APD/GBA (Belgium) - 73/2020: Difference between revisions
m (→Holding) |
m (Ar moved page APD/GBA - 73/2020 to APD/GBA (Belgium) - 73/2020) |
||
(6 intermediate revisions by 5 users not shown) | |||
Line 70: | Line 70: | ||
}} | }} | ||
The Belgian DPA (APD/GBA) | The Belgian DPA (APD/GBA) imposed an administrative fine of €1500 on a social housing company for breaching several fundamental principles and obligations of the GDPR. | ||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
The | The data subject lives in the social housing of the controller. | ||
Several cases are bundled in this one decision, the | Several cases are bundled in this one decision, the data subject raised several issues at different times: | ||
1) They exercised | 1) They exercised their right of access and said the controller wasn't sufficiently clear or thorough in the information they provided. | ||
2) The website of the | 2) The website of the controller wasn't sufficiently secure and the privacy policy was short and vague. | ||
3) There is no cookie policy nor is it clear if cookies are used. Consent for cookies was never asked. The retention period of personal data is never discussed. | 3) There is no cookie policy nor is it clear if cookies are used. Consent for cookies was never asked. The retention period of personal data is never discussed. | ||
Line 90: | Line 90: | ||
6) There is no mentioning of cameras in the privacy policy and there was no information upon installation of 4 cameras. | 6) There is no mentioning of cameras in the privacy policy and there was no information upon installation of 4 cameras. | ||
===Holding=== | ===Holding=== | ||
The | The DPA split the cases in several subtopics: | ||
- Privacy Policy & Right of Access | - Privacy Policy & Right of Access | ||
Line 119: | Line 105: | ||
- Processing through digital meters | - Processing through digital meters | ||
The DPA points out that, pursuant to [[Article 5 GDPR#2|Article 5(2)]] and [[Article 24 GDPR]], the person responsible for processing personal data must take appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing of personal data is carried out in accordance with the GDPR. In doing so, the | The DPA points out that, pursuant to [[Article 5 GDPR#2|Article 5(2)]] and [[Article 24 GDPR]], the person responsible for processing personal data must take appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing of personal data is carried out in accordance with the GDPR. In doing so, the GDPR requires, among other things, that the nature and scope of the processing as well as the risks for the data subjects are taken into account. These elements will play an important role in assessing whether and to what extent sanctions should be imposed. | ||
<b>1) Privacy Policy & Right of Access</b> | <b>1) Privacy Policy & Right of Access</b> | ||
Line 127: | Line 113: | ||
Because the data subjects are socially disadvantaged people, the language must be adapted to them to be clear and plain. | Because the data subjects are socially disadvantaged people, the language must be adapted to them to be clear and plain. | ||
The word "concise" in [[Article 12 GDPR | The word "concise" in [[Article 12 GDPR|Article 12(1) GDPR]], however, does not mean incomplete, all mandatory information from [[Article 13 GDPR]] must still be included. The contact details of the DPO must be filled in correctly as well. | ||
The | The controller does not fulfil their requirement of transparency by inadequately informing the data subjects. | ||
<b>2) DPO</b> | <b>2) DPO</b> | ||
Pursuant to [[Article 37 GDPR#5|Article 37(5) GDPR]], the DPO should be designated, inter alia, on the basis of | Pursuant to [[Article 37 GDPR#5|Article 37(5) GDPR]], the DPO should be designated, inter alia, on the basis of their in data protection law and practice. [[Article 37 GDPR#7|Article 37(7) GDPR]] provides that the contact details of the DPO shall be disclosed and communicated to the supervisory authority. These two requirements were not fulfilled. The choice for the DPO was not sufficiently motivated (in light of a tender) and the DPO wasn't communicated to the data subject as a single point of contact. | ||
Furthermore, the contact to the DPO must be direct, and not through several parts of an organisation as this can dissuade people from contacting the DPO. | Furthermore, the contact to the DPO must be direct, and not through several parts of an organisation as this can dissuade people from contacting the DPO. | ||
Lastly, the DPO was not properly involved in all data protection manners, which means the | Lastly, the DPO was not properly involved in all data protection manners, which means the controller breached [[Article 38 GDPR#1|Article 38(1) GDPR.]] | ||
<b>3) Cookie policy</b> | <b>3) Cookie policy</b> | ||
For a Google-DoubleClick.net cookie, no consent was asked. In the | For a Google-DoubleClick.net cookie, no consent was asked. In the [[CJEU - C-673/17 - Planet49|Planet49]] judgment, the Court of Justice ruled that information must be provided by the person responsible for processing in order to place cookies. The information provided must show for how long the cookies will remain active and whether third parties can also have access to those cookies. This is necessary in order to guarantee proper and transparent information. | ||
The consent requirement does not apply to the technical storage of information. Even if the placement of cookies is necessary for the provision of a service expressly requested by the subscriber or end user, the consent requirement does not apply. | The consent requirement does not apply to the technical storage of information. Even if the placement of cookies is necessary for the provision of a service expressly requested by the subscriber or end user, the consent requirement does not apply. | ||
Line 149: | Line 135: | ||
<b>4) Processing of health data</b> | <b>4) Processing of health data</b> | ||
The e-mail exchanges between the parties show that the | The e-mail exchanges between the parties show that the data subject voluntarily informed the controller of his health situation and indicated that he could provide the controller with another medical certificate if necessary. The processing of sensitive information was necessary for purposes of [[Article 9 GDPR#h|Article 9(2)(h) GDPR]]. | ||
<b>5) CCTV surveillance</b> | <b>5) CCTV surveillance</b> | ||
The | The data subject argues that there is camera surveillance in several residential units of the apartment. According to the data subject, the privacy policy does not mention anything about camera surveillance. The data subject also wants to know the legal basis and purpose of this processing. | ||
In the renting agreement, cameras are mentioned but nothing more. The cameras were installed for safety, on request of some residents and are legally registered. The DPA determined that it wasn't clear why the cameras were installed exactly nor do the elements brought up suffice to determine if the cameras are compliant to the the law on cameras. | In the renting agreement, cameras are mentioned but nothing more. The cameras were installed for safety, on request of some residents and are legally registered. The DPA determined that it wasn't clear why the cameras were installed exactly nor do the elements brought up suffice to determine if the cameras are compliant to the the law on cameras. | ||
Line 159: | Line 145: | ||
No register of camera processing was kept (article 6 § 2 Camera law) nor was the retention period of 30 days respected (article 6 § 3 Camera law). | No register of camera processing was kept (article 6 § 2 Camera law) nor was the retention period of 30 days respected (article 6 § 3 Camera law). | ||
The DPA found a violation of the requirement to keep a register of processing activities of [[Article 30 | The DPA found a violation of the requirement to keep a register of processing activities of [[Article 30 GDPR|Article 30 GDPR]] and storage limitation [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. | ||
<b>6) Digital meters</b> | <b>6) Digital meters</b> | ||
The | The data subject complains that the controller uses digital consumption meters and thus records the consumption of the tenants and unlawfully processes data about that consumption without a valid legal basis. The data subject indicates that they had not given their consent to the processing of data relating to their consumption of gas and electricity. | ||
During the hearing, the | During the hearing, the controller indicated that the digital meters are linked to the address. In this way, it is read how much has been consumed at a certain address. This data is also passed on to a third party (local company) with whom there is a processing agreement. That company reads out the consumption. The controller receives a list of this and links it to the tenant files, according to the controller. | ||
On the basis of [[Article 6 GDPR]], the person responsible for processing personal data must have a legal basis in order for the processing to be lawful. On the basis of [[Article 24 | On the basis of [[Article 6 GDPR]], the person responsible for processing personal data must have a legal basis in order for the processing to be lawful. On the basis of [[Article 24 GDPR|Article 24]] and [[Article 25 GDPR]], the controller must therefore take appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing takes place in accordance with the GDPR. | ||
In doing so, the data controller must effectively implement the principles of data protection, protect the rights of the data subjects and only process personal data that is necessary for each specific purpose of the processing. Based on these facts and documents, the DPA finds that the | In doing so, the data controller must effectively implement the principles of data protection, protect the rights of the data subjects and only process personal data that is necessary for each specific purpose of the processing. Based on these facts and documents, the DPA finds that the controller has not been able to demonstrate that any privacy policy has been developed with respect to the digital remote reading of meter readings. Moreover, it is unclear on what legal basis the data are processed in accordance with [[Article 6 GDPR]]. This constitutes a breach of [[Article 6 GDPR]]. | ||
The data subject indicates that they had not given permission for the processing. The controller does not invoke any other legal grounds for the processing. In addition, the DPA inds in this case a violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] now that it appears from the above that the personal data are not processed in a lawful, proper and transparent manner. The controller indicates that a third party reads out the consumption data and forwards them to the controller. The DPA points out that according to [[Article 28 GDPR#3|Article 28(3) GDPR]] the processing by a processor should be regulated in a contract between the controller and the processor. | |||
<b>Sanction</b> | <b>Sanction</b> | ||
Line 177: | Line 163: | ||
The DPA considers it particularly necessary in this case to give a strict interpretation to the (optional) exemption from administrative fines provided for in Article 83(7) for "government bodies and agencies". Moreover, the article does not allow Member States to define the concept of "public authorities and public bodies". It is therefore a concept of Union law that must be given an autonomous and uniform meaning. It is therefore only up to the Union institutions, in particular the Court of Justice, to define the limits of that concept. | The DPA considers it particularly necessary in this case to give a strict interpretation to the (optional) exemption from administrative fines provided for in Article 83(7) for "government bodies and agencies". Moreover, the article does not allow Member States to define the concept of "public authorities and public bodies". It is therefore a concept of Union law that must be given an autonomous and uniform meaning. It is therefore only up to the Union institutions, in particular the Court of Justice, to define the limits of that concept. | ||
In the opinion of the DPA, a private law organization such as the | In the opinion of the DPA, a private law organization such as the controller's housing company does not fall under this category, even though this organization carries out tasks in the public interest in the field of social housing. | ||
On these grounds, the DPA orders the | On these grounds, the DPA orders the controller to become complaint within 3 months, to inform the DPA about this as well and to pay an administrative fine of €1500. | ||
==Comment== | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
Line 190: | Line 176: | ||
<pre> | <pre> | ||
1/31 | |||
Dispute room | |||
Decision on the substance 73/2020 of 13 November | |||
2020 | |||
File reference : DOS-2018-04368, DOS-2018-06611, DOS-2019-02464, DOS-2019- | |||
04329, DOS-2020-00543 and DOS 2020-00574. | |||
Subject: Complaints against the social housing company for failure to comply with | |||
several principles of data processing, including those of lawfulness, and | |||
transparency. | |||
The Litigation Chamber of the Data Protection Authority, composed of Mr Hielke | |||
Hijmans, Chairman, and Messrs Dirk Van Der Kelen and Jelle Stassijns, Members; | |||
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 | |||
on the protection of individuals with regard to the processing of | |||
personal data and on the free movement of such data and repealing directive | |||
95/46/EC (general data protection regulation), hereinafter AVG; | |||
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter | |||
WOG; | |||
Having regard to the Internal Rules of Procedure approved by the Court of Auditors of | |||
Members of Parliament on 20 December 2018 and published in the Moniteur belge on | |||
15 January 2019; | |||
Having regard to the documents in the file; | |||
. | |||
. | |||
. Decision on the substance 73/2020 - 2/31 | |||
has taken the following decision on: | |||
- The complainant: Mr X | |||
- The defendant: Y Housing company . | |||
1. Facts and procedure | |||
1. At various points in time, the Complainant submitted a total of six complaints against | |||
defendant. Since the defendant, who is also the person responsible for processing, in all files | |||
is the Y Housing Company, the complaints will be dealt with jointly. The | |||
The Inspectorate has issued an inspection report on the first three complaints. | |||
Complaint 1: DOS-2018-04368, Right of inspection | |||
2. This complaint was lodged on 19 November 2018 and declared admissible by the | |||
First-line service on 14 January 2019. The complaint concerns the exercise of the right to | |||
access by the defendant in accordance with Article 15 of the AVG. | |||
3. On 4 October 2018, the complainant requested access to all the information that the defendant had obtained from him. | |||
processed since his registration as candidate tenant. In doing so, the complainant has processed a number of | |||
questions put to the defendant. Those questions concern the purposes of the processing, the | |||
categories of personal data, the recipients or categories of recipients to whom | |||
the data are provided and in particular the recipients abroad, the | |||
retention periods, question or right to rectify or erase personal data | |||
exists, the source of data in the case of indirect data collection, and finally the | |||
the question of automated decision-making. | |||
4. In response to this request, the complainant received a document called Extract | |||
Personal details Candidate - tenant Y Housing CVBA. The personal data provided on | |||
the extract includes the following: name, address and place of residence as well as | |||
the national register number, bank account, e-mail address, income details and | |||
telephone number. The same extract states that personal data will only be used for the following purposes | |||
shared with "authorised parties". In his complaint, the complainant asks who | |||
which are authorised parties, what is the function of the personal data on the extract | |||
and what purpose the extract serves. The defendant claims to use these data; | |||
However, the complainant wonders how and for what purposes the various data | |||
are processed. Decision on the merits 73/2020 - 3/31 | |||
5. Furthermore, the complainant considers that the defendant does not make it clear and unambiguous | |||
how, inter alia, the right of rectification and erasure of data can be addressed to data subjects | |||
shall be exercised. In addition, the complainant notes that the legal texts and relevant | |||
documents are difficult to find and consult. | |||
Complaint 2 : dos-2018-06611, Website [...] | |||
6. The second complaint was lodged on 20 November 2018 and declared admissible on 14 January. | |||
2019. This complaint concerns the website [...]. The complainant complains that the website | |||
does not comply at all with privacy legislation. According to the complainant, the website is inadequate | |||
secure, as an http connection is used instead of a | |||
https connection while, according to the complainant, confidential information is being processed. At the | |||
use of an https connection, according to the complainant the data is encrypted at the time of the | |||
send it. In addition, a non-secure website (which uses an http- | |||
connection) subject to possible external attacks, according to the complainant. The complainant asks | |||
wonder what mechanisms are in place by the defendant to deal with possible attacks | |||
to avert them. According to the complainant, no explanation or information is given anywhere about how the | |||
data will be secured. The part of the website where you can log in to see | |||
at which point on the waiting list the prospective tenant also goes via a | |||
unsecured http connection, according to the complainant. Requesting a new password to be entered in | |||
logging via the same http connection and, according to the complainant, is totally against the | |||
principles of data protection. | |||
7. According to the complainant, the forms used on the website are also as follows | |||
unsecured. Secure forms should be used in order to make everything | |||
more orderly and streamlined. | |||
8. According to the complainant, nowhere is it made clear whether and to what extent use is made of | |||
made from Google Analytics. | |||
9. The complainant claims that the defendant also uses cookies on the website [...] (see also the | |||
separate complaint on this subject: complaint 3). According to the complainant, there is no indication of what the | |||
cookies are used, with what content and who their recipients are. | |||
In addition, there is no possibility of rejecting cookies. There | |||
in addition, according to the complainant, use is made of 'keywords' and 'description' of the | |||
website which, according to the complainant, indicates that the defendant wishes to be found through | |||
search engines. This will lead to more visitors on an unsecured website. Decision on the merits 73/2020 - 4/31 | |||
10. According to the complainant, the privacy statement is of a very general nature and refers to | |||
legislative texts, deliberations, etc., without indicating where to find them, and | |||
can be consulted. According to the complainant, the defendant is attempting to avoid the liability of | |||
to disclaim the use of a disclaimer by stating that the website should not be | |||
visits in the event of disagreement with the defendant's general terms and conditions. | |||
11. With regard to the protection of personal data, the privacy statement shall | |||
indicate that the data collected will be processed for the purposes of efficient and | |||
correct composition of the file and that it is stored in the files of | |||
Y Housing and that of the Vlaamse Maatschappij voor Sociaal Wonen. Here is according to | |||
there is no uniformity and consistency between the complainant. | |||
12. The Complainant further complains about the fact that the information on the website of | |||
the defendant is completely incomprehensible and unclear. He points out that most | |||
(candidate) tenants of a social housing company such as that of the defendant | |||
belong to vulnerable groups of persons for whom it is difficult to obtain this information | |||
is fathom. | |||
13. Finally, the complainant asks what other personal data are collected from | |||
