APD/GBA (Belgium) - 53/2020: Difference between revisions
From GDPRhub
m (Ar moved page APD/GBA - 53/2020 to APD/GBA (Belgium) - 53/2020) |
|||
| (One intermediate revision by one other user not shown) | |||
| Line 63: | Line 63: | ||
===Facts=== | ===Facts=== | ||
A mayor of a Belgian village sent | A mayor of a Belgian village sent unsolicited political emails using email addresses collected during his time as mayor. In this specific case it concerned emails a citizen sent to the mayor's office to complain in 2014. The mayor used these emails for his most recent election campaign. | ||
===Dispute=== | ===Dispute=== | ||
Latest revision as of 16:58, 12 December 2023
| APD/GBA - 53/2020 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6(1) GDPR Article 25(1) GDPR Article 25(2) GDPR Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 01.09.2020 |
| Published: | 01.09.2020 |
| Fine: | 5000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 53/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | APD (in FR) |
| Initial Contributor: | n/a |
The Belgian DPA (APB/GBA) imposed a fine of € 5000 to a politician for sending unsolicited political email to the plaintiff, violating among others the purpose limitation principle.
English Summary
Facts
A mayor of a Belgian village sent unsolicited political emails using email addresses collected during his time as mayor. In this specific case it concerned emails a citizen sent to the mayor's office to complain in 2014. The mayor used these emails for his most recent election campaign.
Dispute
Can a politician reuse the emails collected during his time as mayor to send political campaign emails ?
Holding
The litigation chamber decided that the politician violated the purpose limitation principle and imposed a fine of € 5000.
Comment
This decision has been appealed to the Brussels Court which cancelled the DPA decision in 27 January 2021 for lack of proportionality of the fine with regard to the goodwill of the appealant.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/13 Litigation Chamber Decision on the merits 53/2020 September 1, 2020 File No.: DOS-2019-02974 Subject: Complaint due to the sending of an email of electoral propaganda The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke Hijmans, Chairman, and Messrs Frank de Smet and Christophe Boeraeve, members ; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the free movement of data protection), hereinafter referred to as RGPD ; Having regard to the law of 3 December 2017 creating the Data Protection Authority, hereinafter LCA ; Having regard to the internal rules of procedure as approved by the House of Representatives on December 20, 2018 and published in the Moniteur belge on January 15, 2019 ; Having regard to the documents in the file ; has taken the following decision concerning : - the plaintiff ; - the defendant: a politician. 1. Facts and procedure Decision on the merits 53/2020 - 2/13 1. On May 25, 2019, the complainant filed a request for information with the protection of data concerning the defendant's use of his e-mail address received on May 22, 2019, sent on his behalf by his personal email for the sending of an electoral message received on secretary. The complainant points out that he never gave his consent to the use of his address. for this purpose by the defendant. The plaintiff also complains that this message was sent to many recipients placed copies, which favoured the unsolicited distribution of his address to these third parties. 2. The letter was worded as follows: "Ladies, Gentlemen, Dear friends, I I am proud to be the [Xth] candidate of the [Y] list for our district [list of communes]. concerned .] May I be allowed to ask for your vote. A good result will allow me with our team at the College and Provincial Council to be even more effective. I wish to put everything to also support our local agents and their projects. ». 3. By letter dated July 2, 2019, the Data Protection Authority's Front-Line Service invited the plaintiff to exercise his rights with the defendant, in this case, his right of opposition to the processing of his personal data. At the same time, by letter dated July 2, 2019, the the defendant to ask him, among other things, how he had obtained the information he needed. the complainant's e-mail address, if he or she had filed a data leakage notification with ODA and what steps have been taken to ensure that this type of incident does not happen again. 4. 