APD/GBA (Belgium) - 110/2023: Difference between revisions
mNo edit summary |
(expanded on the provisions of the gdpr which the dpa found breaches of. Also, changed the verbs to past tense.) |
||
Line 67: | Line 67: | ||
}} | }} | ||
The Belgian DPA | The Belgian DPA found violations of [[Article 5 GDPR|Articles 5(2)]], [[Article 13 GDPR|13(1)(a),]] [[Article 37 GDPR|37(1)(a)]], [[Article 37 GDPR|37(7)]], and [[Article 39 GDPR|39 GDPR]] by a municipal school because it had failed to assign a data protection officer and correctly document compliance with the GDPR. | ||
== English Summary == | == English Summary == | ||
Line 88: | Line 88: | ||
However, the DPA found several violations outside of the scope of the complaint. The DPA found violations of [[Article 5 GDPR|Articles 5(2)]], [[Article 13 GDPR|13(1)(a),]] [[Article 37 GDPR|37(1)(a)]], [[Article 37 GDPR|37(7)]], and [[Article 39 GDPR|39 GDPR]]. | However, the DPA found several violations outside of the scope of the complaint. The DPA found violations of [[Article 5 GDPR|Articles 5(2)]], [[Article 13 GDPR|13(1)(a),]] [[Article 37 GDPR|37(1)(a)]], [[Article 37 GDPR|37(7)]], and [[Article 39 GDPR|39 GDPR]]. | ||
Firstly, the Belgian DPA found that the municipal body was the controller for the purposes of Article 4(7) GDPR, as the management of the school was under the administrative authority of the municipality. The DPA acknowledged that the school held high levels of autonomous decision-making powers regarding educational decisions, but adopted the EDPB's reading of [[Article 4 GDPR|Article 4(7) GDPR]]. The EDPB on this matter, notes that ''"an organisation can still be the controler even if it does not make all the decisions about the ends and the means''.''"'' | |||
Secondly, the DPA found a breach of [[Article 37 GDPR]]. As a public body, the school was obliged to designate a data protection officer under Article 37(1)(a) GDPR, as well as publish the contact details of the DPO and communicate them to the DPA under Article 37(7) GDPR. The municipal body had a DPO whose functions extended to the school, but the school did not have its own separate DPO. Moreover, the controller failed to publish their DPO's contact details. Consequently, the DPA found a violation of [[Article 37 GDPR#1a|Article 37(1)(a)]] GDPR as the school acted as a public body in its own right and should have had a seperate DPO. Moreover, the failure to publish the municipal DPO's contact details was a breach of [[Article 37 GDPR|Article 37(7) GDPR]]. | |||
Thirdly, the DPA found a breach of [[Article 39 GDPR]], which establishes the tasks of the DPO. The municipality's DPO was employed for 120 hours annually, to fulfill its tasks for the municipality, the school in the current case, and another school under the municipality's administration. The DPA held that 120 hours was wholly inadequate. The DPO was not systematically involved in the operations of the school and municipality at all. Resultantly, the DPA found a breach of [[Article 39 GDPR#1|Article 39(1)]] GDPR. | |||
The DPA | Fourthly, the DPA found that no register of data breaches were being kept, as required by [[Article 33 GDPR#5|Article 33(5) GDPR]]. The controller stated that ''"no data breaches had taken place since the last one which was registered,"'' as the DPA could not verify whether another data breach took place or not, the DPA found a breach of the principle of accountability under [[Article 5 GDPR#2|Article 5(2)]] GDPR and Article 33(5) GDPR. Article 5(2) GDPR establishes the principle of accountability which obliges controllers to demonstrate compliance with the GDPR. | ||
Lastly, the DPA found a violation of the disclosure obligations under [[Article 13 GDPR|Article 13(1)(a) GDPR]]. This provision obliges the controller to publish the controller's contact details. The DPA found that the controller did not adequately provide the information, and the information that was provided was unclear. Thus the controller was in breach of [[Article 13 GDPR#1a|Article 13(1)(a)]]. | |||
'''Remedies''' | |||
The DPA issued no fine, but ordered the controller to create an action plan within 3 months to comply with the GDPR. | |||
== Comment == | == Comment == |
Revision as of 08:51, 7 September 2023
APD/GBA - 110/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(2) GDPR Article 13 GDPR Article 37(1)(a) GDPR Article 37(7) GDPR Article 39(1) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 15.06.2018 |
Decided: | 09.08.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 110/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA found violations of Articles 5(2), 13(1)(a), 37(1)(a), 37(7), and 39 GDPR by a municipal school because it had failed to assign a data protection officer and correctly document compliance with the GDPR.
English Summary
Facts
On 15 June 2018, a complaint was brought joinyly by two data subjects, employed at a municipal school as teachers, against the municipal authority which acted as the governing body of the school.
The complaint concerned two alleged infringements of the GDPR:
- The publication of a series of Board reports on the school's online platform on 23 November 2017. The reports contained incriminating statements made against the first data subject.
- The publication of the results of a student survey concerning the second data subject. This survey was published on the school's platform on 22 January 2018.
Both the reports and the survey were removed from the online platform before the data subject's had filed the complaint. The reports were taken down on 9 May 2018, and the survey was removed on the same day as its publication (22 January 2018).
On 4 July 2018, the complaint was declared admissible by the Belgian DPA and a formal investigation of the matter was commenced on 11 October 2019.
Holding
The DPA issued a technical dismissal of the orginial complaint as the processing (the publishing and removing of the reports and survey) took place prior to the GDPR's entry into force on 25 May 2018.
However, the DPA found several violations outside of the scope of the complaint. The DPA found violations of Articles 5(2), 13(1)(a), 37(1)(a), 37(7), and 39 GDPR.
Firstly, the Belgian DPA found that the municipal body was the controller for the purposes of Article 4(7) GDPR, as the management of the school was under the administrative authority of the municipality. The DPA acknowledged that the school held high levels of autonomous decision-making powers regarding educational decisions, but adopted the EDPB's reading of Article 4(7) GDPR. The EDPB on this matter, notes that "an organisation can still be the controler even if it does not make all the decisions about the ends and the means."
