APD/GBA (Belgium) - 105/2023: Difference between revisions
m (Mg moved page APD/GBA (Belgium) - 105-2023 to APD/GBA (Belgium) - 105/2023) |
|||
Line 78: | Line 78: | ||
This decision concerns two controllers, the ''Belgian City of Kortrijk'' (controller 1) and the ''Belgian FOD Mobiliteit en Vervoer'', the federal service of mobility and transport (controller 2). | This decision concerns two controllers, the ''Belgian City of Kortrijk'' (controller 1) and the ''Belgian FOD Mobiliteit en Vervoer'', the federal service of mobility and transport (controller 2). | ||
On 28 May 2020, the data subject was given a parking fine by controller 1. Specifically, the fine was issued by a public company acting on behalf of Controller 1. This company had a lawful legal basis to use the service DIV (''[https://www.belgium.be/nl/mobiliteit/Voertuigen/inschrijving dienst inschrijving voor voertuigen]'') of controller 2 in order to receive necessary information to identify owners of vehicles. | On 28 May 2020, the data subject was given a parking fine by controller 1. Specifically, the fine was issued by a public company acting on behalf of Controller 1 - AGB Parko. This company had a lawful legal basis to use the service DIV (''[https://www.belgium.be/nl/mobiliteit/Voertuigen/inschrijving dienst inschrijving voor voertuigen]'') of controller 2 in order to receive necessary information to identify owners of vehicles. | ||
On 1 January 2020, the company’s services were integrated into the city services of controller 1 | On 1 January 2020, the company’s services were integrated into the city services of controller 1. The data subject was not informed about this change. However, controller 1 could not rely on the same legal basis(ses) used by AGB Parko, namely deliberation FO No. 02/2016. Such a deliberation originally enabled AGB Parko to use controller’s 2 database to identify owners who owed fees on their vehicles and issue fines'''.''' | ||
On 5 November 2020, the data subject filed a complaint at the Belgian DPA against both controllers. The data subject claimed that both controllers did not have a valid legal basis for sharing of his personal data. | |||
One of the three members of the DPA had stepped down due to a conflict of interest. Therefore, the chair decided to issue the decision alone, since it was not allowed to issue a decision with only two members. | |||
On 4 March 2022, the Belgian DPA issued decision 31/2022. During the hearings for this decision, only the lack of legal basis was discussed. However, the DPA did not only find a violation of [[Article 6 GDPR#1|Article 6(1)]], but also found violations of [[Article 5 GDPR#1a|Articles 5(1)(a),]] [[Article 12 GDPR#1|12(1)]] and [[Article 14 GDPR#1a|14(1)(a) GDPR]], because the controller did not inform the data subject properly. | |||
On 4 | On 4 April 2022, an appeal was filed at the court of appeal. Controller 1. | ||
On | On 26 October 2022, the court annulled decision 31/2022. Among other shortcoming, the court stated that the chair of the DPA should not have issued the decision alone, since this resulted in problems with the legality of the decision. The court also stated that the decision did not adhere to several principles, such as the principle of carefulness, because the controllers were never made aware about their supposed violations of [[Article 5 GDPR#1a|Articles 5(1)(a),]] [[Article 12 GDPR#1|12(1)]] and [[Article 14 GDPR#1a|14(1)(a) GDPR]]. | ||
The court ordered the DPA to investigate the case again to allow both controllers to defend themselves. | |||
On 21 December 2022, following the ruling by the court, the DPA decided to take a(nother) look at the facts of the case. | |||
''First'', during the new procedure, both controllers argued that the DPA was not the competent authority in this case. Instead, the “Vlaamse Toezichtcommissie” was the competent authority. This was the regional data protection authority of the Belgian Region of Vlaanderen. To support its argument, Controller 1 referred to [[Article 57 GDPR|Articles 57(1)(f)]] and [[Article 51 GDPR#1|51(1) GDPR]]. | |||
'' | ''Second'', controller 2 argued that the court had only referred to controller 1 in its order to the DPA. Therefore, according to controller 2, the DPA violated the order of the court by investigating controller 2 as well. | ||
'' | ''Third'', controller 1 stated that its right to a fair trial had been violated because it had not been clear which complaints had been filed against it. According to controller 1, three separate complaints had been filed by the data subject and only one complaint had been discussed by the DPA. The controller referred to documents sent by the data subject on three different dates. | ||
''Fourth,'' controller 1 stated that it used two Belgian ‘beraadslagingen’ (decisions by the respective municipality), as a legal basis to gain access to the DIV system for identification of data subjects as the owner of a vehicle. | |||
''Fourth,'' controller 1 stated that it used two Belgian ‘beraadslagingen’ (decisions by the respective municipality), as a legal basis to gain access to the DIV system for identification of data subjects as the owner of a vehicle. | |||
''Fifth'', during the procedure, both controllers stated that their legal basis for processing had been [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]. However, both controllers mentioned this for the first time at the hearing and they never communicated the use of this legal basis to the data subject. | ''Fifth'', during the procedure, both controllers stated that their legal basis for processing had been [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]. However, both controllers mentioned this for the first time at the hearing and they never communicated the use of this legal basis to the data subject. | ||
=== Holding === | === Holding === | ||
''First,'' The DPA held that it was the competent authority in this case | ''First,'' The DPA held that it was the competent authority in this case. | ||
'' | ''Second'', the DPA rejected the argument of controller 2 that the court’s order was only directed towards controller 1, and that controller 2 should therefore be excluded from the current proceedings. Among other arguments, the DPA stated that the court had continuously referred to both controller 1 and controller 2 in its judgement. Also, controller 1 would not have been able to issue the fine of the data subject without the personal data that was distributed by controller 2. | ||
'' | ''Third'', the DPA confirmed that the data subject only filed one complaint at the DPA. The different documents that controller 1 referred to were all part of the same complaint. Controller 1 had been given access to all these documents before the decision was issued. Therefore, the right to a fair trial was not violated. | ||
'' | ''Fourth'', the DPA held that controller 1 could not use one of the ‘beraadslagingen’ as legal basis for receiving personal data from controller 2 and provided several reasons. For example, one of the 'beraadslagingen' authorised controller 1 to use the DIV to receive personal data, but not for the purpose of issuing a parking fine through the data subjects taxes. | ||
'' | ''Fifth'', The DPA ruled that controller 1 violated [[Article 5 GDPR#1a|Articles 5(1)(a)]], [[Article 12 GDPR#1|12(1)]] and [[Article 14 GDPR#1a|14(1)(a) GDPR]] due to a lack of transparency. For the data subject, it was not at all clear that controller 1 had requested his personal data from controller 2. | ||
'' | ''Sixth'', the DPA confirmed that controller 1 did not have a legal basis for the processing at the time it requested the information from controller 2. This resulted in violations of [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 6 GDPR#1|6(1)]] GDPR. | ||
''Eight'', both controllers violated [[Article 5 GDPR#2|Articles 5(2)]] and [[Article 24 GDPR|24 GDPR]] because both controllers did not provide any information. Not only did they not disclose the legal basis, but they also did not provide any other information in [[Article 14 GDPR#1|Article 14(1) GDPR]]. Therefore, both controllers did not comply with the principle of transparency [[Article 5 GDPR#1a|(Article 5(1)(a) GDPR]]). | ''Eight'', both controllers violated [[Article 5 GDPR#2|Articles 5(2)]] and [[Article 24 GDPR|24 GDPR]] because both controllers did not provide any information. Not only did they not disclose the legal basis, but they also did not provide any other information in [[Article 14 GDPR#1|Article 14(1) GDPR]]. Therefore, both controllers did not comply with the principle of transparency [[Article 5 GDPR#1a|(Article 5(1)(a) GDPR]]). | ||
Despite the above violations, the DPA did not impose any sanctions because both controllers had implemented several measures to improve their GDPR compliance. Among other improvements, both controllers had | Despite the above violations, the DPA did not impose any sanctions because both controllers had implemented several measures to improve their GDPR compliance. Among other improvements, both controllers had changed their privacy policy. | ||
== Comment == | == Comment == |
Revision as of 13:07, 4 September 2023
APD/GBA - 105-2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 12(1) GDPR Article 14(1)(a) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 05.11.2020 |
Decided: | 01.08.2023 |
Published: | |
Fine: | n/a |
Parties: | City Of Kortrijk FOD Mobiliteit en Vervoer |
National Case Number/Name: | 105-2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | Kv33 |
The Belgian DPA determined that the Belgian City of Kortrijk and the Belgian FOD violated several GDPR provisions for sharing personal data in order to issue a parking fine. Both controllers did not have a legal basis for this processing and did not provide adequate transparency to the data subject.
English Summary
Facts
This decision concerns two controllers, the Belgian City of Kortrijk (controller 1) and the Belgian FOD Mobiliteit en Vervoer, the federal service of mobility and transport (controller 2).
On 28 May 2020, the data subject was given a parking fine by controller 1. Specifically, the fine was issued by a public company acting on behalf of Controller 1 - AGB Parko. This company had a lawful legal basis to use the service DIV (dienst inschrijving voor voertuigen) of controller 2 in order to receive necessary information to identify owners of vehicles.
On 1 January 2020, the company’s services were integrated into the city services of controller 1. The data subject was not informed about this change. However, controller 1 could not rely on the same legal basis(ses) used by AGB Parko, namely deliberation FO No. 02/2016. Such a deliberation originally enabled AGB Parko to use controller’s 2 database to identify owners who owed fees on their vehicles and issue fines.
On 5 November 2020, the data subject filed a complaint at the Belgian DPA against both controllers. The data subject claimed that both controllers did not have a valid legal basis for sharing of his personal data.
One of the three members of the DPA had stepped down due to a conflict of interest. Therefore, the chair decided to issue the decision alone, since it was not allowed to issue a decision with only two members.
On 4 March 2022, the Belgian DPA issued decision 31/2022. During the hearings for this decision, only the lack of legal basis was discussed. However, the DPA did not only find a violation of Article 6(1), but also found violations of Articles 5(1)(a), 12(1) and 14(1)(a) GDPR, because the controller did not inform the data subject properly.
On 4 April 2022, an appeal was filed at the court of appeal. Controller 1.
