APD/GBA (Belgium) - 07/2024: Difference between revisions
From GDPRhub
m (→Facts) |
No edit summary |
||
| Line 81: | Line 81: | ||
}} | }} | ||
The Belgian DPA fined a data broker €174,640. Among other violations, the controller could not rely on legitimate interest to collect data from third parties and infringed Article 15(1)(c) and (g) GDPR by not disclosing specific information about sources and recipients of the data in the context of an access request. | The Belgian DPA fined a data broker €174,640. Among other violations, the controller could not rely on legitimate interest to collect data from third parties and infringed [[Article 15 GDPR|Article 15(1)(c) and (g) GDPR]] by not disclosing specific information about sources and recipients of the data in the context of an access request. | ||
== English Summary == | == English Summary == | ||
| Line 90: | Line 90: | ||
On 13 November 2020 and 23 December 2020, they both received a reply to their requests by the controller via post. The letter provided further explanation of the personal data processed, including a summary of the categories of personal data, categories of recipients, the processing purposes and the legal basis, which was legitimate interest, under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. | On 13 November 2020 and 23 December 2020, they both received a reply to their requests by the controller via post. The letter provided further explanation of the personal data processed, including a summary of the categories of personal data, categories of recipients, the processing purposes and the legal basis, which was legitimate interest, under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. | ||
Following the information provided, on 28 January 2021, the complainants filed | Following the information provided, on 28 January 2021, the complainants filed complaints with the DPA against the controller. The complainants complained that the controller, as a data broker, processed a large number of their personal data without their knowledge and prior consent, violating [[Article 13 GDPR|Article 13]] or [[Article 14 GDPR|14 GDPR]]. They also affirmed that a large amount of data was sent to various parties and resold to third parties for commercial purposes. The complainants also pointed out that some of the personal data were more than 15 years old and, therefore, outdated. In addition, the complainants believed that the controller applied profiling to their personal data before selling the profile data. Lastly, they claimed that the controller breached [[Article 12 GDPR#3|Article 12(3) GDPR]] by providing the requested information on paper, whereas the request was made electronically. | ||
On 22 March 2021, the Disputes Chamber of the DPA requested the Inspection Service to investigate the matter, and the parties were heard in front of the Dispute Chamber on 22 February 2023. | On 22 March 2021, the Disputes Chamber of the DPA requested the Inspection Service to investigate the matter, and the parties were heard in front of the Dispute Chamber on 22 February 2023. | ||
=== Holding === | === Holding === | ||
Following the information provided, the Belgian DPA found several GDPR infringements, | To begin with, the DPA found that there could be no doubt that the controller should be held responsible for the processing activities that took place before the acquisition of Bisnode Belgium by the controller, even after the name change, as disputed by the controller. This is because, with the transition, the responsibility and decision-making power over the means and purposes of personal data processing. | ||
Following the information provided, the Belgian DPA found several GDPR infringements, which it divided into three sections. | |||
The first category of violations concerns the unlawful and unfair processing of personal data. | The first category of violations concerns the unlawful and unfair processing of personal data. | ||
| Line 103: | Line 105: | ||
* The DPA brought into question the storage limitation of the data processed under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] since the controller stated to keep personal data in its databases for 15 years from the last entry. | * The DPA brought into question the storage limitation of the data processed under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] since the controller stated to keep personal data in its databases for 15 years from the last entry. | ||
* Moreover, the DPA found a breach of [[Article 12 GDPR|Articles 12]] and [[Article 14 GDPR|14 GDPR]] as the controller failed to inform the complainants in a timely and individual manner even though the controller had the contact details of the majority of those involved. It further found that, at the time of the investigation, the privacy statement for consumers was incomplete. Thus, the DPA stated that the controller infringed [[Article 14 GDPR]]. | * Moreover, the DPA found a breach of [[Article 12 GDPR|Articles 12]] and [[Article 14 GDPR|14 GDPR]] as the controller failed to inform the complainants in a timely and individual manner even though the controller had the contact details of the majority of those involved. It further found that, at the time of the investigation, the privacy statement for consumers was incomplete. Thus, the DPA stated that the controller infringed [[Article 14 GDPR]]. | ||
* Additionally, | * Additionally, since the controller was unable to demonstrate that the contested data processing operations were compliant with the GDPR, the DPA considered the infringement of [[Article 5 GDPR]], [[Article 24 GDPR#1|Article 24(1) GDPR]], as well as [[Article 25 GDPR|Articles 25(1) and (2) GDPR]]. | ||
Secondly, the DPA established that both complainants received a reply from the controller by post, although their original access requests were made electronically. [[Article 15 GDPR#3|Article 15(3) GDPR]] states that when the data subject submits their request electronically and does not request any other arrangement, the information must be provided in a common electronic form. Moreover, by giving a reply by post, the controller made it difficult for the complainants to reply to the letter with a follow-up request. Thus, the controller violated [[Article 12 GDPR|Articles 12(1) and (2) GDPR]] since the controller did not facilitate the complainants’ rights, as well as [[Article 12 GDPR#3|Article 12(3)]] in conjunction with [[Article 15 GDPR#3|Article 15(3) GDPR]]. Furthermore, the DPA stated that the controller infringed [[Article 15 GDPR#1g|Article 15(1)(g) GDPR]] due to not communicating to the complainants all available information on the sources from which it received their personal data. Mentioning the [https://gdprhub.eu/index.php?title=CJEU_-_C-154/21_-_RW_v_%C3%96sterreichische_Post CJEU C-154/21 case Österreichische Post], the DPA further noted that controllers are required to provide data subjects with the identity of the recipients to whom personal data are or will be provided. Only when it is not possible to identify these recipients the controller is allowed to limit the information to the relevant categories of recipients. In this way, if needed, a complainant could exercise their rights directly with these recipients. Given the foregoing, the controller infringed [[Article 15 GDPR#1c|Article 15(1)(c) GDPR]]. | Secondly, the DPA addressed the access request violations. The DPA established that both complainants received a reply from the controller by post, although their original access requests were made electronically. [[Article 15 GDPR#3|Article 15(3) GDPR]] states that when the data subject submits their request electronically and does not request any other arrangement, the information must be provided in a common electronic form. Moreover, by giving a reply by post, the controller made it difficult for the complainants to reply to the letter with a follow-up request. Thus, the controller violated [[Article 12 GDPR|Articles 12(1) and (2) GDPR]] since the controller did not facilitate the complainants’ rights, as well as [[Article 12 GDPR#3|Article 12(3)]] in conjunction with [[Article 15 GDPR#3|Article 15(3) GDPR]]. Furthermore, the DPA stated that the controller infringed [[Article 15 GDPR#1g|Article 15(1)(g) GDPR]] due to not communicating to the complainants all available information on the sources from which it received their personal data. Mentioning the [https://gdprhub.eu/index.php?title=CJEU_-_C-154/21_-_RW_v_%C3%96sterreichische_Post CJEU C-154/21 case Österreichische Post], the DPA further noted that controllers are required to provide data subjects with the identity of the recipients to whom personal data are or will be provided. Only when it is not possible to identify these recipients the controller is allowed to limit the information to the relevant categories of recipients. In this way, if needed, a complainant could exercise their rights directly with these recipients. Given the foregoing, the controller infringed [[Article 15 GDPR#1c|Article 15(1)(c) GDPR]]. | ||
Lastly, the DPA noted that the submitted register of processing activities by the controller only indicated the categories of data subjects without more details. Meanwhile, [[Article 30 GDPR#1c|Article 30(1)(c) GDPR]] explicitly requires the register to include a description of the categories of data subjects and the categories of personal data. Consequently, the controller infringed [[Article 30 GDPR#1c|Article 30(1)(c) GDPR]]. | Lastly, on the issue of the records of processgin activities, the DPA noted that the submitted register of processing activities by the controller only indicated the categories of data subjects without more details. Meanwhile, [[Article 30 GDPR#1c|Article 30(1)(c) GDPR]] explicitly requires the register to include a description of the categories of data subjects and the categories of personal data. Consequently, the controller infringed [[Article 30 GDPR#1c|Article 30(1)(c) GDPR]]. | ||
Taking into consideration | Taking into consideration these infringements, the DPA issued on the controller three fines for each one of the above-mentioned sections, which cumulatively amount to €174,640. | ||
== Comment == | == Comment == | ||
Revision as of 09:23, 31 January 2024
| APD/GBA - 07/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 6(1)(f) GDPR Article 12 GDPR Article 14 GDPR Article 15(1)(c) GDPR Article 15(1)(g) GDPR Article 15(3) GDPR Article 24(1) GDPR Article 25 GDPR Article 30(1)(c) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 174,640 EUR |
| Parties: | Black Tiger Belgium |
| National Case Number/Name: | 07/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | ar |
The Belgian DPA fined a data broker €174,640. Among other violations, the controller could not rely on legitimate interest to collect data from third parties and infringed Article 15(1)(c) and (g) GDPR by not disclosing specific information about sources and recipients of the data in the context of an access request.
English Summary
Facts
On 23 October 2020 and 27 November 2020, two complainants submitted two separate access requests under Article 15 GDPR to Bisnode Belgium, a direct marketing and data specialist company, which was subsequently taken over by the French Black Tiger Group and renamed Black Tiger Belgium (the controller).
