APD/GBA (Belgium) - 110/2023
Revision as of 12:36, 6 September 2023
| APD/GBA - 110/2023 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(2) GDPR; Article 13 GDPR; Article 37(1)(a) GDPR; Article 37(7) GDPR; Article 39(1) GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | 15.06.2018 |
| Decided: | 09.08.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 110/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA declared itself incompetent for facts which fully took place before the entry into force of the GDPR. The DPA also concluded that 120 hours for a DPO responsible for a whole municipality and two schools is wholly inadequate, breaching Article 39(1).
English Summary
Facts
On 15 June 2018, a complaint was brought jointly by two data subjects, employed at a municipal school as teachers, against the municipal authority which acted as the governing body of the school.
The complaint concerned two alleged infringements of the GDPR:
- The publication of a series of Board reports on the school's online platform on 23 November 2017. The reports contained incriminating statements made against the first data subject.
- The publication of the results of a student survey concerning the second data subject. This survey was published on the school's platform on 22 January 2018.
Both the reports and the survey were removed from the online platform before the data subjects had filed the complaint. The reports were taken down on 9 May 2018, and the survey was removed on the same day as its publication (22 January 2018).
On 4 July 2018, the complaint was declared admissible by the Belgian DPA and a formal investigation of the matter was commenced on 11 October 2019.
Holding
The DPA issued a technical dismissal of the original complaint, as the processing (the publishing and removing of the reports and survey) took place prior to the GDPR's entry into force on 25 May 2018.
However, the DPA found several violations outside of the scope of the complaint. The DPA found violations of Articles 5(2), 13(1)(a), 37(1)(a), 37(7), and 39 GDPR.
First, the DPA addressed the functioning of the DPO. The available time (120 hours per year) to fulfil the DPO tasks (covering all activities of the municipality and another school) is wholly inadequate. Nor was the DPO systematically involved in the operations of the school and municipality. The DPA found a breach of Article 39(1) and ordered the controller to draw up an action plan within 3 months to comply with the GDPR.
The controller also failed to publish the contact details of the DPO and to register the DPO with the DPA, which breached Article 37(7). Designating a DPO is mandatory for the controller under Article 37(1)(a), as it is a public authority.
On top of that, the DPA found that no register of data breaches is being kept as required by Article 33(5). The controller stated that "no data breaches had taken place since the last one which was registered". Because the DPA cannot verify whether another data breach took place or not, the DPA found a breach of the accountability principle of Article 5(2).
The DPA also examined the information obligation. The DPA concluded that the controller did not adequately provide information, and the information that was provided was chaotic and confusing. Thus the controller acted in breach of Article 13(1)(a).
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/21 Litigation room Decision on the substance 110/2023 of August 9, 2023 File number : DOS-2018-03496 Subject: Complaint against a municipal secondary school because of the publication of disciplinary reports on the one hand and a student inquiry on the other The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Frank De Smet and Christophe Boeraeve, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; . has taken the following decision regarding: . . The complainants: Mr. X1, hereinafter referred to as “the first complainant”; Ms. X2 hereinafter referred to as “the second complainant”; . . both represented by Mr. Stijn BUTENAERTS, with offices in Leopold . II-laan 180, 1080 Brussels; The defendant: The Municipality of Y, represented by its Board of Mayors and Aldermen, hereinafter referred to as “the defendant”; represented by Mr. Alain BOUTEILLA mr. Stephanie NGAY-KATALAY, Decision on the substance 110/2021 - 2/21 I. Factual Procedure 1. The defendant is a municipality that acts as the organizing body of the school concerned in the present file. In some cases, the documents in the file specifically stated the municipal school as an entity, without being specifically identified as a part of the defendant as a municipality. 
As an educational institution, the school has a number of autonomous ones decision-making powers, which are important during the course of the facts giving rise to it gave to this procedure. In those cases, where the educational institution on file as separate entity occurs or is referred to, it is referred to as “school of the defendant”. I.1. The complaint 2. On 15 June 2018, the complainants jointly lodge a complaint with the Data Protection Authority against the defendant. Both complainants are at the time of the facts described in the complaint employed at the defendant's school. 3. The object of the complaint concerns two alleged infringements of the provisions of the GDPR, which would involve personal data of the complainants: - The first alleged infringement concerns the publication on Smartschool of a series of Board reports, including two reports from the Board of Mayor and Aldermen dated 12 February 2015 and 30 March 2015 concerning the first complainant, in connection with a incident that led to his temporary suspension. The reports contain incriminating statements from two teachers and a student regarding the named first complainer. At a later stage, an appeal body would decide on temporary suspension have destroyed. However, the document containing this decision was not published on Smart school. - The second alleged infringement concerns the publication of a student survey concerning the second complainant at Smartschool. The student survey was completed by 48 students and was created on December 15, 2017. The publication of the student survey took place on January 22, 2018. 4. Prior to this complaint, the complainants exercised their rights through a lawyer by to turn to the defendant, and more specifically the defendant's school concerned, per registered letter of 8 May 2018. The complainants formulated their grievances in this regard to the facts set forth above. 
The complainants also requested that the reports of the first alleged infringement relating to the first complainant within 5 working days would be removed injury. Decision on the substance 110/2021 - 3/21 5. The defendant's school replied to this registered letter on 22 May 2018. It stated that the Board of Mayor and Aldermen took note of the letter from the complainants, and subsequently decided to reserve all rights and without any detrimental acknowledgment to remove Smartschool's reports (with regard to the first alleged infringement). 6. The complainants did not consider this answer to be sufficient and subsequently proceeded to submit a complaint to the GBA. In parallel with this complaint procedure, the complainants wrote on September 5, 2018 again a letter to the defendant asking in particular a number of additional questions. They first asked whether the then director of the school was obliged by the organizing body power to put the reports of the college of mayors and aldermen and on Smartschool. Secondly, the complainants refer to the defendant's regulations, where in the context of the openness of the board a written request has been made before the right of inspection (in particular to the reports on disciplinary law) can be exercised. The inspection would according to these regulations, can also be refused when the protection of the personal privacy of a person involved in the conduct. 7. The defendant replied to this letter on 18 September 2018 by stating that there was no order was given to place the lecture reports on Smartschool. The college reports would only serve as an “internal” working document to the principals of the municipal schools provided for notice. 8. The complainants finally wrote a final letter to the defendant on 15 October 2018. 
