proportionate to the goal. 59. The Litigation Chamber therefore also concludes that the service provided by the defendant exists from the collection of personal data from public sources and the processing thereof 13Article 29 Working Party, Opinion 06/2014 on the “Notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, p.3, available at https://ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2014/wp217_en.pdf. 14 See also decision on the merits 84/2022 dd. May 24, 2022, available at https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-84-2022.pdf. Decision on the substance 75/2023 - 13/26 on its platform. For the collection and processing of that personal data, the defendant did not ask for consent, although the consent was the most constitutes an appropriate legal basis to the extent that the processed personal data relates have on individual natural persons. The freedom of enterprise as recognized in Article 16 of the Charter of Fundamental Rights of the European Union is not unlimited and upholds where other fundamental rights – such as those protected in Article 8 of the Charter right to protection of personal data – start. Consequently, the Litigation Chamber considers that the interests raised by the defendant do not prevail over those of The involved. 60. Under these circumstances, the Litigation Chamber is of the opinion that the defendant is not can successfully invoke a legitimate interest. Consequently, there is one infringement of Article 6 (1) f) GDPR with regard to the free profiles. II.3.2. Article 6(1)(b) GDPR (paying profiles) 61. With regard to the paying profiles, the processing is lawful according to the defendant based on Article 6(1)(b) GDPR (execution of a contract). The professionals can choose to enter into an agreement with the defendant. Within the framework of this agreement, these professionals can oppose payment participate in the shaping of their profile on the platform by eg adding a CV or by indicating which languages they speak. In addition, there are one series of other benefits such as better visibility on the platform, a management instrument to save time when making agreements, an instrument to send appointment reminders, etc. 62. The Disputes Chamber finds that the complaint and the inspection report only concern have on the processing of personal data in the context of free profiles after all, concerns doctors who do not want to conclude such an agreement with the defendant. The Disputes Chamber will therefore not proceed to the assessment of the lawfulness of the data processing in the context of the paying profiles. II.4. Article 12(1),(2) and (3), Article 17, Article 19, Article 24(1) and Article 25(1) AVG 63. Article 12 (1) GDPR stipulates that the controller must take appropriate measures must take in order for the data subject to receive the information in connection with the processing in a concise, transparent, intelligible and easily accessible form and in clear and simple task. Article 12 of the GDPR regulates the way in which the data subjects receive their be able to exercise rights and stipulates that the controller shall exercise them of those rights by the data subject (Article 12(2) of the GDPR), and him without delayin any eventwithin one monthafterreceiptoftherequestinformationDecision on the substance 75/2023 - 14/26 give information about the measures taken in response to his request (Article 12, par 3 GDPR). 64. A data subject should have the right to request the erasure of his or her personal data if they are processed in violation of the GDPR. Article 17 (1) GDPR sums up a number of cases in which the data subject has the right to without unreasonable delay in having his personal data deleted by the controller, such as in the situation where personal data is unlawful have been processed. 65. Article 24 GDPR requires the controller, taking into account the nature, scope, context and purpose of the processing, appropriate technical and takes organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation. 66. Article 5(2) and Article 24 GDPR impose general accountability obligations and compliance requirements to data controllers. More specifically, these require provisions of controllers that they take appropriate measures to prevent any violations of the rules of the GDPR in order to protect the right to to ensure data protection. 67. Finally, Article 19 GDPR stipulates that the controller must inform each recipient to whom personal data has been disclosed, of any deletion of personal data in accordance with Article 17 (1) of the GDPR, unless this proves impossible or disproportionate effort. II.4.1. Findings in the Inspection Report 68. The Inspectorate finds that there is a violation of the above articles and refers to the following elements: a. the defendant did not provide the Inspectorate with any supporting documents how the request to remove the complainants was answered; b. the defendant did not provide any supporting documents to the Inspectorate that on January 14, 2022, the necessary steps were effectively taken to reduce the delete personal data of the complainants; c. the defendant did not provide any supporting documents to the Inspectorate that it was effectively unable to comply with the request for removal of the complainants was sent by registered mail. Decision on the substance 75/2023 - 15/26 II.4.2. Defendant's position 69. The defendant disputes this finding and maintains, in essence, that it is indeed an