visiting the website, through whom it is done and how it is done. The complainant also points out | |||
once on 'GO4it media group' which is the operator of the defendant's website. Complainant | |||
notes that that website does use https security. | |||
Complaint 3 DOS-2019-02464, Website www.[...].be | |||
14. The Complainant filed a complaint on 1 July 2019. The complaint was admissible on 3 July 2019. | |||
declared by the First Line Service. | |||
The complainant complains about the website [...] used by the defendant. According to the complainant | |||
the website does not comply with current privacy legislation. The complainant states that the only thing there is | |||
in function of data protection, a document called "privacy policy" is a | |||
contains very brief text. The complainant indicates that it is a new additional website of | |||
concerns the defendant. The complainant is disturbed that there is no correct and complete | |||
There would be a privacy statement and there would be no cookie policy either. | |||
16. The complainant states that personal data are collected by means of a web form. Also | |||
a number of preferred themes should be passed on and agreed upon | |||
with the defendant's privacy statement, according to the complainant. In addition, according to the complainant | |||
use of cookies from Google Analytics and others. In addition, the Complainant complains that Judgment on the merits 73/2020 - 5/31 | |||
no indication is given as to which third parties are involved in the processing of the | |||
content of the web forms. | |||
17. Personal data are stored and, according to the complainant, no indication is given as to how long | |||
the data are kept and for which they will be used. According to | |||
Neither does the complainant indicate how and by whom the data will be processed. | |||
Complaint 4 DOS-2019-04329, Processing medical data | |||
18. This complaint was lodged on 16 August 2019 and declared admissible on 30 September. | |||
2019. The complainant complains that the defendant has provided personal data, and in particular | |||
medical data, are processed and these processes are carried out in violation of the AVG. In order to be able to | |||
to be eligible for a ground floor/adapted dwelling the complainant has medical | |||
provides information to the defendant. From the annexes, it appears that the complainant will receive a medical certificate | |||
mailed to the defendant so that his housing preferences could be adjusted. Defendant | |||
replied to that e-mail that the housing preferences following the submission of the | |||
medical certificate would be adapted to ground floor residences only. On | |||
the list of documents to be produced at the time of registration includes medical certificates | |||
mentioned. According to the complainant, it is completely unclear what the processing purposes are. | |||
The complainant argues that the processing of health data in the present case is contrary to the articles. | |||
5, 6, 12 and 13 AVG. Also in this complaint, the complainant discusses the general privacy policy of | |||
Defendant reiterating that the defendant has violated privacy laws | |||
violates the policies being pursued. | |||
Complaint 5 DOS-2020-00543, Use digital meters | |||
19. The complaint was lodged on 23 January 2020 and declared admissible on 4 February 2020. | |||
On 10 January 2020, the complainant received a letter from the defendant called | |||
"interim review - consumption of gas. On the document you can read what the consumption is on | |||
heating and hot water over the last two months. The complainant does not claim | |||
to have given consent to the defendant to process his consumption data. | |||
Consumption of gas and electricity is recorded by the defendant without the plaintiff | |||
The complainant stated that he knew, let alone gave his consent. According to the complainant | |||
unnecessary processing as customers can pass on the meter readings themselves. | |||
In an email dated 20 January 2020 from the email address [...], the defendant writes that | |||
the data is read automatically and sent to the defendant via an Internet connection | |||
are sent. Decision on the merits 73/2020 - 6/31 | |||
Complaint 6 DOS-2020-00574, Use of surveillance cameras | |||
20. The complainant submitted a complaint on 30 January 2020, which was admissible on 4 February 2020. | |||
was declared by the First Line Service. The complainant alleges that the defendant's personal data | |||
Processed by means of various fixed cameras in various residential entities. There are | |||
according to the complainant 4 security cameras placed on the roof, 2 in the common | |||
entrance halls and 1 in the communal basement entrance. About the use of the cameras | |||
According to the complainant, the privacy policy does not mention anything. The rental agreement contains | |||
according to the complainant, only the use of surveillance cameras is reported. The complainant also requests | |||
this processing to know the legal basis and the purpose. | |||
Continuation of the procedure | |||
21. The Inspectorate was set up on 7 June 2019 with regard to complaints 1 to 3 . 1 | |||
22. On 9 August 2019, the Inspectorate wrote a letter with questions to the | |||
defendant. | |||
23. The letter contained questions to the defendant, in which the Inspectorate identified possible infringements of | |||
wished to examine and improve Articles 5, 6, 12, 13, 15, 24, 37, 38 and 39 of the AVG | |||
wishes to gain insight into the complaints. | |||
24. The inspectorate requested the following information in relation to the defendant: | |||
(a) The communication from the defendant to the complainant concerning the request for access to | |||
the complainant, and the opinions thereon delivered by the Data Protection Officer | |||
of the defendant. | |||
b.) As regards the privacy policy of the website [...] , a copy of the decisions that | |||
were taken on the privacy policy which can be consulted on the website, as well as | |||
copy of the opinions of the Data Protection Officer on the | |||
privacy policy on the website. | |||
(c) Copy of the decisions concerning legal information and the disclaimer on the website | |||
of the defendant and a copy of the official's opinions for | |||
data protection on this information and the disclaimer. | |||
1 | |||
Concerning DOS-2018-06611, DOS-2018-04368 and DOS-2019-02464. Decision on the merits 73/2020 - 7/31 | |||
d.) Copy of the register of processing operations. | |||
e.) A reasoned and documentary reply to the question whether the defendant | |||
has or does not have a data protection officer. If so, did the | |||
inspectorate to receive an organisation chart showing the place of the official | |||
for data protection, his title and the tasks he carries out, including | |||
orders not related to data protection. | |||
25. On 2 July 2019, the Inspectorate received a reply to its letter of 7 June 2019. At | |||
the reply was annexed to a letter from the defendant dated 25 October 2018 | |||
in response to the complainant's request of 4 October 2018 for access to his file, to | |||
to obtain the defendant. The response shall contain an extract of personal data from | |||
the prospective tenant, in this case the complainant. The extract contains the name, address and | |||
residence details as well as the national register number, bank account, e-mail address, income | |||
and telephone number. | |||
26. In addition, a privacy datasheet has been added as an appendix which states that | |||
information and personal data are kept of (candidate) tenants to see | |||
whether a person is entitled to social housing. The information which, according to the defendant | |||
kept are: identification data, national register number, address and | |||
contact details, family composition, language knowledge, financial data, ownership details, | |||
and, in some cases, accompanying services. It is mentioned that the | |||
data are kept for 10 years, in accordance with the Archives Act. | |||
27. The defendant also indicated that it queried a number of bodies in order to obtain data on the following | |||
obtain. These bodies are : | |||
a) Federal Public Service Finance: data on taxable income and | |||
ownership data; | |||
(b) National Register: national register number, surname and forenames, date of birth, gender, | |||
main residence and history, the place and date of death, civil | |||
State, composition of the family, nationality and history, legal | |||
cohabitation, the register of registration and legal capacity; | |||
c) Federal Public Service Social Security: data on living wage; | |||
d) Flemish Agency for Integration and Integration: data on integration and | |||
linguistic readiness; decision on the merits 73/2020 - 8/31 | |||
(e) VREG (independent authority of the Flemish energy market): housing data on | |||
the energy value of social housing. | |||
28. On 9 July 2019, following the replies it received on 2 July | |||
2019 received from the defendant, in response to its questions, provisional findings and | |||
supplementary questions put to the defendant. The provisional findings of the | |||
The Inspectorate was as follows : | |||
a. The defendant does not have at his disposal any advice given by the official for | |||
data protection has been provided in relation to the complainant's request for access; | |||
b. The defendant does not have access to opinions of the Data Protection Officer. | |||
concerning the privacy policy on the website [...] ; | |||
c. Respondent does not have at his disposal decisions taken on privacy policy | |||
on the website; | |||
d. The copy of the processing register does not contain the name and contact details of the | |||
controller and data-processing official and shall include | |||
nor the processing purposes; | |||
e. The defendant does not explain the duties and powers of the official for | |||
data protection. | |||
29. The Inspectorate also put further questions to the defendant about the | |||
Data Protection Officer. For example, a copy of the | |||
documents justifying the choice of that person as | |||
Data Protection Officer, the date of notification to the | |||
Data protection authority of that Data Protection Officer and finally | |||
a copy was requested of the documents proving the effective exercise of | |||
his mission appears to be, more specifically, advice, correspondence and the like. | |||
30. By email of 8 August 2019, the defendant's response to the temporary injunction was made public. | |||
the inspectorate's findings. The response contains a number of annexes including | |||
email correspondence between the defendant and the data protection officer who | |||
works at Infosentry. This e-mail is referred to as advice from the officer for | |||
data protection on the complaint. | |||
31. As a privacy policy communication requested by the Inspectorate, | |||
the defendant sent an e-mail from the Vlaamse Maatschappij voor Sociaal Wonen (VMSW) (Flemish Social Housing Company) | |||
enclosed. The mail contains the message that the VMSW has new privacy statements for customers Decision on the merits 73/2020 - 9/31 | |||
of social housing companies. This is an e-mail addressed to all | |||
social landlords. In addition, general information sheets have always been added. | |||
32. It should also be noted that the processing register has been amended as a result of | |||
of the Inspectorate's temporary findings. | |||
33. The Inspectorate's questions to the defendant concerning the designation of the | |||
Article 37 AVG Data Protection Officer (outside the scope) | |||
were also answered. It was indicated that the appointment of the official for | |||
data protection was carried out on the initiative of the VMSW, which, by means of a call for tenders, issued an | |||
had concluded a framework agreement with the company Infosentry NV. | |||
34. The defendant points out in this connection that : The defendant points out in this connection that: "The companies could, on their own initiative | |||
subscribe to the services of Infosentry NV, which offers all its employees on top of an | |||
minimum experience is also required to obtain a minimum number of certificates in the | |||
domain of knowledge of data protection'. | |||
35. The date of notification of the Data Protection Officer shall be 25. | |||
May 2018. The defendant points out that it has submitted a new notification to the GBA | |||
in which another person was registered as an official. The latter is according to | |||
Therefore, the defendant is the actual Data Protection Officer. | |||
36. On 16 September 2019, the Inspectorate made its report to the Disputes Chamber | |||
on the basis of Article 92, 3° of the WOG. | |||
37. The inspection report shall identify potential breaches of Articles 5, 6, 12, 13, 15, 30, 31, | |||
32 and 37 to 39 of the AVG. | |||
38. The Inspectorate finds that the defendant has failed to comply with the obligations imposed by Articles 5 | |||
and 6 of the AVG. The Inspectorate has now reached the following conclusion | |||
the answers given by the defendant do not show any justification as to which decisions there are | |||
have been taken concerning the legal info / legal disclaimer and general terms and conditions | |||
2 | |||
on the webpage [...] | |||
2 | |||
See page 3 of inspection report DOS-2018-006611 document 21. Decision on the merits 73/2020 - 10/31 | |||
39. In addition, the defendant acknowledges that no advice was given by the officer for | |||
data protection since, in the defendant's view, that advice is not normally covered by | |||
the duties of the official. | |||
40. Nor do the replies of the defendant indicate what decisions were taken | |||
on those parts of the website [...] which involve the processing of personal data | |||
Facilitate such as the contact page. | |||
41. According to the Inspectorate, the privacy policy Y Housing is not transparent and not | |||
understandable to those concerned. It is not made clear what happens to the | |||
personal data obtained. According to the Inspectorate, the privacy policy is confusing and | |||
contains all kinds of concepts that are incomprehensible to those concerned. In addition, the | |||
policy indicating that in the event a data subject contacts the defendant and does so | |||
via an electronic medium other than the website, the privacy statement of that other | |||
medium has priority. According to the Inspectorate, this also indicates that there are no | |||
Transparency is towards those involved. | |||
42. The Inspectorate points out that, despite its express request, it did not | |||
has received opinions from the defendant from the Data Protection Officer. | |||
43. According to the Inspectorate, technical investigations have shown that use is being made of | |||
made from cookies on the website [...] . One of these concerns a necessary technical | |||
cookie called "hs_js" and another, a marketing cookie called "IDE" originating | |||
from Google-Doubleclick. No permission is asked for the latter cookie | |||
to the visitors of the website. The processing of personal data which, in that context | |||
takes place, is therefore, according to the Inspectorate, unlawful. | |||
44. With regard to Articles 12, 13 and 14 of the AVG, the Inspectorate also has | |||
infringements detected. The service comes to these findings as the Annex Internal | |||
rental regulations annex 11 which is not related to the privacy policy of the defendant | |||
is transparent and comprehensible to those concerned, thus infringing Article 12.1 | |||
AVG is established by the Inspectorate. It is not made clear what should | |||
various terms used in that Annex shall be understood to mean | |||
11. The contact details of the data protection officer of the defendant | |||
are missing. The processing purposes and the legal basis for the processing are lacking. | |||
Finally, the data subjects are not made aware of the right of access, according to the Court. | |||
Inspectorate. Decision on the substance 73/2020 - 11/31 | |||
45. As of 1 July 2019, an amended privacy policy has been published by the defendant on its website. | |||
3 | |||
website. The document containing the defendant's privacy policy is, according to the | |||
Inspectorate not transparent and comprehensible to those concerned and therefore not satisfactory | |||
meet the requirements of Article 12.1 AVG. In addition, not all information provided in accordance with the | |||
Articles 13 and 14 of the AVG are actually prescribed in the privacy policy. | |||
described. Different terms are used interchangeably and the contact details | |||
of the Data Protection Officer is missing, according to the inspection report. | |||
46. In response to the complainant's request for access on the basis of Article 15 AVG, the defendant | |||
reacted by sending, inter alia, a document called "GDPR". Also this | |||
document is neither transparent nor comprehensible, according to the Inspectorate, to | |||
involved, as a result of which the defendant does not meet the requirements set out in Article 12.1 AVG. | |||
According to the Inspectorate, the answer does not meet the requirements of Article 15.1 AVG either. | |||
The obligatory information to be stated, such as stating the recipients of the | |||
personal data is missing. | |||
47. An infringement of Articles 28 and 30 was also found by the Inspectorate and | |||
for the following reasons. The defendant has indicated that a company called | |||
C-Works designed the website [...]. Via that website, personal data of | |||
tenants collected and processed. The defendant does not regard the company as a processor. It | |||
it is not clear to the inspectorate, in view of the information provided, whether | |||
a processor and whether there is thus a processor's contract in accordance with Article 28 of the CMR | |||
should have been closed. | |||
Additional findings ( outside the scope of the complaints ) | |||
48. The obligations imposed by articles 37.5 and 37.7 of the AVG are, according to the | |||
Inspectorate not complied with by the defendant. The justification for the choice of the | |||
The data protection officer shall not be given by the defendant. Defendant | |||
indicates only that this was done on the initiative of VMSW which, by means of a call for tenders, issued a | |||
had a framework agreement with Infosentry. The contact details of the official for | |||
data protection is also not disclosed and this implies a breach of | |||
Article 37.7 AVG according to the Inspectorate. | |||
49. Finally, the Inspectorate has established that the obligations set out in Articles 38.1 and 38.3 | |||
AVG are also not being complied with by the defendant. From the various documents provided by the | |||
3 | |||
Decision on the substance 73/2020 - 12/31 | |||
Inspectorate received from the defendant it may be concluded that the | |||
No opinion was sought from the Data Protection Officer for, inter alia, the | |||
processing of personal data via the website [...]. | |||
Treatment on the merits by the Dispute Chamber | |||
50. On 21 March 2020, the Dispute Settlement Chamber shall inform the parties that the six individually | |||
Complaints submitted will be joined and the Chamber of Disputes will decide on | |||
on the basis of art. 95, §1, 1° and art. 98 of the WOG that the dossier is ready to be processed at the end of the year. | |||
ground. The parties shall also be notified of the | |||
time limits for submitting their defences. The final date for receipt of the | |||
conclusion of the defendant's response was thereby recorded on 26 March 2020, that | |||
for the conclusion of the reply of the complainant of 27 April 2020 and the conclusion of | |||
Reply of the defendant on 27 May 2020. | |||
51. On 26 March 2020, the Data Protection Officer, employed by | |||
the company Infosentry, on behalf of the defendant, by e-mail in the form of order sought by the defendant, | |||
in which he also expresses his desire to be heard. | |||
52. On 19 August 2020, the parties were informed that the oral hearing would | |||
take place on 23 September 2020. | |||
53. On 23 September 2020, the parties will be heard by the Chamber of Disputes. | |||
54. The minutes of the hearing will be presented to the parties on 29 September 2020. | |||
55. On 2 October 2020, the Data Protection Officer, on behalf of the defendant, issued an | |||