In here they argue that it appears from the letter of 18 September 2018 by the defendant that the lecture reports are sent directly to the principals of all municipal schools, even if the report has no relevance whatsoever for a municipal school. Cover bearings emphasize that college reports could contain sensitive information (in this case the disciplinary proceedings concerning the first complainant), and would therefore be protected under the privacy legislation and the rules on open government. The complainants then ask to the defendant how the facts – linked to the two alleged infringements in the complaint to the GBA – compatible with those last two. Finally, they also ask what the reason is for the to (systematically) transfer lecture reports that concern one school to all municipal schools. 9. On 4 July 2018, the complaint was declared admissible by the Data Protection Authority on pursuant to Articles 58 and 60 WOG. Subsequently, the complaint pursuant to art. 62, §1 WOG transferred by the First Line Service to the Disputes Chamber. I.2. The Inspectorate's investigation 10. On 14 November 2018, the Disputes Chamber will decide on the basis of Articles 63, 2° and 94, 1° WOG to request an investigation from the Inspectorate. Decision on the substance 110/2021 - 4/21 11. On November 21, 2018, in accordance with art.96, §1 WOG, the request of the Disputes Chamber to conduct an investigation submitted to the Inspection Service, together with the complaint and the inventory of the items. 12. Prior to the Inspection Report, questions were asked by the Inspection Service of the GBA to both the complainant and the defendant. 13. On October 11, 2019, the investigation will be completed by the Inspectorate, the report will be attached to the file and the file is transferred by the Inspector General to the Chairman of the Litigation Chamber (art. 91, §1 and §2 WOG). The report first contains findings with regard to the subject of the complaint (within scope). 
The Inspectorate supports the position of the defendant that the GDPR is impossible may apply to the first incident, as the facts predate 25 May 2018. 14. The report also contains findings that go beyond the subject of the complaint. The In general, the Inspectorate determines the following matters. 15. First, with regard to the obligation to document incidents in Article 33(5) GDPR and the risk-based approach in accordance with Article 32 GDPR, the Inspection Service examined the manner of handling of both incidents by the defendant. This is how the defendant replies the question from the Inspectorate whether incidents have been registered in the meantime, that there are “none incidents have been more”. The Inspectorate states that this is not an answer to the question and that it cannot therefore be concluded that the school and/or the municipality involved have meanwhile have initiated an incident registration as required by Article 33(5) GDPR 16. Secondly, with regard to the investigation of incidents within the meaning of Article 33(5) GDPR, the Inspectorate states that appropriate investigation is necessary in the interests of those involved. The The Inspectorate, however, states that it has no indications that the incidents were proper were investigated. 17. Thirdly, with regard to the reporting obligation to the supervisory authority within the meaning of Article 33 GDPR, the Inspection Service states that the incidents were not reported to the Data Protection Authority. 18. Fourth, with regard to the obligation to provide information within the meaning of Article 13 (specific paragraph 1 point a) The AVG first suggests to the Inspectorate that the municipality acts as the controller identifies in its communication to the GBA. The Inspectorate states that there is no consistent reference to one data controller and one point of contact (for example, for the position of data protection officer). 
Now the defendant for data protection law aspects appeals to an “external e-gov support center” (this is the company Z ) and the references to the defendant and this support not always clear were displayed, according to the Inspectorate, this leads to a breach of the information obligation. Decision on the substance 110/2021 - 5/21 19. Fifth, with regard to the designation of a data protection officer (“DPO”) and the disclosure of his contact details within the meaning of Article 37, paragraph respectively 1, point a) and Article 37, paragraph 7 GDPR, the Inspection Service states as follows: In the privacy statement of the Defendant's school was referred to a privacy email address of the Defendant (de municipality), without a specific clarification as to which person or service it concerns. The The Inspectorate did find out that the position of DPO is performed by the external e-mail gov support to which the defendant is affiliated. 20. Sixth, with regard to the registration of the DPO with the DPA within the meaning of Article 37(7) AVG informs the Inspection Service that no DPO has been registered for the defendant. 21. Seventh, in relation to the tasks performed by the DPO within the meaning of Article 39(1) GDPR the defendant had submitted a number of documents to the Inspectorate. The inspection report states: “The Inspection Service has no indication whatsoever that the aforementioned employee of [the external e-gov support] performs the tasks provided for in Article 39 1. b), d) and e) GDPR (tasks of supervising compliance with the GDPR, cooperation with the GBA, acting as contact point for the GBA). . . In no correspondence between the [defendant] . . . and GBA was indicated as a single contact with the DPO. If the DPO has already been appointed, the Inspectorate determines that at least the tasks under Article 39.1 d) and e) were not completed by the DPO.” 1 22. 