On 26 October 2022, the court annulled decision 31/2022. Among other shortcoming, the court stated that the chair of the DPA should not have issued the decision alone, since this resulted in problems with the legality of the decision. The court also stated that the decision did not adhere to several principles, such as the principle of carefulness, because the controllers were never made aware about their supposed violations of Articles 5(1)(a), 12(1) and 14(1)(a) GDPR.
The court ordered the DPA to investigate the case again to allow both controllers to defend themselves.
On 21 December 2022, following the ruling by the court, the DPA decided to take a(nother) look at the facts of the case.
First, during the new procedure, both controllers argued that the DPA was not the competent authority in this case. Instead, the “Vlaamse Toezichtcommissie” was the competent authority. This was the regional data protection authority of the Belgian Region of Vlaanderen. To support its argument, Controller 1 referred to Articles 57(1)(f) and 51(1) GDPR.
Second, controller 2 argued that the court had only referred to controller 1 in its order to the DPA. Therefore, according to controller 2, the DPA violated the order of the court by investigating controller 2 as well.
Third, controller 1 stated that its right to a fair trial had been violated because it had not been clear which complaints had been filed against it. According to controller 1, three separate complaints had been filed by the data subject and only one complaint had been discussed by the DPA. The controller referred to documents sent by the data subject on three different dates.
Fourth, controller 1 stated that it used two Belgian ‘beraadslagingen’ (decisions by the respective municipality), as a legal basis to gain access to the DIV system for identification of data subjects as the owner of a vehicle.
Fifth, during the procedure, both controllers stated that their legal basis for processing had been Article 6(1)(e) GDPR. However, both controllers mentioned this for the first time at the hearing and they never communicated the use of this legal basis to the data subject.
Holding
First, The DPA held that it was the competent authority in this case.
Second, the DPA rejected the argument of controller 2 that the court’s order was only directed towards controller 1, and that controller 2 should therefore be excluded from the current proceedings. Among other arguments, the DPA stated that the court had continuously referred to both controller 1 and controller 2 in its judgement. Also, controller 1 would not have been able to issue the fine of the data subject without the personal data that was distributed by controller 2.
Third, the DPA confirmed that the data subject only filed one complaint at the DPA. The different documents that controller 1 referred to were all part of the same complaint. Controller 1 had been given access to all these documents before the decision was issued. Therefore, the right to a fair trial was not violated.
Fourth, the DPA held that controller 1 could not use one of the ‘beraadslagingen’ as legal basis for receiving personal data from controller 2 and provided several reasons. For example, one of the 'beraadslagingen' authorised controller 1 to use the DIV to receive personal data, but not for the purpose of issuing a parking fine through the data subjects taxes.
Fifth, The DPA ruled that controller 1 violated Articles 5(1)(a), 12(1) and 14(1)(a) GDPR due to a lack of transparency. For the data subject, it was not at all clear that controller 1 had requested his personal data from controller 2.
Sixth, the DPA confirmed that controller 1 did not have a legal basis for the processing at the time it requested the information from controller 2. This resulted in violations of Articles 5(1)(a) and 6(1) GDPR.
Eight, both controllers violated Articles 5(2) and 24 GDPR because both controllers did not provide any information. Not only did they not disclose the legal basis, but they also did not provide any other information in Article 14(1) GDPR. Therefore, both controllers did not comply with the principle of transparency (Article 5(1)(a) GDPR).
Despite the above violations, the DPA did not impose any sanctions because both controllers had implemented several measures to improve their GDPR compliance. Among other improvements, both controllers had changed their privacy policy.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/31 Litigation room Decision on the substance 105/2023 of 1 August 2023 File number : DOS-2020-00186 Subject: Identification of number plate following parking ticket followed by assessment notice regarding tax on parking – Reconsideration of decision on the merits 31/2022 of March 4, 2022 The Disputes Chamber of the Data Protection Authority, composed of Mr Dirk Van Der Kelen, acting chairman, and Messrs Frank De Smet and Romain Robert, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: . The complainant: Mr X, hereinafter referred to as “the complainant”; . . The defendants: City of Kortrijk, Grote Markt 54, 8500 Kortrijk, represented by lawyers Bart Martel and Anneleen Van de Meulebroucke, hereinafter “defendant 1”; Decision on the substance 105/2023 - 2/31 FPS Mobility and Transport, Directorate-General for Road Transport and Road Safety, Rue du Progrès 56, 1210 Brussels, represented by counsel Frederic Debusseré and Ruben Roex, hereinafter “defendant 2”. I. Factual Procedure 1. This decision is a reconsideration of decision on the merits 31/2022 of the Litigation Chamber of March 4, 2022 and implements the judgment of the Market Court of October 26, 2022, with roll number 2022/AR/457. 2. This decision should be read in conjunction with decision 31/2022 and contains a review with a view to re-examining the complaint, subject to the considerations of the Market Court. In concrete terms, this means that the Market Court orders that: – the Litigation Chamber, composed differently, pronounces again on the case, considering the door the Marktenhof determined invalid composition with which the decision of 31/2022 was proficient; - if necessary, the defendants are given the opportunity to defend themselves regarding the transparency obligation set out in Articles 5.1 a), 12.1 and 14.1 a) GDPR. 3. On 5 November 2020, the complainant lodged a complaint with the Data Protection Authority against the defendants. The object of the complaint concerns the identification of the license plate belonging to the complainant following a determination by a Parko parking attendant on May 28, 2020 that resulted in a parking ticket and subsequently in a tax assessment notice on it parking. The complainant argues that defendant 1, who has been responsible for the parking policy, although it has joined the deliberation FO no. 14/2016 of 21 January 2016 , but this affiliation took place through an agreement that was not finalized concluded on September 1, 2020 and in which point 13 states that the agreement enters into force on January 1, 2020. The date of entry into force is stated as August 28, 2020. 1 I.e. if this is the Litigation Chamber's reading of the complainant's conclusion. 2Deliberation regarding the one-time authorization to grant the municipalities access to the directory of the DIV for the identification of persons liable to pay a parking fee, tax or parking fee due to the use of a vehicle - Revision of the deliberation FO n° 05/2015 of 19 March 2015 (AF-MA-2015-099) 3https://mobilit.belgium.be/nl/wegverkeer/registration_of_vehicles/data exchange/parking management 4 The membership agreement can be found via the following link: https://mobilit.belgium.be/sites/default/files/DGWVVV/kortrijk_14_2016.pdf 5https://dt.bosa.be/nl/beneficiaries_beraadslaging_fo_nr_142016 Substantive decision 105/2023 - 3/31 According to the complainant, defendant 1 did not have the necessary equipment at the time of the facts authorization to proceed with the identification of his number plate. Defendant 1's safety consultant who was contacted by the complainant referred to the 6 authorization FO No. 18/2015 of May 28, 2015 to verify the number plate identification justify. However, this deliberation concerns the identification and punishment of violators of municipal regulations or ordinances and does not concern a fee or tax. This leads the complainant to the conclusion that both defendant 1 and defendant 2, during have relied on an incorrect authorization for a number of months to inform the holder of a identify number plate via the Service for Registration of Vehicles (DIV), thereby doing so the protection of his personal data would have been violated. The complainant poses the question what legal basis defendant 1 relies on for the period from 1 January 2020 to 1 September 2020 bases to request personal data concerning the holder of a license plate from defendant 2 for the identification of persons affected by the use of a vehicle, parking fee, tax or parking fee and on what legal basis the defendant 2 provided personal data to defendant 1 for that same period . 7 4. On January 18, 2021, the complaint will be declared admissible by the First Line Service on the basis of the articles 58 and 60 WOG and the complaint is settled on the basis of art. 62, §1 WOG transferred to the Litigation room. 5. On February 25, 2021, the Disputes Chamber will decide on the basis of art. 95, §1, 1° and art. 98 WOG that it file is ready for consideration on the merits and the parties involved are informed of the provisions as mentioned in article 95, §2, as well as of those in art. 98WOG. They also become on the basis of Art. 99 WOG of the deadlines to file their defences. The deadline for receipt of the statement of defense from the defendants was thereby extended recorded on 8 April 2021, those for the complainant's statement of reply on 29 April 2021 and these for the statement of defense of the defendants on 20 May 2021. 6. On February 26, 2021, the complainant electronically accepts all communication regarding the case, in accordance with Article 98 WOG. 7. On 15 March 2021, the complainant requests a copy of the file (art. 95, § 2, 3 ° WOG), which was given to him transferred on March 23, 2021. 6Deliberation on the granting of a general authorization to the Cities and Municipalities, the autonomous municipal companies and the Brussels Capital Parking Agency to receive by electronic means the personal data from the Registration Directorate of Vehicles (hereinafter the "DIV") for the identification and punishment of violators of municipal bylaws or ordinances (AF- MA-2014-068) 7See also Decision on the substance 81/2020 of 23 December 2020. Decision on the substance 105/2023 - 4/31 8. On 19 March 2021, defendant 2 requests a copy of the file (art. 95, §2, 3° WOG), which he was transferred on March 23, 2021. He also electronically accepts on April 7, 2021 all communication about the case, in accordance with Article 98 WOG. 9. On March 25, 2021, Defendant 1 electronically accepts all communications regarding the case and gives to know that you wish to make use of the opportunity to be heard, accordingly article 98 WOG, as well as a copy of the file (art. 95, §2, 3° WOG) is requested, which will be transferred on April 7, 2021. 10. On April 6, 2021, respondent 2 requests an extension of the submission deadlines, which the Litigation room will be allowed on April 7, 2021. The deadline for receipt of the statement of defense from the defendants was thereby extended recorded on 15 April 2021, this for the conclusion of the complainant's reply on 6 May 2021 and this for the statement of defense of the defendants on 27 May 2021. 11. On 15 April 2021, the Disputes Chamber will receive the statement of defense from Defendant 1. First, defendant 1 disputes the admissibility of the complaint and argues that the Data protection authority, but the Flemish supervisory committee is the competent authority is to judge the complaint. She also puts forward a number of procedural points that the rights of defense would have been violated. As to the substance of the matter defendant 1 that it is the legal successor of AGB Parko and could use it in that capacity making the deliberations of the Sectoral Committee for the Federal Government. It also adds that it has always acted in good faith. 12. On 15 April 2021, the Litigation Chamber will receive the statement of reply from Defendant 2 who also invokes the relevant deliberations of the Sectoral Committee for the Federal Government and the legal succession on the part of defendant 1 to decide that the data of the complainant in the DIV directory could be provided to defendant 1. 13. On 6 May 2021, the Disputes Chamber will receive the statement of reply from the complainant in which it explains that the authorization on the basis of which his personal data were processed in order to may proceed to levy a parking tax, is incorrect and there was no legal basis to do so to process his personal data for that purpose. 