send a response to the minutes to the Chamber of Disputes, stating that | |||
4 | |||
asked for a number of corrections to be made to the minutes. | |||
56. On 8 October 2020, the complainant replied to the official report by e-mail. The complainant replied in | |||
his reaction to the official report is a detailed reiteration of his earlier arguments. The | |||
The Dispute Settlement Chamber points this out, as already mentioned at the hearing, | |||
no new facts can be added as the debates have already taken place | |||
closed. The official report is only sent to see if everything is correct. | |||
4 | |||
See e-mail of 2 October 2020 with feedback on DPO Cranium's official report on behalf of the defendant to the Chamber of Disputes. Decision on the merits 73/2020 - 13/31 | |||
displayed. Therefore, the arguments put forward after the closure of the debates will not | |||
5 | |||
will be taken into account in the decision. | |||
57. In its conclusions of 26 March 2020, the defendant acknowledges that, with regard to the legal information / | |||
legal disclaimer no opinions have been issued by the officer for | |||
data protection. It should be noted that the document will be | |||
removed as it does not contain any conditions attached to the exchange of | |||
personal data shall apply. | |||
58. As regards the Inspectorate's findings concerning the website [...] responds | |||
defendant as follows : "With regard to the technical examination carried out on the website | |||
Y Housing rests in the fact that findings made by the Inspectorate | |||
are correct and a marketing cookie did work on the web page. Considering | |||
the one-off event that was organised and the brief use of the website is Y | |||
Housing continued in good faith on explanation of the website builder (Go4IT), a | |||
e-mail to substantiate this was attached as a document to the previous file, which does not contain cookies. | |||
were active on the website. Y Housing acknowledges that not submitting the website | |||
a test on this can constitute a reprehensible omission and learns the necessary lessons from it. | |||
for the future. “ | |||
59. The defendant further states that it has taken note of the findings of the | |||
Inspectorate for the establishment of transparent information, communication and | |||
detailed arrangements for exercising the rights of the person concerned (Articles 12 and 13) | |||
AVG). The defendant indicates that it will amend the privacy statements. | |||
60. With regard to the findings concerning the right of inspection in Article 15 of the AVG, the following replies are given | |||
Defendant as follows. The defendant states that it is always seeking to ensure transparency and transparency. | |||
provide clear information in response to questions received from her (candidate) | |||
tenants. The defendant then states that it "to the best of its ability, the necessary documentation | |||
has transmitted, following the exercise of the right of access of the person concerned, acknowledges the | |||
society that some elements of this document may not be fully clear after | |||
its first reading. As a modest SME, it is the first time that Y Housing | |||
was faced with such a request. The organisation recognises that areas for improvement and | |||
efficiency gains would be possible if such a request were to recur". | |||
5 | |||
E-mail from the complainant to the Chamber of Disputes of 8 October 2020 following the minutes of the hearing. Decision on the merits 73/2020 - 14/31 | |||
61. The defendant points out that it is open at all times to questions from and communication with | |||
(candidate) tenants. The defendant was ignorant of the circumstance that | |||
the document contained ambiguities and would rather expect the complainant to first | |||
had communicated to the defendant before lodging a complaint. | |||
62. The defendant indicates that it has taken note of the Inspectorate's findings. | |||
concerning the register of processing operations. The register has now been updated | |||
according to the defendant. | |||
63. The defendant concludes as follows : | |||
"In conclusion, Y Housing stresses that the necessary efforts to be made in | |||
The AVG has been delivered in conformity with the AVG. Furthermore, Y Housing acknowledges | |||
the importance of the protection of personal data and the role played by the | |||
Data protection authority has a role to play here. Nevertheless, Y Housing | |||
In recent weeks and months, this procedure has had to undergo most of all. Although Y | |||
Housing always tries to accommodate its (prospective) tenants in the most suitable way. | |||
comply with the necessary legislation, while also being in contact as far as possible | |||
with stakeholder organisations, it has been shown that, as a modest social | |||
rental company required an excessive workload, and financial effort, to | |||
deal with this administrative procedure to the necessary level of detail. With this | |||
Consideration Y Housing would like to stress once again the importance of being heard | |||
in this case." | |||
64. By email of 23 October 2020, the Chamber of Disputes notifies the defendant of the | |||
intention to impose an administrative fine as well as the amount of the | |||
fine and the possibility for the defendant to communicate his defences in this respect. | |||
65. On 30 October 2020, the defendant replied by email to the intention to impose an injunction. | |||
fine. The Dispute Chamber points out in this regard that there can be no new facts. | |||
be added as the debates were already closed. The reaction of | |||
In summary, the defendant is as follows: The amount of the fine, according to the defendant, is as follows | |||
high. The defendant indicates that these are difficult times for them financially. That is why | |||
the defendant would have been compelled, inter alia, to sell dwellings in order to | |||
to be able to continue. This has a direct impact on their target group, namely the | |||
weaker members of society, according to the defendant. The defendant shares the view of the | |||
Litigation chamber on the (in)accessibility of the Data Protection Officer Decision on the merits 73/2020 - 15/31 | |||
does not. According to the defendant, the official can be reached in the manner prescribed by | |||
the AVG. The defendant states that the positive result of EUR 528,355 such as | |||
included in the penalty form is incorrect and adds other figures. As regards the | |||
Infringements detected in relation to the surveillance cameras, the defendant pleads | |||
largely in the opinion of the Dispute Settlement Chamber, but with the | |||
addition that the images were not consulted by the defendant but were merely consulted | |||
saved. | |||
2. Reasons Dispute Chamber | |||
66. In view of the number and size of the cases submitted, the Litigation Chamber assesses the following | |||
complaints, for reasons of procedural economy, the degree to which they are well-founded, to | |||
the subject of the complaint. Consequently, complaints 1 to 6 will not be included in those | |||
order but shall be grouped under the themes to which they relate | |||
belong. The themes which are the subject of the various complaints and | |||
on which the Chamber of Disputes will give its verdict are the following: | |||
- privacy policy & right of access in accordance with article 15 AVG (section 2.1) | |||
- data processing officer (section 2.2) | |||
- cookie policy (section 2.3) | |||
- health data processing (section 2.4) | |||
- camera law (section 2.5) | |||
- processing by means of digital meters (section 2.6) | |||
67. The Dispute Chamber points out that, pursuant to the articles, the controller | |||
5.2 and 24 AVG must take appropriate technical and organisational measures to | |||
ensure and be able to demonstrate that the processing of personal data in | |||
be carried out in accordance with the AVG. In doing so, the AVG requires, among other things | |||
account shall be taken of the nature and volume of the processing operations and of the | |||
Risks to those involved. In assessing whether and to what extent | |||
Sanctions will have to be imposed, these elements will play an important role. | |||
2.1 Privacy Policy & Right of Access in accordance with Article 15 AVG Decision on the merits 73/2020 - 16/31 | |||
68. As regards the right of access to Article 15 AVG and the information provided by the complainant (especially in complaint 1) | |||
alleged infringements, the Litigation Chamber argues as follows. | |||
69. The document called "Extract Personal Data Candidate - Tenant Y Housing | |||
CVBA" contains various data, including the national register number, name, address and | |||
residence data as well as nationality, email address, sex, date of birth and | |||
Family income of (prospective) tenants. In addition to the extract, a document to the complainant | |||
transferred called: "Privacy: what information does Y Housing have?". This info sheet contains | |||
the following opening paragraph : "Via Y Housing you can rent a social housing. We | |||
Therefore, keep information about you in lists and files to see if you have a right to a particular item. | |||
on. Or to help you better. “ 6 | |||
Articles 13.1 and 13.2 AVG stipulate as follows: | |||
1. When personal data relating to a data subject become | |||
the controller shall provide the data subject with the following information at the time of obtaining | |||
the personal data already contain the following information: | |||
(a) the identity and contact details of the controller and, in | |||
where appropriate, of the representative of the controller; | |||
(b) where appropriate, the contact details of the officer for | |||
data protection; | |||
(c) the processing purposes for which the personal data are intended, as well as the | |||
legal basis for processing; | |||
(d) the legitimate interests of the controller or of a third party, | |||
if the processing is based on Article 6(1)(f); | |||
(e) where appropriate, the recipients or categories of recipients of the | |||
personal data; | |||
(f) where appropriate, that the controller intends to delete the | |||
to transfer personal data to a third country or an international organisation; or | |||
whether or not an adequacy decision by the Commission exists; or, in the case of | |||
Article 46, Article 47 or the second subparagraph of Article 49(1), which shall include the transfers referred to in | |||
are appropriate or suitable safeguards, how a copy can be obtained or where | |||
they can be consulted. | |||
2. In addition to the information referred to in paragraph 1, the controller shall provide the | |||
data subject at the time of obtaining the personal data, the following additional information | |||
to ensure proper and transparent processing: | |||
6 | |||
See attachment to e-mail of 4 October 2018 from complainant to GBA Decision on the merits 73/2020 - 17/31 | |||
(a) the period for which the personal data will be stored, or if | |||
that is not possible, the criteria for setting that deadline; | |||
(b) the legitimate interests of the controller or of a third party, | |||
if the processing is based on Article 6(1)(f); | |||
(c) that the data subject shall have the right to request the controller to | |||
access, rectification or erasure of personal data or limitation of personal data relating to him or her | |||
concerning processing, as well as the right to object to such processing and to have it carried out | |||
right to data portability; | |||
(d) where the processing is pursuant to Article 6(1)(a) or Article 9(2)(a) | |||
based on the fact that the person concerned has the right to withdraw consent at any time, | |||
without prejudice to the lawfulness of processing based on the | |||
consent before its withdrawal; | |||
(e) that the data subject has the right to lodge a complaint with a supervisory authority | |||
authority; | |||
(f) whether the transmission of personal data is a legal or contractual obligation | |||
or a necessary condition for the conclusion of an agreement, and whether the | |||
the data subject is obliged to provide the personal data and what the possible consequences are | |||
are when these data are not provided; | |||
(g) the existence of automated decision making, including that referred to in Article 22, | |||
profiling as referred to in paragraphs 1 and 4 and, at least in those cases, useful information on | |||
the underlying logic as well as the importance and the expected consequences of that processing | |||
for the person concerned. | |||
70. During the hearing, the defendant stated that the privacy statement on the website is | |||
published after having been reviewed and endorsed by the Board of Directors. It is a | |||
privacy statement derived from the example of the VMSW, according to the defendant. | |||
71. The Dispute Settlement Chamber finds that the aforementioned privacy statement - also in the form of a | |||
information sheet after the declaration has been adapted and is in force | |||
entered into force on 1 July 2019 - does not meet the requirements for processing | |||
in accordance with Articles 12 and 13 AVG. Such a privacy data sheet should | |||
must fully inform the person concerned of what is actually happening. | |||
personal data is done and in the context of which it is processed. | |||
Any processing of personal data must be lawful, adequate and transparent. | |||
happen. Those concerned should be clearly informed which | |||
data are processed, how the processing is carried out and why the personal data is processed | |||
are processed. It cannot be deduced from the privacy sheet what exactly the | |||
personal data are used. Decision on the substance 73/2020 - 18/31 | |||
72. The Privacy Sheet contains the following paragraph concerning the processing of personal data: | |||
"Via Y Housing you can rent a social housing. We therefore keep in lists and | |||
files information about you. We use this information to find out if you have any information about you. | |||
have a right to it. Or to be able to help you better." | |||
73. The Disputes Chamber is of the opinion that the above is a very vague, general and | |||
concerns unclear text from which it is in no way possible to deduce what the collected | |||
personal data are actually used. This text does not comply with the AVG. It is | |||
For example, it is absolutely unclear what is meant by 'we use this information to | |||
to see if you have a right to something. Or to be able to help you better." There should be a clear | |||
and clear language to be communicated to those concerned. | |||
74. Transparency requirements are laid down in the AVG and further explained in the | |||
Guidelines on transparency in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council | |||
Article 29 Data Protection Working Party which states that "One of the key elements of | |||
the principle of transparency as referred to in these provisions is that interested parties shall be informed in advance | |||
be able to determine the scope and effects of the processing and not subsequently | |||
7 | |||
be surprised by other ways in which their personal data have been used'. The | |||
specific interest in question must be identified for the benefit of the person concerned. | |||
75. In addition, information and communication concerning privacy should comply with the | |||
principle of transparency, i.e. that information is simple, accessible and | |||
must be comprehensible in accordance with Article 12.1 AVG. Under "comprehensible" is understood that | |||
the message must contain, inter alia, a certain level of linguistic usage, namely | |||
"clear and simple language". In addition, the use of language should be adapted to | |||
the target group . This means communicating in clear and simple language. | |||
to those concerned. The defendant would, (all the more so) now that | |||
(candidate) tenants of a social housing company, more understandable and clearer | |||
have to draw up. After all, these are tenants with low incomes and in general | |||
7 | |||
Transparency guidelines p.8. | |||
8 Data Protection Working Party, Guidelines on consent under Regulation 2016/679, WP259, | |||
p. 4.; Guidelines on transparency in accordance with Regulation (EU) 2016/679, WP260, p. 7: "The requirement that information shall | |||
must be "comprehensible" means that the information must be comprehensible to an average member of the intended | |||
public. Understandability is closely linked to the requirement to use clear and simple language. A | |||
Processing controller respecting the principle of accountability will have knowledge of the | |||
persons from whom information is collected and can use this knowledge to determine what the target group is likely to be | |||
understand. For example, a data controller who collects personal data of working professionals may assume | |||
that his or her target group has a higher level of understanding than the target group of a data controller who | |||
collects children's personal data. […]”. | |||
9Recital 39 at AVG. Decision on the merits 73/2020 - 19/31 | |||
(barring exceptions) a low level of education which makes the policy more comprehensible | |||
is all the more necessary. | |||
76. In addition to the infringements mentioned above, the defendant's privacy policy is even more difficult to enforce. | |||
now understand, in different places and different times, various concepts such as | |||
"personal data", "information" and "data" are used interchangeably in the | |||
privacy sheet. In addition, references are made without an explanatory statement. | |||
glossary or clear explanations. The information provided is often not up to date. As | |||
example can be given of the referral to the website of the supervisory authority | |||
authority, as both the complainant and the Inspectorate are right to do, for example | |||
commented, referred to www.privacycommission.be while the current website since May | |||
2018 www.gegevensbeschermingsautoriteit.be. | |||
77. The Disputes Chamber also finds that the defendant's privacy policy is incomplete, | |||
as it does not contain the mandatory information as laid down in Article 13 of the AVG. | |||
According to Article 12 of the AVG, the privacy information must be "concise"; this does not in any way mean | |||
that the obligation to provide information in accordance with the following may be waived | |||
Article 13 AVG. | |||
78. The privacy policy of the defendant contains this mandatory information in accordance with Article 13.1 under | |||
(b) AVG, such as the contact details of the Data Protection Officer not on | |||
10 | |||
a manner that complies with the legislation and the guidelines of the Working Party 29 on the | |||
Data Protection Officer. In order to comply with the requirement of the | |||
provision of prior information, these contact details should indeed | |||
be included in the privacy policy. | |||
79. As rightly pointed out by the Inspectorate, the e-mail address [...] is indicated on the | |||
privacy sheet, according to the "Explanation of organisation chart" provided by the defendant linked to | |||
the mailbox of the defendant's IT administrator while the function of | |||
According to the defendant, the data protection officer has been subcontracted to a third party in | |||
11 | |||
the framework contract of VMSW. The Data Protection Officer | |||
appears to be employed by that third party, in this case the company Infosentry. The e-mail address | |||
of the official is [...], according to various documents and mail correspondence between | |||
the defendant and the official. Accordingly, the data relating to the persons concerned are inaccurate | |||
of the Data Protection Officer and may, in the event of need | |||
10Group on Data Protection, WP243 rev.01, Guidelines on Data Protection Officers p.12. | |||
11Stuk 10 of dos-2018-06611. Decision on the merits 73/2020 - 20/31 | |||
do not turn to the right person. As a result of this | |||
list of findings finding an infringement of Article 13(1)(b) | |||
AVG. The fact that, as of 1 September 2020, a new official for the | |||
data protection has been infringed, the infringement up to that date | |||
continued and a new appointment does not retroactively rectify the infringement committed | |||
makes. | |||
80. The Litigation Chamber deduces from the findings of infringements listed above that the | |||