Secondly, the DPA found a breach of Article 37 GDPR. As a public body, the school was obliged to designate a data protection officer under Article 37(1)(a) GDPR, as well as publish the contact details of the DPO and communicate them to the DPA under Article 37(7) GDPR. The municipal body had a DPO whose functions extended to the school, but the school did not have its own separate DPO. Moreover, the controller failed to publish their DPO's contact details. Consequently, the DPA found a violation of Article 37(1)(a) GDPR as the school acted as a public body in its own right and should have had a seperate DPO. Moreover, the failure to publish the municipal DPO's contact details was a breach of Article 37(7) GDPR.
Thirdly, the DPA found a breach of Article 39 GDPR, which establishes the tasks of the DPO. The municipality's DPO was employed for 120 hours annually, to fulfill its tasks for the municipality, the school in the current case, and another school under the municipality's administration. The DPA held that 120 hours was wholly inadequate. The DPO was not systematically involved in the operations of the school and municipality at all. Resultantly, the DPA found a breach of Article 39(1) GDPR.
Fourthly, the DPA found that no register of data breaches were being kept, as required by Article 33(5) GDPR. The controller stated that "no data breaches had taken place since the last one which was registered," as the DPA could not verify whether another data breach took place or not, the DPA found a breach of the principle of accountability under Article 5(2) GDPR and Article 33(5) GDPR. Article 5(2) GDPR establishes the principle of accountability which obliges controllers to demonstrate compliance with the GDPR.
Lastly, the DPA found a violation of the disclosure obligations under Article 13(1)(a) GDPR. This provision obliges the controller to publish the controller's contact details. The DPA found that the controller did not adequately provide the information, and the information that was provided was unclear. Thus the controller was in breach of Article 13(1)(a).
Remedies
The DPA issued no fine, but ordered the controller to create an action plan within 3 months to comply with the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/21 Litigation room Decision on the substance 110/2023 of August 9, 2023 File number : DOS-2018-03496 Subject: Complaint against a municipal secondary school because of the publication of disciplinary reports on the one hand and a student inquiry on the other The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Frank De Smet and Christophe Boeraeve, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; . has taken the following decision regarding: . . The complainants: Mr. X1, hereinafter referred to as “the first complainant”; Ms. X2 hereinafter referred to as “the second complainant”; . . both represented by Mr. Stijn BUTENAERTS, with offices in Leopold . II-laan 180, 1080 Brussels; The defendant: The Municipality of Y, represented by its Board of Mayors and Aldermen, hereinafter referred to as “the defendant”; represented by Mr. Alain BOUTEILLA mr. Stephanie NGAY-KATALAY, Decision on the substance 110/2021 - 2/21 I. Factual Procedure 1. The defendant is a municipality that acts as the organizing body of the school concerned in the present file. In some cases, the documents in the file specifically stated the municipal school as an entity, without being specifically identified as a part of the defendant as a municipality. As an educational institution, the school has a number of autonomous ones decision-making powers, which are important during the course of the facts giving rise to it gave to this procedure. In those cases, where the educational institution on file as separate entity occurs or is referred to, it is referred to as “school of the defendant”. I.1. The complaint 2. On 15 June 2018, the complainants jointly lodge a complaint with the Data Protection Authority against the defendant. Both complainants are at the time of the facts described in the complaint employed at the defendant's school. 3. The object of the complaint concerns two alleged infringements of the provisions of the GDPR, which would involve personal data of the complainants: - The first alleged infringement concerns the publication on Smartschool of a series of Board reports, including two reports from the Board of Mayor and Aldermen dated 12 February 2015 and 30 March 2015 concerning the first complainant, in connection with a incident that led to his temporary suspension. The reports contain incriminating statements from two teachers and a student regarding the named first complainer. At a later stage, an appeal body would decide on temporary suspension have destroyed. However, the document containing this decision was not published on Smart school. - The second alleged infringement concerns the publication of a student survey concerning the second complainant at Smartschool. The student survey was completed by 48 students and was created on December 15, 2017. The publication of the student survey took place on January 22, 2018. 4. Prior to this complaint, the complainants exercised their rights through a lawyer by to turn to the defendant, and more specifically the defendant's school concerned, per registered letter of 8 May 2018. The complainants formulated their grievances in this regard to the facts set forth above. The complainants also requested that the reports of the first alleged infringement relating to the first complainant within 5 working days would be removed injury. Decision on the substance 110/2021 - 3/21 5. The defendant's school replied to this registered letter on 22 May 2018. It stated that the Board of Mayor and Aldermen took note of the letter from the complainants, and subsequently decided to reserve all rights and without any detrimental acknowledgment to remove Smartschool's reports (with regard to the first alleged infringement). 6. The complainants did not consider this answer to be sufficient and subsequently proceeded to submit a complaint to the GBA. In parallel with this complaint procedure, the complainants wrote on September 5, 2018 again a letter to the defendant asking in particular a number of additional questions. They first asked whether the then director of the school was obliged by the organizing body power to put the reports of the college of mayors and aldermen and on Smartschool. Secondly, the complainants refer to the defendant's regulations, where in the context of the openness of the board a written request has been made before the right of inspection (in particular to the reports on disciplinary law) can be exercised. The inspection would according to these regulations, can also be refused when the protection of the personal privacy of a person involved in the conduct. 7. The defendant replied to this letter on 18 September 2018 by stating that there was no order was given to place the lecture reports on Smartschool. The college reports would only serve as an “internal” working document to the principals of the municipal schools provided for notice. 8. The complainants finally wrote a final letter to the defendant on 15 October 2018. In here they argue that it appears from the letter of 18 September 2018 by the defendant that the lecture reports are sent directly to the principals of all municipal schools, even if the report has no relevance whatsoever for a municipal school. Cover bearings emphasize that college reports could contain sensitive information (in this case the disciplinary proceedings concerning the first complainant), and would therefore be protected under the privacy legislation and the rules on open government. The complainants then ask to the defendant how the facts – linked to the two alleged infringements in the complaint to the GBA – compatible with those last two. Finally, they also ask what the reason is for the to (systematically) transfer lecture reports that concern one school to all municipal schools. 