On 13 November 2020 and 23 December 2020, they both received a reply to their requests by the controller via post. The letter provided further explanation of the personal data processed, including a summary of the categories of personal data, categories of recipients, the processing purposes and the legal basis, which was legitimate interest, under Article 6(1)(f) GDPR.
Following the information provided, on 28 January 2021, the complainants filed complaints with the DPA against the controller. The complainants complained that the controller, as a data broker, processed a large number of their personal data without their knowledge and prior consent, violating Article 13 or 14 GDPR. They also affirmed that a large amount of data was sent to various parties and resold to third parties for commercial purposes. The complainants also pointed out that some of the personal data were more than 15 years old and, therefore, outdated. In addition, the complainants believed that the controller applied profiling to their personal data before selling the profile data. Lastly, they claimed that the controller breached Article 12(3) GDPR by providing the requested information on paper, whereas the request was made electronically.
On 22 March 2021, the Disputes Chamber of the DPA requested the Inspection Service to investigate the matter, and the parties were heard in front of the Dispute Chamber on 22 February 2023.
Holding
To begin with, the DPA found that there could be no doubt that the controller should be held responsible for the processing activities that took place before the acquisition of Bisnode Belgium by the controller, even after the name change, as disputed by the controller. This is because, with the transition, the responsibility and decision-making power over the means and purposes of personal data processing.
Following the information provided, the Belgian DPA found several GDPR infringements, which it divided into three sections.
The first category of violations concerns the unlawful and unfair processing of personal data.
- The DPA found an infringement of Article 6(1)(f) GDPR since the controller did not properly demonstrate that its legitimate interests, supplying the personal data to its customers and maintaining updated records of the data subjects, would outweigh the interests and fundamental rights of the complainants. Moreover, the DPA noted that the controller processed different types of data, raising doubts over whether all these personal data were systematically necessary for the representation of the intended interests under Article 5(1)(c) GDPR.
- The DPA brought into question the storage limitation of the data processed under Article 5(1)(e) GDPR since the controller stated to keep personal data in its databases for 15 years from the last entry.
- Moreover, the DPA found a breach of Articles 12 and 14 GDPR as the controller failed to inform the complainants in a timely and individual manner even though the controller had the contact details of the majority of those involved. It further found that, at the time of the investigation, the privacy statement for consumers was incomplete. Thus, the DPA stated that the controller infringed Article 14 GDPR.
- Additionally, since the controller was unable to demonstrate that the contested data processing operations were compliant with the GDPR, the DPA considered the infringement of Article 5 GDPR, Article 24(1) GDPR, as well as Articles 25(1) and (2) GDPR.
Secondly, the DPA addressed the access request violations. The DPA established that both complainants received a reply from the controller by post, although their original access requests were made electronically. Article 15(3) GDPR states that when the data subject submits their request electronically and does not request any other arrangement, the information must be provided in a common electronic form. Moreover, by giving a reply by post, the controller made it difficult for the complainants to reply to the letter with a follow-up request. Thus, the controller violated Articles 12(1) and (2) GDPR since the controller did not facilitate the complainants’ rights, as well as Article 12(3) in conjunction with Article 15(3) GDPR. Furthermore, the DPA stated that the controller infringed Article 15(1)(g) GDPR due to not communicating to the complainants all available information on the sources from which it received their personal data. Mentioning the CJEU C-154/21 case Österreichische Post, the DPA further noted that controllers are required to provide data subjects with the identity of the recipients to whom personal data are or will be provided. Only when it is not possible to identify these recipients the controller is allowed to limit the information to the relevant categories of recipients. In this way, if needed, a complainant could exercise their rights directly with these recipients. Given the foregoing, the controller infringed Article 15(1)(c) GDPR.
Lastly, on the issue of the records of processgin activities, the DPA noted that the submitted register of processing activities by the controller only indicated the categories of data subjects without more details. Meanwhile, Article 30(1)(c) GDPR explicitly requires the register to include a description of the categories of data subjects and the categories of personal data. Consequently, the controller infringed Article 30(1)(c) GDPR.
Taking into consideration these infringements, the DPA issued on the controller three fines for each one of the above-mentioned sections, which cumulatively amount to €174,640.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/114
Dispute Chamber
Decision on the merits 07/2024 of 16 January 2024
File number: DOS-2021-01224
Subject: Complaint regarding unlawful processing and commercialization
of personal data by a data broker
The Disputes Chamber of the Data Protection Authority (hereinafter, GBA), composed of
Mr Hielke Hijmans, chairman, and Mr Dirk Van Der Kelen and Yves Poullet, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter WOG;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainants: [X], [...], hereinafter “the complainants”, represented by [...], with social
registered office in [...], registered with the Crossroads Bank for Enterprises under the
number [...].
The defendant: BLACK TIGER BELGIUM (former BISNODE BELGIUM NV), with social
registered office in [...], registered with the Crossroads Bank for Enterprises under the
number [...], hereinafter “the defendant”, represented by masters
DOCQUIR and CORNETTE, with offices in [...]. Decision on the merits 07/2024 - 2/114
I. Facts and procedure 3
II. Justification 9
II.1. Competence of the Belgian Data Protection Authority 9
II.2. Description of the disputed processing activities by the defendant 11
II.2.1. Processing responsibility 12
II.2.2. Data processing 14
II.3. Lawfulness of the processing (Article 5.1.a) and 5.2, as well as Article 6.1 GDPR) 16
II.3.1. Position of the Inspection Service 16
II.3.2. Position of the parties 16
II.3.3. Judgment of the Disputes Chamber 28
II.4. Transparency towards those involved (Article 12.1, Article 13.1 and 13.2, Article 14.1
and 14.2, Article 5.2, Article 24.1, and Article 25.1 GDPR) 57
II.4.1. Position of the Inspection Service 57
II.4.2. Position of the parties 57
II.4.3. Judgment of the Disputes Chamber 59
II.5. Handling requests from data subjects to exercise their rights (Article 12.1
and 12.2, Article 15.1, Article 5.2, Article 24.1, and Article 25.1 GDPR) 68
II.5.1. Position of the Inspection Service 68
II.5.2. Position of the parties 68
II.5.3. Judgment of the Disputes Chamber 71
II.6. Use of cookies on the defendant's websites (Article 4.11), Article 5.1.a) and 5.2,
Article 6.1.a), as well as Article 7.1 and 7.3 GDPR) 76
II.6.1. Position of the Inspection Service 76
II.6.2. Position of the defendant 76
II.6.3. Judgment of the Disputes Chamber 77
II.7. Accountability of the defendant (Article 5.2, Article 24.1, as well as Article 25.1 and
25.2 GDPR) 77
II.7.1. Position of the Inspection Service 77
II.7.2. Position of the defendant 78
II.7.3. Judgment of the Disputes Chamber 79
II.8. Register of processing activities (Article 30.1, 30.2, and 30.3 GDPR) 81
II.8.1. Position of the Inspection Service 81
II.8.2. Position of the defendant 81
II.8.3. Judgment of the Disputes Chamber 82
II.9. Involvement of the DPO (Article 38.1 and Article 39.1 GDPR) 83
II.9.1. Position of the Inspection Service 83
II.9.2. Position of the defendant 84
II.9.3. Judgment of the Disputes Chamber 84
II.10. Additional considerations regarding the inspection report 85
III. Sanctions and corrective measures 87
III.1. Established infringements 87
III.2. Measures imposed by the Disputes Chamber 89
III.2.1.Corrective measures to bring processing into compliance with GDPR 89
III.2.2.Administrative fines 91
III.3. Other grievances 112
IV. Publication of the decision 112 Decision on the merits 07/2024 - 3/114
I. Facts and procedure
1. The subject of the complaint concerns the alleged unlawful processing and
commercialization of personal data of the complainants by the former NV
1
B ISNODE BELGIUM, now known as “B LACK TIGERB ELGIUM”.
2. B ISNODE BELGIUM is, in its own words, a direct marketing and big data specialist that already...
has been active on the B2B market in Belgium for several decades. This was for several years
company active in the field of data broking (broker in data), where
B ISNODE B ELGIUM purchased data from sources and processed this data for
account of its customers, who themselves carried out direct marketing activities, either for
companies, either for private individuals or consumers.
3. On October 23, 2020 and on November 27, 2020, the two complainants must, each separately,
submit a request to the defendant, to exercise their right of access accordingly
Article 15 GDPR.
4. On November 13, 2020 and December 23, 2020, they will each receive an answer to their
request. Both responses are sent by regular mail by the defendant, and
provide further explanation about the various files in which the personal data of
the complainants are included or not, as well as a summary of the categories of
personal data available to the defendant, the processing purposes and the
legal basis (Article 6.1.f) GDPR). Furthermore, the defendant provides a list “of the
(potentially) involved sectors” within which companies are active that may be
may receive personal data of the complainants from the defendant. The defendant
then clarifies that the complainants' personal data will be kept for 15 years from
the last registration is kept in its database, and lists the sources of the
personal data in the consumer file [the Z8 company] resp. It
company database (Belgian Official Gazette and Crossroads Bank for Enterprises). Also
the defendant emphasizes that he does not use automated decision-making,
but assesses the so-called “marketing potential” of those involved for each
user to create a marketing segmentation profile. The defendant states
also that he, or “one of his customers”, “includes” the personal data of the complainants
certain cases” to countries outside the EEA. Finally, the
defendant to the complainants the opportunity to exercise their other rights and more
Information about this can be consulted on the website www.bisnodeenu.be as well as on the website www.bisnodeenu.be
possibility to file a complaint with the Data Protection Authority.