Eighth, with regard to accountability, documentation, and record keeping of and the investigation of incidents within the meaning of Articles 5(2) and 33(5) GDPR has In its investigation, the Inspectorate can first determine that the ICT manager of the municipality was informed about the two incidents. In this regard, the Inspectorate: “However, it cannot be proven when this happened and in what way, there according to the [defendant] the notification was made orally . . .” In addition, the defendant could not explain agreements with regard to the Inspectorate regarding timely reporting and further following up (or “handling”) incidents that affect personal data protection. Until finally, there is also no “no evidence of registration, investigation and follow-up of the incidents that have occurred the director, ICT manager and/or DPO were reported”, according to the Inspectorate. 1 Inspection report, page 12. 2Inspection report, p. 13. Decision on the substance 110/2021 - 6/21 I.3. The conclusions of the parties 23. On 14 October 2019, the Inspectorate's investigation report will be finalized and the file submitted to the Disputes Chamber. The Disputes Chamber will decide on 12 November 2019 on the basis of art. 95, §1, 1° and art. 98 WOG that the file is ready for consideration on the merits. The Disputes Chamber decides to divide the file on the basis of the report of the Inspectorate in two separate cases: 1. On the one hand, the Disputes Chamber will make a substantive decision with regard to the object of the complaint; 2. On the other hand, the Disputes Chamber will take a decision on the merits in response to the findings made by the Inspectorate outside the scope of the complaint. 24. On November 13, 2019, the parties involved will be notified by registered mail of the provisions as stated in article 95, §2, as well as of those in art. 98 WOG. also become they pursuant to art. 99 WOG of the deadlines to file their defences serve. 
With regard to the findings relating to the subject matter of the complaint, the ultimate date for receipt of the defendant's statement of defense set at 13 December 2019, those for the complainant's reply of 31 December 2019 and at finally these for the statement of defense of the defendant on 17 January 2020. With regard to the findings that go beyond the object of the complaint, the ultimate date for receipt of the defendant's statement of defense set at 17 January 2020. 25. On December 16, 2019, the Disputes Chamber will receive the statement of defense from the defendant as regards the findings relating to the subject-matter of the complaint. 26. The defendant argues, first, as regards the facts, that it is only aware of the former incident. According to the defendant, it was never informed about the second incident (except for the notification of the complaint and start of the investigation by the GBA). The resources cited of the defendant are: • The incidents fall outside the scope of the GDPR as they are both took place before the date of entry into force (25 May 2018). The complaint is related on facts prior to May 25, 2018; so these facts will have to be examined in light of the privacy law. Therefore, no administrative fine can be imposed for this according to the defendant; • The defendant also explains the circumstances surrounding both incidents, as well its presumed (legal) qualification. Decision on the substance 110/2021 - 7/21 • In conclusion, the defendant states that if the GBA were of the opinion that the complaint was well founded it requests the favor of the suspension on the basis of Article 100, § 1, 3° WOG. 27. On 30 November 2019, the Litigation Chamber receives the statement of reply from the complainants, in which with regard to the findings relating to the subject of the complaint alone means is concluded regarding the applicable law. 
The complaining party argues hereby that the GDPR applies to all pertinent facts, and that the defendant does not makes it plausible that there are legitimate purposes for which the publications on Smartschool are used account for both incidents. In addition, the complaining party points to, among other things, the lack of rectification of the elements relating to the disciplinary procedure (the first incident), the missing pseudonymization measures, as well as the consequences of the events and the according to them, damage suffered as a result (according to the complainants, “intangible or reputational damage”). Finally the complainants also ask for compensation and the imposition of “the necessary administrative fines and sanctions”. 28. On 17 January 2020, the Litigation Chamber will receive the conclusion of the reply from the defendant for with regard to the findings relating to the subject of the complaint: • Respondent reiterates with regard to applicable legislation that the GDPR does not apply may be based on the facts that took place before 25 May 2018. The facts fall under it scope of the privacy law; • With regard to the first and second incident, the defendant raises the same arguments as set out in its Opinion of 16 December 2019; • With regard to the authority of the GBA to award compensation, the Respondent reserves all rights and without any prejudicial acknowledgment in this because it is not up to the GBA to rule on civil (or criminal) liability of the defendant. 29. On the same date, the Disputes Chamber also receives the statement of reply from the defendant with regard to the findings of the Inspectorate outside the scope of the complaint. The the defendant first of all states in general terms that it can be qualified as a controller for a variety of "public services", including the provision of education. The defendant states that privacy and personal data protection are a “priority” subject forms for her. 
With regard to the specific findings of the Inspectorate, the defendant the following: • With regard to the registration of the incidents (documentation obligation Article 33, paragraph 5 GDPR and risk-based approach Article 32 GDPR) and the obligation to report to the GBA (Article 33 GDPR): the defendant points out that she was only confronted with one incident on 15 October 2019, regarding hacking an email box. According to the defendant, this incident was 110/2021 - 8/21 immediately registered in the incident register and within the statutory period to the GBA reported. A solution was also found and the passwords of all involved users as well as the passwords of the servers were changed. • Regarding the investigation of incidents (Article 33, paragraph 5 GDPR): the defendant states that she documents all personal data breaches in accordance with Article 33 (5) GDPR. The defendant states that she uses an incident register and that she reports incidents informs the GBA in a detailed manner. The defendant states: “This shows that the defendant has implemented an effective procedure that enables it to quickly detect incidents and respond in the event of a data breach.” In addition, the the defendant have also developed an information security plant, grafted onto the activities of the school concerned. • With regard to the obligation to provide information regarding the name and address of the controller (Article 13(1)(a) GDPR): the defendant acknowledges in her concluded that “the original privacy statement was not clear and incomplete”. The The defendant states that it has made the necessary adjustments – in consultation with the court external e-gov support point that also provides the DPO – so that the privacy statement can also be improved being reached. The website of the defendant's school states, according to the defendant, from now on clearly designate the municipal administration as the controller. 