9. On 4 July 2018, the complaint was declared admissible by the Data Protection Authority on pursuant to Articles 58 and 60 WOG. Subsequently, the complaint pursuant to art. 62, §1 WOG transferred by the First Line Service to the Disputes Chamber. I.2. The Inspectorate's investigation 10. On 14 November 2018, the Disputes Chamber will decide on the basis of Articles 63, 2° and 94, 1° WOG to request an investigation from the Inspectorate. Decision on the substance 110/2021 - 4/21 11. On November 21, 2018, in accordance with art.96, §1 WOG, the request of the Disputes Chamber to conduct an investigation submitted to the Inspection Service, together with the complaint and the inventory of the items. 12. Prior to the Inspection Report, questions were asked by the Inspection Service of the GBA to both the complainant and the defendant. 13. On October 11, 2019, the investigation will be completed by the Inspectorate, the report will be attached to the file and the file is transferred by the Inspector General to the Chairman of the Litigation Chamber (art. 91, §1 and §2 WOG). The report first contains findings with regard to the subject of the complaint (within scope). The Inspectorate supports the position of the defendant that the GDPR is impossible may apply to the first incident, as the facts predate 25 May 2018. 14. The report also contains findings that go beyond the subject of the complaint. The In general, the Inspectorate determines the following matters. 15. First, with regard to the obligation to document incidents in Article 33(5) GDPR and the risk-based approach in accordance with Article 32 GDPR, the Inspection Service examined the manner of handling of both incidents by the defendant. This is how the defendant replies the question from the Inspectorate whether incidents have been registered in the meantime, that there are “none incidents have been more”. The Inspectorate states that this is not an answer to the question and that it cannot therefore be concluded that the school and/or the municipality involved have meanwhile have initiated an incident registration as required by Article 33(5) GDPR 16. Secondly, with regard to the investigation of incidents within the meaning of Article 33(5) GDPR, the Inspectorate states that appropriate investigation is necessary in the interests of those involved. The The Inspectorate, however, states that it has no indications that the incidents were proper were investigated. 17. Thirdly, with regard to the reporting obligation to the supervisory authority within the meaning of Article 33 GDPR, the Inspection Service states that the incidents were not reported to the Data Protection Authority. 18. Fourth, with regard to the obligation to provide information within the meaning of Article 13 (specific paragraph 1 point a) The AVG first suggests to the Inspectorate that the municipality acts as the controller identifies in its communication to the GBA. The Inspectorate states that there is no consistent reference to one data controller and one point of contact (for example, for the position of data protection officer). Now the defendant for data protection law aspects appeals to an “external e-gov support center” (this is the company Z ) and the references to the defendant and this support not always clear were displayed, according to the Inspectorate, this leads to a breach of the information obligation. Decision on the substance 110/2021 - 5/21 19. Fifth, with regard to the designation of a data protection officer (“DPO”) and the disclosure of his contact details within the meaning of Article 37, paragraph respectively 1, point a) and Article 37, paragraph 7 GDPR, the Inspection Service states as follows: In the privacy statement of the Defendant's school was referred to a privacy email address of the Defendant (de municipality), without a specific clarification as to which person or service it concerns. The The Inspectorate did find out that the position of DPO is performed by the external e-mail gov support to which the defendant is affiliated. 20. Sixth, with regard to the registration of the DPO with the DPA within the meaning of Article 37(7) AVG informs the Inspection Service that no DPO has been registered for the defendant. 21. Seventh, in relation to the tasks performed by the DPO within the meaning of Article 39(1) GDPR the defendant had submitted a number of documents to the Inspectorate. The inspection report states: “The Inspection Service has no indication whatsoever that the aforementioned employee of [the external e-gov support] performs the tasks provided for in Article 39 1. b), d) and e) GDPR (tasks of supervising compliance with the GDPR, cooperation with the GBA, acting as contact point for the GBA). . . In no correspondence between the [defendant] . . . and GBA was indicated as a single contact with the DPO. If the DPO has already been appointed, the Inspectorate determines that at least the tasks under Article 39.1 d) and e) were not completed by the DPO.” 1 22. Eighth, with regard to accountability, documentation, and record keeping of and the investigation of incidents within the meaning of Articles 5(2) and 33(5) GDPR has In its investigation, the Inspectorate can first determine that the ICT manager of the municipality was informed about the two incidents. In this regard, the Inspectorate: “However, it cannot be proven when this happened and in what way, there according to the [defendant] the notification was made orally . . .” In addition, the defendant could not explain agreements with regard to the Inspectorate regarding timely reporting and further following up (or “handling”) incidents that affect personal data protection. Until finally, there is also no “no evidence of registration, investigation and follow-up of the incidents that have occurred the director, ICT manager and/or DPO were reported”, according to the Inspectorate. 1 Inspection report, page 12. 2Inspection report, p. 13. Decision on the substance 110/2021 - 6/21 I.3. The conclusions of the parties 23. On 14 October 2019, the Inspectorate's investigation report will be finalized and the file submitted to the Disputes Chamber. The Disputes Chamber will decide on 12 November 2019 on the basis of art. 95, §1, 1° and art. 98 WOG that the file is ready for consideration on the merits. The Disputes Chamber decides to divide the file on the basis of the report of the Inspectorate in two separate cases: 1. On the one hand, the Disputes Chamber will make a substantive decision with regard to the object of the complaint; 2. On the other hand, the Disputes Chamber will take a decision on the merits in response to the findings made by the Inspectorate outside the scope of the complaint. 24. On November 13, 2019, the parties involved will be notified by registered mail of the provisions as stated in article 95, §2, as well as of those in art. 98 WOG. also become they pursuant to art. 99 WOG of the deadlines to file their defences serve. With regard to the findings relating to the subject matter of the complaint, the ultimate date for receipt of the defendant's statement of defense set at 13 December 2019, those for the complainant's reply of 31 December 2019 and at finally these for the statement of defense of the defendant on 17 January 2020. With regard to the findings that go beyond the object of the complaint, the ultimate date for receipt of the defendant's statement of defense set at 17 January 2020. 25. On December 16, 2019, the Disputes Chamber will receive the statement of defense from the defendant as regards the findings relating to the subject-matter of the complaint. 