4. From the responses that the respondent provided to the complainant and to the front-line service, he or she will indicates that the complainant's email address was collected in connection with a request for information addressed in March 2014 by the complainant to the secretariat of the mayor of the city of X. to report a problem of public cleanliness. More specifically, it was an e-mail addressed to "secretariat.bourgmestre@X.be " concerning a clandestine landfill site near the former city walls for which the complainant requested the cleanup. On July 4, in his letter Addressed to the Front Line Service, co-signed by the defendant's secretary writes the following explanation concerning the collection of the disputed e-mail address: "The addresses come from a "permanences" file organized by the defendant when he was mayor of the city. The complainant is therefore included in the report for having, at one time or another, had contact with the city. the defendant. "The Litigation Chamber cannot therefore follow the defendant in his explanations. (July 2020) according to which the disputed e-mail address (and others) were collected via e-mails addressed to him personally and not via an administrative or other service of the company. the municipal administration.1 The Dispute Chamber understands that the data collected 1 The defendant sets out the facts as follows: "In addition to the answers I give in the form you will find duly completed in the appendix, allow me to contradict a few elements contained in your letter: page 3- point 1 - Decision on the merits 53/2020 - 3/13 by the mayor are not only the result of contacts of citizens with the city administration but also, according to the defendant's statements, of emails addressed to him personally, which were which was not the case with regard to the complainant's e-mail which was indeed collected via the secretariat of the mayor. 5. With regard to the modus operandi for sending the disputed email, the defendant responded to the questions from the Data Protection Authority by co-signing the following explanation provided by the municipal employee who was his secretary when he was mayor: "In fact, from my private messaging service, I sent an election advertisement for the defendant, in order to to avoid using his professional messaging in his capacity as an MPP. [...] And this e-mail has was sent spontaneously, omitting to put in CCI the recipients. There is therefore no intention to misuse these addresses or harm anyone else. It is just a mistake of manipulation that we regret. We have apologized to the complainant as you have could read it".2 6. As a result of these responses, the complainant confirmed to ODA's Front-Line Service that he was willing to that his request for information be forwarded as a complaint to the ODA Litigation Chamber, by letters dated July 11 and 26, 2019. On August 6, 2019, the Front Line Service of the Authority of The data protection authority declared the complaint admissible and forwarded it to the Litigation Chamber. 7. On August 25, 2019, the Litigation Chamber considered the file ready for processing. as to the substance pursuant to articles 95 § 1, 1° and 98 LCA. On the same date, the Dispute Chamber forwarded the complaint and exhibits to the defendant by registered letter and invited the parties to argue their case according to a set timetable. The letter stated that "each of the parties is to transmit its conclusions simultaneously to the secretariat of the Litigation Chamber and to the other party". 8. By letter dated October 14, 2019, received October 18, 2019, the defendant states that it is is at the disposal of the Litigation Chamber to be heard if the Chamber so wishes. The in his brief letter, the defendant explains that he confirms "that the sending of the file to all of the people was a simple handling error at the time of sending the document that was [sic] individualized". 2nd paragraph - it is affirmed: "the defendant used in order to send electoral mail a list of citizens who have been in contact with the commune for various questions". Answer: this statement is not correct. I had of a file of persons who have contacted me personally and not an administrative or other service of the municipal administration" (letter of the defendant of July 6, 2020 addressed to the Litigation Chamber by e-mail of July 7, 2020). 2020). 2 Letter from Respondent to ODA Frontline Service, July 4, 2019. Decision on the merits 53/2020 - 4/13 9. The respondent also states that it "sought the advice of an expert in the new legislation "to help him coach his team" in order to avoid any future mistakes by the like". The defendant states that the question of what precautions should be taken with e-mail addresses that people have not spontaneously transmitted, is still under analysis. The the defendant concluded that he thought he was entitled to contact the persons who had given him their address, and that he is now aware that this is "obviously not so obvious". 10. In an email dated November 7, 2019, the plaintiff introduced his arguments such as the calendar of conclusion invited him to do so. On that occasion, the complainant reported that he had not received the findings of the the elements of his complaint, and asks to retain as an aggravating circumstance the following that the denounced violations were committed by a politician in the exercise of his mandate. 