• With regard to the findings regarding the data protection officer: In In 2015, the defendant approved the award to the e-gov support centre. The award states the assignment for appointing a service provider for the preparation of a risk analysis with regard to information security. As for the tasks and functions of the DPO for (the relevant school of) the defendant, the latter refers to by way of illustration the advice and presentations prepared and submitted by the e-gov support centre. • Regarding the accountability / Documentation obligation / Registration and investigation of incidents (Article 5(2) and 33(5) GDPR): the defendant refers to the previous one argumentation regarding this finding. The Defendant also adds the extracts from the register of processing activities in accordance with Article 30 GDPR. • In conclusion, the defendant states that it has taken numerous actions and important ones has mobilized financial and technical resources to meet the increased duties of the to comply with GDPR. The defendant argues that if the GBA were of the opinion that the defendant does not adequately comply with the obligations of the AVG, albeit in any case the requests favor of the suspension and this on the basis of Article 100, § 1 3° GDPR. Decision on the substance 110/2021 - 9/21 I.4. The hearing before the Litigation Chamber 29. On April 21, 2023, the Disputes Chamber decides ex officio to organize a hearing in the present file. This on the basis of Article 52 of the Rules of Internal Order of the Data Protection Authority. 30. The hearing will take place on 6 June 2023. At the hearing, the two complainants will be in person present, as is their lawyer. For the defendant, the two lawyers of the defendant are present, the DPO of the defendant (from the external gov support center), as well as the current director of the defendant's school in question. 31. At the hearing, the complaining party again explains the grievances. 
The complaining party points it out lack of apologies and rectifications. 32. Subsequently, the defendant's lawyer further explains the claims. The lawyer offers I hereby apologize on behalf of his client. 33. The members of the Litigation Chamber then address a number of questions to the defendant. Here light the DPO of the defendant admits, among other things, that a pool of privacy experts from the support center is offered, and that the support center also includes an information security cell. The DPO also states that for the performance of the tasks there is mainly contact with an IT employee of the defendant, and that 120 scheduled hours per year are offered for all activities of the defendant. However, it is emphasized that a number of aspects – for example knowledge aspects related to municipal privacy statements and the writing–happen at “group level”. In addition, the DPO admits no direct contact has taken place with the municipal council itself for DPO-related activities, and that it is the practice in the case of the Respondent to act as DPO directly to the IT report employee. II. Motivation II.1. The qualification of the defendant as a controller 34. Throughout the proceedings, the defendant identified herself as controller, and is also always in that capacity regarding the facts addressed (including by the Inspection Service). This also applies to all processing activities which runs the school.However, this does not mean that it is absolutely clear that the defendant as the municipality is in any case the controller in all cases that the municipal school. Decision on the substance 110/2021 - 10/21 35. In accordance with the law (specifically the Article 4(7) of the GDPR), and to established 3 4 case law of the Court of Justice ,should be assessed factually or a certain actor (this can be a natural or legal person, but also a public authority, a agency or other body) the purposes and means of the processing of personal data determines. 
The European Data Protection Board (“EDPB”) has clarified this that the factual control of this actor over the personal data processing is possible, among other things be derived from a legal provision, but also from a factual influence that the actor has on the 5 processing activity(ies). 36. With regard to the facts that fall within the scope of the complaint, it appears that the director of the school of the defendant itself - whether or not after consultation within the school and with instructions that were limited to employees of the school – has decided to provide certain documents containing these person was delivered by the defendant, of his own accord at the Smartschool- platform. The principal of the defendant's school acted in that sense without instruction to publish the documents on the part of the defendant. More so, implicitly had the director can deduce from the contents of the documents that the defendant documents would rather not be published on Smartschool. 37. None of this in any way implies that the Respondent may not have any processing responsibility about the facts that occurred within the scope of the complaint. Article 4(7) of after all, the GDPR stipulates that the purpose and means can be used alone or together with others be established. This could also be the case if the director does not have an explicit mandate had to publish the documents and acted on its own initiative, as did the EDPB confirmed: “Accordingly, an organization can still be controller even if it does not make all the decisions about the ends and the means.” After all, the fact that a organization if the defendant did not give general or concrete instructions to protect the integrity of the to guarantee the documents it supplied, (part of) the place responsibility for processing on the defendant. 38. 
Hic et nunc, however, it is not appropriate to define the exact roles and responsibilities in this to analyze and determine, now that the Disputes Chamber will proceed to a dismissal of the 3 CJEU Judgment of 10 July 2018, Tietosuojavaltuutettu et Jehovan todistajat – uskonnollinen yhdyskunta, C-25/17, ECLI:EU:C:2018:55;CJEUJudgementof13May2014,GoogleSpainSLt.AgenciaEspañola deproteccióndeDatos(AEPD) and Others,C-131/12, ECLI:EU:C:2014:317, in particular par.34;CJEUJudgementof5June2018,UnabhängigesLandeszentrumfürDatenschutzSchleswig- Holstein v Wirtschaftsakademie Schleswig-HolsteinGmbH, C-210/16, ECLI: EU:C:2017:796, in particular para. 35. 4 L. A. BYGRAVE & L. TOSONI, “Article 4(7). Controller” in The EU General Data Protection Regulation. A Commentary, Oxford University Press, 2020, 14. 5 EDPB, Guidance 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021 (version 2.0), available in Dutch at: https://edpb.europa.eu/system/files/2022- 02/eppb_guidelines_202007_controllerprocessor_final_en.pdf, par. 25 et seq. 6EDPB, Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021 (version 2.0), available in Dutch at: https://edpb.europa.eu/system/files/2022- 02/eppb_guidelines_202007_controllerprocessor_final_en.pdf, par. 31. Substantive decision 110/2021 - 11/21 elements within the scope of the complaint. However, outside the scope of the complaint there are determinations made by the Inspectorate that expressly relate to the the defendant as controller.For that reasonthere is no doubt that the defendant acts as controller for those elements, including for activities related to her school. II.2. With regard to the findings within the scope of the complaint 39. 
Based on the elements in the file known to the Litigation Chamber, and on the basis of the powers assigned to it by the legislator pursuant to Article 100, §1 WOG, the Litigation Chamber decides on the further follow-up of the file; in this case, the Litigation Chamber proceeds to dismiss part of the complaint in accordance with Article 100, §1, 5° WOG, on the basis of the following justification.