the defendant's obligations of transparency under Article 12 of the AVG and its obligation to provide information | |||
has failed to comply with Article 13 of the AVG. The defendant acknowledges this in its conclusion. As a result | |||
the defendant has acted imputably negligently in breach of his duty of accountability, such as | |||
determined in Articles 5.2 and 24 of the AVG. This information must be in accordance with | |||
with Articles 12 and 13 of the AVG. | |||
81. Article 15 AVG in which the right of inspection of the person concerned is laid down reads as follows : | |||
1. The data subject shall have the right to obtain from the controller confirmation of the following | |||
whether or not to process personal data concerning him and, where that is the case, to have access to them | |||
obtain those personal data and the following information: | |||
(a) the processing purposes; | |||
(b) the categories of personal data concerned; | |||
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed | |||
provided, in particular to recipients in third countries or international organisations; | |||
(d) if possible, the period during which the personal data are expected to be kept | |||
stored or, if that is not possible, the criteria for setting that time limit; | |||
(e) that the data subject shall have the right to ask the controller for that personal data | |||
be rectified or erased, or that the processing of personal data concerning him/her be carried out | |||
limited, as well as the right to object to such processing; | |||
(f) that the data subject has the right to lodge a complaint with a supervisory authority; | |||
(g) where personal data are not collected from the data subject, all available information | |||
on the source of that data; | |||
(h) the existence of computerised decision-making, including those referred to in Article 22(1) and (4), | |||
and, at least in those cases, useful information on the underlying logic, | |||
as well as the importance and the expected consequences of such processing for the data subject. Decision on the substance 73/2020 - 21/31 | |||
2. Where personal data are transferred to a third country or an international | |||
organisation, the person concerned shall have the right to be informed of the appropriate safeguards | |||
in accordance with Article 46 on transfers. | |||
3. The controller shall provide the data subject with a copy of the personal data which | |||
are processed. If the data subject requests additional copies, the | |||
a reasonable charge on the basis of administrative costs | |||
charge. Where the person concerned submits his application electronically, and not for any other arrangement | |||
request, the information shall be provided in a common electronic format. | |||
4. The right to obtain a copy referred to in paragraph 3 shall be without prejudice to rights and freedoms | |||
of others. | |||
82. The defendant's privacy policy does not contain several mandatory elements from Article 15.1 AVG. From | |||
the privacy document does not disclose the exact purposes of the processing of the data which | |||
request the defendant to (candidate) tenants. It should be precisely defined for which | |||
every piece of data collected is used precisely. If data on the | |||
health then it will have to be stated that these data are being processed, for example | |||
with the aim of being able to ascertain whether, on the basis of a given health situation, an | |||
Adapted accommodation can be granted. There is also no indication as to who the recipients and | |||
are categories of recipients. In addition, there is no mention of the right | |||
that the data subject has the right to request that his/her data be rectified and/or deleted in accordance with | |||
Article 15.1 under e. It is also not stated that the processing of personal data will | |||
be restricted. By doing so, the Disputes Chamber also deems a violation of Article 15.1 to have been proven. | |||
83. In addition, the complainant claims that he has not been granted access to all of his personal data transmitted by | |||
defendant are processed. According to the complainant, this is a sheet containing only general information from the | |||
National Registry. There is no indication as to whether the information provided is complete, according to the complainant. | |||
84. The Chamber of Disputes recalls that Article 15 AVG "gives the person concerned the right to | |||
to have access to personal data collected about him, and to exercise that right simply and with reasonable | |||
to carry out periodic checks to ensure that he is aware of the processing operation and that it is lawful | |||
...can control it." 12 | |||
It is clear from all of the above that the information provided by the defendant on their | |||
processed data of the complainant does not comply with the requirements of Article 15. The complainant has rightly noted | |||
12 | |||
Introductory recital 63 to AVG. Decision as to substance 73/2020 - 22/31 | |||
that he has not been able to exercise his right of inspection properly. Between the personal data of | |||
complainants processed by the defendant and those to which the complainant had had access were as follows | |||
for example, not the medical certificates that the plaintiff will provide to the defendant, as will be shown below in section 2.4 | |||
had submitted. | |||
2.2 Data Protection Officer | |||
85. Additional findings were also made in the inspection report with regard to the | |||
Data Protection Officer, which are outside the scope of the complaint. The | |||
The Inspectorate has established that the defendant has acted in violation of Article 37.5 and | |||
Article 37.7 AVG. On the basis of article 37.5, the officer must be appointed, under | |||
more, on the basis of its expertise in the field of legislation and practice on the | |||
data protection. Article 37.7 states that the contact details of the officer shall be known | |||
must be made and communicated to the supervisory authority. | |||
86. From the defendant's replies to the Inspectorate concerning the appointment of the official | |||
as regards data protection, it appears that that appointment was made on the initiative of the VMSW through | |||
a company with which it had a framework agreement. The Chamber of Disputes finds that | |||
the defendant fails to comply with the duty to choose the Data Protection Officer | |||
to be accounted for. The defendant refers only to very general information and communication from | |||
the VMSW to the defendant. Moreover, the defendant cites several times that there is a | |||
Framework agreement was concluded between the VMSW and Infosentry NV as DPO. The Chamber of Disputes | |||
points out that the defendant is ultimately responsible and has a duty to comply with Article 37.5 | |||
AVG which provides that the Data Protection Officer shall be designated on the basis of | |||
of his professional qualities and, in particular, his expertise in the field of the | |||
data protection legislation and practice. This shows a lack of | |||
justification for the defendant's choice of official. In addition, the data are | |||
of the officer not disclosed as prescribed in Article 37.7 AVG. In doing so, the | |||
Disputes Chamber established infringements of articles 37.5 and 37.7 AVG. | |||
87. The Dispute Settlement Chamber refers to the guidelines of the Working Group 29 for officials for | |||
data protection which provides for the following with regard to external officers: "With the | |||
in order to ensure legal transparency and good organisation and to avoid conflicts of interest for members of the | |||
team, it is recommended in the Guidelines to avoid the tasks within the external team. | |||
Data Protection Officer to be clearly set out in a service contract Decision on the substance 73/2020 - 23/31 | |||
as well as a single person for the customer as the main contact person and "responsible person | |||
13 | |||
to be appointed. | |||
88. At the hearing, the current Data Protection Officer, who has been in office since 1 | |||
September 2020 the official is that, as a new official for | |||
data protection, in line with the WP29 guidelines on the role of data protection in the protection of personal data. | |||
Data Protection Officer. Essentially, the officer for | |||
data protection must be available to the controller. That some | |||
correspondence first arrived at the defendant's IT administrator and was forwarded to | |||
the Data Protection Officer was, according to the Data Protection Officer | |||
14 | |||
correct. The Dispute Chamber points out that according to the Guidelines of the Working Party 29, the | |||
requirements to disclose the contact details of the official in order to ensure | |||
that both data subjects (both inside and outside the organisation) and supervisory authorities | |||
be able to contact the Data Protection Officer easily and directly. The | |||
access should be direct, without having to involve another part of the organisation | |||
contact. In the present case, the contact was made via the defendant's IT manager, which was | |||
goes against the intention of the regulator. Confidentiality is equally important. | |||
employees are reluctant to complain to the Data Protection Officer | |||
if the confidentiality of their communications is not guaranteed. | |||
89. Article 38.1 and Article 38.3 AVG stipulate that the data-processing controller must ensure that | |||
shall ensure that the Data Protection Officer is involved in all matters that | |||
relate to the protection of personal data. The official for | |||
Data protection must not be instructed in the performance of those tasks. The | |||
The Inspectorate stated that in the light of the replies and the documents obtained | |||
noted that no opinion was sought from the Data Protection Officer concerning | |||
privacy issues. The Dispute Settlement Chamber finds that indeed no justification is given for | |||
the person responsible for processing has been presented with the decisions taken for the | |||
website [...] , on legal information and general terms and conditions. There are no opinions from the | |||
Data Protection Officer as regards the processing of data via this website. | |||
Moreover, in its conclusion, the defendant acknowledges indeed that it did not request an opinion from the | |||
Data Protection Officer. The Litigation Chamber therefore finds that the defendant | |||
infringed Article 38.1 of the AVG. | |||
2.3 Cookie policy | |||
13Directions for Data Protection Officers of the Working Party 29 p.28. | |||
14Page 5 of the verbal proceedings of the hearing of 23 September 2020. Decision on the substance 73/2020 - 24/31 | |||
90. As already mentioned above, the plaintiff claims that the defendant uses cookies on the | |||
website [...] . and [...]. According to the complainant, no consent is sought for the use of the | |||
cookies. The Inspectorate has established by means of a technical report that on the website | |||
[...] use was made of cookies. As previously indicated, this is a necessary | |||
technical cookie called "hs_js" from the defendant himself and a cookie called "IDE" derived from it | |||
from Google-Doubleclick.net. For this last "IDE" cookie no consent was given. | |||
asked of visitors to the website, according to the Inspectorate's report. 15 | |||
91. At the hearing, the defendant acknowledged that the website dates from the year 2010 and therefore | |||
does not comply with the current regulations. There is no question of unwillingness; however, the technical | |||
Restrictions do not allow, for example, the display of a pop-up for the use of cookies. Also | |||
setting up a secure connection via https domain name is not possible on the current website, according to | |||
defendant. A new website is currently under construction. According to the defendant | |||
will most probably be finished by the end of this year. | |||
92. The Court of Justice ruled in the Planet49 judgment that, for the placing of cookies | |||
information must be provided by the controller. 16 From the data | |||
information must show for how long cookies will remain active and whether third parties will also have access | |||
may have up to those cookies. This is necessary in order to ensure proper and transparent information. | |||
guarantees. | |||
93. Article 129 of the Electronic Communications Act stipulates that the user shall | |||
must have given his consent for placing and consulting cookies on his computer. | |||
terminal equipment. The consent requirement shall not apply to the technical storage of information. Also | |||
when the placement of cookies is necessary for the delivery of a cookie expressly requested by the | |||
subscriber or end-user requested service, the consent requirement does not apply. 17 | |||
94. The Chamber of Disputes also draws attention to the following considerations from the abovementioned judgment | |||
Planet49: "Regulation 2016/679 now explicitly provides for active consent | |||
prescribed. In this context, it should be noted that, according to recital 32 of these | |||
Regulation, the consent may be expressed in particular by clicking on a box next to a | |||
visit to a website. On the other hand, this recital expressly excludes "silence, the | |||
15Inspection report, p5. | |||
16 | |||
Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801. | |||
17See also Decision No 12/2019 of the Disputes Chamber of 17 December 2019. Decision on the merits 73/2020 - 25/31 | |||
use of already ticked boxes or inactivity" may constitute consent. It follows from this | |||
that the consent provided for in Articles 2(f) and 5(3) of Directive 2002/58, read in conjunction with | |||
in conjunction with Articles 4(11) and 6(1)(a) of Regulation 2016/679, not | |||
is validly granted when the storage of information or the gaining of access to | |||
information which is already stored in the terminal equipment of the user of a website shall be | |||
allowed by means of a standard checkbox to be unchecked by the user | |||
if he refuses to give his consent. . 18 | |||
95. The consent must also be 'specific'. The Dispute Chamber refers to the Guidelines | |||
19 | |||
on consent under regulation 2016/679 endorsed by the EDPB: | |||
"Article 6(1)(a) confirms that the person's consent must be given with | |||
in relation to "one or more specific" purposes, and that a data subject has a choice in relation to | |||
20 | |||
each of these purposes' . This means 'that a data controller who wishes to obtain consent | |||
for a number of different purposes, must offer a separate opt-in for each purpose in order to allow users to | |||
to enable specific authorisations to be granted for specific purposes". 21 | |||
96. On the basis of the technical report drawn up by the inspectorate, the Dispute Settlement Chamber states that | |||
ascertained that the consent of the complainant has not been sought by the defendant on the websites | |||
for placing a cookie for marketing purposes, namely the "IDE" cookie. In addition, | |||
the defendant answered the Inspectorate's question as to whether cookies had been used | |||
On the websites, no. The defendant returned to the foregoing by concluding that | |||
acknowledge that they have made use of cookies for which consent was required. Defendant | |||
indicates that he has changed his cookie policy and will ask for permission from now on. | |||
of the users. 22 | |||
97. In view of the above facts and findings, the Litigation Chamber considers the processing of | |||
personal data through the placement of cookies, without a valid legal basis of | |||
to have permission in accordance with Article 6.1 AVG, unlawful. | |||
98. The controller must, pursuant to Articles 5.2 and 24 AVG, provide appropriate technical information to the controller. | |||
and take organisational measures to ensure and demonstrate that the | |||
18 | |||
19Arrest Planet49, ro. 62 and 63. | |||
Working Party on Data Protection, Guidelines on consent under Regulation 2016/679, WP259, p. 4. | |||
20 | |||
Ibid., p. 14. | |||
21Ibid., p. 14. Decision on the merits 73/2020 - 26/31 | |||
processing of personal data using cookies in accordance with Articles 12 | |||
and 13 AVG is being carried out. In its conclusion, the defendant acknowledges that certain mandatory | |||
statements such as the processing purposes in the original privacy statement of the website | |||
were missing. | |||
2.4 Health data | |||
99. The complainant claims that the defendant is also processing medical data. The Complainant states that his medical | |||
to have issued certificates to the defendant. According to the complainant, the defendant is processing on systematic | |||
wrongful medical data. The complainant takes the view that it is not the task of the defendant | |||
to make a substantive assessment of the health situation of a (prospective) tenant. | |||
100. Attached to the complaint are mail exchanges between the complainant and the defendant. From the | |||
In any case, several e-mails reveal the following. In an e-mail dated 30 August 2016 | |||
defendant to have received the doctor's certificate from the complainant, but not to be able to provide a guarantee | |||
that a positive decision will be taken on the complainant's request for candidates higher up the | |||
list for the allocation of a dwelling. The complainant therefore requested a | |||
higher up the list. From another email dated 6 February 2019 from the complainant to the defendant, it appears that | |||
that the complainant voluntarily sent an e-mail to the defendant in which he wrote to the | |||
informed him of his changed medical condition. The complainant closed the e-mail with " Supplementary | |||
a medical certificate may be provided for again, should you again have doubts as to whether there is a | |||
I have my own opinion about my medical condition. I therefore urge you | |||
to want to take due account of my medical physical limitations and to live close to my home. | |||
to want to put hospital first. In view of the seriousness of the problem of (...) I would ask you to | |||
to absolutely avoid living in a busy residential environment". | |||
101. At the hearing, the defendant indicated that only a medical certificate was requested. | |||
in the event that the (prospective) tenant requests special housing preferences as in this case. | |||
The defendant states that the medical certificates do not contain any diagnoses. Complainant speaks | |||
not against it. The doctor asks for the situation of the person concerned to be taken into account and asks | |||
than, for example, a house with a lift or a house in a quiet area. The medical | |||
According to the defendant, the only purpose of attestations is to enable a correct allocation to be made. | |||
102. On the basis of the above, the Disputes Chamber decides that there is no question of a | |||
unlawful processing of health data. Such processing is necessary and | |||
can be based on Article 9(h) the processing is necessary for the purposes of the substantive decision 73/2020 - 27/31 | |||
preventive or occupational medicine, for the assessment of fitness for work of the | |||
worker, medical diagnosis, the provision of health care or social services, or | |||
treatment or the management of health care systems and services or social systems, and | |||
services, on the basis of Union or Member State law, or under an agreement with an | |||
health professional and subject to the conditions and safeguards laid down in paragraph 3, in the absence of any | |||
diagnoses in the medical certificates. Moreover, it appears from the exchanges of e-mails that the complainant has his own | |||
movement informed the defendant of his state of health, indicating that he was | |||
may, if necessary, provide a further medical certificate. | |||
2.3 Camera surveillance | |||
103. The complainant alleges that there is camera surveillance in various residential entities of the | |||
flat. According to the complainant, the privacy policy says nothing about camera surveillance. Complainant wishes | |||
to know the legal basis and purpose of this processing as well. | |||
104. It appears from the documents submitted that point 11 of the tenancy agreement mentions | |||
made from the surveillance cameras that are installed on the roof, in the communal entrance halls and the | |||
communal cellar entrances have been suspended. Apart from this information, nothing is known about the | |||