14. On 27 May 2021, the Disputes Chamber received the statement of reply from defendant 1 in which the defenses as put forward in the statement of defense are stated resumed, supplemented by pleas regarding additional allegations made by the complainant. 15. On 27 May 2021, the Disputes Chamber received the statement of reply from defendant 2 in which he again cites the defenses as in his statement of defense, with the Decision on the substance 105/2023 - 5/31 addition that he denies being a defendant in these proceedings and raises that the principles of good governance would have been violated. 16. On 8 July 2021, the parties are informed that the hearing will take place on 29 October 2021. 17. On October 29, 2021, the defendants will be heard by the Disputes Chamber. became the complainant duly summoned to participate in the hearing, but did not appear. 18. Following the hearing that took place, the Disputes Chamber requests on October 29, 2021 both defendants to take a position on the next one: How do the deliberations referred to in the documents of the case relate as well during the hearing turned to the GDPR? More specifically, after the entry into force of the GDPR there will be a sufficient legal basis for the City of Kortrijk to collect data on the basis of a deliberation questions to the DIV on the one hand, and for the FPS Mobility and Transport, Directorate General Road Transport and Traffic Safety to disclose data on the basis of a deliberation on the other hand, this in the light of article 6.1.ejuncto 6.3 GDPR (legal basis of public interest) and article 24 GDPR (accountability). The complainant will also be notified on the same date. 19. On 8 November 2021, the minutes of the hearing will be submitted to the parties. 20. On November 15, 2021, the Disputes Chamber will receive some comments from the defendant 1 with regard to the official report, which it decides to include in its deliberations. 21. On November 16, 2021, the Disputes Chamber received a number of comments from respondent 2 with regard to the official report, which it decides to include in its deliberations. 22. On November 16, 2021, defendant 2 will submit his argumentation to the Court's question as it was addressed at the hearing, as well as in the subsequent letter dated October 29, 2021. This is essentially limited to stating that they are federal public service on the grounds that the legislator is presumed to have higher legal standards such as did not want to violate EU law, and on the basis of the principle of legal certainty there may assume that the legal instruments provided by Belgian legislation and regulations be in compliance with the GDPR. It does not consider it its task or competence as FPS Mobility and Transport to question, defend or not apply those legal instruments. 23. On November 15, 2021, respondent 1 asks for clarification regarding the aforementioned question from the Litigation Chamber, as well as a postponement is requested to take a position. Decision on the substance 105/2023 - 6/31 24. On November 24, 2021, the Disputes Chamber will explain the scope of the question to defendant 1 and authorizes it to make its point of view known by 8 December 2021 at the latest. 25. On December 8, 2021, defendant 1 submits his argumentation to the disputes chamber asked question as it was offered during the hearing, as well as in subsequent letters dated October 29, 2021 and November 24, 2021. Respondent 1 indicates that it cannot meet the request of the Disputes Chamber to provide an answer for which the following reasons are given: incompatible with the rights of defence and general principles of good administration, not pertaining to a controller to ensure compliance with Belgian regulations on processing of personal data with the GDPR, and exceeding the saisine of the Litigation room. 26. The hearing on 29 October 2021 took place with three sitting members. Between the hearingsanddeliberationonthedecisionhasoneoftheseatinformedthemembers to withdraw from the case, with reference to Article 43 of the WOG. As a result and since theWOdoes not allow a decision by two members, this decision is taken by the chairman Hielke Hijmans, sitting alone (Article 33, §1, paragraph 3 WOG). 27. On March 4, 2022, the Disputes Chamber rules in its Decision on the merits 31/2022 as follows: “the Disputes Chamber of the Data Protection Authority decides, after deliberation, to op based on art. 100, §1, 9° WOG, to order the defendants that the processing is in accordance is brought with articles 5.1, a); 12.1. and 14.1 a) GDPR, as well as Articles 5.2 and 24 GDPR, and within a period of two months, and the Data Protection Authority about this within the same period.” 28. On April 4, 2022, the Litigation Chamber receives notification of a summons against the GBA to appear on April 27, 2022 before the Marktenhof. 29. The introductory hearing before the Market Court will take place on 27 April 2022, at which the conclusion deadlines for the parties are laid down both for the procedure to suspend the enforcement of the contested decision, as well as for the procedure on the merits. Alsobecomesthecase set for oral argument on 22 June 2022 for the stay proceedings and on 21 September 2022 for the proceedings on the merits. 30. On 27 July 2022, the Marktenhof will issue an interim judgment in which the defendant's request 1 to order the lifting of the provisional enforceability of the orders of the decision of the GBA of March 4, 2022 until the Market Court has ruled on the merits and to 8https://www.dataprotectionauthority.be/publications/tweenarrest-van-27-juli-2022-van-het-marketshof-ar-457.pdf Decision on the merits 105/2023 - 7/31 say rightly that any implementing measure that has already been taken will be immediately reversed to be made is declared unfounded. 31. On October 26, 2022, the Marktenhof will issue a judgment. The judgment mainly contains the following points for attention: • Annulment of decision on the merits no. 31/2022 of 4 March 2022 of the Litigation Chamber. • The Marktenhof states that there is a problem of legality and substantive motivation because the chairman of the Litigation Chamber after the decision to sit with three members in accordance with Article 43 RIO , has taken a new decision to single-handedly decide on the merits as a conflict of interest has arisen on the part of one of the sitting members established between the hearing and the deliberation on the decision. Furthermore, it states Marktenhof that the annulled decision is not in accordance with the principle of due care, the fair play principle, the duty to hear and the right to adversarial due to no time before the summary conclusion the defendants were notified that they had committed infringements of the obligation of transparency stipulated in Articles 5.1 a), 12.1 and 14.1 a) GDPR. 32. Following the judgment, the Litigation Chamber decides on 21 December 2022 to proceed to the resume the file with a view to making a new decision. The consideration that This is based on the fact that, notwithstanding the annulment of the aforementioned decision by the judgment of the Marktenhof, is still caught by the initial complaint submitted on November 5, 2020 as declared admissible on January 18, 2021. To this end, proceeded to reopen the debates and set new deadlines for conclusion, so that parties can take a position on: • the legal basis on which the City of Kortrijk adheres for the period from 1 January 2020 to 1 September 2020 bases personal data concerning the holder of a to request a number plate from the FPS Mobility and Transport for the identification of persons who, through the use of a vehicle, parking fee, tax or owe parking fees and on what legal basis the FPS Mobility and Transport 9The judgment is available on the website of the Data Protection Authority via the following link: https://www.dataprotectionauthority.be/publications/arrest-van-26-oktober-2022-van-het-marketshof-ar-457.pdf 10Art. 43 Rules of internal order: The files submitted to the litigation chamber are distributed by its chairman among the members of the litigation chamber. The member to whom the file has been assigned sits alone. The disputes chamber sits with three members if the chairman so decides. He makes that decision taking into account the nature of the complaint and the violation of the basic principles of the protection of personal data. However, the member to whom a file has been assigned may, taking into account the circumstances described in the previous paragraph, ask the chairman to sit with three members. The chairman provides support by appointing officials from the administration of the GBA who are part of it secretariat of the litigation chamber. Decision on the substance 105/2023 - 8/31 provided personal data to the City of Kortrijk for this purpose during the same period (art. 6 GDPR), and • to specify whether there is a sufficient legal basis after the entry into force of the GDPR for the City of Kortrijk is to request information from the DIV on the one hand, and for the FPS Mobility and Transport, Directorate-General for Road Transport and Road safety to disclose data on the basis of a consultation, on the other hand, this in light of article 6.1.e in conjunction with 6.3 GDPR (legal basis of public interest) and article 24 GDPR (accountability)), • and also how the complainant was informed about the identity of the controller and the legal basis in light of the principle of lawfulness, fairness and transparency ((articles 5. 1, a) GDPR , 12.1 GDPR and 14.1 a) and c) GDPR) and how the accountability obligation was fulfilled (art 5.2 GDPR and 24 GDPR). The parties are notified of the following deadlines for conclusion: • the deadline for the complainant's statement of reply is set at 24 January 2023; • the deadline for the statement of defense of the defendants is set at February 28, 2023; The date of the hearing is also set for March 22, 2023. 33. On January 24, 2023, the Disputes Chamber receives from the complainant the conclusion in which these are explains its position on the three points as included in the letter from the Litigation Chamber dated December 21, 2022. 34. On February 28, 2023, the Disputes Chamber receives the conclusion of defendant 1 from answer, as well as the answer of defendant 2 to the requested information. 35. On March 22, 2023, the parties, represented by their lawyers, will be heard by the Litigation room. 11 In this regard, see also Decision on the substance 81/2020 of 23 December 2020 12Article 5.1 a) GDPR. Personal data must: a) processed in a manner that is lawful, fair and transparent in relation to the data subject (“lawfulness, fairness and transparency”); […] 13 Article 12.1 GDPR. Decision on the substance 105/2023 - 9/31 36. On 5 April 2023, the minutes of the hearing will be submitted to the parties in accordance with Article 54 of the Internal Rules of Procedure. Both defendants deliver on 12 April 2023 the Litigation Chamber their comments regarding the official report, which they decides to include it in its deliberations. II. Motivation a) Competence of the Data Protection Authority 37. The Marktenhof, in its judgment of 26 October 2022, rejected decision on the merits no. 31/2022 of 4 March 2022 nullified on procedural grounds, but ruled in the same judgment that the plea invoked by the defendant1 in which the jurisdiction of the GBA is contested to monitor compliance with the GDPR by municipalities and only the Flemish supervisory committee for the processing of personal data is authorized to supervise the processing of personal data by Flemish municipalities and to handle complaints in that regard in accordance with Article 10/1, §1, and Article 10/7, §4, of the Decree of 18 July 2008 on the electronic administrative data traffic, fails by law. The complete destruction of the decision on the merits no. 31/2022, but at the same time the confirmation by the Market Court that the GBA, and therefore the Disputes Chamber, is indeed competent to take cognizance of a complaint about the processing of personal data by a Flemish municipality leads to the Disputes Chamber to resume its previous decision unchanged with regard to this part. 38. The defendants argue that the Data Protection Authority, including its bodies, including the Disputes Chamber, would be without jurisdiction in this case. The After all, the defendants argue that the Flemish Supervisory Commission is authorized to carry out supervision practice compliance with (constitutional) legal and other regulatory provisions personal data protection carried out by an authority as referred to in Article 10/1, §1 of the Decree of 18 July 2008 on electronic administrative data traffic (hereinafter: the “decree of 18 July 2008”) when this supervision is part of a state competence. 