effect has given to the complainants' data erasure request on 14 January 2022. Om to begin with, the defendant points out that it only became aware of it on 13 January 2022 of the data erasure request of the complainants. The registered letter dd. 25 October 2021 addressed to the registered office and delivered there on October 26 2021 was not received by (an employee of) the defendant. The the defendant's business manager, to whom the letter was addressed, has it receipt not signed. In this context, the defendant argues that in Belgium that was currently in a lockdown period with mandatory homework, so that the employees and the defendant's business manager could not receive the registered letter to take. The defendant therefore argues that the actual knowledge of the request for data erasure took place on January 13, 2022 and that it was being implemented given to that request on January 14, 2022. The defendant puts forward various claims in this regard documents, such as a statement from the employee who provided the personal data has removed. In addition, the defendant also takes screenshots of the internal management platform which states that on January 14, 2022, this data has the status “removed from [defendant]". 70. The defendant further states that there is a memorandum in the intern with regard to almost all complainants management platform is included reminding that she will not be in touch again with the relevant professional. In this respect, the defendant refers to the Guidelines 5/2019 “on the criteria for the right to be forgotten in the search engine matters under the GDPR”. 15 To the extent that one can the defendant consider it a search engine for healthcare professionals, can a request addressed to it can also be regarded as a request for delisting, whereby complete deletion of data does not take place and the search engine is therefore useful can give to the request of the complainants never to be contacted again. The the defendant states that, pursuant to the conclusions of the reply dd. May 13, 2022, also this note has removed and provides evidence to this effect. This results in the defendant can no longer guarantee that the complainants will never be contacted again, because, now that this information no longer exists, they can no longer know that the practitioner is in issue has requested never to be contacted again. 71. Next, the defendant argues that it cannot be criticized for not having the has taken the necessary technical and organizational measures, in view of the 15EDPB, Guidelines 5/2019 on the criteria for the right to be forgotten in the search engine business pursuant to the GDPR, dd. July 7, 2020, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201905_rtbfsearchengines_afterpublicconsultation _nl.pdf. Decision on the substance 75/2023 - 16/26 notification system to the Google search engine that the defendant has integrated into its internal management platform. This notification procedure is triggered as soon as a employee processes the request for data erasure on the management platform. The actual removal by the search engine (of the search results related to the) personal data is normally done after 15 days, depending on the priorities/capacities of the search engine, this may take longer in certain cases. It the fact that the results can still be found on Google is due to a reactivity problem with Google itself and not with the defendant. 72. Finally, the defendant claims that it has not fulfilled the obligations arising from Article 12(1)(2) and paragraph 3 GDPR has complied. She actually has the request for data erasure received on January 13, 2022, it complied with it on January 14, 2022 and it informed those involved on 7 February 2022. The same applies for the additional request to delete the internal note mentioned above. This one has received by the defendant through the conclusions of the reply dd. May 13, 2022, she has this implemented on May 17, 2022 and on May 23, 2022, it advised the lawyer of the concerned are hereby informed. In this context, the defendant notes that the list of those involved in the complaint was more limited in number than the letter dd. October 25, 2021. Op May 13, 2022, via the statement of defense, the defendant learned that in the registered write dd. October 25, 2021, 5 other professionals were also mentioned of which it had not yet deleted the data. The defendant has in good faith always complied with all requests for data erasure that it has received. 73. In a secondary order, the defendant argues that there is no error, nor negligence. After all, the complainants themselves decided to cancel their request by email during the lockdown period send by registered mail. However, the defendant sends to the professionals whose e-mail address she has, a performance mail in which she are informed about the statistics of their profile, and through this mail they also receive access to their profile where they can change or delete their data to ask. The relevant healthcare practitioner can use a button at the bottom of the performance mail unsubscribe from the emails. A request for data erasure can also be sent to the e-mail address mentioned above in the privacy policy. The defendant argues therefore more efficient and reliable options were available to the complainants, thenonly a request by registered letter.The reference to decision 74/2020of the Disputes Chamber by the Inspectorate is therefore incorrect, since the defendant offers data subjects various options for exercising their rights. 