Use of cameras. | |||
105. At the hearing, the defendant indicated, upon request, that the surveillance cameras in | |||
2012 at the request of residents in cellars and corridors have been hung for safety. The cameras | |||
are legally registered and used as a kind of deterrent, according to the defendant. There | |||
nothing else would be done with the images. A year and a half ago, the camera images | |||
according to the defendant, consulted once. The cameras are, according to the defendant, difficult to consult. | |||
management because there is too little budget for its maintenance. There is currently no | |||
maintenance contract for the surveillance cameras. Respondent indicates that the images can | |||
consult and be responsible for the processing of the images. The official for | |||
data protection points out that the Camerawet is the legal basis for the | |||
processing of the camera images. | |||
106. On the basis of the documents available in the file, the Chamber of Disputes and | |||
what emerged from the hearing shows that there are very many uncertainties as to what | |||
concerns the use of surveillance cameras. As a processing purpose, first of all the | |||
The prevention of nuisance has been mentioned. Subsequently, during the hearing, the defendant indicated that there was also | |||
once asked to consult the images in connection with illegal dumping. The Dispute Room is | |||
considers that the defendant is not entirely clear as to what the cameras actually do Decision 73/2020 - 28/31 on the merits | |||
serve. In addition, according to the Dispute Chamber, from the elements that are available | |||
are insufficiently drawn up as to whether the Camerawet is correctly complied with by the defendant. In article | |||
6 § 2 of the Camerawet provides that the controller shall keep a register containing | |||
keeps a record of the image processing activities of the surveillance cameras and this register on request | |||
made available to the Data Protection Authority and the police services. Such a | |||
register is not kept by the defendant. Moreover, it is apparent from what the defendant said at the hearing | |||
has declared that the retention period in Article 6 § 3 is also not complied with now that this article | |||
it appears that if "the images cannot contribute to proving a crime, of | |||
damage or nuisance", these should in principle be removed after one month. The | |||
The Dispute Chamber thus establishes infringements of Article 30 of the AVG (keeping of register of | |||
processing activities) and article 5.1 under e AVG (storage restriction). | |||
2.4 Digital Consumption Meters | |||
107. The plaintiff complains that the defendant is using digital consumption meters and on those | |||
the way in which tenants' consumption is recorded and data on that consumption unlawfully without | |||
valid legal basis processed. The complainant indicates that he has not given his consent for the | |||
processing of data relating to its consumption of gas and electricity. | |||
108. During the hearing, the defendant indicated that the digital meters will be linked to the | |||
address. In this way, you can see how much has been consumed at a particular address. These data | |||
are also passed on to a third party (local company) with whom there is a processing agreement | |||
is. That company reads the consumption. The defendant receives a list of this and links it to the | |||
tenants' files, according to the defendant. | |||
109. On the basis of Article 6 of the AVG, the person responsible for processing the | |||
to have a legal basis for the processing of personal data in order to ensure that the processing | |||
would be lawful. On the basis of Articles 24 and 25 of the AVG, the defendant must therefore | |||
take appropriate technical and organisational measures to ensure and be able to | |||
demonstrate that processing takes place in accordance with the AVG. The person responsible for processing must | |||
in doing so, effectively implement the principles of data protection, the rights of the | |||
protect data subjects and process only those personal data that are necessary for each of the following | |||
specific purpose of processing. On the basis of the facts and documents presented, the | |||
Litigation Chamber finds that the defendant has not been able to prove that there is any privacy policy | |||
Developed for the digital remote reading of meter readings. It is also | |||
unclear on the basis of which legal basis the data are processed in accordance with Article 6 of the AVG. | |||
An infringement of Article 6 of the Data Protection Act is thus established. The complainant states that he does not consent to the decision on the merits 73/2020 - 29/31 | |||
have given for processing. The defendant does not rely on any other legal basis. | |||
for processing. In addition, the Disputes Chamber alleges in the present case a breach of Article 5.1(a) | |||
AVG now that it is clear from the above that the personal data are not in a lawful, legitimate and proper manner. | |||
and are processed transparently. The defendant indicates that a third party is processing the data. | |||
read out the consumption and forward it to the defendant. The Chamber of Disputes points out that | |||
according to article 28.3 GC, the processing by a processor must be arranged in a | |||
agreement between the controller and the processor. | |||
Sanction to be imposed | |||
In view of the above, the Dispute Settlement Chamber will impose two sanctions: | |||
1. order that the processing be brought into conformity in accordance with Article 100 § 1, 9°; | |||
2. impose an administrative fine in accordance with Article 100 § 1, 13°. | |||
Taking into account Article 83 of the AVG and the case law of the Market Court, the Disputes Chamber gives its reasons | |||
the imposition of an administrative fine in concrete terms: | |||
- Seriousness of the infringement: the reasons given above show the seriousness of the infringement. | |||
- The duration of the infringement: the defendant sought to rectify certain infringements and to comply with | |||
privacy rules; however, many of the breaches identified are still ongoing. | |||
- This is a necessary deterrent to prevent further infringements. As regards the nature and seriousness of the | |||
infringement (Art. 83.2 a) AVG), the Chamber of Disputes stresses that compliance with the principles provides for | |||
in Article 5 of the AVG - in the present case, in particular, the principle of legality - is essential, since the | |||
concerns fundamental principles of data protection. The Litigation Chamber considers the infringement of | |||
the defendant relies on the principle of lawfulness set out in Article 6 of the AVG, therefore, as a serious | |||
Infringement. The Disputes Chamber finds that article 83.7 AVG stipulates the following: "Without prejudice to the | |||
powers of the supervisory authorities to take remedial action | |||
In accordance with Article 58(2), each Member State may lay down rules on whether and to what extent | |||
administrative pecuniary sanctions may be imposed on public authorities established in that Member State, and | |||
public bodies. The AVG does not give any further explanation on the scope of what is covered by public bodies. | |||
and public bodies' is to be understood. However, according to the Dispute Chamber, it is certain that these | |||
derogation must be interpreted strictly. | |||
The Litigation Chamber considers it particularly necessary in this case to give a strict interpretation to the | |||
(optional) exemption from an administrative fine provided for in Article 83.7 of the AVG for | |||
"public authorities and public bodies". For this reason, Article 221, § 2, Law | |||
Data protection, which implements Article 83.7 AVG, to be interpreted strictly. Article 83.7 AVG leaves | |||
Moreover, it does not allow the Member States to define the concept of 'public authorities and bodies'. The decision in substance 73/2020 - 30/31 | |||
It is therefore a concept of Union law that must be given an autonomous and uniform meaning. It will come | |||
Therefore, only the Union institutions, in particular the Court of Justice, should be required to respect the limits of | |||
to define that concept. | |||
In the opinion of the Disputes Chamber, a private law organisation such as the Y | |||
It does not include housing companies, even though this organisation carries out tasks in the public interest | |||
the area of social housing. 23 | |||
The Dispute Chamber finds that there is a serious attributable shortcoming on the part of | |||
defendant. As explained in detail above, the Litigation Chamber has a considerable number of | |||
identified shortcomings. Among those deficiencies are breaches of fundamental principles of | |||
data protection. The infringements established justify, in the opinion of the | |||
A high fine in its own right. In determining the administrative fine | |||
However, the Chamber of Disputes takes into account a number of moderating factors, including the following shown | |||
the defendant's willingness to adapt certain matters, the appointment of an expert | |||
Data Protection Officer and a new website which, according to the defendant, will be AVG compliant | |||
are. In addition, when determining the amount of the fine, the Dispute Chamber shall take into account | |||
that this is a not-for-profit social housing company. The fact that | |||
In its response to the penalty form, the defendant states that it is not financially sound, and this | |||
If the decision is supported by figures, the Dispute Settlement Chamber will take the decision into account. | |||
FOR THESE REASONS, | |||
the Data Protection Authority's Litigation Chamber shall, after deliberation, decide : | |||
Pursuant to Article 100, §1, 9° WOG, order the defendant to order that the processing in | |||
is brought into line with Articles 5.1(a) and (b), 5.2, 6.1, 12.1, art. | |||
13.1. b) and c) , Art. 13.2. b), Art. 15.1, Art. 25.2, Art. 37.5, Art. 37.7, Art. 38.1, Art. 38.3, and | |||
Article 39 of the AVG, no later than three months after notification of the decision, and within three months of the date of notification of the decision. | |||
the same deadline, to the Data Protection Authority (Disputes Chamber) by e-mail (via | |||
to inform the e-mail address: litigationchamber@apd-gba.be ) that the above order | |||
was carried out. | |||
23 | |||
See recital 52 of the judgment 31/2020 of 16 June 2020 of the Chamber of Disputes Decision on the merits 73/2020 - 31/31 | |||
- on the basis of art. 100 § 1, 13° and art. 100 WOG an administrative fine on | |||
of EUR 1 500. | |||
This decision may be appealed against under Article 108(1) of the WOG within one of the following days. | |||
period of thirty days from the date of notification to the Court of Justice of the European Communities with the | |||
Data protection authority as defendant. | |||
Hielke Hijmans | |||
President of the Chamber of Disputes | |||
</pre> | </pre> |
Latest revision as of 17:00, 12 December 2023
APD/GBA - 73/2020 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5 GDPR Article 6 GDPR Article 12 GDPR Article 13 GDPR Article 15 GDPR Article 30 GDPR Article 37(5) GDPR Article 37(7) GDPR Article 38(1) GDPR Article 83(7) GDPR Art. 6 § 2 Camera law Art. 6 § 3 Camera law |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 13.11.2020 |
Published: | |
Fine: | 1500 EUR |
Parties: | n/a |
National Case Number/Name: | 73/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Beslissing ten gronde 73/2020 van 13 November 2020 (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA (APD/GBA) imposed an administrative fine of €1500 on a social housing company for breaching several fundamental principles and obligations of the GDPR.
English Summary
Facts
The data subject lives in the social housing of the controller.
Several cases are bundled in this one decision, the data subject raised several issues at different times:
1) They exercised their right of access and said the controller wasn't sufficiently clear or thorough in the information they provided.
2) The website of the controller wasn't sufficiently secure and the privacy policy was short and vague.
3) There is no cookie policy nor is it clear if cookies are used. Consent for cookies was never asked. The retention period of personal data is never discussed.
4) It is unclear why certain personal data of medical nature are required.
5) The usage of digital meters of gas wasn't communicated, nor with whom the data was shared.
6) There is no mentioning of cameras in the privacy policy and there was no information upon installation of 4 cameras.
Holding
The DPA split the cases in several subtopics:
- Privacy Policy & Right of Access
- DPO
- Cookie Policy
- Processing of health data
- Law on cameras
- Processing through digital meters
The DPA points out that, pursuant to Article 5(2) and Article 24 GDPR, the person responsible for processing personal data must take appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing of personal data is carried out in accordance with the GDPR. In doing so, the GDPR requires, among other things, that the nature and scope of the processing as well as the risks for the data subjects are taken into account. These elements will play an important role in assessing whether and to what extent sanctions should be imposed.
1) Privacy Policy & Right of Access
The DPA upheld that a privacy policy should serve to fully inform the data subject about what is actually done with his or her personal data and in what context those data are processed. Any processing of personal data should be lawful, proper and transparent. Data subjects should be clearly informed of what data is being processed, how the processing is being carried out and why the personal data is being processed. It is not possible to deduce from the Privacy Sheet presented what exactly the personal data is used for. Clear and concrete language must be used when communicating to data subjects.
Because the data subjects are socially disadvantaged people, the language must be adapted to them to be clear and plain.
The word "concise" in Article 12(1) GDPR, however, does not mean incomplete, all mandatory information from Article 13 GDPR must still be included. The contact details of the DPO must be filled in correctly as well.
The controller does not fulfil their requirement of transparency by inadequately informing the data subjects.
2) DPO
Pursuant to Article 37(5) GDPR, the DPO should be designated, inter alia, on the basis of their in data protection law and practice. Article 37(7) GDPR provides that the contact details of the DPO shall be disclosed and communicated to the supervisory authority. These two requirements were not fulfilled. The choice for the DPO was not sufficiently motivated (in light of a tender) and the DPO wasn't communicated to the data subject as a single point of contact.
Furthermore, the contact to the DPO must be direct, and not through several parts of an organisation as this can dissuade people from contacting the DPO.
Lastly, the DPO was not properly involved in all data protection manners, which means the controller breached Article 38(1) GDPR.
3) Cookie policy
For a Google-DoubleClick.net cookie, no consent was asked. In the Planet49 judgment, the Court of Justice ruled that information must be provided by the person responsible for processing in order to place cookies. The information provided must show for how long the cookies will remain active and whether third parties can also have access to those cookies. This is necessary in order to guarantee proper and transparent information.
The consent requirement does not apply to the technical storage of information. Even if the placement of cookies is necessary for the provision of a service expressly requested by the subscriber or end user, the consent requirement does not apply.
The processing of personal data through cookies without consent is a breach of Article 6(1) GDPR as there is no legal basis for the processing.
4) Processing of health data
The e-mail exchanges between the parties show that the data subject voluntarily informed the controller of his health situation and indicated that he could provide the controller with another medical certificate if necessary. The processing of sensitive information was necessary for purposes of Article 9(2)(h) GDPR.
5) CCTV surveillance
The data subject argues that there is camera surveillance in several residential units of the apartment. According to the data subject, the privacy policy does not mention anything about camera surveillance. The data subject also wants to know the legal basis and purpose of this processing.
In the renting agreement, cameras are mentioned but nothing more. The cameras were installed for safety, on request of some residents and are legally registered. The DPA determined that it wasn't clear why the cameras were installed exactly nor do the elements brought up suffice to determine if the cameras are compliant to the the law on cameras.
No register of camera processing was kept (article 6 § 2 Camera law) nor was the retention period of 30 days respected (article 6 § 3 Camera law).
The DPA found a violation of the requirement to keep a register of processing activities of Article 30 GDPR and storage limitation Article 5(1)(e) GDPR.
6) Digital meters
The data subject complains that the controller uses digital consumption meters and thus records the consumption of the tenants and unlawfully processes data about that consumption without a valid legal basis. The data subject indicates that they had not given their consent to the processing of data relating to their consumption of gas and electricity.
During the hearing, the controller indicated that the digital meters are linked to the address. In this way, it is read how much has been consumed at a certain address. This data is also passed on to a third party (local company) with whom there is a processing agreement. That company reads out the consumption. The controller receives a list of this and links it to the tenant files, according to the controller.
On the basis of Article 6 GDPR, the person responsible for processing personal data must have a legal basis in order for the processing to be lawful. On the basis of Article 24 and Article 25 GDPR, the controller must therefore take appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing takes place in accordance with the GDPR.
In doing so, the data controller must effectively implement the principles of data protection, protect the rights of the data subjects and only process personal data that is necessary for each specific purpose of the processing. Based on these facts and documents, the DPA finds that the controller has not been able to demonstrate that any privacy policy has been developed with respect to the digital remote reading of meter readings. Moreover, it is unclear on what legal basis the data are processed in accordance with Article 6 GDPR. This constitutes a breach of Article 6 GDPR.
The data subject indicates that they had not given permission for the processing. The controller does not invoke any other legal grounds for the processing. In addition, the DPA inds in this case a violation of Article 5(1)(a) GDPR now that it appears from the above that the personal data are not processed in a lawful, proper and transparent manner. The controller indicates that a third party reads out the consumption data and forwards them to the controller. The DPA points out that according to Article 28(3) GDPR the processing by a processor should be regulated in a contract between the controller and the processor.
Sanction
The DPA considers it particularly necessary in this case to give a strict interpretation to the (optional) exemption from administrative fines provided for in Article 83(7) for "government bodies and agencies". Moreover, the article does not allow Member States to define the concept of "public authorities and public bodies". It is therefore a concept of Union law that must be given an autonomous and uniform meaning. It is therefore only up to the Union institutions, in particular the Court of Justice, to define the limits of that concept.
In the opinion of the DPA, a private law organization such as the controller's housing company does not fall under this category, even though this organization carries out tasks in the public interest in the field of social housing.