26. The defendant argues, first, as regards the facts, that it is only aware of the former incident. According to the defendant, it was never informed about the second incident (except for the notification of the complaint and start of the investigation by the GBA). The resources cited of the defendant are: • The incidents fall outside the scope of the GDPR as they are both took place before the date of entry into force (25 May 2018). The complaint is related on facts prior to May 25, 2018; so these facts will have to be examined in light of the privacy law. Therefore, no administrative fine can be imposed for this according to the defendant; • The defendant also explains the circumstances surrounding both incidents, as well its presumed (legal) qualification. Decision on the substance 110/2021 - 7/21 • In conclusion, the defendant states that if the GBA were of the opinion that the complaint was well founded it requests the favor of the suspension on the basis of Article 100, § 1, 3° WOG. 27. On 30 November 2019, the Litigation Chamber receives the statement of reply from the complainants, in which with regard to the findings relating to the subject of the complaint alone means is concluded regarding the applicable law. The complaining party argues hereby that the GDPR applies to all pertinent facts, and that the defendant does not makes it plausible that there are legitimate purposes for which the publications on Smartschool are used account for both incidents. In addition, the complaining party points to, among other things, the lack of rectification of the elements relating to the disciplinary procedure (the first incident), the missing pseudonymization measures, as well as the consequences of the events and the according to them, damage suffered as a result (according to the complainants, “intangible or reputational damage”). Finally the complainants also ask for compensation and the imposition of “the necessary administrative fines and sanctions”. 28. On 17 January 2020, the Litigation Chamber will receive the conclusion of the reply from the defendant for with regard to the findings relating to the subject of the complaint: • Respondent reiterates with regard to applicable legislation that the GDPR does not apply may be based on the facts that took place before 25 May 2018. The facts fall under it scope of the privacy law; • With regard to the first and second incident, the defendant raises the same arguments as set out in its Opinion of 16 December 2019; • With regard to the authority of the GBA to award compensation, the Respondent reserves all rights and without any prejudicial acknowledgment in this because it is not up to the GBA to rule on civil (or criminal) liability of the defendant. 29. On the same date, the Disputes Chamber also receives the statement of reply from the defendant with regard to the findings of the Inspectorate outside the scope of the complaint. The the defendant first of all states in general terms that it can be qualified as a controller for a variety of "public services", including the provision of education. The defendant states that privacy and personal data protection are a “priority” subject forms for her. With regard to the specific findings of the Inspectorate, the defendant the following: • With regard to the registration of the incidents (documentation obligation Article 33, paragraph 5 GDPR and risk-based approach Article 32 GDPR) and the obligation to report to the GBA (Article 33 GDPR): the defendant points out that she was only confronted with one incident on 15 October 2019, regarding hacking an email box. According to the defendant, this incident was 110/2021 - 8/21 immediately registered in the incident register and within the statutory period to the GBA reported. A solution was also found and the passwords of all involved users as well as the passwords of the servers were changed. • Regarding the investigation of incidents (Article 33, paragraph 5 GDPR): the defendant states that she documents all personal data breaches in accordance with Article 33 (5) GDPR. The defendant states that she uses an incident register and that she reports incidents informs the GBA in a detailed manner. The defendant states: “This shows that the defendant has implemented an effective procedure that enables it to quickly detect incidents and respond in the event of a data breach.” In addition, the the defendant have also developed an information security plant, grafted onto the activities of the school concerned. • With regard to the obligation to provide information regarding the name and address of the controller (Article 13(1)(a) GDPR): the defendant acknowledges in her concluded that “the original privacy statement was not clear and incomplete”. The The defendant states that it has made the necessary adjustments – in consultation with the court external e-gov support point that also provides the DPO – so that the privacy statement can also be improved being reached. The website of the defendant's school states, according to the defendant, from now on clearly designate the municipal administration as the controller. • With regard to the findings regarding the data protection officer: In In 2015, the defendant approved the award to the e-gov support centre. The award states the assignment for appointing a service provider for the preparation of a risk analysis with regard to information security. As for the tasks and functions of the DPO for (the relevant school of) the defendant, the latter refers to by way of illustration the advice and presentations prepared and submitted by the e-gov support centre. • Regarding the accountability / Documentation obligation / Registration and investigation of incidents (Article 5(2) and 33(5) GDPR): the defendant refers to the previous one argumentation regarding this finding. The Defendant also adds the extracts from the register of processing activities in accordance with Article 30 GDPR. • In conclusion, the defendant states that it has taken numerous actions and important ones has mobilized financial and technical resources to meet the increased duties of the to comply with GDPR. The defendant argues that if the GBA were of the opinion that the defendant does not adequately comply with the obligations of the AVG, albeit in any case the requests favor of the suspension and this on the basis of Article 100, § 1 3° GDPR. Decision on the substance 110/2021 - 9/21 I.4. The hearing before the Litigation Chamber 29. On April 21, 2023, the Disputes Chamber decides ex officio to organize a hearing in the present file. This on the basis of Article 52 of the Rules of Internal Order of the Data Protection Authority. 30. The hearing will take place on 6 June 2023. At the hearing, the two complainants will be in person present, as is their lawyer. For the defendant, the two lawyers of the defendant are present, the DPO of the defendant (from the external gov support center), as well as the current director of the defendant's school in question. 31. At the hearing, the complaining party again explains the grievances. The complaining party points it out lack of apologies and rectifications. 32. Subsequently, the defendant's lawyer further explains the claims. The lawyer offers I hereby apologize on behalf of his client. 33. The members of the Litigation Chamber then address a number of questions to the defendant. Here light the DPO of the defendant admits, among other things, that a pool of privacy experts from the support center is offered, and that the support center also includes an information security cell. The DPO also states that for the performance of the tasks there is mainly contact with an IT employee of the defendant, and that 120 scheduled hours per year are offered for all activities of the defendant. However, it is emphasized that a number of aspects – for example knowledge aspects related to municipal privacy statements and the writing–happen at “group level”. In addition, the DPO admits no direct contact has taken place with the municipal council itself for DPO-related activities, and that it is the practice in the case of the Respondent to act as DPO directly to the IT report employee. II. Motivation II.1. The qualification of the defendant as a controller 34. Throughout the proceedings, the defendant identified herself as controller, and is also always in that capacity regarding the facts addressed (including by the Inspection Service). This also applies to all processing activities which runs the school.However, this does not mean that it is absolutely clear that the defendant as the municipality is in any case the controller in all cases that the municipal school. Decision on the substance 110/2021 - 10/21 35. In accordance with the law (specifically the Article 4(7) of the GDPR), and to established 3 4 case law of the Court of Justice ,should be assessed factually or a certain actor (this can be a natural or legal person, but also a public authority, a agency or other body) the purposes and means of the processing of personal data determines. The European Data Protection Board (“EDPB”) has clarified this that the factual control of this actor over the personal data processing is possible, among other things be derived from a legal provision, but also from a factual influence that the actor has on the 5 processing activity(ies). 