40. In the event of a dismissal, the Litigation Chamber must successively investigate and substantiate:
- whether there is insufficient prospect of a conviction, in which case a technical dismissal follows;
- whether a conviction would be technically feasible but, on grounds of general interest, (further) follow-up is undesirable, in which case a policy dismissal follows.
Where there is more than one ground for dismissal, the grounds (technical dismissal and policy dismissal respectively) are to be dealt with in that order of importance.

41. In the present case, the Litigation Chamber considers it technically impossible to follow up on certain elements of the file that are based on the complaint, and decides to proceed to a technical dismissal on the grounds set out below.

42. Based on the findings of the Inspectorate's investigation in this case (cf. appendix), it appears that the Litigation Chamber has no jurisdiction ratione temporis, since the facts and the grievances put forward in the complaint show that the complaint relates to processing operations that started before 25 May 2018 (the date on which the GDPR became applicable) and that also ended before that date.

43. It is true that the complaint was initially declared admissible by the GBA's First Line Service, and that an investigation by the Inspectorate subsequently also took place with regard to the facts. This does not alter the fact that the Litigation Chamber has consistently ruled that it is not competent to act in respect of acts that took place exclusively before 25 May 2018.

44.
In order for the Litigation Chamber to be competent, the GDPR must apply to the processing operations that are the subject of the complaint. Under Article 4(2) GDPR, "processing" of personal data means: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".

45. The processing operations in this case and their timing can be summarised as follows:
- The first incident: a publication of personal data on Smartschool on 23 November 2017 at 10:58 am. It concerns the publication of a series of college reports, including two reports dated 12 February 2015 and 30 March 2015 that concern the first complainant. The report of 12 February 2015 concerns information about the disciplinary investigation initiated against the first complainant and contains incriminating statements. Following the complainant's request to remove the reports, they were removed from Smartschool on 9 May 2018;
- The second incident: a publication on Smartschool of a student survey dated 15 December 2017 (date of publication: 22 January 2018). The second complainant noticed the publication that same day and immediately sent an e-mail to the then director. It is apparent from communication between the Inspectorate and the complainants that the published student survey was removed that same day.

46. The Litigation Chamber establishes that the aforementioned processing took place before the GDPR became applicable on 25 May 2018.[7]
In addition, the Inspectorate found that the processing of personal data related to both incidents no longer took place after the GDPR became applicable on 25 May 2018. After all, the publications were removed from Smartschool on 9 May 2018 and 22 January 2018 respectively. On the basis of the inspection report and the documents, the Litigation Chamber cannot establish that any processing relating to the subject of this complaint took place after 25 May 2018.[8]

47. In view of the foregoing, the Litigation Chamber proceeds to a technical dismissal, as a result of which no further action can be taken on this complaint, since no infringement of the GDPR can be established. For the sake of completeness, the Litigation Chamber notes that awarding damages does not fall within its powers.

[7] See Article 99 GDPR.
[8] See point 3.1.1.4 of the Litigation Chamber's Dismissal Policy, published on its website on 16 June 2021 (https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-19-2020.pdf).

II.3. With regard to the findings outside the scope of the complaint

48. Notwithstanding the technical dismissal with regard to the subject matter of the complaint, the Litigation Chamber considers the findings of the Inspectorate outside the scope of the complaint.

49. After all, it cannot be ruled out that a complaint gives rise to a more integral and substantial review by the Inspectorate, as the Marktenhof has also confirmed.[9]

50.
In this context, the Litigation Chamber acknowledges, in a positive sense, the cooperation of the defendant throughout the procedure before the Data Protection Authority, whereby the defendant constructively acknowledges, on the one hand, that certain errors occurred in the past or that certain aspects (for example with regard to the privacy policy and the privacy statement) were not fully compliant with the law and, on the other hand, indicates how it has adjusted this or will adjust it for the future. Reference is made here, among other things, to the registration and investigation of incidents (see also infra).