39. As already explained in its decision 15/2020 of 15 April 2020 15 , the Data Protection Authority (“DPA”) competent to handle this case. 14Cf. Article 10/1 of the Decree of 18 July 2008 “regarding electronic administrative data traffic”, as inserted by Article 20 of the Decree of 8 June 2018 “adapting the Decrees to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general data protection regulation)” (hereinafter the “GDPR Decree”). B.S. June 26, 2018. 15 https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-15-2020.pdf , §§ 32-35 and 66 and next one. See also Decision 23/2022, § 6, https://www.dataprotectionauthority.be/publications/zonder-gevolg-nr.-23- 2022.pdf Decision on the substance 105/2023 - 10/31 Regulatory Powers on Personal Data Protection 40. First of all, the Litigation Chamber emphasizes that the GDPR is a regulation that directly applicable in the Union and may not be transposed into national law by the Member States. Provisions from the GDPR may also not be specified in national regulations, except on the points where the AVG expressly makes this possible. The data protection has therefore in principle become a matter of European law. 16 41. The issuance of any regulatory provisions on personal data by the federal or state government must therefore take place within the framework that has been established by the GDPR. In this regard, the Litigation Chamber refers to article 22 of the Constitutional case law on this matter of the Constitutional Court, which states that the right to respect for the private life, as guaranteed in Article 22 of the Constitution (as well as in treaties), a wide scope and, inter alia, the protection of personal data and personal data information includes. 17 42. With regard to the right to respect for private life, Article 22 of the Constitution provides that: “Everyone has the right to respect for his private and family life, except in cases and under the conditions laid down by law. The law, decree or rule referred to in Article 134 shall ensure the protection of that right.” 43. Since article 22 of the Constitution dates from after the state reform of 1980, the The word “law” in that provision means a federal law. Restrictions on the by that rights guaranteed by a constitutional provision cannot, in principle, therefore be granted by a decree or a ordinance be established. This would mean that an interference in private life - including understood the processing of personal data – cannot result from decrees or 18 ordinances. 44. Since such an interpretation limits the powers of the Communities and Regions would erode, have, among others, the Constitutional Court and the Legislation Department of the Council of State held that imposing general restrictions is a matter for the federal legislature reserved matter. In that case, the sub-areas retain the possibility to, within their 16 See e.g. C. KUNER, L.A. BYGRAVE and C. DOCKSEY (eds.), The EU General Data Protection Regulation: A Commentary, Oxford University Press, 2020, 54-56. 17See e.g.GwH,no.29/2018,15March2018,B.11;no.104/2018,19July2018,B.21;no.153/2018,8November2018,B.9.1.See alsoA.ALEN and K. MUYLLE, Handbook of Belgian Constitutional Law, Kluwer 2011, p. 917 ff. 18A. ALEN and K. MUYLLE, Handbook of Belgian Constitutional Law, Mechelen, Kluwer, 2011, 91EYBROUCK and S. SOTTIAU, De federal powers, Antwerp, Intersentia, 2019, 122; ANDE LANOTTE, G. GOEDERTIE, Y. AECK, J. OOSSENS and T. DE PELSMAEKER , Belgian Public Law, Bruges, die Keure, 2015, 449. Decision on the merits 105/2023 - 11/31 powers, to provide specific restrictions, provided they are general federal 19 respect legislation in this regard. 45. In short, the Litigation Chamber finds that the federal government and the communities and the regions are empowered to issue general and specific rules respectively on the protection of private and family life and this only on the points where the AVG allows this and within the rules of the AVG that are directly applicable in the Belgian legal order. 20 Also where specific rules on the protection of personal data are set by the federal governments, within the space that the AVG allows for this, the general rules arising from federal legislation on personal data protection te are respected. Supervisory authorities in the context of personal data protection 46. The defendant refers to Article 57(1)(f) GDPR and Article 51(1) GDPR from which it follows that all member states determine which public authority will carry out the supervisory tasks and that it it is possible to designate more than one supervisory authority. 47. Following the GDPR, the law of 3 December 2017 establishing the Data Protection Authority (hereinafter: “WOG”) adopted. The GBA was thus established on the basis of Article 4, §1, first paragraph WOG. It is true that, as Article 4, § 1, second paragraph WOG expressly confirms, also the federal states themselves data protection authorities, as already indicated by the Council 22 van State in its advice no. 61.267/2/AV of 27 June 2017 (see below). In implementation of this article the Flemish legislator has established the Flemish Supervisory Commission (hereinafter: “VTC”) by Article 10/1 23 of the decree of 8 June 2018. 19 Arbitration Court, no. 50/2003, 30 April 2003, B.8.10; no. 51/2003, 30 April 2003, B.4.12.; no. 162/2004, 20 October 2004 and 16/2005, 19 January 2005;GwH,October 20, 2004,February 14, 2008;Adv. RvSnr.37.288/3of15July2004,Parl.St.Vl.Parl.2005-2006,nr.531/1: “[…] the Communities and the Regions [are] only competent […] to impose specific restrictions on the right to respect for to allow and regulate private life insofar as they adapt or supplement the federally determined basic standards, but […] they [are] not authorized … to affect those basic federal standards.” 20J. VAN PRAET, The latent state reform, Bruges, die Keure, 2011, 249-250. 21 B.S. January 10, 2018. 22Adv.RvS no. 61.267/2 of 27 June 2017 on the draft law 'reforming the Commission for the protection of privacy', rn.7.1-7.2.See also bv.Adv.RvS, no.66.033/1/AVof3June2019on a draft decision of the Flemish Government of 10 December 2010 "implementing the decree on private job placement, with regard to the introduction of a registration obligation for sports agents', 4; Adv.RvS., no. 66.277/1 of 2 July 2019 on a draft decision of the Flemish Government 'containing further rules for the processing, storage and probative value of electronic data on allowances under family policy', 6-7. 23B.S. 26 June 2018. Decision on the substance 105/2023 - 12/31 Supervisory powers of the supervisory authorities 48. In view of the competing powers set out above personal data protection, Article 141 of the Constitution instructs the legislator procedure to avoid conflicts of competence between legislative standards. 24 This task was entrusted to the legislation section of the Council of State. Regarding the powers of the aforementioned supervisory authorities refer to the Disputes Chamber to advice no. 61.267/2/AV of 27 June 2017 of the Legislation Division of the Council of State which was issued in response to the preliminary draft that led to the WOG. In this In its opinion, the Council discussed in detail the rules that divide competences with regard to the supervision of data protection. 25 49. In the preliminary draft referred to above, the Council of State stated that the federal government should have a supervisory authority with “general authority (…) over all processing of personal data, including those that take place in matters for which the Communities and the Regions are competent”. Such an arrangement is without prejudice to the competence of the Communities and Regions, […]”, said the Council of State. 27 Consequently, according to the Council of State, the regional supervisory authorities can only be empowered to monitor the specific rules they have issued for data processing in the context of activities that fall within their competence, and this of course only insofar as the GDPR still allows Member States to adopt specific provisions and the provisions of the WOG are not prejudiced. The Council confirms this van State stated its position in advice no. 37.288/3 of 15 July 2004, as cited in advice no. 61.267/2/AV of 27 June 2017, in which the Council of State considered the following about the competence of the Commission for the protection of privacy, the predecessor of the GBA: “The authors of the draft rightly assume that the legislature cannot detract to the powers of the Commission for the Protection of Privacy, established by the law of 8 December 1992. In implementation of the directive, the federal legislator has establish a supervisory body, which has general authority over all 24 Article 141 Constitution: “The law establishes the procedure to settle the conflicts between the law, the decree and the provisions referred to in Article 134, as well as between decrees and between the rules referred to in Article 134.” 25 Ibid., 8, p. 28-45. 26Ibid., 8, marg. 5, referring to Adv.RvS, no. 37.288/3 of 15 July 2004 on a preliminary draft decree 'concerning the health information system,” Parl.St. Vl. Parl. 2005-06, no. 531/1, 153 ff. 27 Ibid., 8, mar. 6. Decision on the substance 105/2023 - 13/31 processing of personal data, including those that take place in matters for which the communities and the regions are competent.” 28 50. In short, the GBA, as a federal supervisory authority, is the competent authority for supervision abide by the general rules, including the mandatory provisions of the GDPR that do not contain any further need national implementation. 29 This is also the case if the data processing relates has on a matter that falls under the competence of the communities or the regions and/or if the controller is a public authority that falls under the communities or the regions, such as a municipality, even if the federal state itself has one supervisory authority within the meaning of the GDPR. 51. In view of the above, the Disputes Chamber concludes that in order for a federal state supervisor would be competent, it is by no means sufficient that the data processing relates has on a federal state matter, in this case the matter of the additional traffic regulations. The federal state in question must also, within the space that the GDPR still leaves for the member states, have issued specific rules for the processing of personal data in the framework of that matter. It is only the supervision of compliance with those specific state rules that can be entrusted to the state supervisor. 52. The Litigation Chamber emphasizes that the notion of 'specific rules' should not be interpreted too broadly. the cited advice of the Council of State shows that the term 'specific rules' refers to specific restrictions or special guarantees, which deviate from or go beyond the general ones provisions, warranties and limitations contained in or arising from the GDPR or the federal law. In other words, the mere fact that the Länder (by decree or decree) Implementing or confirming a general rule does not mean that rule defines the character gets from a ‘specific rule’. There is only a specific rule when the Länder, using the space that the GDPR leaves for this, additional safeguards or restrictions Set up. 53. In addition, any limitations of an authority's powers for the data protection under the GDPR would only be possible if at the level of a state a supervisor would have been established that meets all the requirements under the European Treaties are assigned to the supervisor, which also includes all tasks and 28Adv. Stainless steel. no. 37.288/3 of 15 July 2004. 