36. With regard to the facts that fall within the scope of the complaint, it appears that the director of the school of the defendant itself - whether or not after consultation within the school and with instructions that were limited to employees of the school – has decided to provide certain documents containing these person was delivered by the defendant, of his own accord at the Smartschool- platform. The principal of the defendant's school acted in that sense without instruction to publish the documents on the part of the defendant. More so, implicitly had the director can deduce from the contents of the documents that the defendant documents would rather not be published on Smartschool. 37. None of this in any way implies that the Respondent may not have any processing responsibility about the facts that occurred within the scope of the complaint. Article 4(7) of after all, the GDPR stipulates that the purpose and means can be used alone or together with others be established. This could also be the case if the director does not have an explicit mandate had to publish the documents and acted on its own initiative, as did the EDPB confirmed: “Accordingly, an organization can still be controller even if it does not make all the decisions about the ends and the means.” After all, the fact that a organization if the defendant did not give general or concrete instructions to protect the integrity of the to guarantee the documents it supplied, (part of) the place responsibility for processing on the defendant. 38. Hic et nunc, however, it is not appropriate to define the exact roles and responsibilities in this to analyze and determine, now that the Disputes Chamber will proceed to a dismissal of the 3 CJEU Judgment of 10 July 2018, Tietosuojavaltuutettu et Jehovan todistajat – uskonnollinen yhdyskunta, C-25/17, ECLI:EU:C:2018:55;CJEUJudgementof13May2014,GoogleSpainSLt.AgenciaEspañola deproteccióndeDatos(AEPD) and Others,C-131/12, ECLI:EU:C:2014:317, in particular par.34;CJEUJudgementof5June2018,UnabhängigesLandeszentrumfürDatenschutzSchleswig- Holstein v Wirtschaftsakademie Schleswig-HolsteinGmbH, C-210/16, ECLI: EU:C:2017:796, in particular para. 35. 4 L. A. BYGRAVE & L. TOSONI, “Article 4(7). Controller” in The EU General Data Protection Regulation. A Commentary, Oxford University Press, 2020, 14. 5 EDPB, Guidance 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021 (version 2.0), available in Dutch at: https://edpb.europa.eu/system/files/2022- 02/eppb_guidelines_202007_controllerprocessor_final_en.pdf, par. 25 et seq. 6EDPB, Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021 (version 2.0), available in Dutch at: https://edpb.europa.eu/system/files/2022- 02/eppb_guidelines_202007_controllerprocessor_final_en.pdf, par. 31. Substantive decision 110/2021 - 11/21 elements within the scope of the complaint. However, outside the scope of the complaint there are determinations made by the Inspectorate that expressly relate to the the defendant as controller.For that reasonthere is no doubt that the defendant acts as controller for those elements, including for activities related to her school. II.2. With regard to the findings within the scope of the complaint 39. Based on the elements in the file known to the Litigation Chamber and on the basis of the powers assigned to it by the legislator pursuant to Article 100§1 WOG the Litigation Chamber about the further follow-up of the file; in this case, the Disputes Chamber about to dismiss part of the complaint in accordance with Article 100, §1, 5° WOG, based on the following justification. 40. In the event of a dismissal, the Litigation Chamber must gradually investigate and substantiate: - Whether there is insufficient prospect of a conviction, followed by a technical dismissal; - Whether a successful conviction would be technically feasible but on grounds, up to it general interest, a (further) follow-up is undesirable, after which a policy follows. In the event that more than one ground is dismissed, the grounds for dismissal (resp. technical dismissal and policy dismissal) should be dealt with in order of importance. 41. In the present case, the Disputes Chamber considered it technically impossible to follow up to certain elements of the file that are based on the complaint, and decides to proceed to a technical dismissal based on the motives set out below. 42. Based on the findings in the investigation by the Inspectorate in this case (cf. appendix), it appears that the Litigation Chamber has no jurisdiction ratione temporis, there on the basis of the facts and the in the complaint The grievances put forward show that the complaint relates to processing operations that started before May 25, 2018 (the date on which the GDPR came into effect), and the processing involved as well ended before that date. 43. It is true that the complaint was initially admissible by the GBA's First Line Service declared, and that an investigation by the Inspectorate subsequently also took place with regarding the facts. This does not alter the fact that the Disputes Chamber has always ruled that are not authorized to act for acts that only take place before 25 May 2018. 44. In order for the Disputes Chamber to be competent, it is necessary that the GDPR applies to the processing operations that are the subject of the complaint. According to art. 4 (2) GDPR means it processing of personal data: “any operation or set of operations relating to Decision on the substance 110/2021 - 12/21 to personal data or a set of personal data, whether or not carried out via automated procedures, such as collecting, recording, organizing, structuring, store, update or change, retrieve, consult, use, provide by means of forwarding, distributing or otherwise making available, aligning or combining, blocking, erasing or destroying data”. 45. The processing operations in this case and their timing can be summarized as follows: - Heteersteincident: a publication of personal data on Smartschool on 23 November 2017 at 10:58 am. It concerns a publication of a series of college reports, including two reports dated 12 February 2015 and 30 March 2015 and that the first complainant concern. The report dd. February 12, 2015 concerns information about the disciplinary investigation that was initiated in the head of the first plaintiff and contains incriminating statements. Inquiry from the complainant to remove the reports, they were removed from Smartschool at 9 May 2018; - The second incident: a publication of a student survey dated. December 15, 2017 on Smartschool (date of publication: January 22, 2018). Second complainant would be the publication that same day and immediately sent an e-mail to the then director. This is apparent from communication between the Inspectorate and the complainants that same day the published student survey was removed. 