51. Nevertheless, the Litigation Chamber notes in general that a number of elements in the file point to a structural lack of attention and resources for data protection safeguards. Although an external e-gov support centre provides the necessary expertise (drawing on pools of experts) for the performance of the DPO-related tasks and provides an external DPO, the time and (personnel) resources available to perform those tasks properly are too limited.

II.3.1. The designation of the DPO and the performance of the DPO's tasks provided for by law (Article 37 and Article 39 GDPR)

II.3.1.1. With regard to the designation of a data protection officer in accordance with Article 37 GDPR

52. In its report, the Inspectorate pointed out a number of ambiguities regarding the identity of the DPO:
- The complainants' lawyer stated that no data protection officer had been appointed;
- Article 4.2.6 of the school regulations stated that the municipal council has an additional consultant who acts as information security consultant and data protection officer; after 2 June 2019 this provision was deleted from the regulations, without clarification as to why this deletion was necessary;
- Reference was also made to an employee of Z who was said to have been designated as DPO. According to its website, Z provides "objective advice" through its DPOs.
According to the Inspectorate, a number of ambiguities remained regarding the appointment of an employee of the external e-gov support centre as DPO:
- No appointment decision of the Board of Mayor and Aldermen was provided, so that the GBA cannot verify from what date the defendant gave an assignment to Z, whether this assignment is temporary, and which tasks were or were not included in the services;
- No registration code was provided for the registration of the DPO;
- The GBA received no further information about the competences of the aforementioned employee of the e-gov support centre, as required by Article 37(5) GDPR;
- Under Article 37(3) GDPR, a single DPO may be designated for several public authorities or bodies. The GDPR does require that the controller take the "organisational structure and size" into account. The question is whether, in this concrete case, the DPO of a municipality with 15,000 to 20,000 inhabitants can also function sufficiently independently and competently as DPO of both municipal schools and of the municipal council. The processing takes place in the context of a comprehensive school with 3,000 to 4,000 students that extends beyond the municipality, which may have consequences for the handling of incidents and the more efficient use of resources, including those of the teachers;

[9] "Companies ... however, should be aware that one particular incident ... may lead to an integral inspection and substantial control of a company or organization's GDPR compliance, which in turn can lead to sanctions due to non-compliance with certain GDPR obligations that were not initially the trigger of the inspection." Cf. judgment of 14 June 2023, Brussels Court of Appeal (Chamber 19A, Marktenhof section), no. 2023/4583, 29-30.

53.
With regard to the appointment of the DPO, the defendant refers to the award contract for the e-gov support (piece 5 of the defendant's bundle of documents). Piece 6 of the defendant concretely proves the appointment of a DPO for the defendant, as approved at a meeting of its City Council of 25 November 2019. Document 7 shows that the defendant filed an application with the Flemish supervisory committee for electronic administrative data traffic (hereinafter "VTC") for the approval of a female employee of the e-gov support centre as security consultant.

54. The Litigation Chamber refers to Article 37(1)(a) GDPR, which states that controllers are obliged to designate a data protection officer where the processing is carried out by a public authority or body,[10] which is the case here. From the documents submitted by the defendant it can be deduced that the defendant had not appointed a DPO before 25 November 2019. Since the obligation to appoint a DPO has existed since the GDPR became applicable (25 May 2018), it is not acceptable that the defendant only appointed a DPO more than a year later.

55. Regarding the publication of the DPO's contact details and the communication of those contact details to the supervisory authority, the Litigation Chamber notes that at the time of the Inspectorate's investigation no evidence whatsoever of a registration of the DPO with the GBA was provided.

56. For all these reasons, the Litigation Chamber finds a violation of both Article 37(1)(a) and Article 37(7) GDPR, as the mandatory designation of the actual DPO was not done correctly (given the missing designation decision or other administrative decision in this regard), and was also not correctly communicated to the Data Protection Authority.

II.3.1.2. With regard to the tasks of the data protection officer in accordance with Article 39 GDPR

57.
The Litigation Chamber notes that a number of problems existed and continue to exist with regard to the data protection officer and (the possibility of) that person performing certain tasks.

58. The core of several problems that the Inspectorate was able to identify therefore appears to go back to the fact that the DPO, or at least the service that de facto carries out the DPO tasks, does not in this case receive sufficient resources to advise the controller on taking the necessary data protection safeguards, which serve, on the one hand, to support and strengthen data subjects in their rights and, on the other hand, to prevent infringements of data protection legislation.

59. It appears from the findings of the Inspectorate in this matter that the Inspectorate found or received no indications that the tasks within the meaning of, more specifically, Article 39(1)(b), (d) and (e) GDPR are correctly performed. According to the Inspectorate, there is also a lack of clear agreements between the board of the defendant and the external e-gov support centre. What is more, it appears from the file that there is no direct contact whatsoever between the defendant's board and the external e-gov support centre. There would be structural contact only with the defendant's IT manager.

60. Superfluously, but without this having any impact on the assessment of the Inspectorate's findings outside the scope of the complaint, it may be added that even the facts that fall within the scope of the complaint point to situations with a suboptimal structural approach to and care for data protection.