On these grounds, the DPA orders the controller to become complaint within 3 months, to inform the DPA about this as well and to pay an administrative fine of €1500.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/31 Dispute room Decision on the substance 73/2020 of 13 November 2020 File reference : DOS-2018-04368, DOS-2018-06611, DOS-2019-02464, DOS-2019- 04329, DOS-2020-00543 and DOS 2020-00574. Subject: Complaints against the social housing company for failure to comply with several principles of data processing, including those of lawfulness, and transparency. The Litigation Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, Chairman, and Messrs Dirk Van Der Kelen and Jelle Stassijns, Members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing directive 95/46/EC (general data protection regulation), hereinafter AVG; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter WOG; Having regard to the Internal Rules of Procedure approved by the Court of Auditors of Members of Parliament on 20 December 2018 and published in the Moniteur belge on 15 January 2019; Having regard to the documents in the file; . . . Decision on the substance 73/2020 - 2/31 has taken the following decision on: - The complainant: Mr X - The defendant: Y Housing company . 1. Facts and procedure 1. At various points in time, the Complainant submitted a total of six complaints against defendant. Since the defendant, who is also the person responsible for processing, in all files is the Y Housing Company, the complaints will be dealt with jointly. The The Inspectorate has issued an inspection report on the first three complaints. Complaint 1: DOS-2018-04368, Right of inspection 2. This complaint was lodged on 19 November 2018 and declared admissible by the First-line service on 14 January 2019. The complaint concerns the exercise of the right to access by the defendant in accordance with Article 15 of the AVG. 3. On 4 October 2018, the complainant requested access to all the information that the defendant had obtained from him. processed since his registration as candidate tenant. In doing so, the complainant has processed a number of questions put to the defendant. Those questions concern the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the data are provided and in particular the recipients abroad, the retention periods, question or right to rectify or erase personal data exists, the source of data in the case of indirect data collection, and finally the the question of automated decision-making. 4. In response to this request, the complainant received a document called Extract Personal details Candidate - tenant Y Housing CVBA. The personal data provided on the extract includes the following: name, address and place of residence as well as the national register number, bank account, e-mail address, income details and telephone number. The same extract states that personal data will only be used for the following purposes shared with "authorised parties". In his complaint, the complainant asks who which are authorised parties, what is the function of the personal data on the extract and what purpose the extract serves. The defendant claims to use these data; However, the complainant wonders how and for what purposes the various data are processed. Decision on the merits 73/2020 - 3/31 5. Furthermore, the complainant considers that the defendant does not make it clear and unambiguous how, inter alia, the right of rectification and erasure of data can be addressed to data subjects shall be exercised. In addition, the complainant notes that the legal texts and relevant documents are difficult to find and consult. Complaint 2 : dos-2018-06611, Website [...] 6. The second complaint was lodged on 20 November 2018 and declared admissible on 14 January. 2019. This complaint concerns the website [...]. The complainant complains that the website does not comply at all with privacy legislation. According to the complainant, the website is inadequate secure, as an http connection is used instead of a https connection while, according to the complainant, confidential information is being processed. At the use of an https connection, according to the complainant the data is encrypted at the time of the send it. In addition, a non-secure website (which uses an http- connection) subject to possible external attacks, according to the complainant. The complainant asks wonder what mechanisms are in place by the defendant to deal with possible attacks to avert them. According to the complainant, no explanation or information is given anywhere about how the data will be secured. The part of the website where you can log in to see at which point on the waiting list the prospective tenant also goes via a unsecured http connection, according to the complainant. Requesting a new password to be entered in logging via the same http connection and, according to the complainant, is totally against the principles of data protection. 7. According to the complainant, the forms used on the website are also as follows unsecured. Secure forms should be used in order to make everything more orderly and streamlined. 8. According to the complainant, nowhere is it made clear whether and to what extent use is made of made from Google Analytics. 9. The complainant claims that the defendant also uses cookies on the website [...] (see also the separate complaint on this subject: complaint 3). According to the complainant, there is no indication of what the cookies are used, with what content and who their recipients are. In addition, there is no possibility of rejecting cookies. There in addition, according to the complainant, use is made of 'keywords' and 'description' of the website which, according to the complainant, indicates that the defendant wishes to be found through search engines. This will lead to more visitors on an unsecured website. Decision on the merits 73/2020 - 4/31 10. According to the complainant, the privacy statement is of a very general nature and refers to legislative texts, deliberations, etc., without indicating where to find them, and can be consulted. According to the complainant, the defendant is attempting to avoid the liability of to disclaim the use of a disclaimer by stating that the website should not be visits in the event of disagreement with the defendant's general terms and conditions. 11. With regard to the protection of personal data, the privacy statement shall indicate that the data collected will be processed for the purposes of efficient and correct composition of the file and that it is stored in the files of Y Housing and that of the Vlaamse Maatschappij voor Sociaal Wonen. Here is according to there is no uniformity and consistency between the complainant. 12. The Complainant further complains about the fact that the information on the website of the defendant is completely incomprehensible and unclear. He points out that most (candidate) tenants of a social housing company such as that of the defendant belong to vulnerable groups of persons for whom it is difficult to obtain this information is fathom. 13. Finally, the complainant asks what other personal data are collected from visiting the website, through whom it is done and how it is done. The complainant also points out once on 'GO4it media group' which is the operator of the defendant's website. Complainant notes that that website does use https security. Complaint 3 DOS-2019-02464, Website www.[...].be 14. The Complainant filed a complaint on 1 July 2019. The complaint was admissible on 3 July 2019. declared by the First Line Service. The complainant complains about the website [...] used by the defendant. According to the complainant the website does not comply with current privacy legislation. The complainant states that the only thing there is in function of data protection, a document called "privacy policy" is a contains very brief text. The complainant indicates that it is a new additional website of concerns the defendant. The complainant is disturbed that there is no correct and complete There would be a privacy statement and there would be no cookie policy either. 16. The complainant states that personal data are collected by means of a web form. Also a number of preferred themes should be passed on and agreed upon with the defendant's privacy statement, according to the complainant. In addition, according to the complainant use of cookies from Google Analytics and others. In addition, the Complainant complains that Judgment on the merits 73/2020 - 5/31 no indication is given as to which third parties are involved in the processing of the content of the web forms. 17. Personal data are stored and, according to the complainant, no indication is given as to how long the data are kept and for which they will be used. According to Neither does the complainant indicate how and by whom the data will be processed. Complaint 4 DOS-2019-04329, Processing medical data 18. This complaint was lodged on 16 August 2019 and declared admissible on 30 September. 2019. The complainant complains that the defendant has provided personal data, and in particular medical data, are processed and these processes are carried out in violation of the AVG. In order to be able to to be eligible for a ground floor/adapted dwelling the complainant has medical provides information to the defendant. From the annexes, it appears that the complainant will receive a medical certificate mailed to the defendant so that his housing preferences could be adjusted. Defendant replied to that e-mail that the housing preferences following the submission of the medical certificate would be adapted to ground floor residences only. On the list of documents to be produced at the time of registration includes medical certificates mentioned. According to the complainant, it is completely unclear what the processing purposes are. The complainant argues that the processing of health data in the present case is contrary to the articles. 5, 6, 12 and 13 AVG. Also in this complaint, the complainant discusses the general privacy policy of Defendant reiterating that the defendant has violated privacy laws violates the policies being pursued. Complaint 5 DOS-2020-00543, Use digital meters 19. The complaint was lodged on 23 January 2020 and declared admissible on 4 February 2020. On 10 January 2020, the complainant received a letter from the defendant called "interim review - consumption of gas. On the document you can read what the consumption is on heating and hot water over the last two months. The complainant does not claim to have given consent to the defendant to process his consumption data. Consumption of gas and electricity is recorded by the defendant without the plaintiff The complainant stated that he knew, let alone gave his consent. According to the complainant unnecessary processing as customers can pass on the meter readings themselves. In an email dated 20 January 2020 from the email address [...], the defendant writes that the data is read automatically and sent to the defendant via an Internet connection are sent. Decision on the merits 73/2020 - 6/31 Complaint 6 DOS-2020-00574, Use of surveillance cameras 20. The complainant submitted a complaint on 30 January 2020, which was admissible on 4 February 2020. was declared by the First Line Service. The complainant alleges that the defendant's personal data Processed by means of various fixed cameras in various residential entities. There are according to the complainant 4 security cameras placed on the roof, 2 in the common entrance halls and 1 in the communal basement entrance. About the use of the cameras According to the complainant, the privacy policy does not mention anything. The rental agreement contains according to the complainant, only the use of surveillance cameras is reported. The complainant also requests this processing to know the legal basis and the purpose. Continuation of the procedure 21. The Inspectorate was set up on 7 June 2019 with regard to complaints 1 to 3 . 1 22. On 9 August 2019, the Inspectorate wrote a letter with questions to the defendant. 23. The letter contained questions to the defendant, in which the Inspectorate identified possible infringements of wished to examine and improve Articles 5, 6, 12, 13, 15, 24, 37, 38 and 39 of the AVG wishes to gain insight into the complaints. 24. The inspectorate requested the following information in relation to the defendant: (a) The communication from the defendant to the complainant concerning the request for access to the complainant, and the opinions thereon delivered by the Data Protection Officer of the defendant. b.) As regards the privacy policy of the website [...] , a copy of the decisions that were taken on the privacy policy which can be consulted on the website, as well as copy of the opinions of the Data Protection Officer on the privacy policy on the website. (c) Copy of the decisions concerning legal information and the disclaimer on the website of the defendant and a copy of the official's opinions for data protection on this information and the disclaimer. 1 Concerning DOS-2018-06611, DOS-2018-04368 and DOS-2019-02464. Decision on the merits 73/2020 - 7/31 d.) Copy of the register of processing operations. e.) A reasoned and documentary reply to the question whether the defendant has or does not have a data protection officer. If so, did the inspectorate to receive an organisation chart showing the place of the official for data protection, his title and the tasks he carries out, including orders not related to data protection. 25. On 2 July 2019, the Inspectorate received a reply to its letter of 7 June 2019. At the reply was annexed to a letter from the defendant dated 25 October 2018 in response to the complainant's request of 4 October 2018 for access to his file, to to obtain the defendant. The response shall contain an extract of personal data from the prospective tenant, in this case the complainant. The extract contains the name, address and residence details as well as the national register number, bank account, e-mail address, income and telephone number. 26. In addition, a privacy datasheet has been added as an appendix which states that information and personal data are kept of (candidate) tenants to see whether a person is entitled to social housing. The information which, according to the defendant kept are: identification data, national register number, address and contact details, family composition, language knowledge, financial data, ownership details, and, in some cases, accompanying services. It is mentioned that the data are kept for 10 years, in accordance with the Archives Act. 27. The defendant also indicated that it queried a number of bodies in order to obtain data on the following obtain. These bodies are : a) Federal Public Service Finance: data on taxable income and ownership data; (b) National Register: national register number, surname and forenames, date of birth, gender, main residence and history, the place and date of death, civil State, composition of the family, nationality and history, legal cohabitation, the register of registration and legal capacity; c) Federal Public Service Social Security: data on living wage; d) Flemish Agency for Integration and Integration: data on integration and linguistic readiness; decision on the merits 73/2020 - 8/31 (e) VREG (independent authority of the Flemish energy market): housing data on the energy value of social housing. 28. On 9 July 2019, following the replies it received on 2 July 2019 received from the defendant, in response to its questions, provisional findings and supplementary questions put to the defendant. The provisional findings of the The Inspectorate was as follows : a. The defendant does not have at his disposal any advice given by the official for data protection has been provided in relation to the complainant's request for access; b. The defendant does not have access to opinions of the Data Protection Officer. concerning the privacy policy on the website [...] ; c. Respondent does not have at his disposal decisions taken on privacy policy on the website; d. The copy of the processing register does not contain the name and contact details of the controller and data-processing official and shall include nor the processing purposes; e. The defendant does not explain the duties and powers of the official for data protection. 29. The Inspectorate also put further questions to the defendant about the Data Protection Officer. For example, a copy of the documents justifying the choice of that person as Data Protection Officer, the date of notification to the Data protection authority of that Data Protection Officer and finally a copy was requested of the documents proving the effective exercise of his mission appears to be, more specifically, advice, correspondence and the like. 30. By email of 8 August 2019, the defendant's response to the temporary injunction was made public. the inspectorate's findings. The response contains a number of annexes including email correspondence between the defendant and the data protection officer who works at Infosentry. This e-mail is referred to as advice from the officer for data protection on the complaint. 31. As a privacy policy communication requested by the Inspectorate, the defendant sent an e-mail from the Vlaamse Maatschappij voor Sociaal Wonen (VMSW) (Flemish Social Housing Company) enclosed. The mail contains the message that the VMSW has new privacy statements for customers Decision on the merits 73/2020 - 9/31 of social housing companies. This is an e-mail addressed to all social landlords. In addition, general information sheets have always been added. 32. It should also be noted that the processing register has been amended as a result of of the Inspectorate's temporary findings. 33. The Inspectorate's questions to the defendant concerning the designation of the Article 37 AVG Data Protection Officer (outside the scope) were also answered. It was indicated that the appointment of the official for data protection was carried out on the initiative of the VMSW, which, by means of a call for tenders, issued an had concluded a framework agreement with the company Infosentry NV. 34. The defendant points out in this connection that : The defendant points out in this connection that: "The companies could, on their own initiative subscribe to the services of Infosentry NV, which offers all its employees on top of an minimum experience is also required to obtain a minimum number of certificates in the domain of knowledge of data protection'. 35. The date of notification of the Data Protection Officer shall be 25. May 2018. The defendant points out that it has submitted a new notification to the GBA in which another person was registered as an official. The latter is according to Therefore, the defendant is the actual Data Protection Officer. 36. On 16 September 2019, the Inspectorate made its report to the Disputes Chamber on the basis of Article 92, 3° of the WOG. 37. The inspection report shall identify potential breaches of Articles 5, 6, 12, 13, 15, 30, 31, 32 and 37 to 39 of the AVG. 38. The Inspectorate finds that the defendant has failed to comply with the obligations imposed by Articles 5 and 6 of the AVG. The Inspectorate has now reached the following conclusion the answers given by the defendant do not show any justification as to which decisions there are have been taken concerning the legal info / legal disclaimer and general terms and conditions 2 on the webpage [...] 2 See page 3 of inspection report DOS-2018-006611 document 21. Decision on the merits 73/2020 - 10/31 39. In addition, the defendant acknowledges that no advice was given by the officer for data protection since, in the defendant's view, that advice is not normally covered by the duties of the official. 40. Nor do the replies of the defendant indicate what decisions were taken on those parts of the website [...] which involve the processing of personal data Facilitate such as the contact page. 41. According to the Inspectorate, the privacy policy Y Housing is not transparent and not understandable to those concerned. It is not made clear what happens to the personal data obtained. According to the Inspectorate, the privacy policy is confusing and contains all kinds of concepts that are incomprehensible to those concerned. In addition, the policy indicating that in the event a data subject contacts the defendant and does so via an electronic medium other than the website, the privacy statement of that other medium has priority. According to the Inspectorate, this also indicates that there are no Transparency is towards those involved. 42. The Inspectorate points out that, despite its express request, it did not has received opinions from the defendant from the Data Protection Officer. 43. According to the Inspectorate, technical investigations have shown that use is being made of made from cookies on the website [...] . One of these concerns a necessary technical cookie called "hs_js" and another, a marketing cookie called "IDE" originating from Google-Doubleclick. No permission is asked for the latter cookie to the visitors of the website. The processing of personal data which, in that context takes place, is therefore, according to the Inspectorate, unlawful. 44. With regard to Articles 12, 13 and 14 of the AVG, the Inspectorate also has infringements detected. The service comes to these findings as the Annex Internal rental regulations annex 11 which is not related to the privacy policy of the defendant is transparent and comprehensible to those concerned, thus infringing Article 12.1 AVG is established by the Inspectorate. It is not made clear what should various terms used in that Annex shall be understood to mean 11. The contact details of the data protection officer of the defendant are missing. The processing purposes and the legal basis for the processing are lacking. Finally, the data subjects are not made aware of the right of access, according to the Court. Inspectorate. Decision on the substance 73/2020 - 11/31 45. As of 1 July 2019, an amended privacy policy has been published by the defendant on its website. 3 website. The document containing the defendant's privacy policy is, according to the Inspectorate not transparent and comprehensible to those concerned and therefore not satisfactory meet the requirements of Article 12.1 AVG. In addition, not all information provided in accordance with the Articles 13 and 14 of the AVG are actually prescribed in the privacy policy. described. Different terms are used interchangeably and the contact details of the Data Protection Officer is missing, according to the inspection report. 46. In response to the complainant's request for access on the basis of Article 15 AVG, the defendant reacted by sending, inter alia, a document called "GDPR". Also this document is neither transparent nor comprehensible, according to the Inspectorate, to involved, as a result of which the defendant does not meet the requirements set out in Article 12.1 AVG. According to the Inspectorate, the answer does not meet the requirements of Article 15.1 AVG either. The obligatory information to be stated, such as stating the recipients of the personal data is missing. 47. An infringement of Articles 28 and 30 was also found by the Inspectorate and for the following reasons. The defendant has indicated that a company called C-Works designed the website [...]. Via that website, personal data of tenants collected and processed. The defendant does not regard the company as a processor. It it is not clear to the inspectorate, in view of the information provided, whether a processor and whether there is thus a processor's contract in accordance with Article 28 of the CMR should have been closed. Additional findings ( outside the scope of the complaints ) 48. The obligations imposed by articles 37.5 and 37.7 of the AVG are, according to the Inspectorate not complied with by the defendant. The justification for the choice of the The data protection officer shall not be given by the defendant. Defendant indicates only that this was done on the initiative of VMSW which, by means of a call for tenders, issued a had a framework agreement with Infosentry. The contact details of the official for data protection is also not disclosed and this implies a breach of Article 37.7 AVG according to the Inspectorate. 49. Finally, the Inspectorate has established that the obligations set out in Articles 38.1 and 38.3 AVG are also not being complied with by the defendant. From the various documents provided by the 3 Decision on the substance 73/2020 - 12/31 Inspectorate received from the defendant it may be concluded that the No opinion was sought from the Data Protection Officer for, inter alia, the processing of personal data via the website [...]