46. The Disputes Chamber establishes that the aforementioned processing took place before the entry into force of the GDPR on May 25, 2018. In addition, the findings of the Inspectorate that the processing of personal data related to both incidents is not more took place after the entry into force of the GDPR on May 25, 2018. The publications became after all, removed from Smartschool on May 9, 2018 and January 22, 2018. Based on the The inspection report and the documents cannot be determined by the Disputes Chamber that after 25 May 2018 processing has taken place that relates to the subject of this complaint. 8 47. In view of the foregoing, the Disputes Chamber proceeds to a technical dismissal as a result of which no further action can be taken on this complaint as there is no infringement on the GDPR. For the sake of completeness, the Disputes Chamber states that it does not fall within its powers should award damages. 7See Article 99 GDPR. 8 See point 3.1.1.4 of the Dispute Chamber's Dismissal Policy, published on its website on 16 June 2021, (https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-19-2020.pdf). Decision on the substance 110/2021 - 13/21 II.3. With regard to the findings outside the scope of the complaint 48. Notwithstanding the technical dismissal with regard to the subject matter of the complaint, the Litigation Chamber the findings of the Inspectorate outside the scope of the complaint. 49. After all, it cannot be ruled out that a complaint will give rise to a more integral and substantial control by the Inspectorate in the event of a complaint, it also confirmed Markthof. 9 50. In this context, the Disputes Chamber acknowledges – in a positive sense – the cooperation of the defendant during the entire procedure before the Data Protection Authority, whereby the defendant acknowledges in a constructive manner on the one hand that certain errors occurred in the past or that certain aspects (for example, with regard to the privacy policy and the privacy statement) were not fully compliant with the law, and on the other hand indicates how it has adjusted this or would adjust it for the future. Reference is made here, among other things, to the incident registration and the investigation of incidents (see also infrastructure). 51. Nevertheless, the Disputes Chamber generally notes that there are a number of elements in the file point to a structural lack of attention and resources for data protection law safeguards. Although an external e-gov support is necessary expertise (in this respect using pools of experts) for the exercise of the DPO-related tasks and an external DPO provides, the available time and (personnel) resources needed to properly perform the tasks are too limited. II.3.1. The designation of the DPO and the performance of the duties of the DPO provided for by law DPO (article 37 and article 39 GDPR) II.3.1.1. With regard to the appointment of an officer for data protection in accordance with Art. 37 GDPR 52. In its report, the Inspectorate pointed out a number of ambiguities regarding the identity of the DPO: - The complainants' lawyer stated that there is no data protection officer was appointed; 9“Companies . . . however, should be aware that one particular incident . . . may lead to an integral inspection and substantial control of a company or organization's GDPR compliance, which in turn can lead to sanctions due to non-compliance with certain GDPR obligations that were not initially the trigger of the inspection.” Cf. Judgment of 14 June 2023, Brussels Court of Appeal (Chamber 19A, Section Marktenhof), no. 2023/4583, 29-30. Decision on the substance 110/2021 - 14/21 - Article 4.2.6. of the school regulations stated that the municipal council has an extra consultant to act as information security consultant and data protection officer; After June 2, 2019, this provision was deleted from the regulations, without clarification why this deletion was necessary; - Reference was also made to an employee of Z who would have been referred to as DPO. Z. It provides “objective advice” through its DPOs, according to its website. According to the Inspectorate, there were a number of remaining ambiguities regarding the appointment of an employee of the external e-gov support center as DPO: - No appointment decision was made by the Board of Mayor and Aldermen provided so that the GBA can verify from what date the defendant gave an order to Z, whether this assignment is temporary, and which tasks were or were not included in the services; - No registration code was provided for the registration of the DPO; - The GBA received no further information about the competences of the aforementioned employee of the e-gov support center as required by Article 37(5) GDPR; - According to Article 37(3) GDPR, a controller can be a DPO to various agencies and bodies. The GDPR does require that the controller hereby enter the “organizational structure and size”. takes into account. The question is whether in this concrete case the DPO of a municipality with 15,000 to 20,000 inhabitants can also be sufficiently independent and competent function as DPO of both two municipal schools and the municipal council. The processing is carried out within the context of a comprehensive school 3,000 to 4,000 students that exceeds the municipality, which may have consequences for the handling of incidents and the more efficient use of resources, including the teachers' affection; 53. With regard to the appointment of the DPO, the defendant refers to the award contract for the e- govsupport(piece5piecesbundleofrespondent).piece6ofdefendantprovesconcretethe appointment of a DPO for the defendant, as approved at a hearing held by her City Council of 25 November 2019. Document 7 shows that the defendant has an application filed for female worker approval at the e-gov support center as security consultant at the Flemish supervisory committee for the electronic administrative data traffic (hereinafter “VTC”). 54. The Litigation Chamber refers to Article 37(1)(a) GDPR which states that controllers are obliged to notify a data protection officer Decision on the substance 110/2021 - 15/21 to indicate in the event that the processing is carried out by a public authority or public authority, which is the case here. From the documents submitted by the defendant be deduced that the defendant had not appointed a DPO before 25 November 2019 . Since there was already an obligation for the appointment of a DPO since the entry into force of the GDPR (May 25, 2018), it is therefore not acceptable that the defendant only a year later a DPO appoints. 55. Regarding the disclosure of the contact details and the sharing of these contact details with the supervisory authority, the Disputes Chamber states that at the time of the investigation of the Inspectorate failed to provide any evidence of a registration of the DPO with the GBA. 56. For all these reasons, the Litigation Chamber finds a violation of both Article 37 paragraph 1, point a) and Article 37 (7) GDPR, as the mandatory designation of the actual DPO was not done correctly (according to the missing designation decision or other administrative decision in this regard), and also was not correctly reported to the Data Protection Authority. II.3.1.2. With regard to the duties of the data protection officer in accordance with Art. 39 GDPR 57. The Disputes Chamber notes that a number of problems existed and continue to exist with with regard to the data protection officer and (the possibility of) exercising it of certain tasks by that person. 