1See edge no. 36 in this decision.
2Conclusions of the defendant dated March 7, 2022, p. 2. Decision on the merits 07/2024 - 4/114
5. On January 28, 2021, the complainants will submit a joint complaint to the
Data Protection Authority, against the defendant. The complainants complain about it
that as a data broker it processes a large number of their data, but without
their knowledge, and therefore in violation of Article 13 or 14 GDPR, nor the preceding
consent. According to the complainants, these data were held by different parties
purchased, if necessary enriched, and then resold to third parties for
commercial purposes.The complainants also object to the fact that some personal data
are more than 15 years old, and are therefore incorrect. In addition, the complainants believe that the
defendant applies profiling to their data before passing on this profile data
to sell. In conclusion, the complainants state that the defendant has Article 12.3 GDPR
violated by providing the requested information on paper while exercising
of their rights by data subjects necessarily had to be done electronically
to happen.
6. On March 15, 2021, the complaint will be declared admissible by the First Line Service on the grounds
of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
transferred to the Disputes Chamber.
7. On March 22, 2021, the Disputes Chamber will decide on the basis of Articles 63, 2° and 94, 1° WOG
to request an investigation from the Inspection Service.
8. On March 24, 2021, the request from the
Disputes Chamber to conduct an investigation and transfer it to the Inspection Service,
together with the complaint and the inventory of the documents.
9. On March 31, 2021, B ISNODE B ELGIUM will be acquired by [the parent company Z1] 3
and the former directors will be replaced by new directors, including [...]
who also sits as chairwoman on the board of directors of [the parent company Z1].
10. The investigation by the Inspection Service will be completed on May 20, 2021, and the report will be
is added to the file and the file is transferred by the Inspector General to
the Chairman of the Disputes Chamber (Article 91, § 1 and § 2 WOG).
The report contains findings regarding the subject of the complaint and decision
that the defendant has committed violations of the following provisions of the GDPR:
i. Articles 5.1.a) and 5.2, as well as Article 6.1 GDPR;
ii. Articles 12.1 and 12.2, Article 15.1, Article 5.2, Article 24.1, and Article 25.1 GDPR;
3[Z1], established in […], registered on the National Trade and Companies Register (Registre national du commerce
et des sociétés) of France with SIREN number […]. At the General Meeting of […] June 2023, the name of the
company changed to “Z2”; the minutes of this General Meeting were recorded on […] November 2023
registered with the Commercial Court of Paris (see paragraphs 28 and 34 in this decision).
4B.S., April 21, 2021 – https://www.ejustice.just.fgov.be/[...].
5See the French government website L'Annuaire des Entreprises: https://annuaire-entreprises.data.gouv.fr/[...]. Decision on the merits 07/2024 - 5/114
iii. article 12.1, article 13.1 and 13.2, article 14.1 and 14.2, article 5.2, article 24.1, and article
25.1 GDPR.
The report also contains findings that go further than the subject of the complaint
In particular, the Inspection Service determines that the defendant complies with the following provisions of the
GDPR has violated:
iv. Article 4.11), Article 5.1.a) and 5.2, Article 6.1.a), as well as Article 7.1 and 7.3 GDPR;
v. Article 5, Article 24.1, as well as Articles 25.1 and 25.2 GDPR;
vi. Articles 30.1, 30.2, and 30.3 GDPR;
vii. Article 38.1 and Article 39.1 GDPR.
Finally, the Inspection Service determines that the processing of personal data leads to the
core activities of the defendant, and that these are systematic and on a large scale
processes personal data for, among other things, direct marketing purposes.
11. On June 15, 2021, the name of B ISNODE BELGIUM will be changed to B LACK T IGERB ELGIUM6.
However, the company number […] remains unchanged.
12. On September 30, 2021, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and
Article 98 WOG states that the file is ready for substantive treatment. The involved
Parties will be notified by registered mail of the provisions such as:
mentioned in Article 95, § 2, as well as in Article 98WOG. They are also stated on the basis of
Article 99 WOG of the deadlines for submitting their defenses.
13. On October 4, 2021 and October 8, 2021, the defendant respectively the complainant a copy of
the file (Article 95, § 2, 3° WOG), which was sent to them on October 8, 2021.
Both parties accept further exchanges of documents electronically.
14. On October 13, 2021, the defendant indicates that he wishes to make use of the
opportunity to be heard, in accordance with Article 98 of the WOG, and he requests it
to be able to express in French, both in the context of his conclusions and during the
hearing before the Dispute Chamber, since the defendant has its seat in bilingual
Brussels Capital area, is registered in French with the Crossroads Bank of
Companies, has its articles of association in French, and is part of the French “B LACK
7
TIGER GROUP”.
15. On November 3, 2021, the parties will be informed of the suspension of the previous
communicated conclusion periods, pending a decision by the
Dispute chamber regarding the language of the procedure. The complainant will let us know on November 6, 2021
6B.S., June 30, 2021 – https://www.ejustice.just.fgov.be/[...].
7See edge no. 36 in this decision. Decision on the merits 07/2024 - 6/114
that he opposes the change of the procedural language to French, as he
insufficient command of French, nor the means to write French-language documents
to have it translated. On November 13, 2021, the complainant reports that he is allowing […]
represent.
16. On November 29, 2021, the Disputes Chamber decides not to respond to the request of the
defendant to change the language of the proceedings to French, for the following reasons
reasons:
- The position of the defendant - The Dispute Chamber determines that the defendant
should be classified as a large company, with more than 100 full-time employees
employees in 2020. The Disputes Chamber also notes based on the documents
of the file that the defendant is a Dutch-speaking as well as a
French-speaking target audience.
- The position of the complainant—The Dispute Chamber determines that the complainant is directly
has an interest in a decision of the Disputes Chamber as the complaint relates
has to exercise his rights in relation to him
personal data collected and processed by the defendant.
- Abuse of the option to object to complicate the procedure - In view of the
bilingualism of the defendant, as evidenced, among other things, by the answers given by the
complainant received in Dutch as well as the bilingual website of the
defendant, also located in the bilingual area of Brussels-Capital, judges
the Disputes Chamber that the defendant's request to change the procedural language
change, unnecessarily complicates the procedure before the Disputes Chamber.
- Other specific circumstances in the case - The Disputes Chamber takes note
of the fact that the defendant during the investigation by the
Inspection Service has always expressed in French; the Disputes Chamber considers this
argument, however, is insufficient to justify a change in the procedural language
justified, taking into account the previous elements. Finally wishes
the Disputes Chamber to emphasize that it also does not understand to what extent the
takeover of B ISNODE BELGIUM by the French group B LACK TIGER. A change is possible
justifying the language in which the dispute settlement procedure will be conducted
become.
Consequently, both parties must submit their defenses in Dutch. It
However, the parties are free to provide any supporting documents in their original language
without the GBA being responsible for its translation. Decision on the merits 07/2024 - 7/114
The parties involved will also be notified by registered mail
new deadlines for submitting their defenses, in accordance with Articles 98 and
99 WOG.
With regard to the findings regarding the subject of the complaint, the
deadline for receipt of the defendant's response
recorded on January 24, 2022, this for the conclusion of the complainant's reply on 14
February 2022 and finally this for the conclusion of the defendant's rejoinder on March 7
2022.
With regard to findings that go beyond the subject of the complaint, the
deadline for receipt of the defendant's response
recorded on January 24, 2022.
17. On January 24, 2022, the Disputes Chamber will receive the response conclusions from the
defendant with regard to the findings regarding the subject of the
complaint. The Disputes Chamber hereby establishes that the defendant has not objected further
against the use of Dutch by the Disputes Chamber and its written statements
has drawn up comments in Dutch.
18. On February 15, 2022, the Disputes Chamber will receive the complainant's response conclusions,
with regard to the findings regarding the subject of the complaint.
19. On March 7, 2022, the Disputes Chamber will receive the conclusions of the defendant's rejoinder
with regard to the findings regarding the subject of the complaint.
20. On August 3, 2022, the Disputes Chamber decides to issue an appeal pursuant to Article 56 GDPR
to initiate a procedure to identify the lead supervisory authority
as well as, where appropriate, other relevant supervisory authorities. The reason for this
is the possible transfer of data processing responsibility in the context
of the acquisition of B ISNODE BELGIUM by B LACK T IGER on March 31, 2021, as well as the
statements by the defendant that his services were explained to the French
supervisory authority (CNIL). There is also the possibility that those involved in
other Member States are materially affected by the controversial processing of
personal data by B ISNODEB ELGIUM, now LACK T IGERBELGIUM.
21. On October 6, 2022, the CNIL confirmed that it is investigating to what extent it is leading
supervisory authority will act as a result of the takeover by B LACK TIGER. On 19 and
October 27, 2022 the Polish and Italian supervisory authorities respectively
inform the GBA that they wish to act as the relevant authority.