29 See also BV Adv.RvS, no. 66.033/1/AV of 3 June 2019 on a draft decision of the Flemish Government of 10 December 2010 'for the implementation of the decree on private job placement, with regard to the introduction of a registration obligation for sports agents', 5; Adv.RvS., no. 66.277/1 of 2 July 2019 on a draft decree of the Flemish Government 'containing the further rules for the processing, storage and probative value of the electronic data concerning the allowances in the framework of family policy', 7. Decision on the substance 105/2023 - 14/31 authority from the supervisory authority. In this connection, they refer in particular to the Articles 51 to 59 of the GDPR. 54. The Litigation Chamber notes that the disputed processing operations were carried out on the basis of three 30 general deliberations granted by the sectoral committee set up by the Commission for the Protection of Privacy (hereinafter: “CPP”). TheCBPL end sectoral committees were abolished by the law of 30 July 2018 on protection 31 of natural persons with regard to the processing of personal data. The authorizations and the relevant processing of personal data by the defendant in the within the framework of the relevant authorizations, namely the communication of data from the Crossroads database of the vehicles - in particular the registration plate - to the applicant controller in the context of its additional powers parking regulations, must therefore be checked against the new legal since 25 May 2018 framework, in particular the provisions of the GDPR. 55. Within the current legal framework, and in particular pursuant to Article 35/1 of the Law of 15 August 2012 on the creation and organization of a federal services integrator and the law 32 of September 5, 2018 establishing the Information Security Committee, it is Information Security Committee (hereinafter: “ICC”), in particular authorized to hold deliberations regarding certain communications of personal data, including the notice of data contained in the Crossroads Bank for Vehicles. Article 35/1, § 4, of the Federal Law Service Integrator specifies that “the deliberations of the Information Security Committee with reasons and [have] a general binding scope between the parties and towards third parties”. Based on the same article, the Data Protection Authority can deliberation of the Information Security Committee at all times, regardless of when it became granted, check against higher legal standards, such as the GDPR. Consequently, the Litigation Chamber authorized to assess whether the authorizations and the processing based on this are performed comply with the obligations as provided for in the GDPR. 56. In view of the above, the Disputes Chamber concludes that this case does not concern an assessment of a data processing by an authority in accordance with article 10/1, §1 of the decree of 18 July 2008 on electronic administrative data traffic to a specific rule issued by the state government within its state jurisdiction. As 30 Deliberation FO no. 02/2016 of 21 January 2016, Deliberation FO no. 14/2016 of 21 January 2016 and Deliberation FO no. 18/2015 of 28 May 2015. 31Article 280 Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. 32B.S. 28 August 2012. Decision on the substance 105/2023 - 15/31 the permissions in question have been shown to be general in nature and the testing against the GDPR of these authorizations together with the personal data processing carried out on the basis thereof have been carried out thus belong to the Disputes Chamber. b) Controllers 57. Respondent 2 believes that it can be deduced from the judgment of the Marktenhof of 26 October 2022 that the current decision can only concern defendant 1, because the Court is in the ruling part has ordered the re-examination of the complaint 'against the City of Kortrijk' (i.e. defendant1). Because the new procedure for the Disputes Chamber with the letter of December 21, 2022 to reopening the debates was addressed to both Defendant 1 and Defendant 2, casts Defendant 2 argues that the Disputes Chamber thus exceeds the order of the Market Court. 58. The Disputes Chamber refutes this by pointing out that the appeal before the Marktenhof against decision on the merits 31/2022 was brought by only defendant 1, with admittedly forced intervention of defendant 2 in order to make its views known and the to declare the judgment common to her without making any claims as to her subjective rights configure. It is therefore self-evident that the operative part of the judgment is only pronounces on "the story set by the City of Kortrijk" and "recommends the Disputes Chamber of the Data Protection Authority, composed differently, the complaint against the City of Kortrijk again with due observance of the considerations of the Marktenhof”. The Marktenhof can after all, refrain from ruling on any appeal lodged by the defendant2, this in the absence of an appeal filed by defendant 2. Moreover, the Marktenhof does not state at any point in the judgment that Defendant 2 has not acted as controller within the meaning of Article 4. 7) GDPR. However, it is the opposite case, since the judgment refers again and again to 'the City of Kortrijk and the FPS'. The decision should therefore be that pursuant to annulment of decision no. 31/2022 relating to both defendants and the statement in common with regard to defendant 2 of the judgment pursuant to the appeal lodged by defendant 1, the proceedings before the Litigation Chamber pursuant to the order of the Marktenhof relates to both defendants. 59. Although Defendant 2 continues to insist that it was not targeted by the complaint and that it was only addressed against defendant 1, the Disputes Chamber cannot follow that argumentation. After all, it is one factually given that defendant 1 has submitted the assessment notice regarding the parking tax – which is the actual reason for the complaint – could not have been directed to the complainant without it the provision by defendant2 to defendant1 of the identification data of the complainant The complainant therefore quite rightly raises the question on which legal basis defendant 1 relies period from January 1, 2020 to September 1, 2020 to process personal data concerning the holder of a license plate to be requested from defendant 2 for the identification of persons who are Decision on the substance 105/2023 - 16/31 due to the use of a vehicle, parking fee, tax or parking fee and on what legal basis defendant 2 for that same period to defendant 1 provided personal data. Not only had, according to the complainant, defendant 1 should not request personal data from defendant 2, but should have been defendant 2 not be allowed to provide personal data to defendant 1 at the moment that the latter is such request was addressed to defendant 2. In other words: the processing of the identification data of the complainant by the defendant 1 in order to send him a tax assessment notice regarding the parking, was not possible without prior provision by defendant 2 of this identification data to Defendant 1. Defendant 2 believes that its argumentation is supported can find in the request of the complainant to impose a sanction on defendant 1, but ignores the substantive account of the facts of the complainant, which unmistakably shows that Defendant 1 was unable to process the complainant's identification data until they were provided by the defendant 2. The decision should therefore also be that both the City of Kortrijk (respondent 1) if the FPS Mobility and Transport (defendant 2) must be regarded as defendants. c) Rights of defense and principles of good administration Prior 60. The Marktenhof states in its judgment that both in the conclusions and during the hearing of the Litigation Chamber's debate has been limited to the question of the legal basis stipulated in Article 6.1 GDPR and that the Dispute Chamber, if this was its reading of the complainant's conclusion, Defendant 1 and Defendant 2 should have been informed in writing of the fact that they were by that terms were also accused of violations of Articles 5.1 a), 12.1 and 14.1 a) GDPR in order to respect the principle of due care, the fair play principle, the duty to hear and the right to to respect contradiction. Having regard to the complete annulment of the decision on the merits 31/2022, the Disputes Chamber also resumes its considerations regarding the rights of defense and principles of good administration prior to the decision on the merits 31/2022 were raised with the addition of its new recitals after the resumption of the dossier and the conclusions received in the context of the reopening of the debates, as well as her considerations on the legal basis, supplemented by its considerations on the transparency duty. The complaint 61. Defendant 1 asserts that the rights of defense would have been violated because it did not it would be clear against which complaint it should defend itself. Defendant 1 maintains that there are three complaints would have been submitted by the complainant and refers to the documents submitted by the complainant were transferred on 10 August 2020, 5 November 2020 and 7 December 2020. Substantive decision 105/2023 - 17/31 62. In this regard, the Disputes Chamber notes that the complainant has tried for the first time to file his complaint to be filed on August 10, 2020, but since the complaint only contains the last page of the complaint form – which only concerned the date of the complaint, the signature as well as the name and contains the complainant's first name – did the complainant submit the full complaint form on 5 November 2020. Subsequently, documents were provided by the complainant on 6 December 2020 substantiation of his complaint filed on November 5, 2020. Contrary to what Defendant 1 states, the complainant has thus lodged a single complaint, namely that which was lodged on complete manner dated November 5, 2020. This complaint was therefore enclosed with the letter sent on 25 February 2021 was communicated to the parties to establish the calendar of conclusions and with the request to file defenses. It is only after the complaint became complete submitted and the complainant has provided the necessary supporting documents that the complaint has been accepted by the First-line service could be declared admissible, as was done. In addition, has Defendant 1 received a copy of the file, making all elements available to him had to defend himself. 63. Respondent 1 argues in the statement of 28 February 2023 that both the letter dated 21 December 2022 of the Disputes Chamber with questions to the parties and to reopen the debates, if the subsequent conclusion of the complainant which, according to defendant 1, would be additional allegations are inadmissible due to an unauthorized extension of the powers of the Litigation room. Defendant 2 also argues that the question asked by the Disputes Chamber whether there after the entry into force of the GDPR is a sufficient legal basis to be based on a deliberation to disclose data, in light of article 6.1 e) in conjunction with 6.3 GDPR and article 24 AVG, is not part of the complainant's complaint. 64. The Disputes Chamber points out that the judgment of the Marktenhof of 26 October 2022 expressly determines the following: “After all, it cannot be deduced from those very brief terms that the complainant is Stad Kortrijk and accused the FPS of violations of the duty of transparency set out in Articles 5.1 a, 12.1 and 14.1 a GDPR. In any case, these articles from the GDPR are not mentioned there and the Litigation Chamber, if this was her reading of the complainant's conclusion, City of Kortrijk and the FPS must inform them in writing of the fact that they have been accused of that wording violations of those relevant articles of law.” 65. Well, in the reading of the Litigation Chamber - of the complaint and the conclusion of the complainant - the complainant that he remained completely in the dark about the legal basis on which the processing of the personal data concerning him is based. Since it totally it is unclear to the complainant on what legal basis the defendants are personal data process, it follows ipso facto that regarding that legal basis and the identity of the controller, in particular defendant1 who invokes legal succession, also Decision on the merits 105/2023 - 18/31 the required transparency is lacking. Since the defendants are in their submissions prior to the decision on the merits no. 31/2022 have invoked the existence of deliberations as a legal basis coupled with the principle of legal succession on the basis of defendant 1, the Disputes Chamber has therefore logically asked whether a deliberation may be a sufficient legal basis in light of the GDPR. 66. In view of the above quote from the judgment of the Marktenhof and the fact that the Marktenhof the Disputes Chamber orders that the complaint be re-examined, with due observance of the considerations of the Market Court, the Disputes Chamber complied with the judgment by submit the three questions as included in the letter of 21 December 2022 to the parties to take a position on this. In no way does the Litigation Chamber go to her jurisdiction, contrary to what the defendants try to claim. The three questions are precisely set up very precisely to within the contours of the present complaint to find out the legal basis stipulated in the GDPR, as well as to determine the extent to which the defendants are involved provide transparency regarding that legal basis and the identity of the controller. 