11. The Litigation Chamber resumed the case by written procedure on July 3, 2020 and adopted the following decision a draft decision. On the same day, the Litigation Chamber communicated by e-mail to the defendant the amount of the fine envisaged against it, as well as a list of the breaches observed at the RGPD and justifying this amount. In particular, the Chamber found that the Respondent did not submit its findings to the complainant. The defendant was invited, by the same e-mail, to put forward its pleas in law. defence to the amount of the proposed fine. In this communication, the Chamber The litigator stressed that the debates on the merits were closed. The Litigation Chamber received the defendant's reply by email on July 7, 2020 (completed fine form and letter). dated July 6, 2020). 2. Violations of the GDMP 12. The defendant in his capacity as burgomaster at the time of the collection of the e-mail address concerned, is the person responsible for processing the personal data file that he or she has constituted from the data of citizens addressing his secretariat and/or himself personally for various requests. It is his responsibility to ensure that the data have been processed on an appropriate legal basis and in compliance with the law. strictly the principles set out in the RGPD. It is also responsible for appropriate technical and organizational measures to ensure, in particular, that the data does not will not be further processed for a purpose that is incompatible with the purpose for which they were were initially collected and processed (Articles 5.1(f), 6.4 and 32 of the GDMP). From the documents provided, it appears that by the defendant himself that he was a mayor at the time the disputed e-mail address was collected (email to "secretariat.bourgmestre@....be"). The Dispute Chamber takes note Decision on the merits 53/2020 - 5/13 the fact that the defendant was no longer mayor at the time the disputed email was sent3. For the part of the data collected from emails sent to the secretariat of the mayor, the Chamber the defendant has therefore personally processed data collected as a result of the litigation. that mayor, at the very least, the email of the complainant. 13. On the basis of these elements of the file, the Litigation Chamber considers that it is established that the defendant used to send out election mailings a list of citizens who were in contact with the commune of which the defendant was then mayor, for various questions related to to its function as a public representative, and that the personal data collected in this context would have had to be processed with the strict purpose of answering questions asked by citizens. 14. In his capacity as data controller, the defendant is obliged to comply with the principles of the law. protection of data and must be able to demonstrate compliance (principle of data protection). of liability - section 5.2. of the GDMP). It must also implement all measures to ensure that necessary for this purpose (Article 24 of the GDMP). 15. The purpose principle is an angular principle of data protection. Dedicated from 1981 to Article 5 b) of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. of the Council of Europe (ETS 108), it is set out at Article 6.1.b) of Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 relating to the protection of individuals with regard to the processing of personal data and the free circulation of this data as well as in article 4 § 1, 2° of the Law of December 8, 2009. 1992 relating to the protection of privacy with regard to the processing of personal data personal. When the right to data protection is enshrined as a fundamental right by Article 8 of the Charter of Fundamental Rights of the European Union in 2000, the principle of purpose has been stated as a key element of this right4. This principle has, logically, been taken up again at Article 5.1(b) of the GDPR under the Principles for the Processing of Personal Data (Chapter II). 16. Article 5.1(b) of the GDMP provides that : « 1. Personal data must be : (...) (b) collected for the following purposes and legitimate, and not to be further processed in a particular, explicit and legitimate manner, and not to be incompatible with these purposes; further processing for archival purposes in the interest of public, for the purposes of scientific or historical research or for statistical purposes is not 3 Letter of the Respondent to the Litigation Chamber of July 6, 2020. 4 Article 8 of the Charter of Fundamental Rights of the European Union: 1 Everyone has the right to data protection. of a personal nature concerning it. Decision on the merits 53/2020 - 6/13 considered in accordance with Article 89(1) as incompatible with the purposes of initials" (limitation of purposes). » 17. 