22. On November 15, 2022, the CNIL confirmed to the GBA that B LACK TIGER contacted the CNIL
has included, but only with regard to the development of the “Data
Quality” platform, which contains a specific module dedicated to GDPR compliance. Decision on the merits 07/2024 - 8/114
The CNIL, on the other hand, clarifies that it cannot yet confirm whether there will be any exchanges
have taken place between its services and B LACK T IGER regarding the possible
cross-border nature of B LACK TIGER's processing operations. What hair
authority for the processing of the group B LACK T IGER, the CNIL confirms this
it is trying to determine whether the group's headquarters has changed in the period after
takeover of the Belgian company by the French company. The CNIL closes
with the comment that it is awaiting additional information on this point.
23. On December 22, 2022, the CNIL will inform the GBA that, pursuant to the
information provided by B LACKT IGER has led to the conclusion that B LACK TIGERB ELGIUM
has retained its decision-making bodies following the acquisition of B ISNODE in March 2021
B ELGIUM by [Z1], the French parent company of the BLACK TIGER group. The CNIL states
more specifically, that the executive body of B LACK TIGER B ELGIUM despite the
acquisition remained responsible for the formal decision to terminate the Data Delivery
to cease data broker activities. Therefore, the CNIL concludes, it is Belgian
BLACK TIGERB ELGIUM branch is the main branch for the disputed processing and remains the
authority of the GBA as lead supervisory authority unchanged.
24. On January 19, 2023, the parties will be notified that the hearing will
take place on February 22, 2023.
25. On February 22, 2023, the parties will be heard by the Disputes Chamber.
26. The minutes of the hearing will be submitted to the parties on March 2, 2023.
27. On March 10, 2023, the Disputes Chamber will receive some information from the defendant
comments regarding the official report, which it decides to include
her deliberation.
28. On […] June 2023, the General Meeting of [the parent company Z1] will approve unanimously
the tenth decision is good, changing the name of the company to “[de
parent company Z2]”.
29. On August 7, 2023, the Disputes Chamber decides to reopen the debates regarding
specific points related to the case at hand.
30. On August 8, 2023, the supervisory authorities concerned will be informed by means of a
request for mutual assistance 8 formally informed of the withdrawal of the
cooperation procedure in accordance with Article 60 GDPR, given the lack of
8Article 61.1 GDPR — “The supervisory authorities shall provide each other with relevant information and mutual assistance to
implement and apply this Regulation in a consistent manner, and take measures to effectively
working together. Mutual assistance mainly covers information requests and supervisory measures, such as
requests for prior authorization and consultations, inspections and investigations.” Decision on the merits 07/2024 - 9/114
determination in the present case of cross-border data processing
the meaning of Article 4.23) GDPR.
31. On 6 September 2023, the Disputes Chamber received the conclusion of the response due to
complainant.
32. On September 11, 2023, the Disputes Chamber will receive the response statement
defendant, which she decides to include in her deliberations.
33. On October 31, 2023, the Disputes Chamber informed the defendant of its intention to transfer
to impose an administrative fine and its amount
made known, in order to give the defendant the opportunity to defend himself,
before the sanction is actually imposed.
34. On […] November 2023, the Registrar of the Commercial Court of Paris shall register
under file number […] the deed of company containing the official report of the
General Meeting held on […] June 2023 as well as the articles of association of [de
parent company Z2], as updated following the decisions of the General
Meeting.
35. On November 24, 2023, the Disputes Chamber will receive the defendant's response to the
intention to impose corrective measures and an administrative one
fine, as well as the amount thereof. The Disputes Chamber accepts this response
consideration in the context of its deliberation.
II. Justification
II.1. Competence of the Belgian Data Protection Authority
36. Between 2007 and 2020, B ISNODE B ELGIUM was part of [the company Z3], hereinafter
'[Z3]'), an international holding company consisting of entities mainly in North and East
Europe. On October 8, 2020, the Swedish private equity firm [Z4], also announced
majority shareholder (70%) of B ISNODE AB, the sale to [the company Z5]
of all its shares in the holding company ISNODE AB, excluding the operational activities of
B ISNODE BELGIUM .
37. The Disputes Chamber notes that B ISNODE BELGIUM was taken over on March 31, 2021
by the French company [Z1]—now [Z2]—, trading under the commercial name
B LACK TIGER GROUP . As a result of the takeover, the name B ISNODE BELGIUM was changed to 15
June 2021 changed to BLACK T IGERBELGIUM.
9See edge nos. 28 and 34 in this decision. Decision on the merits 07/2024 - 10/114
38. The Disputes Chamber rules that this takeover of B ISNODE BELGIUM by the French group
B LACK TIGER as well as the name change to BLACK TIGERB ELGIUM have no impact on the
jurisdiction of the GBA with regard to alleged infringements of the GDPR, because
the following reasons.
39. First of all, the Disputes Chamber points out that the original complaint was directed against
B ISNODE BELGIUM NV, established in Belgium, as well as the website https://bisnodeandyou.be,
currently no longer accessible, on March 31, 2021 still explicitly B ISNODE BELGIUM
stated as controller for the processing of personal data. 10
40. Under Article 55 GDPR, each supervisory authority has the power to:
territory of its Member State to perform the tasks and exercise the powers
that have been assigned or granted to it in accordance with the GDPR. It follows that the
Belgian data protection authority was competent at the time of the complaint
of the processing activities carried out by ISNODE B ELGIUM. The fact thatISNODE BELGIUM
11
was still owned by the Swedish listed group [Z4] until March 31, 2021, can
do not lead to a lack of jurisdiction under the GBA. The defendant's contention that
B ISNODE BELGIUM only had “little room for maneuver to […] its own strategies
and determine policy regarding personal data” 12 is also not convincing to the Disputes Chamber.
After all, after the transfer of the parent company B ISNODE AB to [the Z5 company].
October 2020, B ISNODE B ELGIUM could no longer be considered bound by the
former policy choices imposed by B ISNODE AB.
41. That the defendant was taken over by a French group at the time of the investigation,
nor does it lead to the conclusion that the GBA is not competent for the processing of
personal data until the aforementioned date of takeover. In this case, the Disputes Chamber
established that the processing activities of the defendant, including the various
websites managed by him are aimed at a Belgian target audience and
10
Item 12 (“Screenshots of the website https://bisnodeandyou.be/”) in the inventory, p. 4.
1In October 2020, [Z4], a Swedish listed group and majority shareholder (70%) of the
BISNODE group ISNODE ASWEDEN), the sale of all its shares to [the company Z5], with the exception of
operational activities in verISNODBELGIU.
12
Conclusion in the defendant's rejoinder dated March 7, 2022, p. 2. Decision on the merits 07/2024 - 11/114
relate to the person concerned and established in Belgium. The defendant's statement that
“Bisnode Belgium [before and after the entry into force of the GDPR] ensured that
[the company] had an appropriate internal organization to meet its requirements
obligations towards the persons whose personal data it holds,”
as well as that “the new buyer was in no way involved and[sic]in the course of
these events [the alleged infringements]” also confirms the jurisdiction of
the GBA.
42. Finally, and for the sake of completeness, the Disputes Chamber notes that the defendant in no way
currently questions the authority of the GBA to deal with the complaint on the merits
stated. On the contrary, both during and following the hearing of February 22
2023, the defendant disputed that there was a cross-border situation
processing within the meaning of Article 4.23) GDPR, with the result that the application of
According to the defendant, Article 60 GDPR is not relevant. The mere circumstance that the
website of B LACK TIGER BELGIUM mentions a branch in Poland, according to the
defendant is in no way sufficient as such to establish the existence of a cross-border
to make processing plausible. In connection with the above, the GBA has
circumstances, the cooperation procedure pursuant to Article 60 GDPR is terminated. 13
43. The Disputes Chamber will hereafter review the data processing activities carried out by the
defendant, before summarizing each of the findings included in the report
to assess the Inspection Service in the light of the relevant information provided by the parties
resources supplied.
II.2. Description of the disputed processing activities by the defendant
44. Based on the documents submitted, the Disputes Chamber understands that the defendant
at the time of the complaints, it managed three different databases with personal data
had:
i. the consumer file Consu-Matrix (hereinafter, “CMX”), which contains personal data
of consumers that the defendant contains from various external sources (“source
partners”) has collected. These sources create their own customer databases
disposal to B ISNODE B ELGIUM for commercialization with a view to direct
marketing purposes. CMX is a B2C information database intended for
13
See edge no. 30 in this decision.
1 Document 1 (“DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service, p.4; Piece 8 (“Bisnode
Belgium GDPR Governance B2C de 2019”) submitted to the Inspection Service; Part 9 (Bisnode Belgium GDPR Governance
B2B de 2019) submitted to the Inspection Service. Decision on the merits 07/2024 - 12/114
marketing, analysis, profiling, statistics, verification and audit purposes
15
(data quality), as well as for reference and “other” purposes.
ii. the Spectron company file, which contains company and contact details of
Belgian companies that the defendant acquired through
public/government sources (Crossroads Bank for Enterprises, National Bank
of Belgium) as well as via commercial data sources. Spectron is a B2B
information database intended for marketing profiling, analysis,
credit purposes, statistics, verification and control purposes
16
(data quality), as well as for reference and “other” purposes.
iii. the Permesso direct marketing file, which contains personal data from
“Permesso members” that the defendant has via an online marketing platform
collected. Personal data included in Permesso is intended for:
marketing and direct marketing purposes (marketing, analysis, profiling and
statistics).