58. The core of several problems that the Inspectorate was able to identify, therefore, seems to be back to the fact that the DPO – or at least the service that carries out the DPO tasks de facto - in this case does not receive sufficient resources to inform the controller advise to take the necessary data protection law safeguards that serve to be provided to support and strengthen those concerned in their rights, on the one hand, and infringements on data protection related legislation on the other hand. 59. It appears from the findings of the Inspectorate in this matter that the Inspectorate has not found any finds or receives instructions that indicate that the tasks within the meaning of more specific article 39 (1) points b), d) and e) GDPR are correctly observed. There is also a lack of clarity to find agreements, according to the Inspectorate, between the board of the defendant and the 10 For the definition of "government", see Article 5 of the framework law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data whereby government is defined as 1° the Federal State, the federated states and local authorities, 2° the legal entities under public law belonging to the Federal State, the federated states or local depending on governments, 3° the persons, whatever their form and nature, who have been established for the specific purpose of meeting needs of general interest that are not of an industrial or commercial nature; and have legal personality; and of which either the activities are mainly financed by the authorities or institutions referred to in the provisions under 1° or 2°, either the management is subject to supervision by these governments or institutions, or the members of the governing body, executive body or supervisory body are designated for more than half by these governments or institutions. 4° the associations consisting of one or more authorities as referred to in the provisions under 10, 2° or 3°. Decision on the substance 110/2021 - 16/21 external e-gov support. What's more, it appears from the file that there is no direct contact whatsoever between the defendant's board and the external e-gov support centre. Only with the IT responsible of the defendant, there would be structural contact. 60. Superfluously - but without this having any impact on the assessment of the determination of theInspectionserviceoutsidescope–maybeadjustedthateventhefactswhicharewithinthescope of the complaint took place indicate situations with a suboptimal structural approach and care for data protection. 61. Although the defendant rightly stated at the hearing that the file had a long lead time knows, her statements – and those of her DPO – at the hearing show that the structural data protection deficiencies still exist: a. The number of hours that the external DPO has available to perform the tasks that the GDPR provides is completely insufficient to meet the requirements of the GDPR. It is said to be 120 hours on an annual basis for the entire municipality and all its services. b. The DPO (still) has little or no contact with the municipal council of the defendant, let alone that the municipal council structurally consults or invites her to provide advice. However, the defendant is a public authority, where the legislator in the Article 37 (1) point a) GDPR explicitly designates a data protection officer, which indicates that the legislator has the function is paramount in the context of government services, and a DPO should access have access to the highest level of management so that the tasks can be properly carried out become. c. In addition, the defendant itself states in its conclusion that, as a municipality, it can do much more offers more than just education, which means that they have a large number processes personal data of a large number of data subjects. She refers to social and cultural services, but also sports, youth, housing and 11 environment. This may also concern sensitive personal data. The limited time commitment and limited access to governance for the DPO is in this context problematic. d. The defendant acts as a controller for the activities of the involved school (and other educational institutions), but in principle only offers access by the DPO to its IT manager. In case of incidents there would be consultation with the employees or responsible persons involved. A whole number of data protection aspects are ignored IT-related aspects, whereby incidents must be dealt with at a more structural level 1 Reply statement of the defendant, p. 5. Decision on the substance 110/2021 - 17/21 investigated, analyzed and rectified. This is how a DPO who has no access to certain institutions (which are the responsibility of the defendant) due to a lack of contact points at those institutions and a lack of time to act on their own initiative to establish contacts with such institutions, it is difficult for the data protection law related risks of such institutions on a adequately identify and address (and help mitigate where necessary). 62. Each of the elements listed in the preceding paragraph gives rise to an infringement to be set at Article 39(1) GDPR, given that these points show that the controller insufficient the adequate performance of tasks by the DPO guarantees. The Disputes Chamber therefore argues - partly on the basis of the findings of the Inspectorate on this point – note that the defendant has set out in this provision has not fulfilled its obligations, and that it does not sufficiently guarantee that its DPO fulfills its tasks can properly perform, as these tasks are listed in Article 39(1). 63. For that reason, the Litigation Chamber orders that the defendant draw up an action plan within three months (infra), whereby the defendant takes into account the infringements in the present case decision, taking into account, in particular, the specific aspects of its services as well as specific contact points in this regard. II.3.2. Findings of the Inspectorate regarding the follow-up, documentation and reporting incidents (Articles 5 (2), Article 32 and Article 33 GDPR) 64. The obligation to take security measures - with attention to the risks involved –which a controller should assume for certain processing activities contained in Article 32 GDPR. The registration and reporting obligation of incidents related to personal data is contained in Article 33 of the GDPR. Accountability for a controller is contained in Article 5(2) of the GDPR. 65. In its inspection report, the Inspection Service describes the way in which both incidents were handled by (the school of) the defendant. Taking into account the fact that the Litigation Chamber rationale temporis is not authorized to rule on facts that took place before May 25, 2018, can they make no statement about the way in which the two incidents that took place before were handled the date of entry into force of the GDPR. The Litigation Chamber is aware of the fact that the legal predecessor of the GBA (the Commission for the protection of privacy, hereinafter referred to as “CPPL”), since June 10, 2014, provided in a report form via which personal data breaches (outside the telecom sector because there was already a statutory notification obligation for this) could be Decision on the substance 110/2021 - 18/21 reported. The CBPL had also stated in a press release that it is “more than advisable” to using this report form. However, the Litigation Chamber points to the optional character of the notification obligation before the entry into force of the GDPR. 66. The Inspectorate also stated that the communication with the defendant shows that she during a certain period after 25 May 2018 still did not register any incidents. The Disputes Chamber considers itself competent to rule on this, since the GDPR does finds application. Proper registration of incidents is of great importance, especially in the light of the size of the educational institution (with 3,500 to 4,000 pupils), but also in the light of the risk-based approach under Article 32 GDPR. In this case, there is also one processing of sensitive personal data within the meaning of Article 9 GDPR (e.g. data about (mental) health and sexually transgressive behaviour,…). The processing also concerns data of vulnerable natural persons (particularly minors) 14 and it concerns a processing of data the processing of which involves a higher risk in view of the rights and freedoms of the persons concerned (performance, evaluations and any disciplinary assessments of teachers,…). 