17. Personal data may not be further processed in a way that is contrary to the law. incompatible with their collection purpose (section 5.1.b. of the GDGR)5. Further processing of data personal data for purposes other than the one(s) for which they were collected. initially collected is permitted only if such further processing is compatible with the purposes for which it was collected. for which the personal data were initially collected, taking into account the link between the purposes for which they were collected and the purposes of further processing considered, also taking into account the framework in which the personal data were considered, and the collected, the possible consequences of the envisaged further processing for the data subject and the existence of appropriate guarantees. 18. A compatible purpose is, for example, a purpose that the data subject can foresee or that can be considered compatible by virtue of a legal provision (see Article 6.4. of the RGPD). Based on the criteria in section 6.4 of the EDR: there is no link between the two. purposes of processing, and the contexts of data collection are totally foreign, one of the most important concerning the management of the commune in the treatment of the answers to the questions of the citizens, the other that of the relations between an elector and a candidate for an elective mandate. This incompatibility is further evidenced by the fact that the applicable law allows candidates in elections to have access to to a voters' list specially dedicated to the realization of their campaign. 19. Any subsequent incompatible use is prohibited with two exceptions provided for in Article 6.4. of the RGPD. Where the data subject has given his consent to further processing in order to a distinct purpose or where the processing operation is based on a legal provision which constitutes an necessary and proportionate measure in a democratic society, in particular to ensure the guarantee of important purposes in the public interest, the data controller has the possibility of processing subsequently these personal data for other purposes, whether or not they are compatible with the purpose for which they were collected. or not with the initial purposes. In this case, the defendant may not base his subsequent treatment of data neither on the consent of the persons concerned nor on a legal basis under Belgian law or European Union as a necessary and proportionate measure in a democratic society for ensure the objectives set out in section 23.1 of the MDR (section 6.4 of the MDR). 5 Article 5(1)(b) of the GDPMR states that "personal data must be : (...) b) collected for the purpose of legitimate, explicit and specified purposes, and not to be further processed in a manner inconsistent with those purposes. purposes". See the explanations on this principle of finality in the decision of the Litigation Chamber 11/2019 of November 25. 2019. Decision on the merits 53/2020 - 7/13 20. The purpose of advertising/electoral propaganda is not a further purpose of processing data compatible with the original purpose of collecting data from citizens in the context of evoked. In its note "Elections" published in the early 2000s on its website and put in Updated following the implementation of the DPGR6 the Data Protection Authority mentions that : "However, political parties and their candidates in an election may be tempted to have use of personal data collected in the context of other processing operations whose primary purpose had nothing to do with electoral propaganda. This is true as well for data retrieved from public sector files (such as the National Registry, the data from public service personnel files, a list of people assisted by a CPAS, data obtained in the exercise of an alderman's mandate, ...) that for data from private sector files (company customer files, list of members of an association, ...)". 21. The note goes on to state: "From this point of view, it is therefore not permitted to reuse the personal data recorded in the above-mentioned files for propaganda purposes election. Such processing is incompatible with the purposes for which the data were collected. initially harvested, which is punishable under section 83.5 of the GDMP". 22. With respect to the prohibition on the re-use of election propaganda data for electioneering purposes, the obtained in the exercise of an alderman's or burgomaster's mandate, the Chamber shall also refers to the explanations provided on this subject in its decision on the merits of the case. 11/2019 of November 25, 20197. The Litigation Chamber also emphasizes that the reuse by a burgomaster of personal data collected in the course of his duties for the purposes of incompatible, is such as to undermine the foundations of democracy and equality between the candidates. 