45. Unlike Permesso, which contains personal data collected directly from the
data subjects have been collected for direct marketing purposes, based on consent
of the data subjects (Article 6.1.a) GDPR), CMX and Spectron are exclusively supplemented with
personal data collected indirectly, on the basis of
legitimate interest of the defendant and its customers (Article 6.1.f) GDPR).
II.2.1. Processing responsibility
46. A controller is defined as “a natural person or
legal entity, a public authority, a service or another body that, alone or
together with others, the purpose and means of processing personal data
determines” (Article 4.7) GDPR). This is an autonomous concept, specific to the regulations
on data protection, which should be assessed against the criteria that
are established therein: the determination of the purposes of the data subject
data processing and the means for that processing.
15Free translation of: “purposes of marketing, analysis, profiling, statistics, verification and control (Data Quality), directory
(reference purposes) and other” in Document 1 (“DPIA Bisnode 23 mai 2018 - Consu -Spectron-Permesso”) submitted to the
Inspection service.
16
Free translation of: “purposesofanalysis,creditpurposes,marketingprofiling,statistics,verificationandcontrol(DataQuality),
directory (reference purposes) and other” in Section 1 (“DPIA Bisnode 23 mai 2018 - Consu -Spectron-Permesso”)
to the Inspection Service.
17Free translation of: “marketing/direct marketing purposes (marketing, analysis, profiling and statistics)” in Section 1 (“DPIA
Bisnode 23 May 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service. Decision on the merits 07/2024 - 13/114
47. The aforementioned databases were set up and managed by B ISNODE BELGIUM, such as
irrefutably proven by the internal documentation submitted to the GBA during
the research (own underlining and filtering):
48. In view of the information available, the Disputes Chamber considers this sufficient
proven that the B ISNODE BELGIUM was the controller at the time of the complaints
acted for the aforementioned processing activities.
49. Until March 2021, B ISNODE BELGIUM offered to its customers on the Belgian B2B market
two separate activities: on the one hand, a “Data Quality” service, which consists of:
improve the quality or relevance of customer data, and on the other hand, a “Data
Delivery” service, which consists of providing data to customers
who do not yet have them and which enable them to carry out direct marketing campaigns
feed. Both Spectron and CMX were processed by the defendant for Data Quality
19
(DQ) and for Data Delivery (DD) purposes. In concrete terms, the data from CMX
customers of the defendant for enrichment purposes or rented out for
direct marketing purposes (mainly by post). The Spectron
company base was also marketed to customers of the
defendant, who could use the data from this file for his own, directly
marketing purposes .21
18 Piece 1 ("DPIA Bisnode 23 mai 2018 - Consu -Spectron-Permesso") and Piece 30 ("Bisnode Belgium - Copy of Record of
Processing”), transferred by the defendant to the Inspection Service in the context of the investigation.
19
Document 30 (“Bisnode Belgium – Copy of Record of Processing”) submitted to the Inspection Service.
20Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 3.
21Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the
defendant, p. 1: “Bisnode compiles data from different sources: […] (ii)via public sources such as, for example, the Crossroads
Bankfor Enterprises. […]ThepurposeofsuchprocessingoperationforBisnodeisincreaseandincreaseitsproprietaryB2B
databaseSpectron, in ordertodeliverbetterservices.Thoseservicesmayinclude […]deliveryofdatasetsfordirectmarketing
purposes on the basis of specific criteria (segmentation) covering offline and digital channels, including social media”. Decision on the merits 07/2024 - 14/114
50. Following the takeover by B LACK T IGERG ROUP on March 31, 2021, the renewed
new board of directors of B LACK TIGER BELGIUM on June 25, 2021 opted to
to discontinue activities in connection with the Data Delivery services. Also became
decided to destroy the CMX consumer file on July 30, 2021, as well as the
Permesso direct marketing file . Until that date, the data was taken from CMX
— including the personal data of the complainants — sold, rented or for sale
made available to companies with a view to their direct use
marketing purposes, and in particular for sending advertising messages as well
for validation, identification and analysis purposes. All customers of the defendant
additionally received a communication informing them that B LACK T IGER
B ELGIUM intended to discontinue the “B2CDataDelivery” activity, although it already existed
contracts with customers of these services were terminated, customers could
from the defendant who had received data before or on July 30, 2021,
in accordance with the contractual provisions and data already provided
24
use until October 30, 2021.
51. The Data Delivery service for the professional market (“B2B Data Delivery”), which
related to the Spectron company file, was canceled with effect from 1 December
25
2021 transferred by B LACK TIGER BELGIUM to [the Z6 company]. Customers of the
defendant who had received data up to November 30, 2021
contractual right to use this data for another three months, until the end of February
26
2022 . This decision also testifies to the responsibility of B LACK TIGER BELGIUM
with regard to the transferred processing activities.
II.2.2. Data processing
52. Article 4.2) of the GDPR defines a processing of personal data as
“an operation or a set of operations relating to personal data or a
set of personal data, whether or not carried out via automated processes, such as
collecting, recording, organizing, structuring, storing, updating or modifying, retrieving,
consult, use, provide by transmission, dissemination or otherwise
making available, aligning or combining, shielding, erasing or destroying
facts ".
22Ibid.
23Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 3.
24Ibid.
25Ibid.
26
Ibid. Decision on the merits 07/2024 - 15/114
53. Based on this definition and based on the documentation provided in the framework
of the investigation as well as the conclusion phase, the Disputes Chamber distinguishes four
various processing activities carried out by the defendant, and in particular:
A. The processing of consumer data in the CMX database in the context of “B2C
Data Delivery” service, whereby the defendant pursuant to Article 6.1.f)
GDPR collects and enriches personal data of consumers for the purpose of
the commercial supply of data to its customers, who use it
use personal data for direct marketing purposes, and in particular for
sending advertising messages, as well as for validation, identification and
analysis purposes;
B. the processing of consumer data in the CMX database in the context of “B2C
DataQuality” service, whereby the defendant is provided on the basis of Article 6.1.f)GDPR
collects, enriches and consolidates personal data from consumers
payment, to assign a reliability score to personal data of
consumers already in possession of the customers of B LACK TIGERBELGIUM, so that these
can improve the quality of their data by formatting it, too
to standardize, correct and/or link internally (matching);
C. the processing of company data in the Spectron database in the context of
“B2B Data Delivery” services, where the defendant is provided pursuant to Article
6.1.f)GDPR personal data of natural persons associated with
companies collects and enriches with a view to commercial delivery
of the personal data to its customers, who provide this personal data
use to send advertising messages 27 and for
segmentation purposes (validation, identification and analysis of profiles);
D. the processing of company data in the Spectron database in the context of
“B2B Data Quality” services, which the defendant provides under Article
6.1.f)GDPR personal data of natural persons associated with
collects, enriches and consolidates companies to, for a fee, create a
to assign a reliability score to personal data already in our possession
by customers of B LACK TIGER BELGIUM, so that they can guarantee the quality of their
can improve data by formatting, standardizing,...
correct and/or internally link (matching).
54. Since B ISNODEBELGIUM in the present case for each of these processing activities
has determined both the means and the ends, B LACK T IGERB ELGIUM must be
capacity as legal successor of BISNODE BELGIUM as
27Exhibit 12 (“Screenshots of the website https://bisnodeandyou.be/”) in the inventory, p. 38. Decision on the merits 07/2024 - 16/114
be considered a controller. In light of the foregoing
elements, the Disputes Chamber will then accept the findings by the Inspection Service
the investigation report as well as the documents provided by the parties and their
assess defenses step by step.
II.3. Lawfulness of the processing (Article 5.1.a) and 5.2, as well as Article 6.1 GDPR)
II.3.1. Position of the Inspection Service
55. According to the Inspection Service, the defendant is wrongly appealing to his
legitimate interests for the processing of the data of the complainants
within the framework of his commercial activities, and he therefore infringes
Article 6.1 GDPR.
56. The Inspection Service notes in particular that the defendant has collected various personal data
(including general personal information, contact details, professional details
and family data) that are partly obtained from the data subjects themselves and partly from other sources
— so-called “partners” of the defendant — have been obtained, processed on a large scale. This
According to the Inspection Service, this implies that those involved cannot reasonably do so
expect their personal data to be collected without their consent, systematically and against
payment by the defendant to its customers for
marketing campaigns, or are processed in the context of the freedom to
actions of the defendant. Consequently, the third cannot be satisfied
condition of Article 6.1.f) GDPR, the so-called balancing test between the interests of
the defendant, on the one hand, and the fundamental freedoms and fundamental rights of the
28
stakeholders, on the other hand.
57. Moreover, according to the Inspection Service, the defendant does not demonstrate that his interests
by weighing on those of the data subjects, thereby also violating Articles 5.1.a) and 5.2 GDPR.