67. Respondent 1 still maintains in its statement of 28 February 2023 that it is from several non- coordinated complaint forms, e-mails and letters should deduce which infringements her would be charged factually and legally, this in order to attempt to make the complaint inadmissible declared, or at least rejected as unfounded. The Disputes Chamber points this out that the complaint was submitted by a citizen for whom it is not a requirement that the complaint indicates legal provisions which, according to the complainant, have been infringed. It is 33 however, from subsequent proceedings and documents, including the decision on the merits 31/2022 and the letter of 21 December 2022, it is absolutely clear what the defendants are against should defend. That the defendants, including defendant 1, do indeed have a have a full understanding of the possible infringements that they are charged with also emerges from the detailed explanation of the defendants regarding the merits of the complaint. 68. The Disputes Chamber adds that it complies with the judgment of the Court on all points Marktenhof of October 26, 2022 by making the current decision in a different composition than those in the decision on the merits 31/2022 taken on March 4, 2022. In this regard, defendant 1 must reserve all rights with regard to the letter of 21 December 2022 addressed by the Litigation Chamber to the parties to which they have been informed of the new composition of the seat of which Mr. Hielke Hijmans, who as sole chairman of the Litigation Chamber took the decision on the merits 31/2022, did not participate 33Marktenhof judgment 2022/AR/292 Decision on the merits 105/2023 - 19/31 matters. The fact that the aforementioned letter was signed by Mr. Hielke Hijmans brings Defendant 1 undertakes to reserve all rights in this respect. 69. The Disputes Chamber emphasizes that the chairperson of the Disputes Chamber by acting in this way act, has merely implemented Article 43 of the Rules of Procedure. It is after all, the chairman of the Litigation Chamber who decides on the distribution of the files among the members of the Disputes Chamber and it is he who decides that the Disputes Chamber will sit with three members. This decision of the chairman of the Litigation Chamber is strictly necessary for the composition of the seat and, as such, to comply with the order of the Markenhof to re-examine the other composition of the complaint, which then happened and this like imposed without any intervention by Mr. Hielke Hijmans. Decision on admissibility and decision on readiness for treatment on the merits 70. Respondent 1 argues that the 'alleged' decision of the First Line Service, according to her, does not contains clarification of the facts or the alleged infringements. Defendant 1 also believes in the letter of the Disputes Chamber dated February 25, 2021, it is not possible to deduce which the alleged infringements, nor what the possible sanctions would be. Defendant 1 adds that it it is unknown to her that there is still no actual decision of the Frontline Service, as well as that it was not notified of any decision of the Dispute Chamber regarding readiness preliminary treatment on the merits. This leads defendant 1 to the conclusion that the rights of defense have been violated, as well as the principles of good administration. 71. The Disputes Chamber clarifies that the decision of the First Line Service to admissibility of the complaint is included in an e-mail addressed to the Disputes Chamber and the relevant e-mail forms an integral part of the administrative file. As a result, the Disputes Chamber has the procedure for treatment has commenced on the merits. The Litigation Chamber brings the parties (both complainant, as defendants) in a single letter informed of both the admissibility of the complaint in accordance with Article 61 WOG – this provision sensu stricto requires that only the complainant be notified is made of the admissibility of his complaint –, as the commencement of the procedure grounds containing all information in accordance with Article 98 WOG in conjunction with Article 95, §2 WOG. 72. With regard to the decision on admissibility, as well as the decision that the file is ready is for consideration on the merits, the Disputes Chamber therefore refers to the e-mail dated 25 February 2021 with the letter and accompanying documents attached thereto, in which the parties be expressly informed of the fact that the complaint will be lodged by the First-line service was declared admissible and the Disputes Chamber decided that the file is ready for treatment. This means that the letter with conclusion calendar as as such shall serve as notice to the parties, both of the decision on admissibility and regarding readiness for treatment on the merits, so that both article 61 WOG and article 98 WOG in conjunction with Article 95, § 2 were respected. Decision on the substance 105/2023 - 20/31 Insofar as defendant 1 raises that neither the decision of the First Line Service regarding admissibility, nor the decision of the Disputes Chamber regarding readiness for indicate the grounds on which the treatment is based on, the Litigation Chamber must do so to point out that the aforementioned decisions on the one hand of the Primary Service, and on the other hand of the Litigation Chamber are not final decisions, but merely decisions that precede the final decision of the Litigation Chamber. The decision on admissibility of the complaint is one decision taken by the First Line Service based on the submitted documents checked whether Article 58(1) 34and Article 60(2) 35 WOG have been complied with. The letter with conclusioncalendarcontainsallinformationprescribedbyArticle 98WOGeis precise directed to based on the defenses filed by the parties, respecting the rights of defence, to motivate the decision of the Litigation Chamber. The current decision must be justified as such. 73. Respondent 1 also argues that it is unknown to her why the Disputes Chamber does not have decided to follow up on the complaint in a different way. The Disputes Chamber emphasizes that there is there is in no way a negative obligation to state reasons, so that it is not obliged to do so explain why it would not have used the other options provided for article 95, §1 WOG. d) Legal basis for transparency obligation 74. The complainant asks what legal basis defendant 1 relies on for the period from 1 January 2020 until September 1, 2020 to process personal data concerning the holder of a number plate request from defendant 2 for identification of persons affected by the use owe a parking fee, tax or parking fee for a vehicle and on what legal basis the defendant 2 has provided personal data to the defendant 1 for that same period provided. 34Article 58. Anyone can submit a complaint or request to the Data Protection Authority in writing, dated and signed. […] 35Article 60. […] A complaint is admissible when: -it is drawn up in one of the national languages; - contains a statement of the facts and the necessary indications for the identification of the processing to which it relates; -it falls within the competence of the Data Protection Authority. […] Decision on the substance 105/2023 - 21/31 Deliberation and legal succession 75. Defendant 1 invokes deliberation FO no. 02/2016 of 21 January 2016, as well as 36 deliberation FO no. 18/2015 of 28 May 2015 37to state that they already have their own access to the DIV directory for the identification of persons who, through the use of a vehicle parking tax. 76. As defendant 1 itself points out, the beneficiaries of deliberation FO no. 02/2016 are the private concession holders of the Flemish cities and municipalities, as well as the municipal ones independent agencies. As an autonomous municipal company, AGB Parko is an external company independent agency from defendant 1, and AGB Parko was in that capacity on 5 May 2015joineddeliberationFOnr.17/2010,whichwasreplacedbydeliberationFO no. 02/2016, but in which deliberation FO no. 17/2010 is maintained with regard to the validity of the approved individual commitments, including those of AGB Parko. This means that AGB Parko is a beneficiary of deliberation FO No. 02/2016 and is thus authorized to collect identification data on behalf of the Vehicle Registration Department (DIV). received from the holders of a registered vehicle who owe a fee or tax. Defendant 1 herself could not join this authorization, as she does not fall under the category of possible beneficiaries of that particular deliberation. 77. Defendant 1, on the other hand, is a beneficiary of deliberation FO No. 18/2015, but this concerns the authorization to obtain personal data for the identification and punishment of violators of municipal bylaws or ordinances within the framework of the law of 24 June 2013 on municipal administrative sanctions. This means that defendant1 can obtain data from the DIV on the basis of this deliberation, but limited to imposing municipal administrative sanctions and therefore not for levying of a parking tax, as in the present case. 78. Based on these elements, the Litigation Chamber finds that the defendant1 is trying to demonstrate that they at the time of the facts that are the subject of the complaint about an authorization to had access to the DIV directory for the identification of persons, in this case the complainant, who due to the use of a vehicle, you owe a parking fee, tax or parking fee on the one hand to rely on a deliberation of which defendant 1 is not himself the beneficiary (Deliberation FO no. 02/2016) and on the other hand a deliberation of which defendant 1 admittedly 36Deliberation concerning the one-off authorization and amendment, for what the private concessionaires of the Flemish cities and municipalities and the Flemish municipal autonomous agencies, of the deliberation FO no. 17/2010 of 21 October 2010 37 Deliberation on the granting of a general authorization to the Cities and Municipalities, the autonomous municipal companies and the Brussels-Capital Parking Agency to receive the personal data from the Management by electronic means Registration of Vehicles (hdern"DIV") for the identifiers and the punishment of offender of municipal rules or regulations Decision on the substance 105/2023 - 22/31 beneficiary, but does not authorize him to obtain data for the levying a parking tax (Deliberation FO no. 18/2015). 79. Such argumentation in which defendant 1 combines the two aforementioned deliberations to then proceeding to assert that it was authorized to disclose the identification data of the request the complainant from DIV in order to be able to pay the parking tax owed to him however, cannot be accepted, as explained below. 80. To the extent that defendant 1 argues that in view of the dissolution and liquidation of AGB Parko with effect from 1 January 2020 and its incorporation into the city services, from that moment the rights and obligations, including those as determined in deliberation FO no. 02/2016, has taken over as the legal successor of AGB Parko, the Disputes Chamber set on the basis of article 244, §3 of the decree of 22 December 2017 on the local 38 Board that Defendant 1 was by operation of law the legal successor of AGB Parko, as confirmed in the decision of the municipal council of the defendant 1. 39 81. With regard to legal succession, defendant 1 refers to Opinion no. 14/2004 and the Commission recommendation no. 03/2015 40 for the protection of privacy in which the principle is assumed that the legal successor does not apply for a new authorisation subject to the purpose for which the legal successor uses the relevant personal data processed, remains unchanged and can thus use the authorization as it was granted to his legal predecessor. 82. However, the Litigation Chamber should note that in recommendation no. 03/2015, as a condition for take-over of the existing authorization by the legal successor - so without a new one must apply for authorization - it has been included that the relevant sectoral committee must be able to assess whether the applicant who wishes to continue using the existing authorization is indeed the legal successor. In addition, the sectoral committee should be able to assess whether the the legal successor offers sufficient guarantees in the field of security. Defendant 1 refers to this 38Art. 244, § 3. The rights and obligations of the dissolved autonomous municipal company are taken over by the municipality. 39Opinion No. 14/2004 of 25 November 2004 on the request for an opinion from the Chairman of the Board of Directors of the Federal Public Service Personnel and Organization with regard to the Royal Decree of 29 January 1991 by which certain employees of the Ministry of the Interior and Public Service access to the National Register of the natural persons and authorization to use the identification number of that register are granted: can this be done royally decision suffices as a legal basis to assign the Directorate-General e-HR of the Federal Public Service Personnel and Organization have access to the information data of the National Register of Natural Persons and the National Register number to be used for the fulfillment of the tasks related to the implementation of Royal Decree No. 141 of December 1982 establishing a database on public sector employees. 