74. Only after receipt of the letter from the Inspection Service dated 13 January 2022 in the building where its offices are located, the defendant was able to take note of the registered letter dd. October 25, 2021 after finding it in a pile of advertising mail. The letter was there Decision on the substance 75/2023 - 17/26 apparently deposited by a third party, a neighbor or the postman himself, and the the defendant cannot be held liable. 75. Finally, the defendant argues that it was under no obligation to comply with the request for data erasure, since none of the cases from Article 17, paragraph 1a)-d) GDPRop apply in this case. In addition, Article 17(3)(a) GDPR provides for an exception to the right to data erasure insofar as the processing is necessary for the right to freedom of expression and information. II.4.3. Review by the Litigation Chamber 76. In section II.3, the Litigation Chamber has determined that the personal data of the complainants were processed unlawfully with regard to the free profiles. The defendant served therefore pursuant to Article 17 (1) (d) GDPR to delete the personal data, if that was requested. 77. Based on the above, the controller must make an arrangement to enable data subjects to exercise their rights easily and simply to practice. A controller is not allowed any unnecessary thresholds raise for data subjects to exercise the aforementioned rights. When a controller has a policy that prevents the exercise of the said interferes with rights and actively propagates this policy, there may be violation of article 12, second paragraph, of the GDPR. 78. Recital 59 of the GDPR further clarifies the standard in Article 12 of the GDPR: “There should be arrangements in place to enable the person concerned to exercise his rights under this Regulation, such as mechanisms to request, in particular, access to and rectification or erasure of personal data and, if applicable, to obtain it free of charge, as well as to to exercise the right to object. [...]” 79. In view of the above, the Disputes Chamber concludes that the defendant indeed provides variousopportunitiestoperformtherighttodatawipe.Hereby the Disputes Chamber notes that the possibility to delete the data via the profile implies that the data subjects should make use of the unlawful createdprofiletodeletethisprofile,whichcannotbetheintention. The same can be said about the unsubscribe button in the performance mails. The defendant points Please note that the data erasure request can also be sent to the email address stated in the privacy policy. However, it is more difficult to receive an e-mail check. The Litigation Chamber points out that the defendant writes in its privacy policy that data subjects can exercise their rights by writing to the mentioned e-mail e-mail address or the stated postal address. Consequently, the data subjects must also be able to use Decision on the substance 75/2023 - 18/26 making a registered letter, whether or not with acknowledgment of receipt, since this is a very common means of official and formal communication and those involved guarantees that it will be received by the recipient. 80. The defendant argues that the registered letter was sent during a lockdown period during which the employees and the manager worked at home. The Litigation Chamber notes that teleworking was strongly recommended in the period October 2021, and not mandatory. The defendant was therefore not unable to organize itself to perform certain activities, such as tracking mail. The Dispute Room finds that the defendant has not taken the appropriate measures for the right to facilitate data erasure of the data subject, which constitutes a violation of Article 12, paragraph 2 GDPR. 81. Due to the lack of facilitation of the exercise of the right to erasure, the right to erasure was not exercised in time, in accordance with Article 12 (3) GDPR. The Litigation Chamber finds that this non-compliance is the result of inadequate facilitation of the exercise of the rights, and that the the defendant soon after receipt of the letter from the Inspectorate dated. January 13, 2022 acted as well as for subsequent requests soon after becoming aware of them has. 82. The Inspectorate also finds a violation of Article 19 GDPR, but justifies this determination not. Nor does she submit documents in this regard. The Dispute Room therefore considers this infringement to be unproven. 83. In view of the above, the Disputes Chamber concludes that there has been an infringement to Article 12 (2) GDPR. II.5. Sanctions and corrective measures II.5.1. General 84. On the basis of the documents in the file, the Disputes Chamber establishes that there is following infringements: a. Article 5, paragraph 1, a) j° Article 6, paragraph 1, f) with regard to the lawfulness of the processing of personal data; and b. Article 12 (2) GDPR j° Article 17 (1) GDPR for not taking the appropriate measures to facilitate the exercise of their rights by data subjects. 16https://www.info-coronavirus.be/nl/news/occ-2610/. Decision on the substance 75/2023 - 19/26 85. Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to: 1° to dismiss a complaint; 2° to order the exclusion of prosecution; 3° to order a suspension of the judgment; 4° propose a settlement; 5° formulate warnings and reprimands; 6° to order that the data subject's requests to exercise his rights be complied with to practice; 7° order that the data subject be informed of the security problem; 8° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° order that the processing be brought into compliance; 10° rectification, restriction or deletion of data and notification to recommend it to the recipients of the data; 11° to order the withdrawal of the accreditation of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° the suspension of cross-border data flows to another State or to recommend an international institution; 15° transfer the file to the prosecutor's office of the public prosecutor in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. II.5.2. Established infringement of Article 5(1)(a) j° Article 6(1)(f) and Article 12(2) GDPR in conjunction with Article 17 (1) GDPR. II.5.2.1. Administrative fine 86. In accordance with Article 101 WOG, the Disputes Chamber decides an administrative one impose a fine on the defendant for the following infringements: o Article 5, paragraph 1, a) j° Article 6, paragraph 1, f) with regard to the lawfulness of the processing of personal data; and o Article 12 (2) GDPR j° Article 17 (1) GDPR for not taking the appropriate measures to facilitate the exercise of their rights by data subjects. 87. For a violation of Articles 5 and 6 of the AVG, the Disputes Chamber can, on the basis of Article 83, fifth paragraph, a) GDPR Not to impose an administrative fine up to EUR 20,000,000 or for a company up to 4% of the total worldwide annual turnover in the previous financial year, Decision on the substance 75/2023 - 20/26 if this number is higher. A violation of the aforementioned provisions therefore gives in accordance with Article 83 (5) GDPR gives rise to the highest fines. 88. For a violation of Article 17 GDPR, the Disputes Chamber can, on the basis of Article 83, paragraph 5, b) AVG Also impose an administrative fine up to an amount of 20,000.00 EURorforacompanyupto4%ofthetotalworldwideannualturnoverintheprevious fiscal year if that figure is higher. 89. The Disputes Chamber considers it appropriate to impose an administrative fine amount of EUR 10,000 (article 83, paragraph 2, article 100, §1, 13°WO and article 101WOG). fine is imposed for both the infringement of Article 5(1)(a) j° Article 6(1)(f) GDPR and the infringement of Article 12 (2) GDPR and Article 17 (1) GDPR. 90. It should be pointed out in this context that the administrative fine does not matter aims to end unified transgression, but requires a strong enforcement of the rules of the GDPR. After all, as can be seen from recital 148 GDPR, the GDPR states First of all, in the event of any serious infringement – including the first finding of an infringement – penalties, including administrative fines, in addition to or instead of appropriate ones 17 measures are imposed. The Disputes Chamber then demonstrates that the infringements that the defendant has committed on the aforementioned provisions of the GDPR by no means minor infringements, nor that the fine would impose a disproportionate burden on a natural person as referred to in recital 148 GDPR, where in either case a fine may be waived. The fact that it is an initial determination of a the defendant committed an infringement of the GDPR, does not affect this in any way to the possibility for the Disputes Chamber to make an administrative decision impose a fine. The Disputes Chamber will impose the administrative fine application of Article 58(2)(i) GDPR. The instrument of administrative fine has in no way intended to terminate infringements. To this end, the GDPR and the WOG provide for a number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9° WOG. 17 Recital 148 provides: “In order to strengthen enforcement of the rules of this Regulation, penalties should be including administrative fines, to be imposed for any breach of the Regulation, in addition to or instead of appropriate measures imposed by the supervisory authorities pursuant to this Regulation it concerns a minor infringement or if the expected fine would place a disproportionate burden on a natural person, a reprimand can be chosen instead of a fine. However, it must be taken into account be taken into account the nature, seriousness and duration of the infringement, the intentional nature of the infringement, with harm reduction measures, with the degree of responsibility, or with previous relevant infringements, with the manner on which the breach has come to the knowledge of the supervisory authority, with compliance with the measures that were taken against the controller or processor, with adherence to a code of conduct and with any other aggravating or mitigating factors. Imposing punishments, including administrative ones fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective remedy and due process. Decision on the substance 75/2023 - 21/26 91. In determining this amount, the Litigation Chamber bases itself on the 2021 annual report which was deposited with the national bank on 8 July 2022 showing that the turnover was 605,865 amounts to EUR. The amount roughly corresponds to 4% of this annual turnover. 