23. Under these conditions and on the basis of all the preceding elements, the Chamber of Deputies shall Litigation considers that the defendant, according to its own statements, processed data to personal character of the citizens of his commune, and in particular those of the complainant, in violation of section 5.1.b of the MDR (purpose limitation) of the MDR and section 6 of the MDR (lawfulness of the treatment). The Litigation Chamber also finds a violation of articles 25.1 and 25.2 of the 6 Processing of personal data for the purposes of personalized election propaganda and respect for life privacy of citizens: fundamental principles, https://www.autoriteprotectiondonnees.be/publications/note-juridique-sur-leselections.pdf. 7 See https://www.autoriteprotectiondonnees.be/citoyen/chercher?q=&search_category%5B%5D=taxonomy%3Apublications&sear ch_type%5B%5D=decision&search_subtype%5B%5D=taxonomy%3Adispute_chamber_substance_decisions&s=recent&l=25 (DEDF11-2019), pp. 5-6. Decision on the merits 53/2020 - 8/13 RGPD, under which it is the responsibility of the data controller to implement the measures appropriate technical and organizational measures to ensure that, by default, only the data to be used for the personal data which are necessary for each specific purpose of the processing are treated. 24. With regard to the sending of an email where all recipients are visible, the Chamber the defendant does not contest the facts and declares that the person acting as defendant does not contest the facts. under its authority made an error in the processing of the personal data of the The complainant "by failing to put in TCC the addressees "8 . Whether or not there was an error in the manipulation, the Contentious Chamber considers that there has been a violation of articles 32.1 and 32.4 of the RGPD9 and that these facts constitute a breach of security within the meaning of section 4.12 of the GDPR, such that denounced by the complainant in his complaint. The Litigation Chamber recalls that it is also responsible for the data controller to implement technical and organizational measures appropriate to ensure that, by default, only the data necessary for the purposes of each specific purpose, including from the point of view of their accessibility (s. 25.2 of the GDGR). The Chambre contentieuse also recalls that it is the responsibility of the controller to notify such data breaches to the competent authority when the conditions for the application of Article 33 of the RGPD are gathered together. In this case, no such notification has been introduced, which constitutes also an infringement of the GDMP. 25. In summary, in light of the inspection report and taking into account the Respondent's findings, the Litigation Chamber establishes the following violations of the GDR : - Violation of articles 5.1.a, 5.1.b) and 6.1 of the RGPD, given that by sending the disputed email, the defendant processed the plaintiff's personal data without a legal basis and in violation of the purpose for which these data were collected by the Secretariat of the mayor (answer his questions). - Violation of sections 25.1 and 25.2 of the MPR, which require the person responsible to processing to implement the appropriate technical and organizational measures to guarantee that, by default, only the personal data that are necessary to the with regard to each specific purpose of the treatment are processed. - Violation of articles 32.1 and 32.4 of the RGPD, since a person acting under the defendant's authority has sent the plaintiff's email contact information to third parties, in the context of of an e-mail where all the recipients were visible. Violation of article 33 of the RGPD being given that this data leak was not notified to the DPA. 8 Letter from Respondent to ODA Frontline Service, July 4, 2019. 9 In the same sense, see the decision of the Litigation Chamber ANO 2/2019 of April 2, 2019, see https://www.autoriteprotectiondonnees.be/citoyen/chercher?q=&search_category%5B%5D=taxonomy%3Apublications&sear ch_type%5B%5D=decision&search_subtype%5B%5D=taxonomy%3Adispute_chamber_substance_decisions&s=recent&l=2. Decision on the merits 53/2020 - 9/13 3. Corrective action 26. The Litigation Chamber has already had the opportunity to rule on cases of unlawful treatment of data for electoral purposes in the following cases : Decision 11-2019 of November 25, 2019; Decision 10-2019 of November 25, 2019; Decision 04/2019 of May 28, 2019 and Decision 30/2020 of November 8, 2019; Decision 10-2019 of November 25, 2019; Decision 04/2019 of May 28, 2019 and Decision 30/2020 of May 8, 2019. June 202010. 27. In these four cases, the Litigation Chamber imposed administrative fines, in particular for non-compliance with the principle of finality, enshrined in article 5.1.b of the GDMP. These were in these cases, the unlawful further processing for electoral purposes of data of a personal nature for the personal data collected (at least with regard to the e-mail address at issue on 22 May 2019) within the framework of the exercise of communal competences. The present case is part of this jurisprudence. 28. The Litigation Chamber considers that the breaches it has identified (infra, § 22) justify the imposition of administrative fines in accordance with articles 100, 13° and 101 of the ACL as well as 83 of the DPGR, and this taking into account the following. 