II.3.2. Position of the parties
II.3.2.1. Relying on a legitimate interest (6.1.f) GDPR) as the basis for the
processing of personal data and weighing of interests by B LACKT IGER
BELGIUM
58. The complainants essentially take the position that the processing of their
personal data by the defendant for commercial purposes unlawfully
manner, since the plaintiffs were not informed of this
28See Title II.3.3.3 below in this decision. Decision on the merits 07/2024 - 17/114
never gave their consent. In other words, the complainant posits that the
defendant cannot rely on a legitimate interest in collecting
as well as the subsequent commercialization of his personal data.
59. The defendant, on the other hand, states that he is permitted to do so on the basis of his
legitimate interest, as well as that of its customers and partners, personal data
to process complainants as well as other involved parties. According to the defendant, the
Inspection service did not take into account all the elements that the defendant
However, it had argued for its legitimate interests and the proportionality of the processing
to demonstrate. The defendant would specifically have the Inspection Service during the investigation
pointed out the relevant passages of the various LIA reports 29 that relate
had on the identification of the data in question, but also on the legality,
necessity and proportionality test. The Inspection Service's determination that the
defendant did not take into account the three aforementioned cumulative conditions
are therefore manifestly incorrect.
60. The defendant also complains that the Inspection Service made no attempt
has taken to determine the precise factual circumstances of the case.
61. Legality test — First of all, the defendant argues that direct marketing as
such constitutes a lawful purpose, as stated in recital 47 GDPR and reiterated
30
in the GBA recommendation 01/2020. The defendant also points out that his
legitimate interest in the continuation of its services regarding big data
expertise, which he has been offering to his customers for years, on the basis of his
fundamental freedom to conduct a business as provided in Article II.3 of the Code of
economic law and Article 16 of the EU Charter of Fundamental Rights. The 31
taking into account the freedom to conduct a business when assessing the balance of interests
by the Disputes Chamber would therefore be indispensable. Therefore, the
processing activities of the defendant in the context of his Data Delivery activity
to the purpose or legality test.
62. In addition, the Data Quality services would serve the legitimate interests of
customers of B LACK TIGER BELGIUM, in particular to be able to implement effective marketing campaigns
and to maintain - as the GDPR requires - databases that contain only correct ones
and contain current information, according to the defendant. Also the Data Quality services
would therefore meet the legality test.
29Legitimate Interest Assessment Reports; see edge nos. 95 and 130 in this decision.
30
GBA — Recommendation No. 01/2020 of January 17, 2020 on the processing of personal data for direct
marketing purposes, https://www.gegevensbeschermingsautoriteit.be/publications/aanadvies-nr.-01-2020.pdf.
31Article 16 Charter of Fundamental Rights of the European Union — “The freedom to conduct a business is recognised
in accordance with Union law and national laws and practices.” Decision on the merits 07/2024 - 18/114
63. Necessity test — Secondly, the need to process data can be
nor, according to the defendant, for the intended direct marketing activities
cannot be disputed, since sending mail is not intrusive under any law
is prohibited, and direct marketing by post is not subject to any specific regulation
which requires the prior consent of the recipients (as opposed to direct
marketing by email). Consequently, the defendant argues, the processing activities are satisfactory
of BLACK TIGER BELGIUM in the context of its Data Delivery activity also to the
necessity test. According to the defendant, the report of the Inspection Service
does not, however, adequately explain why there would be a shortage
proportionality, as the defendant's activity consists precisely of large-scale
collect data of various kinds. On the contrary, it would be “completely normal
and legitimate” are that the defendant “collects various data to protect the family or
to characterize a person's socio-professional situation”, “since the defendant
has been professionally active in the sector for many years”. The defendant emphasizes that the
large-scale processing of personal data falls within his expertise in big data, and
according to him, no argument could be derived from the fact that data from
are collected from various sources, nor to the large scale of the processing
BLACK TIGER BELGIUM in the abstract.
64. Balancing test — Third, the defendant maintains that, contrary to what the
The Inspection Service claims to have weighed up interests properly and with the necessary accuracy
has argued between his interests and the rights and freedoms of the data subjects, with
taking into account the nature of the processing, its consequences for the data subjects, and
the interests of the company. The defendant refers in particular to the
documented considerations of interests 32 — which, according to the defendant, are only of
apply to direct marketing campaigns by post — which were sent to the
Inspection Service and taking into account:
▪ the economic interest of the defendant and its customers;
▪ the defendant's fundamental freedom to conduct a business;
▪ the negative and positive consequences of the processing, whereby it is done according to the
defendant is not necessary to avoid any negative consequences for the data subject,
but rather the intention is to have a disproportionate impact for this
prevent those involved;
▪ the “rather innocent” nature of the data;
32Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant. Decision on the merits 07/2024 - 19/114
▪ the reuse and further processing of publicly available
personal data from, among others, the KBO and the NBB;
▪ “the data subject's right to object/opt-out”; and
▪ making transparent information public on, among other things, the website of the
defendant and that of its data sources, as well as the mandatory indication
of B ISNODEB ELGIUM in the advertising messages sent to them by customers
goal audience.
65. The defendant states that he came to the conclusion taking these interests into account
that the negative consequences for those involved do not outweigh the
positive consequences for the defendant and his customers, given the freedom of
entrepreneurship, as well as the positive consequences for those involved themselves, which
the processing of their personal data will no longer receive irrelevant advertising.
66. Accordingly, the legitimate interests invoked by the defendant
according to the defendant, constitute an appropriate basis for the processing of
personal data of data subjects, since the defendant takes a series of measures
has taken to maintain the balance at all times in the context of the proportionality test
guarantees between the relevant interests, as well as to be able to demonstrate this
in accordance with the accountability obligation resting on the defendant. In that regard
refers the defendant in particular to the following, which he has already implemented
33
measures:
▪ an extensive due diligence of the data sources in terms of
data protection, including thorough analyzes of licenses of
public sources regarding the reuse of public data;
▪ the obligation for data sources to inform data subjects about the
transfer of their data to the defendant, so that the defendant or other
companies can deliver personalized offers to those involved;
▪ the mandatory mention of “B ISNODE BELGIUM” in the advertising message and the
right of review of the defendant regarding the advertising message, in
combination with conducting campaigns through the media to increase the visibility of
to raise the defendant with those involved;
▪ compliance with the principle of minimal data processing as well as the fact
that “data enrichment is only applied to data that is already in our possession
of Bisnode Belgium customers” ;
33Conclusion of response dated January 24, 2022 from the defendant, p. 7.
34Conclusion of response dated January 24, 2022 from the defendant, p. 7 in fine. Decision on the merits 07/2024 - 20/114
▪ the effective possibility of data subjects to exercise their rights under the GDPR
to practice; and
▪ taking appropriate technical and organizational measures.
67. Reasonable expectations of those involved — In the alternative, the defendant posits that the
assessment of the legitimate interest of the controller
necessary to take into account the reasonable expectations of the
person involved. Thus, the Inspection Service's determination that those involved would not
expect the data to be processed “without their consent” and “for payment”.
be irrelevant, because the criterion of reasonable expectations stated in
35
according to the defendant, recital 47 of the GDPR would only relate to the
hypothesis of further processing of personal data within the meaning of Article 6.4
36
GDPR . Due to the reasonable expectations of those involved at the time of collection
systematically taking into account the lawfulness of the processing
fully rely — according to the defendant — on the subjective position of the
those involved at a certain point in time, which changes the other criteria for assessing
the proportionality of the processing would be reduced to unnecessary
considerations.Such reasoning would, moreover, “almost necessarily lead to the
[lead] to the conclusion that LACK TIGER BELGIUM has no overriding legitimate interest, since the
By definition, those involved cannot or only with difficulty expect their data to be available to them
will be subject to technical processing such as that carried out by the
defendant is being executed (and which is also part of his secret know-how)”, 37
so that in fact any activity of DataDelivery in a broad sense becomes impossible. Thedefendant
argues that the criterion of reasonable expectations is therefore not the only criterion
can be used to assess proportionality.
In addition, the degree of transparency must also be taken into account
the data processing; (ii) the defendant's efforts to contact those involved
informing; and (iii) encouraging the data sources and customers of the defendant
to “make an active contribution to those involved” . The defendant further states that
the choice of a legitimate interest as a basis for the processing
personal data “by definition” a certain infringement of fundamental rights and
fundamental freedoms of those involved, but does not lead to a restriction of the
obligations of a controller due to the GDPR. Those involved
35Recital 47 GDPR — “[…] In any case, a careful assessment is required to determine whether there is a
legitimate interest, as well as to determine whether a data subject is at the time and in the context of the collection of the
personal data can reasonably expect that processing can take place for that purpose […]”.
36Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 15.
37Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 16.
38Conclusion of response dated January 24, 2022 from the defendant, p. 8.
39
Conclusion of the defendant's response dated January 24, 2022, p. 9. Decision on the merits 07/2024 - 21/114
can always exercise their right to object, thanks to the transparency
information on the defendant's website as well as the mandatory mention of B ISNODE
B ELGIUM in the advertising messages that its customers send to data subjects.