61. Although the defendant rightly stated at the hearing that the file has had a long lead time, its statements, and those of its DPO, at the hearing show that the structural data protection deficiencies still exist:
a. The number of hours available to the external DPO to perform the tasks provided for by the GDPR is completely insufficient to meet the requirements of the GDPR. It is said to be 120 hours per year for the entire municipality and all its services.
b. The DPO (still) has little or no contact with the defendant's municipal council, let alone that the municipal council structurally consults her or invites her to provide advice. Yet the defendant is a public authority, for which the legislator explicitly requires a data protection officer in Article 37(1)(a) GDPR, which indicates that the legislator considers the function paramount in the context of government services, and a DPO should have access to the highest management level so that the tasks can be properly carried out.
c.

[10] For the definition of "public authority", see Article 5 of the Framework Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, in which public authority is defined as: 1° the Federal State, the federated entities and local authorities; 2° legal persons governed by public law that depend on the Federal State, the federated entities or local authorities; 3° persons, whatever their form and nature, that have been established for the specific purpose of meeting needs in the general interest that are not of an industrial or commercial nature, that have legal personality, and of which either the activities are mainly financed by the authorities or institutions referred to under 1° or 2°, or the management is subject to supervision by these authorities or institutions, or more than half of the members of the governing, executive or supervisory body are designated by these authorities or institutions; 4° associations consisting of one or more authorities as referred to under 1°, 2° or 3°.
In addition, the defendant itself states in its submission that, as a municipality, it offers much more than just education, which means that it processes the personal data of a large number of data subjects in a large number of processes. It refers to social and cultural services, but also sports, youth, housing and environment.[11] This may also concern sensitive personal data. The limited time commitment and the limited access to governance for the DPO are problematic in this context.
d. The defendant acts as controller for the activities of the school concerned (and other educational institutions), but in principle only gives the DPO access to its IT manager. In the event of incidents, there would be consultation with the employees or responsible persons involved. This ignores a whole range of data protection aspects that are not IT-related, for which incidents must be investigated, analysed and rectified at a more structural level. Thus, a DPO who has no access to certain institutions (for which the defendant is responsible), due to a lack of contact points at those institutions and a lack of time to establish contacts with such institutions on her own initiative, can hardly adequately identify and address (and help mitigate where necessary) the data protection risks of such institutions.

[11] Reply submission of the defendant, p. 5.

62. Each of the elements listed in the preceding paragraph gives rise to an infringement of Article 39(1) GDPR, given that these points show that the controller insufficiently guarantees the adequate performance of the DPO's tasks.
The Litigation Chamber therefore establishes, partly on the basis of the findings of the Inspectorate on this point, that the defendant has not fulfilled the obligations set out in this provision, and that it does not sufficiently guarantee that its DPO can properly perform its tasks as listed in Article 39(1).

63. For that reason, the Litigation Chamber orders the defendant to draw up an action plan within three months (infra), in which the defendant takes into account the infringements established in the present decision, paying particular attention to the specific aspects of its services as well as to specific contact points in this regard.

II.3.2. Findings of the Inspectorate regarding the follow-up, documentation and reporting of incidents (Articles 5(2), 32 and 33 GDPR)

64. The obligation to take security measures, with attention to the risks involved, which a controller must assume for certain processing activities, is contained in Article 32 GDPR. The obligation to register and notify personal data breaches is contained in Article 33 GDPR. The controller's accountability is contained in Article 5(2) GDPR.

65. In its inspection report, the Inspectorate describes the way in which both incidents were handled by (the school of) the defendant. Taking into account the fact that the Litigation Chamber is not competent ratione temporis to rule on facts that took place before 25 May 2018, it cannot make any statement about the way in which the two incidents that took place before the GDPR became applicable were handled.
The Litigation Chamber is aware of the fact that the legal predecessor of the GBA (the Commission for the Protection of Privacy, hereinafter "CBPL") has since 10 June 2014 provided a notification form via which personal data breaches (outside the telecom sector, for which a statutory notification obligation already existed) could be reported.[12] The CBPL had also stated in a press release that it was "more than advisable" to use this notification form. However, the Litigation Chamber points to the optional character of that notification before the GDPR became applicable.

66. The Inspectorate also stated that the communication with the defendant shows that, during a certain period after 25 May 2018, it still did not register any incidents. The Litigation Chamber considers itself competent to rule on this, since the GDPR applies. Proper registration of incidents is of great importance, especially in light of the size of the educational institution (with 3,500 to 4,000 pupils), but also in light of the risk-based approach under Article 32 GDPR. In this case there is also processing of sensitive personal data within the meaning of Article 9 GDPR (e.g. data about (mental) health and sexually transgressive behaviour, ...). The processing also concerns data of vulnerable natural persons (in particular minors)[14] and data whose processing entails a higher risk for the rights and freedoms of the data subjects (performance, evaluations and any disciplinary assessments of teachers, ...).

67. The defendant clarifies in its submission of 17 January 2020 that, since the GDPR became applicable, it has had to deal with only one incident. This was a case of hacking of one e-mail address, whereby the data of possibly 500 people could have been leaked.
The defendant states that this incident was immediately registered in the incident register and was reported to the GBA within the legal term. It submits evidence to this effect to substantiate that argument.[13] This shows the registration of the incident in the incident register, the notification of this incident on 16 October 2019 and the solution found (namely changing the passwords of all affected users before 17 October 2019).