. Treatment on the merits by the Dispute Chamber 50. On 21 March 2020, the Dispute Settlement Chamber shall inform the parties that the six individually Complaints submitted will be joined and the Chamber of Disputes will decide on on the basis of art. 95, §1, 1° and art. 98 of the WOG that the dossier is ready to be processed at the end of the year. ground. The parties shall also be notified of the time limits for submitting their defences. The final date for receipt of the conclusion of the defendant's response was thereby recorded on 26 March 2020, that for the conclusion of the reply of the complainant of 27 April 2020 and the conclusion of Reply of the defendant on 27 May 2020. 51. On 26 March 2020, the Data Protection Officer, employed by the company Infosentry, on behalf of the defendant, by e-mail in the form of order sought by the defendant, in which he also expresses his desire to be heard. 52. On 19 August 2020, the parties were informed that the oral hearing would take place on 23 September 2020. 53. On 23 September 2020, the parties will be heard by the Chamber of Disputes. 54. The minutes of the hearing will be presented to the parties on 29 September 2020. 55. On 2 October 2020, the Data Protection Officer, on behalf of the defendant, issued an send a response to the minutes to the Chamber of Disputes, stating that 4 asked for a number of corrections to be made to the minutes. 56. On 8 October 2020, the complainant replied to the official report by e-mail. The complainant replied in his reaction to the official report is a detailed reiteration of his earlier arguments. The The Dispute Settlement Chamber points this out, as already mentioned at the hearing, no new facts can be added as the debates have already taken place closed. The official report is only sent to see if everything is correct. 4 See e-mail of 2 October 2020 with feedback on DPO Cranium's official report on behalf of the defendant to the Chamber of Disputes. Decision on the merits 73/2020 - 13/31 displayed. Therefore, the arguments put forward after the closure of the debates will not 5 will be taken into account in the decision. 57. In its conclusions of 26 March 2020, the defendant acknowledges that, with regard to the legal information / legal disclaimer no opinions have been issued by the officer for data protection. It should be noted that the document will be removed as it does not contain any conditions attached to the exchange of personal data shall apply. 58. As regards the Inspectorate's findings concerning the website [...] responds defendant as follows : "With regard to the technical examination carried out on the website Y Housing rests in the fact that findings made by the Inspectorate are correct and a marketing cookie did work on the web page. Considering the one-off event that was organised and the brief use of the website is Y Housing continued in good faith on explanation of the website builder (Go4IT), a e-mail to substantiate this was attached as a document to the previous file, which does not contain cookies. were active on the website. Y Housing acknowledges that not submitting the website a test on this can constitute a reprehensible omission and learns the necessary lessons from it. for the future. “ 59. The defendant further states that it has taken note of the findings of the Inspectorate for the establishment of transparent information, communication and detailed arrangements for exercising the rights of the person concerned (Articles 12 and 13) AVG). The defendant indicates that it will amend the privacy statements. 60. With regard to the findings concerning the right of inspection in Article 15 of the AVG, the following replies are given Defendant as follows. The defendant states that it is always seeking to ensure transparency and transparency. provide clear information in response to questions received from her (candidate) tenants. The defendant then states that it "to the best of its ability, the necessary documentation has transmitted, following the exercise of the right of access of the person concerned, acknowledges the society that some elements of this document may not be fully clear after its first reading. As a modest SME, it is the first time that Y Housing was faced with such a request. The organisation recognises that areas for improvement and efficiency gains would be possible if such a request were to recur". 5 E-mail from the complainant to the Chamber of Disputes of 8 October 2020 following the minutes of the hearing. Decision on the merits 73/2020 - 14/31 61. The defendant points out that it is open at all times to questions from and communication with (candidate) tenants. The defendant was ignorant of the circumstance that the document contained ambiguities and would rather expect the complainant to first had communicated to the defendant before lodging a complaint. 62. The defendant indicates that it has taken note of the Inspectorate's findings. concerning the register of processing operations. The register has now been updated according to the defendant. 63. The defendant concludes as follows : "In conclusion, Y Housing stresses that the necessary efforts to be made in The AVG has been delivered in conformity with the AVG. Furthermore, Y Housing acknowledges the importance of the protection of personal data and the role played by the Data protection authority has a role to play here. Nevertheless, Y Housing In recent weeks and months, this procedure has had to undergo most of all. Although Y Housing always tries to accommodate its (prospective) tenants in the most suitable way. comply with the necessary legislation, while also being in contact as far as possible with stakeholder organisations, it has been shown that, as a modest social rental company required an excessive workload, and financial effort, to deal with this administrative procedure to the necessary level of detail. With this Consideration Y Housing would like to stress once again the importance of being heard in this case." 64. By email of 23 October 2020, the Chamber of Disputes notifies the defendant of the intention to impose an administrative fine as well as the amount of the fine and the possibility for the defendant to communicate his defences in this respect. 65. On 30 October 2020, the defendant replied by email to the intention to impose an injunction. fine. The Dispute Chamber points out in this regard that there can be no new facts. be added as the debates were already closed. The reaction of In summary, the defendant is as follows: The amount of the fine, according to the defendant, is as follows high. The defendant indicates that these are difficult times for them financially. That is why the defendant would have been compelled, inter alia, to sell dwellings in order to to be able to continue. This has a direct impact on their target group, namely the weaker members of society, according to the defendant. The defendant shares the view of the Litigation chamber on the (in)accessibility of the Data Protection Officer Decision on the merits 73/2020 - 15/31 does not. According to the defendant, the official can be reached in the manner prescribed by the AVG. The defendant states that the positive result of EUR 528,355 such as included in the penalty form is incorrect and adds other figures. As regards the Infringements detected in relation to the surveillance cameras, the defendant pleads largely in the opinion of the Dispute Settlement Chamber, but with the addition that the images were not consulted by the defendant but were merely consulted saved. 2. Reasons Dispute Chamber 66. In view of the number and size of the cases submitted, the Litigation Chamber assesses the following complaints, for reasons of procedural economy, the degree to which they are well-founded, to the subject of the complaint. Consequently, complaints 1 to 6 will not be included in those order but shall be grouped under the themes to which they relate belong. The themes which are the subject of the various complaints and on which the Chamber of Disputes will give its verdict are the following: - privacy policy & right of access in accordance with article 15 AVG (section 2.1) - data processing officer (section 2.2) - cookie policy (section 2.3) - health data processing (section 2.4) - camera law (section 2.5) - processing by means of digital meters (section 2.6) 67. The Dispute Chamber points out that, pursuant to the articles, the controller 5.2 and 24 AVG must take appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data in be carried out in accordance with the AVG. In doing so, the AVG requires, among other things account shall be taken of the nature and volume of the processing operations and of the Risks to those involved. In assessing whether and to what extent Sanctions will have to be imposed, these elements will play an important role. 2.1 Privacy Policy & Right of Access in accordance with Article 15 AVG Decision on the merits 73/2020 - 16/31 68. As regards the right of access to Article 15 AVG and the information provided by the complainant (especially in complaint 1) alleged infringements, the Litigation Chamber argues as follows. 69. The document called "Extract Personal Data Candidate - Tenant Y Housing CVBA" contains various data, including the national register number, name, address and residence data as well as nationality, email address, sex, date of birth and Family income of (prospective) tenants. In addition to the extract, a document to the complainant transferred called: "Privacy: what information does Y Housing have?". This info sheet contains the following opening paragraph : "Via Y Housing you can rent a social housing. We Therefore, keep information about you in lists and files to see if you have a right to a particular item. on. Or to help you better. “ 6 Articles 13.1 and 13.2 AVG stipulate as follows: 1. When personal data relating to a data subject become the controller shall provide the data subject with the following information at the time of obtaining the personal data already contain the following information: (a) the identity and contact details of the controller and, in where appropriate, of the representative of the controller; (b) where appropriate, the contact details of the officer for data protection; (c) the processing purposes for which the personal data are intended, as well as the legal basis for processing; (d) the legitimate interests of the controller or of a third party, if the processing is based on Article 6(1)(f); (e) where appropriate, the recipients or categories of recipients of the personal data; (f) where appropriate, that the controller intends to delete the to transfer personal data to a third country or an international organisation; or whether or not an adequacy decision by the Commission exists; or, in the case of Article 46, Article 47 or the second subparagraph of Article 49(1), which shall include the transfers referred to in are appropriate or suitable safeguards, how a copy can be obtained or where they can be consulted. 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject at the time of obtaining the personal data, the following additional information to ensure proper and transparent processing: 6 See attachment to e-mail of 4 October 2018 from complainant to GBA Decision on the merits 73/2020 - 17/31 (a) the period for which the personal data will be stored, or if that is not possible, the criteria for setting that deadline; (b) the legitimate interests of the controller or of a third party, if the processing is based on Article 6(1)(f); (c) that the data subject shall have the right to request the controller to access, rectification or erasure of personal data or limitation of personal data relating to him or her concerning processing, as well as the right to object to such processing and to have it carried out right to data portability; (d) where the processing is pursuant to Article 6(1)(a) or Article 9(2)(a) based on the fact that the person concerned has the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on the consent before its withdrawal; (e) that the data subject has the right to lodge a complaint with a supervisory authority authority; (f) whether the transmission of personal data is a legal or contractual obligation or a necessary condition for the conclusion of an agreement, and whether the the data subject is obliged to provide the personal data and what the possible consequences are are when these data are not provided; (g) the existence of automated decision making, including that referred to in Article 22, profiling as referred to in paragraphs 1 and 4 and, at least in those cases, useful information on the underlying logic as well as the importance and the expected consequences of that processing for the person concerned. 70. During the hearing, the defendant stated that the privacy statement on the website is published after having been reviewed and endorsed by the Board of Directors. It is a privacy statement derived from the example of the VMSW, according to the defendant. 71. The Dispute Settlement Chamber finds that the aforementioned privacy statement - also in the form of a information sheet after the declaration has been adapted and is in force entered into force on 1 July 2019 - does not meet the requirements for processing in accordance with Articles 12 and 13 AVG. Such a privacy data sheet should must fully inform the person concerned of what is actually happening. personal data is done and in the context of which it is processed. Any processing of personal data must be lawful, adequate and transparent. happen. Those concerned should be clearly informed which data are processed, how the processing is carried out and why the personal data is processed are processed. It cannot be deduced from the privacy sheet what exactly the personal data are used. Decision on the substance 73/2020 - 18/31 72. The Privacy Sheet contains the following paragraph concerning the processing of personal data: "Via Y Housing you can rent a social housing. We therefore keep in lists and files information about you. We use this information to find out if you have any information about you. have a right to it. Or to be able to help you better." 73. The Disputes Chamber is of the opinion that the above is a very vague, general and concerns unclear text from which it is in no way possible to deduce what the collected personal data are actually used. This text does not comply with the AVG. It is For example, it is absolutely unclear what is meant by 'we use this information to to see if you have a right to something. Or to be able to help you better." There should be a clear and clear language to be communicated to those concerned. 74. Transparency requirements are laid down in the AVG and further explained in the Guidelines on transparency in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council Article 29 Data Protection Working Party which states that "One of the key elements of the principle of transparency as referred to in these provisions is that interested parties shall be informed in advance be able to determine the scope and effects of the processing and not subsequently 7 be surprised by other ways in which their personal data have been used'. The specific interest in question must be identified for the benefit of the person concerned. 75. In addition, information and communication concerning privacy should comply with the principle of transparency, i.e. that information is simple, accessible and must be comprehensible in accordance with Article 12.1 AVG. Under "comprehensible" is understood that the message must contain, inter alia, a certain level of linguistic usage, namely "clear and simple language". In addition, the use of language should be adapted to the target group . This means communicating in clear and simple language. to those concerned. The defendant would, (all the more so) now that (candidate) tenants of a social housing company, more understandable and clearer have to draw up. After all, these are tenants with low incomes and in general 7 Transparency guidelines p.8. 8 Data Protection Working Party, Guidelines on consent under Regulation 2016/679, WP259, p. 4.; Guidelines on transparency in accordance with Regulation (EU) 2016/679, WP260, p. 7: "The requirement that information shall must be "comprehensible" means that the information must be comprehensible to an average member of the intended public. Understandability is closely linked to the requirement to use clear and simple language. A Processing controller respecting the principle of accountability will have knowledge of the persons from whom information is collected and can use this knowledge to determine what the target group is likely to be understand. For example, a data controller who collects personal data of working professionals may assume that his or her target group has a higher level of understanding than the target group of a data controller who collects children's personal data. […]”. 9Recital 39 at AVG. Decision on the merits 73/2020 - 19/31 (barring exceptions) a low level of education which makes the policy more comprehensible is all the more necessary. 76. In addition to the infringements mentioned above, the defendant's privacy policy is even more difficult to enforce. now understand, in different places and different times, various concepts such as "personal data", "information" and "data" are used interchangeably in the privacy sheet. In addition, references are made without an explanatory statement. glossary or clear explanations. The information provided is often not up to date. As example can be given of the referral to the website of the supervisory authority authority, as both the complainant and the Inspectorate are right to do, for example commented, referred to www.privacycommission.be while the current website since May 2018 www.gegevensbeschermingsautoriteit.be. 77. The Disputes Chamber also finds that the defendant's privacy policy is incomplete, as it does not contain the mandatory information as laid down in Article 13 of the AVG. According to Article 12 of the AVG, the privacy information must be "concise"; this does not in any way mean that the obligation to provide information in accordance with the following may be waived Article 13 AVG. 78. The privacy policy of the defendant contains this mandatory information in accordance with Article 13.1 under (b) AVG, such as the contact details of the Data Protection Officer not on 10 a manner that complies with the legislation and the guidelines of the Working Party 29 on the Data Protection Officer. In order to comply with the requirement of the provision of prior information, these contact details should indeed be included in the privacy policy. 79. As rightly pointed out by the Inspectorate, the e-mail address [...] is indicated on the privacy sheet, according to the "Explanation of organisation chart" provided by the defendant linked to the mailbox of the defendant's IT administrator while the function of According to the defendant, the data protection officer has been subcontracted to a third party in 11 the framework contract of VMSW. The Data Protection Officer appears to be employed by that third party, in this case the company Infosentry. The e-mail address of the official is [...], according to various documents and mail correspondence between the defendant and the official. Accordingly, the data relating to the persons concerned are inaccurate of the Data Protection Officer and may, in the event of need 10Group on Data Protection, WP243 rev.01, Guidelines on Data Protection Officers p.12. 11Stuk 10 of dos-2018-06611. Decision on the merits 73/2020 - 20/31 do not turn to the right person. As a result of this list of findings finding an infringement of Article 13(1)(b) AVG. The fact that, as of 1 September 2020, a new official for the data protection has been infringed, the infringement up to that date continued and a new appointment does not retroactively rectify the infringement committed makes. 80. The Litigation Chamber deduces from the findings of infringements listed above that the the defendant's obligations of transparency under Article 12 of the AVG and its obligation to provide information has failed to comply with Article 13 of the AVG. The defendant acknowledges this in its conclusion. As a result the defendant has acted imputably negligently in breach of his duty of accountability, such as determined in Articles 5.2 and 24 of the AVG. This information must be in accordance with with Articles 12 and 13 of the AVG. 81. Article 15 AVG in which the right of inspection of the person concerned is laid down reads as follows : 1. The data subject shall have the right to obtain from the controller confirmation of the following whether or not to process personal data concerning him and, where that is the case, to have access to them obtain those personal data and the following information: (a) the processing purposes; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed provided, in particular to recipients in third countries or international organisations; (d) if possible, the period during which the personal data are expected to be kept stored or, if that is not possible, the criteria for setting that time limit; (e) that the data subject shall have the right to ask the controller for that personal data be rectified or erased, or that the processing of personal data concerning him/her be carried out limited, as well as the right to object to such processing; (f) that the data subject has the right to lodge a complaint with a supervisory authority; (g) where personal data are not collected from the data subject, all available information on the source of that data; (h) the existence of computerised decision-making, including those referred to in Article 22(1) and (4), and, at least in those cases, useful information on the underlying logic, as well as the importance and the expected consequences of such processing for the data subject. Decision on the substance 73/2020 - 21/31 2. Where personal data are transferred to a third country or an international organisation, the person concerned shall have the right to be informed of the appropriate safeguards in accordance with Article 46 on transfers. 3. The controller shall provide the data subject with a copy of the personal data which are processed. If the data subject requests additional copies, the a reasonable charge on the basis of administrative costs charge. Where the person concerned submits his application electronically, and not for any other arrangement request, the information shall be provided in a common electronic format. 4. The right to obtain a copy referred to in paragraph 3 shall be without prejudice to rights and freedoms of others. 82. The defendant's privacy policy does not contain several mandatory elements from Article 15.1 AVG. From the privacy document does not disclose the exact purposes of the processing of the data which request the defendant to (candidate) tenants. It should be precisely defined for which every piece of data collected is used precisely. If data on the health then it will have to be stated that these data are being processed, for example with the aim of being able to ascertain whether, on the basis of a given health situation, an Adapted accommodation can be granted. There is also no indication as to who the recipients and are categories of recipients. In addition, there is no mention of the right that the data subject has the right to request that his/her data be rectified and/or deleted in accordance with Article 15.1 under e. It is also not stated that the processing of personal data will be restricted. By doing so, the Disputes Chamber also deems a violation of Article 15.1 to have been proven. 83. In addition, the complainant claims that he has not been granted access to all of his personal data transmitted by defendant are processed. According to the complainant, this is a sheet containing only general information from the National Registry. There is no indication as to whether the information provided is complete, according to the complainant. 84. The Chamber of Disputes recalls that Article 15 AVG "gives the person concerned the right to to have access to personal data collected about him, and to exercise that right simply and with reasonable to carry out periodic checks to ensure that he is aware of the processing operation and that it is lawful ...can control it." 12 It is clear from all of the above that the information provided by the defendant on their processed data of the complainant does not comply with the requirements of Article 15. The complainant has rightly noted 12 Introductory recital 63 to AVG. Decision as to substance 73/2020 - 22/31 that he has not been able to exercise his right of inspection properly. Between the personal data of complainants processed by the defendant and those to which the complainant had had access were as follows for example, not the medical certificates that the plaintiff will provide to the defendant, as will be shown below in section 2.4 had submitted. 