68. However, if the Dispute Chamber were to accept the arguments put forward by the defendant
rejected, the defendant requests that the handling of the case be suspended and a
to submit a preliminary question to the Court of Justice of the European Union, regarding the
interpretation of Article 6 GDPR and of the freedom to conduct a business under it
Charter of Fundamental Rights of the European Union. According to the defendant, the
Dispute Chamber namely:
“a 'court or tribunal of a Member State' […] within the meaning of Article 267 of the Treaty
on the functioning of the European Union, in the sense given by the Court of Justice
autonomous understanding of Union law. It was established by the law of 3
December 2017, has a permanent character, is certainly independent or at least should be
according to both EU law and Belgian law, and it issues binding legal orders
decisions at the end of an adversarial procedure that complies with
legal rules that are laid down in particular in a clear separation between the
research function on the one hand, and the judgment function on the other. As such, she has the right
to request the Court of Justice of the European Union for a preliminary ruling on
the interpretation and validity of the treaties and acts of the institutions,
organs and agencies of the U.e
69. Finally, in his conclusions in response, the defendant emphasizes that the following elements
are indispensable to properly assess the role of the defendant:
i. B LACK TIGER BELGIUM is a big data specialist, i.e. a technical expert in the
processing enormous amounts of data.
ii. The now discontinued Data Delivery activities include:
i. purchasing data from different sources;
ii. processing this data to generate suitable datasets; and
iii. delivering these data sets to professional customers who require them
use it to enrich their own data or to try to create new ones
reach customers, at their own expense, directly
carry out marketing campaigns.
iii. Since the personal data provided by the partner sources of B LACK TIGERB ELGIUM
be collected, either directly from the data subjects or from third parties, it is included
in the first instance to these sources to verify the legality of the initial
to guarantee processing and to provide data subjects with information about the
processing, purposes, etc. Decision on the merits 07/2024 - 22/114
iv. Since B LACK TIGER BELGIUM mainly carried out technical processing
in order to compile datasets that meet the needs of his professional
customers complied, the defendant maintains that in this context he acted as
processor and its customers as controllers. Therefore, the
role of the defendant as controller strictly limited to the
aggregation of data, being the technical processing within the context of
its know-how which became available in its CMX database for direct marketing purposes
kept for the benefit of its customers.
v. It is then the defendant's professional clients who, after they receive the
had received datasets that exactly matched their requests,
personally sent direct marketing communications to those involved.
Since the defendant has never conducted a canvassing campaign by post
for its own needs towards consumers, the customers of the
defendant, the only ones responsible with regard to the processing
of personal data in the context of the sent directly
marketing communications, now that they are the initiators of this, for their own
needs.
vi. The activities in the field of Data Delivery were almost exclusively related
on the channel post, as opposed to emails, cell phone numbers, or
other digital channels. These activities, described in detail in the
response letter to the Inspection Service dated April 27, 2021
governed by clear contractual agreements with both the sources and the
professional clients of the defendant.
II.3.2.2. Continuation of the Data Delivery service after the acquisition of B ISNODE
B ELGIUM by BLACK TIGER
70. In his conclusions, the complainant refers to the defendant's web page40 on which dated 14
February 2022, the purposes for processing were still reported
personal data, in particular: (a) Data Delivery, (b) Data Quality and (c) Internal use.
40https://avg.blacktigerbelgium.tech/uw-professionele-gegevens/waarom-professioneel/.
41The Disputes Chamber emphasizes that the complaints do not relate to internal use and that there are no
investigation was conducted into internal use, with the result that the Disputes Chamber will limit its assessment to the
first two processing operations. Decision on the merits 07/2024 - 23/114
71. In particular, the complainant believes that the defendant provided the following explanation in February 2022
argues with regard to its Data Delivery services:
In the context of our Data Delivery activities, we commercialize your data
for prospecting and direct marketing purposes, to make available to our customers
to enrich established databases, to draw up marketing profiles and/or to
to conduct market research”.2
In other words, the complainant posits that the defendant is contradicting himself
conclusions, in 2022 was still engaged in direct marketing activities in the context
of its Data Delivery activities — including creating profiles of
those involved — based on data from public sources such as the Crossroads Bank of
Companies, while such data is in principle solely intended to assist third parties
possibility to check company data. Also with regard to processing
of consumers' data, the defendant would have indicated that this
processed by him, and in a number of cases also sent to his customers
provided.
72. In his summary conclusion, the defendant clarifies that the disputed communication on the
website is purely the result of the transition periods specified in the agreements with
customers of the B2B Data Delivery service, which delivers data until November 30, 2021
Spectron had received. Notwithstanding the transfer of the services to
[the company Z6] on December 1, 2021, these customers had the right to the
provided data can be used for another three months, until the end of February 2022
The defendant has therefore kept information about the categories on its website
of collected data, the purposes of the processing and the rights of the
those involved. The defendant states that this is expressly stated on the
web page https://avg.blacktigerbelgium.tech/uw-professionele-gegevens/, which precedes
to the web page containing the description of the complaint cited by the complainant
42
Conclusions of the complainant's reply dated February 15, 2022, p. 2.
43See edge no. 51 in this decision. Decision on the merits 07/2024 - 24/114
processing purposes. In short, according to the defendant, the complainant is wrong
positing that B LACK TIGER BELGIUM would still resell personal data in 2022
to its customers.
II.3.2.3. Processing government data from the KBO for direct marketing
purposes, by B LACK TIGER BELGIUM
73. The complainant states that the contact details of the entities registered with the
Crossroads Bank for Enterprises both via the “public search” web page and via
so-called “KBO Web Services” or reuse files are made available.
Although it is legally possible to purchase a data license from the KBO for
reuse of company data, according to the complainant it is unclear whether the defendant does
has the necessary KBO annual subscription to be able to use this data.
Regardless of this license for reuse, the complainant states that it is in accordance with Belgian law on
KBO is nevertheless expressly prohibited from using KBO data for direct marketing,
with the result that the use of KBO data for direct marketing purposes by B LACK
TIGER BELGIUM constitutes at least a violation of the law.
The complainant points out that making KBO data available via the "public search"
functionality is in accordance with Article III.31 of the Economic Code
44
law and in accordance with Article 1 of the Royal Decree of March 28, 2014
implementation of Article III.31 of the Code of Economic Law, in particular the
44
Code of Economic Law, B.S., March 29, 2013, article III.31 — “All natural persons, legal persons or entities
have access, via the internet, to data referred to in Article III.29, § 1, registered in the Crossroads Bank of
Enterprises. At least a freely accessible website is provided on which this data is available in a readable format
can be found […]”.
45Royal Decree implementing Article III.31 of the Code of Economic Law, in particular the provision of
data from the Crossroads Bank for Enterprises that are accessible via the internet, as well as the conditions for it
consult it, B.S., April 28, 2014, article 1 - Ҥ 1. The following information from the Crossroads Bank for Enterprises is available via
the Internet accessible:
1° the company number and the establishment unit number(s);
2° the names of the registered entity and/or its business units;
3° the addresses of the registered entity and/or its business units;
4° the legal form;
5° the legal situation;
6° the economic activities of the registered entity and its business units;
7° the qualities according to which the registered entity is registered in the Crossroads Bank for Enterprises;
8° […];
9° the surname and first name of the founders and of the persons who exercise a function in the registered entity
which is subject to disclosure;
10°the reference to the website of the registered entity, its telephone and fax numbers as well as its e-mail address;[…]
§2.The name and address of the natural person's place of residence are not shown when accessing the paragraph
1 stated data, unless:
(a) either this name corresponds to the name of the registered entity or its establishment unit;
b) or the address of the place of residence corresponds to the address of its business unit.
§ 3. Only the active data referred to in paragraph 1 are stated.
§ 4. Data that has a starting date in the future or that has been discontinued is not listed. Decision on the merits 07/2024 - 25/114
determination of the KBO data that are accessible via the internet as well as the
conditions for consulting it.
With regard to the provision of contact details in the context of web services or
reuse files, the complainant believes that the KBO has a number of data available
allows data reuse via the entire file. Included in this data
including information regarding the entity and natural person as well as the names and
first names of the persons who, within legal entities, perform functions or
prove entrepreneurial skills.
74. The complainant adds that as a person responsible for a company, he also has so-called
can provide “declarative” additional contact details. Providing such
contact details in the context of the web services or reuse files of the
In principle, CBO must be carried out in accordance with Article III.33 of the Code of
46
Economic law and the Royal Decree on the reuse of public data
47
of the Crossroads Bank for Enterprises, which expressly prohibits public
to use and/or share data from the KBO for direct marketing purposes
redistribute:
Article 2 — § 1. The public data of the Crossroads Bank for Enterprises can
in accordance with the further rules and conditions of this decision, by the management service
be passed on to third parties for the purpose of reuse. However, third parties may not
use and/or redistribute personal data for direct marketing purposes.
§ 2. The management service may neither use the identification number in the National Register nor the
pass on your identification number in the Crossroads Bank for Social Security to third parties.
§ 3. The special conditions for reuse are laid down in a
license agreement between the licensee and the Belgian State”
According to the complainant, this prohibition is also included in the privacy statements as well as the
license agreements from the Crossroads Bank for Enterprises:
2.2 The licensee may not use the personal data for direct marketing
purposes, in accordance with Article 2 of the Royal Decree of 18 July 2008
Notwithstanding the first paragraph, given that it concerns a discontinued registered entity, the data intended in
paragraph 1, which were active at the time of the cessation of the registered entity”.