67. The defendant clarifies in its Opinion dd. January 17, 2020 that they have been since the entry into force of the GDPR has only had to deal with one incident. This was a case of hacking of one email address, where the data of possibly 500 people could have been leaked. The defendant states that this incident was immediately registered in the incident register and became reported to the GBA within the legal term. She hereby submits evidence to this effect to substantiate the argument. This shows the registration of the incident in the incident register, the reporting this incident on October 16, 2019 and the solution found (namely the change of the passwords of all affected users before October 17, 2019). 68. Due to a lack of evidence, the Litigation Chamber cannot verify whether the defendant has effectively but too experienced one incident since the entry into force of the GDPR. In addition, the Litigation Chamber also cannot verify since when the defendant actually uses one incident register. The Disputes Chamber can only rule that the defendant with regard to the one incident that took place after the entry into force of the GDPR, the obligations in Article 33 GDPR has correctly complied. 69. This does not alter the fact that the defendant had answered the Inspectorate's question incorrectly of 6 September 2019 when she asked whether incidents have been registered with with a view to the notification obligation under the GDPR. The defendant replied that “there is none incidents have been more”. This may indeed be correct since the defendant in its conclusion 12https://www.dataprotectionauthority.be/citizen/authority-lancet-notification forms-for-data leaks. 13See Appendix 6 to the Inspection Report. 14Recital 75 GDPR. Decision on the substance 110/2021 - 19/21 of January 17, 2019 indicates that there was only one incident after the entry into force of the GDPR (namely on October 16, 2019). However, it could not be deduced from this answer that the defendant now has an incident registration that meets the requirements of Article 33, paragraph 5 GDPR. Because the defendant cannot adequately justify that it has fulfilled the obligation to has complied with adequate registration of incidents, the Disputes Chamber establishes a breach to accountability within the meaning of Article 5 (2) GDPR. However, there are not enough elements present in the file to establish an infringement of either Article 32 or Article 33 GDPR. II.3.3. Findings of the Inspectorate regarding the obligation to provide information (Article 13(1) point a) GDPR) 70. Article 13(1)(a) of the GDPR requires the controller to provide information provided to the data subject about the identity and contact details of the controller and, where applicable, of the representative of the controller.Instructionsofthedataprotectiongrouparticle29about the information requirement was stated that this information serves for easy identification of the controller and preferably also other forms of communication with enable the controller. 15 71. The Inspectorate points out to the Disputes Chamber a combination of indications from which the At the time of the Inspectorate's investigation, it appears that the defendant has fulfilled its obligation to provide information violates regarding the designation of the controller: - For example, there are different provisions in different documents that each time refer to other people and services. - The school regulations of the school at issue do not contain any clarifications as such. - The “Privacy Policy” link on the website of the school at issue: The user becomes automatically redirected to the “privacy statement [municipality]” on the website of the defendant. - Point 2 in the privacy statement “who can you turn to for questions” refers to the municipal government . However, this privacy statement also states “With questions about it The privacy policy and the measures taken can be found at the general director V via the e-mail address […] for both the municipality and the OCMW and/or at our data protection officer at the email address […]”. 15Data Protection Working Party Article 29, Guidelines on Transparency under Regulation (EU) 2016/679, 11 April 2018, p. 41. Decision on the substance 110/2021 - 20/21 72. The defendant admits in its conclusion that the original privacy statement was unclear and was incomplete with regard to the information obligation under Article 13(1)(a) GDPR. On 22 however, this was rectified in November 2019 with the publication of a new privacy policy on the website of the defendant's school. In this new privacy policy it is now made clear in Article 2 the municipality of the defendant is appointed as the controller. It rectifying the infringement of Article 13 (1) point a) GDPR, however, does not alter the fact that in the an infringement may have occurred in the past. 73. In view of the foregoing considerations, the Disputes Chamber states that the defendant before 22 November 2019 did not comply with the information obligations with regard to article 13, paragraph 1, pointa) of the GDPR. Consequently, the Litigation Chamber establishes a breach of the information obligation Article 13(1)(a) GDPR. II.4. Action plan 74. By means of this decision, the Disputes Chamber orders the defendant to draw up an action plan in order to bring its processing operations into line with the General Data Protection Regulation. This action plan should be submitted to the Data Protection Authority within three months of notification of this decision. 75. The Litigation Chamber has identified a number of infringements of the GDPR above. An action plan that brings processing operations into line with the law, following this decision, should therefore cover at least the following aspects: a. With regard to the violations of article 37, paragraph 1, pointa) and article 37, paragraph 7 GDPR: the way when the DPO is appointed, how this appointment is monitored, and the like allocation of responsibility for the notification of this DPO to the GBA; b. With regard to the infringement of Article 39 (1) GDPR: the analysis of an adequate and adequate working framework for the DPO, with regard to the performance of her duties for the defendant, taking into account in particular the time commitment of this DPO for the specific activities of the defendant and its services. In addition it should also be examined how adequate direct access can be achieved be granted for the DPO to the highest level of decision, where appropriate within the framework of reporting or advice so that these tasks can be properly performed; c. With regard to the infringement of Article 5 (2) GDPR: the preparation of internal policy measures in order to provide adequate access to the Data Protection Authority and its services, when required by law and with particular attention to cooperation in case of breaches related with personal data; Decision on the substance 110/2021 - 21/21 d. With regard to the breach of Article 13 GDPR: drafting policies that to properly implement the duty of information, with structural policy measures with regard to the periodic monitoring of (data protection or privacy) )declarations and other relevant documents, as well as ensuring the content quality of statements and other documents. II.5. Publication of the decision Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this to include the identification data of the parties are disclosed directly. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - Pursuant to article of art. 100, §1, 1° WOG, the elements that are part of the complaint te dismiss . - Pursuant to Article 100, §1, 9° WOG, in view of the violations of Article 5, paragraph 2; 13; 37, member 1, point a); 37 (7) and 39 (1) GDPR, the defendant to order its processing to bring it into line with the GDPR, and to submit an action plan to the GBA for this purpose within three months of notification of this decision. Against this decision, pursuant to Art. 108, §1 WOG, appeals are lodged within one term of thirty days, from the notification, at the Marktenhof, with the Data Protection Authority as defendant. (Get). Hilke Hijmans Chairman of the Litigation Chamber