40 Recommendation no. 03/2015 of 25 February 2015 on the procedure to be followed with regard to authorisations, by both the sectoral committees, the regional service integrators and the regional administrations in the context of the subsequent transfers of competence of the Sixth State Reform. Decision on the substance 105/2023 - 23/31 itself to Deliberation FO no. 31/2015 of 10 December 2015 41 in which reference is made to Opinion No. 14/2004, but fails to demonstrate that such notification of legal succession is happened, so that there is no assessment of the aforementioned conditions occurred. However, these conditions are also expressly included in recommendation no. 42 03/2015 , but were not respected by defendant 1 who has no legal succession reported and has also failed to demonstrate that it offers the necessary safety guarantees as regards the deliberation FO no. 02/2016. It follows that Defendant 1 is therefore not validly sued can rely on deliberation FO no. 02/2016 to obtain data from defendant 2 with with a view to levying a parking tax at the expense of the complainant. 83. Regarding Opinion No. 14/2004 and Recommendation No. 03/2015, the Litigation Chamber states that this although they are not directly legally enforceable, they should be tested against the current legal context, which means that it must be verified whether the requirements stipulated by the GDPR are complied with, in particular in view of the obligation of transparency (articles 5. 1, 43 44 45 a) AVG , 12.1 AVG and 14.1 a) AVG ) which requires that the data subject personal data are processed in a transparent manner. 84. It appears from the factual elements of the file that it was completely unclear to the complainant that Defendant 1 has requested his data from Defendant 2 solely as being the legal successor of AGB Parko, since Defendant 1 has not provided any form of transparency in this regard, which meant that it was therefore not possible for the complainant to make a simple claim accessible and understandable form of the processing of the data concerning him 41 Deliberation FO no. 31/2015 of 10 December 2015 regarding the application of the Flemish Tax Authorities (“VLABEL”) to be legal successor of the Department of Finance and Budget of the Flemish government to be able to use the authorization that was granted by deliberation FO Nos. 39/2013 and 40/2013 of December 12, 2013: “The investigation of the committee can therefore be limited to verifying whether the applicant is the legal successor of the Finance Department and Budget of the Flemish government, specifically with regard to the purposes/tasks that were the subject of deliberations FO Nos. 39/2013 and 40/2013. In addition, the Committee also examines whether the applicant offers sufficient guarantees in terms of the data security.” 42“In the context of a transfer of competence, it is important to specify which body takes over the competence, or with the transfer the same purposes or only part of them, as well as providing information regarding security.” 43 Article 5.1 a) GDPR. Personal data must: a) processed in a manner that is lawful, fair and transparent in relation to the data subject ('lawfulness, fairness and transparency”); […] 44 Article 12.1. AVG. The controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 information referred to and the communication referred to in Articles 15 to 22 and Article 34 in relation to the processing in a in a concise, transparent, intelligible and easily accessible form and in clear and plain language, in particular when the information is specifically intended for a child. The information shall be in writing or by other means, including, if appropriate, by electronic means, provided. If requested by the data subject, the information may be communicated orally, provided that the identity of the data subject is proven by other means. 45 Article 14.1. AVG. Where personal data have not been obtained from the data subject, the controller shall provide the data subject the following information: a) the identity and contact details of the controller and, where applicable, of the representative of the controller; […] Decision on the substance 105/2023 - 24/31 personal data by the defendant 1. In view of the total lack of providing the necessary transparency with regard to Defendant 1, Defendant 2 also did not have the correct one information, so that the latter therefore also stated to the complainant on 15 February 2021 that the communication by defendant 2 of the data of the complainant to defendant 1 took place pursuant to deliberation 18/2015 on municipal administrative sanctions and that defendant 1 at the time of the levying of the parking tax in respect of the complainant about none legal basis for parking management. The Disputes Chamber decides on the basis of the above that defendant 1 at the time of the facts infringed Article 5. 1, a) GDPR, article 12.1 AVG and article 14.1 a) AVG committed because the complainant was not informed on the one hand the legal succession of AGB Parko by defendant 1, as a result of which the latter has the has acquired the status of controller with regard to the data processing as described in deliberation FO no. 02/2016, and on the other hand the resulting ensuing data processing on the part of the defendant 1. Deliberation and GDPR 47 85. Since the GDPR has become applicable, each controller has to comply with all principles included. More specifically, a controller to rely on one of the six legal bases listed in Article 6 of the GDPR. In the public sector, the legal basis of Article 6.1.c) (processing is necessary to comply with a legal obligation on the controller rest) or Article 6.1.e) (processing is necessary for the fulfillment of a task of public interest or of a task in the context of the exercise of the public authority vested in the controller). In such cases, the processing must be based on a legal provision that meets the requirements of Article 6.3 GDPR. 86. The deliberations relied on by the defendants were granted by the Sectoral Committee of the Federal Government, which has ceased to exist pursuant to Article 109 WOG. This takes although it does not alter the fact that, in accordance with Article 111 WOG, it remains possible to join the aforementioned general authorisations, provided that the person requesting accession submits a written and signed declaration of commitment in which he confirms that he agrees to the terms of the relevant deliberation, to the Information Security Committee, being the body which was established by the legislature to provide deliberations regarding the exchange of personal data or the use of the National Register number. 46See below under marginal nos. 87 ff. 47 The GDPR has been applicable since 25 May 2018 (article 99.2 GDPR). Decision on the substance 105/2023 - 25/31 a) With regard to Defendant 1 87. Defendant 1 has yet, albeit late - i.e. after the facts that are the subject of the complaint –, affiliated with deliberation FO No. 14/2016 of 21 January 2016, as a result of which it defendant 2 can obtain notification of personal data included in the DIV- directory for the identification of the complainant with a view to levying the parking tax. 88. Not only did entry to deliberation FO No. 14/2016 only take place on 28 August 2020, so well after Defendant 1 has requested the details of the complainant from Defendant 2 and also has gotten. Defendant 1 believes that it can claim that in the context of this accession agreement concluded on September 1, 2020 between defendant 1 and defendant 2, in which is provide that it takes effect retroactively on 1 January 2020, is fully legally valid and relies on deliberation FO no. 02/2016 in its capacity as legal successor stating that the Accession Agreement, upon deliberation FO No. 14/2016, merely constitutes a legal confirmation of a factual situation, since since 1 January 2020 it has been regarded as legal successor believes that it can derive rights from deliberation FO no. 02/2016, of which it claims that it is almost identical to deliberation FO No. 14/2016. 89. The Disputes Chamber can only establish that at the time of the facts, defendant 1 nor op based on legal succession (see above, marginals 52 - 61), nor on the basis of deliberation FO no. 14/2016 in the absence of timely accession thereto, was authorized to file with defendant 2nd request personal data of the complainant with a view to his identification in the context of a parking tax. The retroactive effect of the accession agreement is thereby complete irrelevant. With regard to the Accession Agreement, it should be noted that, in contrary to what defendant 1 states, can indeed be done by the Disputes Chamber assessed to the extent that it has an impact on the data processing of third parties that are not a party to that agreement, including in this case the complainant. It is certain that at the time of the facts that occurred on 28 May 2020, it was completely unclear to the complainant the defendant 1 would still conclude an accession agreement on 1 September 2020 in the future during deliberation FO no. 14/2016, as a result of which the complainant did not have access at the time of the facts about the information to which he is entitled in accordance with Articles 5.1, a), 12.1 and 14.1 a) GDPR. The Disputes Chamber also notes that deliberation FO no. 14/2016 as such itself also already requires that the persons involved, including the complainant, serve clearly in all cases to be informed of the name of the controller, in this case defendant 1, the purpose of the processing, the origin of the data collected and the existence of it right to access and correct the data. The deliberation adds that a 48Deliberation regarding the one-time authorization to grant municipalities access to the directory of the DIV for the identification of persons liable to pay a parking fee, tax or parking fee due to the use of a vehicle - Revision of the deliberation FO n° 05/2015 of 19 March 2015 Decision on the substance 105/2023 - 26/31 clear provision of information is also particularly important in situations where it less reasonable expectations of the data subjects that his/her personal data processed.It is undeniable from the facts that the complainant did not have this information as a result of which he also had no knowledge of the legal basis on which the processing of his personal data would be based. As already mentioned with regard to the legal basis (see marginal 85) answers national regulations on deliberations, together read with the deliberations themselves, meet the requirements of Article 6.3 GDPR and must therefore be regarded as a specific regulation within the meaning of Article 6.2 GDPR, but this does not count that, at the time of the facts, defendant 1 was not involved in deliberation FO no. 14/2016, which means that defendant 1 was not a beneficiary of this deliberation and could not be a basis for requesting the data of the complainant from defendant 2. Also here is there therefore an infringement of Article 5 at the time of the facts. 