29. First, the nature and seriousness of the breaches are taken into account (section 83, 1, (a) of the DPGR). Indeed, breaches of Articles 5.1.b (inconsistent subsequent treatment),5.1.a (lawfulness) and 6.1 of the GDPMR (unlawful processing) identified in this Decision constitute breaches of the fundamental principles of data protection. These include violations for which the maximum fine amounts are the highest (Section 83.5 of the RGPD). 30. Second, the Litigation Chamber considers that the quality of the defendant, at the time of the data collection, namely that of the mayor, and subsequently the quality of the time the litigious e-mail was sent11 , constitutes an aggravating circumstance at the time of the sending of the litigious e-mail. under section 83.2.k. In view of this role played by the defendant in public life, he could legitimately be expected to take the greatest care not to reuse data for personal use. collected through the secretariat of the city of which he had been mayor, and conduct an election campaign. 10 Available on the ODA website under the publications tab "Decisions of the Litigation Chamber", https://www.autoriteprotectiondonnees.be/citoyen/publications/decisions. 11 The Litigation Chamber notes the clarification made by the defendant in his letter of 6 July 2020 to the Chamber that he was no longer mayor at the time the disputed email was sent. The contentious Chamber notes information available to him, the defendant was at the time a member of the provincial legislature, a position he held until he was elected to the House of Commons. is still occupied in July 2019. The Litigation Chamber relies on public information available on the province represented by the defendant where the defendant's CV is described. In July 2019 and July 2020, the defendant signed its Letters to the Litigation Chamber as a Member of the Legislative Assembly of the province he or she represents. Decision on the merits 53/2020 - 10/13 in compliance with all applicable rules and, in this case, with the rules for the protection of data. 31. Finally, the Litigation Chamber takes note of the fact that the defendant exposes his good willingness to implement the DPGR, in that it states that it "sought the advice of an expert in the new legislation "to help him coach his team" in order to avoid any new mistakes in the future. of the kind" (see § 9 above). The Litigation Chamber cannot take into account the entry into force of the of the DPGR as a mitigating circumstance, as the observed violations of the purpose and principles of the lawfulness are not new elements in data protection legislation. personal. In its note on "Elections" published in the early 2000s on the website of the DPA and updated following the entry into force of the DPR12, the Data Protection Authority already mentioned the ban on reusing data extracted from the public sector (such as the National Registry, data from the list of people assisted by a CPAS, data obtained from the public health care system, a list of the exercise of an alderman's mandate, ...) or data from private sector files (client file of a company, list of members of an association, ...)". 32. These principles already formed the cornerstone of the Parliament Directive 95/46/EC European Parliament and Council of October 24, 1995 (art. 6.1.b and art. 6.1.a and 7), which the RGPD replaced. It The same applies to the obligation to implement organizational and security measures. under the old Directive (art. 17), which has been strengthened and clarified in the GDMP in article 32 in particular. 33. The Litigation Chamber further notes that according to the facts transmitted to it, the failed to communicate its findings to the plaintiff, or at least to reserve the right to make the proof that such a communication has been made (recommended or proof of sending an email). The mail the Litigation Chamber on September 25, 2019 indicated in a registered letter addressed to the defendant by the Each of the parties is required to submit its conclusions simultaneously. to the secretariat of the Litigation Chamber and to the other party". However, the plaintiff pointed out that he had not not received the conclusions of the defendant, who is therefore in default of at least providing proof of its full cooperation in this procedure. However, the defendant did receive the letter of September 25, 2019 inviting it to conclude by October 25, 2019 at the latest, and to forward its conclusions simultaneously to the other party. The defendant has acknowledged receipt of this letter. by letter dated October 14, 201913. The Litigation Chamber cannot therefore follow the defendant in 12 Processing of personal data for the purposes of personalized election propaganda and respect for life Citizen privacy: fundamental principles, https://www.autoriteprotectiondonnees.be/publications/note-juridique-sur-leselections.pdf. 13 The Litigation Chamber did send this registered letter dated 30-09 to the defendant's business address. Decision on the merits 53/2020 - 11/13 the statement that "I have never been asked or even advised to send in any conclusions to the complainant. The registered letter of the Litigation Chamber also offered the following the possibility for the defendant to ask for a copy of the file of exhibits, in which he could have reread his own statements to ensure the consistency of his own defence, which he did not do. 34. 