92. Taking into account Article 83 GDPR, the case law of the Marktenhof, as well as the criteria set out in the EDPB guidelines on the calculation of the 19 administrative fines, the Litigation Chamber motivates the imposition of a administrative fine in concrete terms, taking into account the following when assessing elements: Severity of the violation (Article 83(2)(a) GDPR) 93. The Litigation Chamber has established that, with regard to the free profiles, personal data of tens of thousands of professionals throughout Belgium collected and processed without lawful basis. The defendant cannot successfully invoke Article 6 (1) (f) GDPR (legitimate interest) as they do not meets the conditions as developed by the European Court of Justice Union. The defendant collects data from various types of sources without this within the reasonable expectation of the healthcare professionals involved. Although the interests pursued by the defendant are legitimate, and the processed personal data are limited to what is necessary to the litigious processing, they do not prevail over those of the data subjects. The number of data subjects (Article 83 paragraph 2, a) GDPR) It involves tens of thousands of healthcare professionals, geographically spread throughout Belgium. Negligent or intentional nature of the breach (Article 83(2)(b) GDPR) 94. As to whether the infringement was intentional or negligent was committed (article 83.2.b) of the GDPR), the Litigation Chamber reminds that "not intentionally” means that it was not the intention to commit the infringement, although the the controller had not complied with the duty of care pursuant to the law rested upon him. In this case, the Disputes Chamber rules that the infringement is not of is intentional in nature, because the defendant has indeed made an analysis in order to determine which legal basis would be most appropriate in the present case. There is consequently no - apparent - intention to violate the GDPR on the part of the defendant. This turns out among other things from the argument of the defendant in which it argues that the applicability of consent as a legal basis (Article 6(1)(a) GDPR) was examined for the 18Brussels Court of Appeal (Marktenhof section), X t. GBA, Judgment 2020/1471 of 19 February 2020 19Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 Mon 2022 (version for public consultation). Decision on the substance 75/2023 - 22/26 intended processing, but was found to be less suitable. In this context, the Litigation Chamber, however, notes that the defendant has the contact details of the data subjects – because they were collected to be placed on the platform places – and that, as described in this decision, there is no doubt that consentis the only proper legal basis for this processing simply asked. After all, the defendant could use one standard requestwith limited individualization as the case may be.TheLitigation Chamber therefore considers that the infringement was committed through negligence. The duration of the breach (Article 83(2)(a) GDPR) 95. The Litigation Chamber also refers to the duration of the infringement, namely since 25 May 2018 to date as it has not yet been terminated. This means that it is long-term and structural violation of a basic principle (lawfulness) of the GDPR. Aggravating circumstance (Article 83(2)(k) GDPR) 96. The Litigation Chamber also takes into account the fact that the defendant made a profit that arises from the unlawful processing as an aggravating circumstance. Mitigating circumstance (Article 83(2)(k) GDPR) 97. The Litigation Chamber also takes into account the fact that the defendant has never before was the subject of an enforcement procedure of the DPA (article 83, paragraph 2, e) GDPR). 98. The Litigation Chamber notes that the defendant has swiftly implemented the right to erasure as soon as it has become aware of the request in question of the data subject. With regard to the inadequate facilitation of the right to data erasure of the complainants, the Disputes Chamber is of the opinion that no additional fine must be imposed. The categories of personal data affected by the breach (Article 83(2) g) GDPR As far as the contact details of the data subjects are concerned, these are public personal data and no personal data of a special nature. Conclusion 99. The whole of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the certain assessment criteria. The Litigation Chamber points out that the other criteria of art. 83.2. AVG in this case are not of a nature that they lead to another administrative fine than that which the Disputes Chamber has in the context of this decision established. Decision on the substance 75/2023 - 23/26 100. In summary, the defendant argues in its response to the sanction form that: (i) the seriousness of the offense cannot be deduced from the possibility of it providing reviews on free profiles, as that option does not exist; (ii) the number of people involved cannot be taken into consideration when determining the fine, as the fulfillment of the interests pursued by the defendant requires the largest possible number of data subjects and the Litigation Chamber recognizes this the interests pursued are justified (iii) the duration of the alleged infringement cannot be taken into consideration the determination of the fine, now that the defendant could reasonably assume at all times that there was no infringement, in view of authoritative foreign case law with relating to an identical situation; (iv) the defendant cannot be accused of negligence as it chose not to provide data processing on the basis of consent, not because this is practically impossible would be, but because an analysis showed that the legitimate interests of a provided a more appropriate basis for the purposes of the intended processing; (v) the processing of data by the defendant never reached the stated 'large negative consequences' can have (and has never had) for those involved (financial and reputational damage), which the Disputes Chamber deduces from the review option of profiles, since this option does not exist for the (free) profiles of those involved; (vi) the personal data in the reviews has no potential financial consequences for the data subjects may have since these reviews do not exist on their free profiles. 