1, a) GDPR, Article 6, Article 12.1 GDPR and Article 14.1 a) GDPR. 90. In addition, a controller, in this case Defendant 1, cannot suffice with it to have an authorization and to proceed solely on the basis of the relevant deliberation of the assumption that you have the right to the personal data recorded in that authorisation After all, the controller has been there since the GDPR became applicable obliged to comply with the obligations imposed on him therein and thus the deliberation of which he wishes to test against the higher legal standard in order to verify whether the concerning deliberation permitted communication of personal data is in accordance with the GDPR. In this sense, the Chamber of the Federal Government of the Information Security Committee has also op August 28, 2020 Defendant 1 expressly pointed out that her accession to deliberation FO No. 14/2016 does not release it from its obligations to comply with the GDPR. 91. However, it appears from the defense of Defendant 1 that she has completely changed her method of data processing has aligned itself with the relevant deliberations by being as set out in its conclusion relied entirely on the opinion of defendant 2 regarding the application of the three deliberations 49 on which it relies. For example, Defendant 1 indicates that both before and after the collapse of AGB Parko in the city services has inquired with defendant 2 whether there additional formalities had to be fulfilled. The Litigation Chamber finds that the defendant 49 Deliberation FO no. 02/2016 of 21 January 2016 concerning the one-off authorization and amendment, as far as the private concessionaires of the Flemish cities and municipalities and the Flemish municipal autonomous agencies, of the deliberation FO no. 17/2010 of 21 October 2010 Deliberation FO no. 18/2015 of 28 May 2015 on the granting of a general authorization to the Cities and Municipalities, the autonomous municipal companies and the Brussels-Capital Parking Agency to process the personal data electronically received from the Directorate of Registration of Vehicles (the "DIV") for the identifiers and the penalty of violators of municipal regulations or ordinances Deliberation FO no. 14/2016 containing the one-time authorization to grant municipalities access to the directory of the DIV for the identification of persons who owe a parking fee, tax or parking fee due to the use of a vehicle are - Revision of the deliberation FO n° 05/2015 of 19 March 2015 Decision on the substance 105/2023 - 27/31 1 did indeed address defendant 2 on 2 December 2019. Respondent 1 states that it takes up the parking policy itself again and already has an agreement with the Crossroads Bank Vehicles in function of an identification of holders of a license plate that cities and municipalities, … owe a parking fee, tax or money, citing to deliberation FOnr. 18/2015 – as according to defendant 1 – revised by deliberation FOnr. 14/2016. In this respect, the Disputes Chamber must also establish that defendant 1 wrongly establishes a connection between, on the one hand, deliberation on FO no. 18/2015 and that of municipal administrative sanctions and to which it has acceded, and, on the other hand, deliberation FO No. 14/2016 which concerns parking fees, taxes and fees and of which they do not have the beneficiary. Respondent 1 therefore misrepresents the facts by stating that deliberation FO no. 18/2015 would have been revised by deliberation FO no. 14/2016. Defendant 2 then fails to notice this and states that defendant 1 should not take any further action. On 26 June 2020 Defendant 2 confirms again that Defendant 1 has access to the directory of the DIV, without specifying, however, on what deliberation that access is based. 92. Defendant 1 hides behind the fact that, despite two previous confirmations because of defendant 2, did not have the correct authorization to consult the DIV- directory for penalizing infringements of the urban fee regulations regarding parking, but that the absence of the authorization in question is based on a misunderstanding. She adds admitted that the city could and should rely on the correctness of the message issued by DIV in which 50 it was confirmed in writing that the required authorization from the city was in order . 93. It is only at the moment that Defendant 2 deems it appropriate that Defendant 1 joins deliberation FO no. 14/2016 that defendant 1 actually does this, however for quite some time after the facts presented by the complainant have occurred. 94. Defendant1 then also tries to shift its own responsibility onto the Sectoral Committee for the Federal Government and FPS Policy Support. Respondent 1 thus claims that the Sectoral Committee for the Federal Government has given the impression that it was as a city joined deliberation FO No. 17/2010 – as later revised by deliberation FO No. 02/2016 – by naming the city as a beneficiary in the approval of the declaration of commitment during the deliberation of FO no. 17/2010, as well as because the FPS Policy and Support Defendant 1 would have been listed in the list of beneficiaries on its website. 95. However, this argument is by no means convincing, since the possible beneficiaries of deliberation FO nr.17/2010 – later deliberation FO nr.02/2016 – in no case the municipality itself can be, but only the private concessionaires and municipal privatized 50Decision of the Board of Mayor and Aldermen dated 22 February 2021 regarding the objection regarding tax on the parking, as submitted by the complainant. Decision on the substance 105/2023 - 28/31 agencies. The entry to which respondent 1 refers is: “Parko AGB/Stad Kortrijk”, where the mention of the name of the cities only gives an indication of the actual value beneficiary, in particular AGBParko, is active. Defendant1 cannot possibly deduce from this that she herself beneficiary with regard to this deliberation, given the clear in the deliberation defined target group of possible beneficiaries, which do not include municipalities. 96. It follows from all of the above elements that the Disputes Chamber has found an infringement of the Articles 5.2 and 24 GDPR in respect of defendant 1 must be determined at the time the facts occurred. b) In relation to Defendant 1 and Defendant 2 97. A controller is obliged to comply with data protection principles and must be able to demonstrate compliance with these principles (accountability - article 5.2 GDPR). Defendant 1 is a data controller in relation to the personal data which they request and obtain from defendant2. Respondent2is also a controller with regard to the personal data it provides to Defendant 1. Although Defendant 2 denies that he is the Defendant because the complaint would only are directed against Defendant 1, there is no doubt whatsoever about the fact that the Complainant not only against Defendant 1, but also against Defendant 2 because of the finding that the complainant expressly states that his privacy was violated because both defendant 1, and Defendant 2 used an incorrect authorization as the basis to identify him to the on the basis of his license plate via the DIV directory for which defendant 2 de controller. There can be no doubt that the complainant does not act alone against Defendant 1, but also against Defendant 2, since the identification of the holder of the number plate is only possible if defendant 2 provides the necessary personal data for this purpose to the defendant 1. In other words: the identification of the complainant on the basis of his number plate is only possible if defendant 1 requests the identification data from Defendant 2 and Defendant 2 subsequently also provide the Defendant with identification data 1. Without the provision by defendant 2 of the identification data concerning the complainant to Defendant 1 was simply an identification of the complainant based on his number plate not been possible. It is therefore in this sense that the complainant, as evidenced by the documents of the file, turns several times to defendant 2. The complaint particularly concerns identification on the basis of the number plate of the vehicle registered in the name of the complainant therefore undeniably directed against both Defendant 1 and Defendant 2. 98. Both defendants base their claims on the actions performed by each of them data processing (defendant 1 with regard to the processing of the requested and data obtained from defendant 2; defendant 2 with regard to the provision of the data to the defendant 1) on Article 6.1 e) GDPR. Article 6.1 GDPR which is the concretization of the Substantive Decision 105/2023 - 29/31 lawfulness principle, as referred to in Article 5.1a) GDPR, prescribes that all processing must be are based on a legal basis. This means that before starting the processing activities the controller must determine which of the six legal bases applies and for what specific purpose. It appears from the file not that the complainant was informed of the legal basis on which the defendants relied currently appealed in the proceedings before the Disputes Chamber, in particular the necessity of the processing for the ‘performance of a task in the public interest’ (article 6.1 e) GDPR). This legal basis is only invoked after the facts and therefore after the processing of the personal data has taken place. Consequently, the defendants have the personal data of the complainant is processed against its expectations and thus without any information being provided by the defendants prior to data processing. The Disputes Chamber notes this Please note that this provision of information does not only concern the legal basis (article 14.1 c) GDPR), but all information as stipulated in Article 14.1 GDPR in order to comply with the transparency principle (Article 5.1 a) GDPR) to fulfill. 99. Both defendants simply relied on the deliberations granted by the Sectoral Committee for the Federal Government without any review against the requirements of the GDPR requirements since its entry into force. 100. Based on the factual elements of the file, it appears that neither Defendant 1 nor Defendant 2 has complied with its accountability in relation to the principle of legality, fairness and transparency, which the Disputes Chamber decides that at the time of the facts became an infringement of Articles 5.2 and 24 GDPR on the part of both defendants committed. 101. With regard to the above-mentioned infringements of the legal basis, the obligation of transparency and the accountability, the Litigation Chamber takes into account the circumstances invoked by defendant 1, where it is decisive that the current privacy statement of Defendant 1 contains a full list of authorizations under which Defendant 1 may consult personal data at defendant 2, with particular access to deliberation FO no. 14/2016. In the meantime, the invoices for collecting parking fees have been paid supplemented and now also contain information about the processing of personal data. Defendant 1 has thus shown that he pays the necessary attention to provision of information, in particular regarding the legal basis and the identity of the controller, with the defendant 1 making every effort to obtain similar 51In accordance with Article 13(1)(c) and/or Article 14(1)(dc), the controller must notify the person concerned. Decision on the substance 105/2023 - 30/31 prevent future breaches of the GDPR. This is therefore decisive for the sanction that the Disputes Chamber imposes in this decision. 102. Defendant 2 also refers to its privacy statement, which contains information about the legal bases and identity of the controller. Notwithstanding the defendant2 the complainant had informed by e-mail of 15 February 2021 that at the time of the facts there were no protocol agreement in accordance with article 20 of the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data and defendant 1 was also not a beneficiary of deliberation FO no. 14/2016, which means that was also not a legal basis, respondent 2 now dismisses this as 'legally incorrect'. Defendant 2 remains, Just like Defendant 1, Defendant 2 defends this by operation of law at the time of the facts had taken over all rights and obligations of AGB Parko. Given the position of the Litigation Chamber in this regard, as set out in this decision, cannot be this reasoning followed. However, in the current context in which the situation has been clarified between Defendant 1 and defendant 2 to prevent similar facts from happening again, the Disputes Chamber also holds take this into account when determining the sanction to be imposed by it. III. Publication of the decision 103. Considering the importance of transparency with regard to the decision-making of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. It is however, it is not necessary for the complainant's identification data to be obtained directly disclosed, however, stating the identification data of the defendants having regard to the public interest of this decision, on the one hand, and the inevitable re-identification of the defendants in case of pseudonymisation, on the other hand. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to op pursuant to Article 100, §1, 5° WOG, to order a disqualification for the violation of Article 5.1, a), Article 5.2, Article 6, Article 12.1, Article 14.1 a) and 24 GDPR. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the Data Protection Authority as defendant. Decision on the substance 105/2023 - 31/31 Such an appeal may be lodged by means of an inter partes petition that the conditions referred to in Article 52 1034ter of the Judicial Code . The petition in contradiction must be submitted to the Registry of the Market Court in accordance with Article 1034quinquies of the Ger.W. , or via the e-Deposit computer system of the Ministry of Justice (article 32ter of the Ger.W.). (get). Dirk Van der Kelen Acting Chairman of the Litigation Chamber 52 The petition states under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer. 53 The petition with its appendix, in as many copies as there are parties involved, is sent by registered letter to the clerk of the court or deposited with the clerk of the court.