34. The defendant did not follow the procedure communicated to him by registered mail. and by email. His response that he had not been informed of the obligation to send conclusions to the complainant is contrary to the facts. The Litigation Chamber is of the opinion that by this omission and erroneous denials of facts, the defendant did not provide full cooperation in the procedure, which constitutes an aggravating circumstance. 35. In his reply to the form of reaction to a proposed fine, the defendant shall argues mainly that the sending of this mail is the result of an error of its view of handling. In this respect, the Litigation Chamber recalls that such a mistake of manipulation, the if applicable, constitutes a security breach and as such a data breach within the meaning of Article 4.12 of the DP Regs that result in the defendant's liability for implementation adequate safety measures to avoid such errors (see § 20 above). The The Litigation Chamber notes, however, that there is no evidence in the file that the infringement would have been committed deliberately, on the instructions of the defendant. The Litigation Chamber therefore holds that the non-deliberate nature of the infringement as a mitigating circumstance. 36. The defendant's arguments do not change the fact that the personal data of the complainant and of all persons included in the "permanence" file were unlawfully processed, namely all persons calling on the mayor's secretariat (see above, §. 5). 37. Lastly, as regards the amount of the fine, the Litigation Chamber adopts the same criteria as for the those set out above to withhold the amount of EUR 5,000 in order to deter the defendant from repeating such failures. 38. With regard to the amount, the defendant points out that the amount of the fine seems to him disproportionate in view of the fact that, in his opinion, it is a handling error which would not have been brought no benefit. In this respect, the Litigation Chamber has no information at its disposal that could to reasonably assess the extent to which the processing of the data in the file Whether or not "permanence" positively influenced the outcome of the elections. The House 14 Letter of the Respondent to the Litigation Chamber of July 6, 2020. Decision on the merits 53/2020 - 12/13 cannot, therefore, accept this element put forward by the defendant as a circumstance that is not in dispute. mitigating factor within the meaning of section 83.2.k of the DP Regs. 39. Concerning the financial means, the defendant reports financial difficulties following a litigation in which he won and which caused him to incur significant legal costs again. undischarged. The Respondent points out that the amount claimed today by the Litigation Chamber would only add to these difficulties. The defendant does not, however, bring any element of a nature to statements, and does not propose to be at the disposal of the Litigation Chamber to this topic. The plaintiff bears the burden of proof for the elements he or she puts forward in response to the fine form. At this stage of the procedure, the Dispute Chamber decides not to reopen the case. debates on this point. 40. The contentious Chamber retains the quality of the defendant at the time of the facts (mayor, mayor of the town). then MLA), as an aggravating circumstance in the present case (see supra, § 5 and 30). Indeed, it is incumbent on every public agent to adopt exemplary conduct, including in relation to concerns the respect of the legislation regarding the protection of personal data. 41. For these reasons, the Litigation Chamber considers that it is appropriate to maintain the amount of the envisaged fine of EUR 5,000. 42. In view of the importance of transparency with regard to the decision making process and the decisions of the Litigation Chamber, this decision will be published on the Authority's website data protection by deletion of directly identifying data of the parties and the persons mentioned, whether they are individuals or legal entities. BY THESE REASONS, THE LITIGATION CHAMBER, Decides, after deliberation, to impose on the controller a fine of EUR 5,000 on the based on articles 100, 13° and 101 of the LCA and 83 of the RGPD, for all breaches of the law. (b) for failure to comply with section 5.1(b) of the MDR, and for failure to comply with section 5.1(a) of the MDR. and 5.1(b), 6.1, 25.1 and 25.2, 32.1 and 32.4 of the MDR read together. Decision on the merits 53/2020 - 13/13 This decision may be appealed against within thirty days from the date of the decision. notification, to the Market Court15 (article 108, § 1 of the LCA), with the Autorité de protection des given as a defendant. (Sé.) Hielke Hijmans President of the Litigation Chamber 15 The Court of Appeal of Brussels.