2.2 Data Protection Officer 85. Additional findings were also made in the inspection report with regard to the Data Protection Officer, which are outside the scope of the complaint. The The Inspectorate has established that the defendant has acted in violation of Article 37.5 and Article 37.7 AVG. On the basis of article 37.5, the officer must be appointed, under more, on the basis of its expertise in the field of legislation and practice on the data protection. Article 37.7 states that the contact details of the officer shall be known must be made and communicated to the supervisory authority. 86. From the defendant's replies to the Inspectorate concerning the appointment of the official as regards data protection, it appears that that appointment was made on the initiative of the VMSW through a company with which it had a framework agreement. The Chamber of Disputes finds that the defendant fails to comply with the duty to choose the Data Protection Officer to be accounted for. The defendant refers only to very general information and communication from the VMSW to the defendant. Moreover, the defendant cites several times that there is a Framework agreement was concluded between the VMSW and Infosentry NV as DPO. The Chamber of Disputes points out that the defendant is ultimately responsible and has a duty to comply with Article 37.5 AVG which provides that the Data Protection Officer shall be designated on the basis of of his professional qualities and, in particular, his expertise in the field of the data protection legislation and practice. This shows a lack of justification for the defendant's choice of official. In addition, the data are of the officer not disclosed as prescribed in Article 37.7 AVG. In doing so, the Disputes Chamber established infringements of articles 37.5 and 37.7 AVG. 87. The Dispute Settlement Chamber refers to the guidelines of the Working Group 29 for officials for data protection which provides for the following with regard to external officers: "With the in order to ensure legal transparency and good organisation and to avoid conflicts of interest for members of the team, it is recommended in the Guidelines to avoid the tasks within the external team. Data Protection Officer to be clearly set out in a service contract Decision on the substance 73/2020 - 23/31 as well as a single person for the customer as the main contact person and "responsible person 13 to be appointed. 88. At the hearing, the current Data Protection Officer, who has been in office since 1 September 2020 the official is that, as a new official for data protection, in line with the WP29 guidelines on the role of data protection in the protection of personal data. Data Protection Officer. Essentially, the officer for data protection must be available to the controller. That some correspondence first arrived at the defendant's IT administrator and was forwarded to the Data Protection Officer was, according to the Data Protection Officer 14 correct. The Dispute Chamber points out that according to the Guidelines of the Working Party 29, the requirements to disclose the contact details of the official in order to ensure that both data subjects (both inside and outside the organisation) and supervisory authorities be able to contact the Data Protection Officer easily and directly. The access should be direct, without having to involve another part of the organisation contact. In the present case, the contact was made via the defendant's IT manager, which was goes against the intention of the regulator. Confidentiality is equally important. employees are reluctant to complain to the Data Protection Officer if the confidentiality of their communications is not guaranteed. 89. Article 38.1 and Article 38.3 AVG stipulate that the data-processing controller must ensure that shall ensure that the Data Protection Officer is involved in all matters that relate to the protection of personal data. The official for Data protection must not be instructed in the performance of those tasks. The The Inspectorate stated that in the light of the replies and the documents obtained noted that no opinion was sought from the Data Protection Officer concerning privacy issues. The Dispute Settlement Chamber finds that indeed no justification is given for the person responsible for processing has been presented with the decisions taken for the website [...] , on legal information and general terms and conditions. There are no opinions from the Data Protection Officer as regards the processing of data via this website. Moreover, in its conclusion, the defendant acknowledges indeed that it did not request an opinion from the Data Protection Officer. The Litigation Chamber therefore finds that the defendant infringed Article 38.1 of the AVG. 2.3 Cookie policy 13Directions for Data Protection Officers of the Working Party 29 p.28. 14Page 5 of the verbal proceedings of the hearing of 23 September 2020. Decision on the substance 73/2020 - 24/31 90. As already mentioned above, the plaintiff claims that the defendant uses cookies on the website [...] . and [...]. According to the complainant, no consent is sought for the use of the cookies. The Inspectorate has established by means of a technical report that on the website [...] use was made of cookies. As previously indicated, this is a necessary technical cookie called "hs_js" from the defendant himself and a cookie called "IDE" derived from it from Google-Doubleclick.net. For this last "IDE" cookie no consent was given. asked of visitors to the website, according to the Inspectorate's report. 15 91. At the hearing, the defendant acknowledged that the website dates from the year 2010 and therefore does not comply with the current regulations. There is no question of unwillingness; however, the technical Restrictions do not allow, for example, the display of a pop-up for the use of cookies. Also setting up a secure connection via https domain name is not possible on the current website, according to defendant. A new website is currently under construction. According to the defendant will most probably be finished by the end of this year. 92. The Court of Justice ruled in the Planet49 judgment that, for the placing of cookies information must be provided by the controller. 16 From the data information must show for how long cookies will remain active and whether third parties will also have access may have up to those cookies. This is necessary in order to ensure proper and transparent information. guarantees. 93. Article 129 of the Electronic Communications Act stipulates that the user shall must have given his consent for placing and consulting cookies on his computer. terminal equipment. The consent requirement shall not apply to the technical storage of information. Also when the placement of cookies is necessary for the delivery of a cookie expressly requested by the subscriber or end-user requested service, the consent requirement does not apply. 17 94. The Chamber of Disputes also draws attention to the following considerations from the abovementioned judgment Planet49: "Regulation 2016/679 now explicitly provides for active consent prescribed. In this context, it should be noted that, according to recital 32 of these Regulation, the consent may be expressed in particular by clicking on a box next to a visit to a website. On the other hand, this recital expressly excludes "silence, the 15Inspection report, p5. 16 Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801. 17See also Decision No 12/2019 of the Disputes Chamber of 17 December 2019. Decision on the merits 73/2020 - 25/31 use of already ticked boxes or inactivity" may constitute consent. It follows from this that the consent provided for in Articles 2(f) and 5(3) of Directive 2002/58, read in conjunction with in conjunction with Articles 4(11) and 6(1)(a) of Regulation 2016/679, not is validly granted when the storage of information or the gaining of access to information which is already stored in the terminal equipment of the user of a website shall be allowed by means of a standard checkbox to be unchecked by the user if he refuses to give his consent. . 18 95. The consent must also be 'specific'. The Dispute Chamber refers to the Guidelines 19 on consent under regulation 2016/679 endorsed by the EDPB: "Article 6(1)(a) confirms that the person's consent must be given with in relation to "one or more specific" purposes, and that a data subject has a choice in relation to 20 each of these purposes' . This means 'that a data controller who wishes to obtain consent for a number of different purposes, must offer a separate opt-in for each purpose in order to allow users to to enable specific authorisations to be granted for specific purposes". 21 96. On the basis of the technical report drawn up by the inspectorate, the Dispute Settlement Chamber states that ascertained that the consent of the complainant has not been sought by the defendant on the websites for placing a cookie for marketing purposes, namely the "IDE" cookie. In addition, the defendant answered the Inspectorate's question as to whether cookies had been used On the websites, no. The defendant returned to the foregoing by concluding that acknowledge that they have made use of cookies for which consent was required. Defendant indicates that he has changed his cookie policy and will ask for permission from now on. of the users. 22 97. In view of the above facts and findings, the Litigation Chamber considers the processing of personal data through the placement of cookies, without a valid legal basis of to have permission in accordance with Article 6.1 AVG, unlawful. 98. The controller must, pursuant to Articles 5.2 and 24 AVG, provide appropriate technical information to the controller. and take organisational measures to ensure and demonstrate that the 18 19Arrest Planet49, ro. 62 and 63. Working Party on Data Protection, Guidelines on consent under Regulation 2016/679, WP259, p. 4. 20 Ibid., p. 14. 21Ibid., p. 14. Decision on the merits 73/2020 - 26/31 processing of personal data using cookies in accordance with Articles 12 and 13 AVG is being carried out. In its conclusion, the defendant acknowledges that certain mandatory statements such as the processing purposes in the original privacy statement of the website were missing. 2.4 Health data 99. The complainant claims that the defendant is also processing medical data. The Complainant states that his medical to have issued certificates to the defendant. According to the complainant, the defendant is processing on systematic wrongful medical data. The complainant takes the view that it is not the task of the defendant to make a substantive assessment of the health situation of a (prospective) tenant. 100. Attached to the complaint are mail exchanges between the complainant and the defendant. From the In any case, several e-mails reveal the following. In an e-mail dated 30 August 2016 defendant to have received the doctor's certificate from the complainant, but not to be able to provide a guarantee that a positive decision will be taken on the complainant's request for candidates higher up the list for the allocation of a dwelling. The complainant therefore requested a higher up the list. From another email dated 6 February 2019 from the complainant to the defendant, it appears that that the complainant voluntarily sent an e-mail to the defendant in which he wrote to the informed him of his changed medical condition. The complainant closed the e-mail with " Supplementary a medical certificate may be provided for again, should you again have doubts as to whether there is a I have my own opinion about my medical condition. I therefore urge you to want to take due account of my medical physical limitations and to live close to my home. to want to put hospital first. In view of the seriousness of the problem of (...) I would ask you to to absolutely avoid living in a busy residential environment". 101. At the hearing, the defendant indicated that only a medical certificate was requested. in the event that the (prospective) tenant requests special housing preferences as in this case. The defendant states that the medical certificates do not contain any diagnoses. Complainant speaks not against it. The doctor asks for the situation of the person concerned to be taken into account and asks than, for example, a house with a lift or a house in a quiet area. The medical According to the defendant, the only purpose of attestations is to enable a correct allocation to be made. 102. On the basis of the above, the Disputes Chamber decides that there is no question of a unlawful processing of health data. Such processing is necessary and can be based on Article 9(h) the processing is necessary for the purposes of the substantive decision 73/2020 - 27/31 preventive or occupational medicine, for the assessment of fitness for work of the worker, medical diagnosis, the provision of health care or social services, or treatment or the management of health care systems and services or social systems, and services, on the basis of Union or Member State law, or under an agreement with an health professional and subject to the conditions and safeguards laid down in paragraph 3, in the absence of any diagnoses in the medical certificates. Moreover, it appears from the exchanges of e-mails that the complainant has his own movement informed the defendant of his state of health, indicating that he was may, if necessary, provide a further medical certificate. 2.3 Camera surveillance 103. The complainant alleges that there is camera surveillance in various residential entities of the flat. According to the complainant, the privacy policy says nothing about camera surveillance. Complainant wishes to know the legal basis and purpose of this processing as well. 104. It appears from the documents submitted that point 11 of the tenancy agreement mentions made from the surveillance cameras that are installed on the roof, in the communal entrance halls and the communal cellar entrances have been suspended. Apart from this information, nothing is known about the Use of cameras. 105. At the hearing, the defendant indicated, upon request, that the surveillance cameras in 2012 at the request of residents in cellars and corridors have been hung for safety. The cameras are legally registered and used as a kind of deterrent, according to the defendant. There nothing else would be done with the images. A year and a half ago, the camera images according to the defendant, consulted once. The cameras are, according to the defendant, difficult to consult. management because there is too little budget for its maintenance. There is currently no maintenance contract for the surveillance cameras. Respondent indicates that the images can consult and be responsible for the processing of the images. The official for data protection points out that the Camerawet is the legal basis for the processing of the camera images. 106. On the basis of the documents available in the file, the Chamber of Disputes and what emerged from the hearing shows that there are very many uncertainties as to what concerns the use of surveillance cameras. As a processing purpose, first of all the The prevention of nuisance has been mentioned. Subsequently, during the hearing, the defendant indicated that there was also once asked to consult the images in connection with illegal dumping. The Dispute Room is considers that the defendant is not entirely clear as to what the cameras actually do Decision 73/2020 - 28/31 on the merits serve. In addition, according to the Dispute Chamber, from the elements that are available are insufficiently drawn up as to whether the Camerawet is correctly complied with by the defendant. In article 6 § 2 of the Camerawet provides that the controller shall keep a register containing keeps a record of the image processing activities of the surveillance cameras and this register on request made available to the Data Protection Authority and the police services. Such a register is not kept by the defendant. Moreover, it is apparent from what the defendant said at the hearing has declared that the retention period in Article 6 § 3 is also not complied with now that this article it appears that if "the images cannot contribute to proving a crime, of damage or nuisance", these should in principle be removed after one month. The The Dispute Chamber thus establishes infringements of Article 30 of the AVG (keeping of register of processing activities) and article 5.1 under e AVG (storage restriction). 2.4 Digital Consumption Meters 107. The plaintiff complains that the defendant is using digital consumption meters and on those the way in which tenants' consumption is recorded and data on that consumption unlawfully without valid legal basis processed. The complainant indicates that he has not given his consent for the processing of data relating to its consumption of gas and electricity. 108. During the hearing, the defendant indicated that the digital meters will be linked to the address. In this way, you can see how much has been consumed at a particular address. These data are also passed on to a third party (local company) with whom there is a processing agreement is. That company reads the consumption. The defendant receives a list of this and links it to the tenants' files, according to the defendant. 109. On the basis of Article 6 of the AVG, the person responsible for processing the to have a legal basis for the processing of personal data in order to ensure that the processing would be lawful. On the basis of Articles 24 and 25 of the AVG, the defendant must therefore take appropriate technical and organisational measures to ensure and be able to demonstrate that processing takes place in accordance with the AVG. The person responsible for processing must in doing so, effectively implement the principles of data protection, the rights of the protect data subjects and process only those personal data that are necessary for each of the following specific purpose of processing. On the basis of the facts and documents presented, the Litigation Chamber finds that the defendant has not been able to prove that there is any privacy policy Developed for the digital remote reading of meter readings. It is also unclear on the basis of which legal basis the data are processed in accordance with Article 6 of the AVG. An infringement of Article 6 of the Data Protection Act is thus established. The complainant states that he does not consent to the decision on the merits 73/2020 - 29/31 have given for processing. The defendant does not rely on any other legal basis. for processing. In addition, the Disputes Chamber alleges in the present case a breach of Article 5.1(a) AVG now that it is clear from the above that the personal data are not in a lawful, legitimate and proper manner. and are processed transparently. The defendant indicates that a third party is processing the data. read out the consumption and forward it to the defendant. The Chamber of Disputes points out that according to article 28.3 GC, the processing by a processor must be arranged in a agreement between the controller and the processor. Sanction to be imposed In view of the above, the Dispute Settlement Chamber will impose two sanctions: 1. order that the processing be brought into conformity in accordance with Article 100 § 1, 9°; 2. impose an administrative fine in accordance with Article 100 § 1, 13°. Taking into account Article 83 of the AVG and the case law of the Market Court, the Disputes Chamber gives its reasons the imposition of an administrative fine in concrete terms: - Seriousness of the infringement: the reasons given above show the seriousness of the infringement. - The duration of the infringement: the defendant sought to rectify certain infringements and to comply with privacy rules; however, many of the breaches identified are still ongoing. - This is a necessary deterrent to prevent further infringements. As regards the nature and seriousness of the infringement (Art. 83.2 a) AVG), the Chamber of Disputes stresses that compliance with the principles provides for in Article 5 of the AVG - in the present case, in particular, the principle of legality - is essential, since the concerns fundamental principles of data protection. The Litigation Chamber considers the infringement of the defendant relies on the principle of lawfulness set out in Article 6 of the AVG, therefore, as a serious Infringement. The Disputes Chamber finds that article 83.7 AVG stipulates the following: "Without prejudice to the powers of the supervisory authorities to take remedial action In accordance with Article 58(2), each Member State may lay down rules on whether and to what extent administrative pecuniary sanctions may be imposed on public authorities established in that Member State, and public bodies. The AVG does not give any further explanation on the scope of what is covered by public bodies. and public bodies' is to be understood. However, according to the Dispute Chamber, it is certain that these derogation must be interpreted strictly. The Litigation Chamber considers it particularly necessary in this case to give a strict interpretation to the (optional) exemption from an administrative fine provided for in Article 83.7 of the AVG for "public authorities and public bodies". For this reason, Article 221, § 2, Law Data protection, which implements Article 83.7 AVG, to be interpreted strictly. Article 83.7 AVG leaves Moreover, it does not allow the Member States to define the concept of 'public authorities and bodies'. The decision in substance 73/2020 - 30/31 It is therefore a concept of Union law that must be given an autonomous and uniform meaning. It will come Therefore, only the Union institutions, in particular the Court of Justice, should be required to respect the limits of to define that concept. In the opinion of the Disputes Chamber, a private law organisation such as the Y It does not include housing companies, even though this organisation carries out tasks in the public interest the area of social housing. 23 The Dispute Chamber finds that there is a serious attributable shortcoming on the part of defendant. As explained in detail above, the Litigation Chamber has a considerable number of identified shortcomings. Among those deficiencies are breaches of fundamental principles of data protection. The infringements established justify, in the opinion of the A high fine in its own right. In determining the administrative fine However, the Chamber of Disputes takes into account a number of moderating factors, including the following shown the defendant's willingness to adapt certain matters, the appointment of an expert Data Protection Officer and a new website which, according to the defendant, will be AVG compliant are. In addition, when determining the amount of the fine, the Dispute Chamber shall take into account that this is a not-for-profit social housing company. The fact that In its response to the penalty form, the defendant states that it is not financially sound, and this If the decision is supported by figures, the Dispute Settlement Chamber will take the decision into account. FOR THESE REASONS, the Data Protection Authority's Litigation Chamber shall, after deliberation, decide : Pursuant to Article 100, §1, 9° WOG, order the defendant to order that the processing in is brought into line with Articles 5.1(a) and (b), 5.2, 6.1, 12.1, art. 13.1. b) and c) , Art. 13.2. b), Art. 15.1, Art. 25.2, Art. 37.5, Art. 37.7, Art. 38.1, Art. 38.3, and Article 39 of the AVG, no later than three months after notification of the decision, and within three months of the date of notification of the decision. the same deadline, to the Data Protection Authority (Disputes Chamber) by e-mail (via to inform the e-mail address: litigationchamber@apd-gba.be ) that the above order was carried out. 23 See recital 52 of the judgment 31/2020 of 16 June 2020 of the Chamber of Disputes Decision on the merits 73/2020 - 31/31 - on the basis of art. 100 § 1, 13° and art. 100 WOG an administrative fine on of EUR 1 500. This decision may be appealed against under Article 108(1) of the WOG within one of the following days. period of thirty days from the date of notification to the Court of Justice of the European Communities with the Data protection authority as defendant. Hielke Hijmans President of the Chamber of Disputes