68. For lack of evidence, the Litigation Chamber cannot verify whether the defendant has effectively experienced only one incident since the GDPR became applicable. In addition, the Litigation Chamber also cannot verify since when the defendant has actually used an incident register. The Litigation Chamber can only rule that, with regard to the one incident that took place after the GDPR became applicable, the defendant correctly complied with the obligations under Article 33 GDPR.

69. This does not alter the fact that the defendant answered the Inspectorate's question of 6 September 2019 incorrectly when asked whether incidents had been registered with a view to the notification obligation under the GDPR. The defendant replied that "there have been no more incidents". This may indeed be correct, since the defendant indicates in its submission of 17 January 2019 that there was only one incident after the GDPR became applicable (namely on 16 October 2019). However, it could not be deduced from this answer that the defendant has an incident register that meets the requirements of Article 33(5) GDPR.

[12] https://www.dataprotectionauthority.be/citizen/authority-lancet-notification forms-for-data leaks.
[13] See Appendix 6 to the Inspection Report.
[14] Recital 75 GDPR.
Because the defendant cannot adequately demonstrate that it has complied with the obligation to register incidents adequately, the Litigation Chamber establishes a breach of accountability within the meaning of Article 5(2) GDPR. However, there are not enough elements in the file to establish an infringement of either Article 32 or Article 33 GDPR.

II.3.3. Findings of the Inspectorate regarding the obligation to provide information (Article 13(1)(a) GDPR)

70. Article 13(1)(a) GDPR requires the controller to provide the data subject with information about the identity and contact details of the controller and, where applicable, of the controller's representative. The Article 29 Working Party's guidelines on the information obligation state that this information serves to identify the controller easily and preferably also enables other forms of communication with the controller.[15]

71. The Inspectorate points out to the Litigation Chamber a combination of indications from which it appears that, at the time of the Inspectorate's investigation, the defendant was in breach of its information obligation regarding the designation of the controller:
- For example, different provisions in different documents each refer to other persons and services.
- The school regulations of the school at issue do not contain any clarification as such.
- The "Privacy Policy" link on the website of the school at issue automatically redirects the user to the "privacy statement [municipality]" on the defendant's website.
- Point 2 of the privacy statement, "who can you turn to with questions", refers to the municipal government.
However, this privacy statement also states: "With questions about the privacy policy and the measures taken, you can contact the general director V via the e-mail address [...] for both the municipality and the OCMW and/or our data protection officer at the e-mail address [...]".

[15] Article 29 Data Protection Working Party, Guidelines on Transparency under Regulation (EU) 2016/679, 11 April 2018, p. 41.

72. The defendant admits in its submission that the original privacy statement was unclear and incomplete with regard to the information obligation under Article 13(1)(a) GDPR. On 22 November 2019, however, this was rectified with the publication of a new privacy policy on the website of the defendant's school. In this new privacy policy, Article 2 now makes clear that the defendant's municipality is designated as controller. Rectifying the infringement of Article 13(1)(a) GDPR, however, does not alter the fact that an infringement occurred in the past.

73. In view of the foregoing considerations, the Litigation Chamber finds that, before 22 November 2019, the defendant did not comply with the information obligations under Article 13(1)(a) GDPR. Consequently, the Litigation Chamber establishes a breach of the information obligation in Article 13(1)(a) GDPR.

II.4. Action plan

74. By means of this decision, the Litigation Chamber orders the defendant to draw up an action plan in order to bring its processing operations into line with the General Data Protection Regulation. This action plan must be submitted to the Data Protection Authority within three months of notification of this decision.

75. The Litigation Chamber has identified a number of infringements of the GDPR above. An action plan that brings processing operations into line with the law following this decision should therefore cover at least the following aspects:
a.
With regard to the infringements of Article 37(1)(a) and Article 37(7) GDPR: the manner in which the DPO is designated, how this designation is monitored, and the allocation of responsibility for the notification of this DPO to the GBA;
b. With regard to the infringement of Article 39(1) GDPR: the analysis of an adequate working framework for the DPO with regard to the performance of her tasks for the defendant, taking into account in particular the time commitment of this DPO for the specific activities of the defendant and its services. In addition, it should be examined how the DPO can be given adequate direct access to the highest level of decision-making, where appropriate within the framework of reporting or advice, so that these tasks can be properly performed;
c. With regard to the infringement of Article 5(2) GDPR: the preparation of internal policy measures in order to provide adequate access to the Data Protection Authority and its services when required by law, with particular attention to cooperation in the event of personal data breaches;
d. With regard to the breach of Article 13 GDPR: drafting policies to properly implement the information obligation, with structural policy measures for the periodic monitoring of (data protection or privacy) statements and other relevant documents, as well as ensuring the quality of the content of statements and other documents.

II.5. Publication of the decision

Given the importance of transparency with regard to the decision-making of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties to be disclosed directly.

FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation, to:
- Pursuant to Article 100, §1, 1° WOG, dismiss the elements that are part of the complaint;
- Pursuant to Article 100, §1, 9° WOG, in view of the violations of Article 5(2), Article 13, Article 37(1)(a), Article 37(7) and Article 39(1) GDPR, order the defendant to bring its processing into line with the GDPR, and to submit an action plan to the GBA for this purpose within three months of notification of this decision.

Pursuant to Article 108, §1 WOG, an appeal against this decision may be lodged within thirty days of its notification with the Marktenhof, with the Data Protection Authority as defendant.

(signed) Hilke Hijmans
Chair of the Litigation Chamber