101. The elements from the sanction form used by the Litigation Chamber additional considerations are discussed below. 102. As the defendant notes in the sanction form, the review option is indeed not present for the free profiles. This aspect is therefore no longer included in the the Litigation Chamber's consideration of the seriousness of the breach and its potential consequences of the data subjects in the context of the consideration of the administrative fine. 103. As for the argument that the number of people involved should not be taken into account the Disputes Chamber notes that the interest pursued is indeed a broad one possible database required. As already explained, the target test is only one of the three conditions for a successful appeal to Article 6 (1) f) GDPR. The illegitimate processing therefore concerns a large number of persons. Decision on the substance 75/2023 - 24/26 104. As to the argument that the duration of the infringement and its negligent nature, the defendant refers to German case law whereby a platform similar to that of the defendant was considered to be in comply with the GDPR. The Litigation Chamber takes note of this, but also refers to a previous decision dated 24 May 2022 on its website regarding a similar referral website. The Disputes Chamber ruled in this decision that such processing does not fulfill the conditions for a successful appeal to Article 6(1)(f) GDPR. The Disputes Chamber takes account of the relatively recent developments character of this decision. 105. On the basis of all the elements set out above, the Litigation Chamber to adjust proposed sanction from EUR 20,000 to EUR 10,000. The established infringements warrant an effective, proportionate and dissuasive sanction as referred to in Article 83 GDPR, taking into account the provisions therein assessment criteria. The Disputes Chamber is of the opinion that a lower fine in the the present case would not meet the requirement of Article 83(1) of the GDPR criteria, according to which the administrative fine is not only proportionate, but also must be effective and deterrent. II.5.2.2. Stop order 106. Pursuant to Article 100, paragraph 1, 8° and 9° WOG, the Litigation Chamber also orders to the defendant to terminate the violation of article 5, paragraph 1 j ° article 6, paragraph 1, f) GDPR and keep it terminated. The defendant can comply with this by processing personal data of healthcare professionals with regard to the to terminate free profiles on its platform or by, for example, consent, in accordance with Article 4, 11) of the GDPR to be obtained from the data subjects for the processing of personal data. II.5.3. Other grievances 107. The Litigation Chamber proceeds to a deposit of the other grievances and findings of the Inspectorate because, based on the facts and the documents in the file, they do not belong to the conclude that there has been a breach of the GDPR. These grievances and findings of the Inspectorate are therefore regarded as manifestly unfounded within the meaning of Art. 57(4) GDPR. 20 Substance decision 84/2022 of 24 May 2022, which can be consulted at https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-84-2022.pdf. 21 See point 3.A.2 of the Dispute Policy of the Litigation Chamber, dd. June 18, 2021, available at https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf Decision on the merits 75/2023 - 25/26 III. Publication of the decision 108. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties are disclosed directly. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - pursuant to Article 58, paragraph 2 GDPR and Article 100, §1; 13° WOG an administrative one to impose a fine of EUR 10,000 for the infringement of Article 5, paragraph 1, a) j° Article 6, paragraph 1, f) GDPR and the violation of Article 12, paragraph 2 in conjunction with Article 17, paragraph 1 GDPR; - on the basis of Article 100, §1, 8° and 9° WOG order the violation of Article 5, paragraph 1, a) j° terminate and keep terminated in Article 6 (1) f) GDPR, and then in a provide a valid legal basis for the processing of the personal data; - to dismiss the other grievances pursuant to Article 100, §1, 1° WOG. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification against this decision may be appealed to the Marktenhof (court of Brussels appeal), with the Data Protection Authority as defendant. Such an appeal may be made by means of an inter partes petition listed in Article 1034ter of the Judicial Code and must contain .The 22 a contradictory petition must be submitted to the Registry of the Market Court 22 The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer. Decision on the substance 75/2023 - 26/26 23 in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit IT system of Justice (Article 32ter of the Ger.W.). (get). Hielke HIJMANS Chairman of the Litigation Chamber 23 The application with its annex is sent, in as many copies as there are parties involved, by registered letter sent to the clerk of the court or deposited at the clerk's office.