46
Code of Economic Law, B.S., March 29, 2013, article III.33 — “Without prejudice to the provisions of the
Articles III.29 and III.30, the King, after advice from the Supervisory Committee, sets the data of the Crossroads Ban of
Companies that may be the subject of commercial or non-commercial reuse as well as the
modalities regarding their provision. Only the management department is allowed to provide these basic data to companies
provide”.
47Royal Decree of 18 July 2008 regarding the commercial reuse of public data from the Crossroads Bank
van Ondernemingen, B.S., October 29, 2008. Decision on the merits 07/2024 - 26/114
regarding the reuse of public data from the Crossroads Bank
Enterprises.”
75. In his rejoinder, the defendant states that he has a data license
concluded with the KBO and also adheres to the terms of use of this license.
According to the defendant, it is therefore established that he does not use KBO data directly
marketing purposes, but processed exclusively for Data Quality purposes. The
The defendant also emphasizes that “direct marketing” is not intended anywhere
commercial purpose is stated in the license agreement concluded between B LACK
T IGERBELGIUM and the FPS Economy.
76. Although he expressly stated in his first defense that the
company and contact details of Belgian companies in the reference file “Spectron”
— which have been obtained indirectly via both public/government sources (KBO, NBB) and
via commercial data sources — also used for direct marketing purposes
were made, the defendant stated during the hearing on February 22, 2023 that “it
Nevertheless, it is clear that LACK TIGERB ELGIUM does not contain any data from the KBO
direct marketing purposes”.
77. In his written comments regarding the report of the hearing dated 22
February 2023, the defendant further emphasizes that B LACKT IGERBELGIUM itself never did the
was the sender of promotional messages, nor the designer of the content of
such messages. It is always the defendant's customers who
are responsible for selecting addresses and sending
advertising messages to these addresses.
In any case, according to the defendant, this does not prevent his customers from doing the same
may process data ourselves for direct marketing purposes, with the understanding that
they then carry out processing using data already in their possession, and
were therefore in no way supplied by B LACK TIGERB ELGIUM.
Finally, the defendant argues that the only processing operations at issue are:
promotional campaigns by post, excluding all digital or other
means of communication.
II.3.2.4. Mass processing of personal data of minors without
permission
78. Based on the answers to the requests for access, the complainant determines that the
defendant processes personal data of minors, in this case the minor
children of the complainants. This data is said to have been obtained via [the Z7 company],
as well as other commercial companies such as [the company Z8] and [the company Z9]. Decision on the merits 07/2024 - 27/114
In this regard, the complainant refers to the alleged 21.10% share of the Belgian
population of which [the company Z6] processes personal data, in order to conclude
that the defendant processes an even larger volume of data, partly thanks to the
data that the defendant purchases from additional suppliers.
79. In his rejoinder, on the other hand, the defendant points out that he only
limited data (date of birth and gender of the child, in relation to the information provided in the
source file identified parent) of minors. This data will be
used solely for segmentation purposes. In no event has the defendant
data of minors is provided to its customers, with which they are directly contacted
minors could send advertising.
II.3.2.5. Retention periods apply to the collected personal data
80. During the hearing on February 22, 2023, the complainant regrets the exceptionally long
retention periods of 15 years after the last registration in the defendant's databases.
The complainant states that if data is re-registered in any way
databases of the defendant, a new term of 15 years begins. This would, by the way
evident from the information that the complainants received in the response from the defendant, in which
data that is more than 15 years old is included, including data from them
children and a number of “outdated email addresses dating back to the mid-1990s”.
81. To the question of the Disputes Chamber during the hearing of February 22, 2023, regarding
what measures have been taken to assess and guarantee the quality of
personal data that is 15 years old, the defendant merely replies confirming that the
personal data will in principle be retained for a period of 15 years. When the
The complainant then points out that the current privacy statement has a retention period of
3 or 10 years, depending on the category of the person involved, the defendant answers
that the current privacy statement is not relevant since the complaint as well as the
investigation report, both of which are the subject of the present proceedings for
the Disputes Chamber, relate to the period before June 2021.
48
82. In addition, the defendant emphasizes this in the context of the reopening of the debates
the old privacy statement has now been “completely annulled and replaced”.
defendant that the privacy statement on the website is intended for the general public
in contrast to the privacy statement that applies to data subjects who directly
have received marketing communications, which mention the defendant by name
48 Conclusions of the defendant (“Additional Conclusion Black Tiger (1002387.1)”) submitted to the Disputes Chamber on
September 11, 2023.
49https://www.blacktigerbelqium.tech/privacy-policv. Decision on the merits 07/2024 - 28/114
50
is becoming . This distinction, which according to the defendant, does not relate to the nature of
the personal data, is expressly emphasized on the first page of the
modified general privacy statement — which would nevertheless be insufficient for the
present case, according to the defendant.
II.3.2.6. Enriching personal data with personal impact
83. The complainant posits that the defendant enriches personal profiles on the basis of
statistical data from the National Institute for Statistics, as well as that the
the consequences of this enrichment are significant and immediately tangible for those involved. The complainer
refers specifically to a specific company that has the creditworthiness of
would determine its customers based on profile data as well as data provided by the
defendant. The defendant's response to the requests for access would also reveal:
it appears that the profiles of the complainants are classified as “Social class: elite class”.
be .1
84. In his rejoinder, the defendant disputes this claim of the complainant, which does not
is supported by the documents in the file.
85. During the hearing before the Disputes Chamber on February 22, 2023, the
defendant asked the extent to which his Data Quality services are provided - whereby the
customers of the defendant share their own customer files with the defendant for
quality control, i.e. to check whether the personal data is sufficient
are worthy of trust — also entails (a form of) data enrichment. The defendant
answers that when receiving customer data about a specific data subject, he only
will check whether more relevant data is now known about the same data subject — at
As an example, an email address that came into use more recently — before a
to assign a score with regard to the data supplied and to communicate this score
to the client. According to the defendant, no new personal data will be collected
transferred to customers in the context of the Data Quality services.
II.3.3. Judgment of the Disputes Chamber
86. Prior to its substantive assessment of the lawfulness of the processing
of the complainant's personal data by the defendant, the Disputes Chamber wishes to
emphasize that, contrary to what the defendant stated in his response dated 24
50
Available on the website https://avg.blacktigerbelgium.tech.
51Part 2 (“Response to the request for access of November 13, 2020 from Bisnode Belgium”), p. 3 and Piece 3 (“Response to the
request for access dated December 23, 2020 from Bisnode Belgium”), p. 2, as submitted to the Disputes Chamber in
in the context of the response's conclusions. Decision on the merits 07/2024 - 29/114
52
November 2023 on the sanction form, by no means “an incomprehensible confusion”.
create “between the activities of Data Delivery and Data Quality”. Also disputes the
Disputes Chamber the defendant's statement that there was no adversarial debate
opened regarding the Data Quality services. Neither means convincing,
for the reasons below.
First, the complainants' grievances relate to the processing of their data
personal data by the defendant, without the complainants expressly agreeing
distinguish between the different services offered by the defendant.
This is also logical; Data subjects cannot be expected to disclose commercial information
names that a controller gives to the processing activities
that he carries out, must expressly mention them in their complaint to the GBA. While also
that the defendant did not provide any information in his answers to both requests for access
makes a distinction depending on the service for which the personal data of the
complainant respectively the complainant were processed. Specific to the complainant is the distinction
defendant, on the other hand, between the consumer base, on the one hand, and the
company base, on the other.
Secondly, the investigation report explicitly refers to the answer dated
April 21, 2021 from the Data Protection Officer (hereinafter, DPO) of the
defendant to the questions from the Inspection Service, in which no distinction is made either
created between the Data Quality and Data Delivery services. That answer shows
very clear that the defendant considers both services jointly as “commercial activities”
describes:
“14.As indicated in the letters in response to the complainants' requests for redress
access, Bisnode Belgium has processed their data in the context of its commercial
activities based on Article 6 1 f) va” (free translation) .
Thirdly, during the hearing on February 22, 2023, questions were asked to the
defendant that were expressly related to the Data Quality services. The
However, the defendant never objected to the statement during the hearing
of these questions, which he, by the way, answered. The defendant was also free
to mention the alleged “confusion” in his response to the report of the hearing
to raise and dispute between both services, which again he does not have
done.
Finally, the defendant can hardly deny that he is already in his first
defenses dated January 24, 2022 ex officio explained both services
52Response from the defendant to the sanction form dated October 31, 2023, p. 2, point (i), and p. 3 ,point (iii).
53“14. Comme indiqué dans les lettres en réponse aux demandes de droit d'accès des plaignants, Bisnode Belgium a traité
they do not use the framework for their commercial activities on the basis of the article 6 1 f) of the RGPD”. Decision on the merits 07/2024 - 30/114
and has hereby referred to the documented considerations of interests for the
different databases, in which no essential distinction is made
depending on the Data Quality or Data Delivery services. It stands with others
states that the defendant acted both during the investigation and in the context of the
written debates before the Disputes Chamber with regard to the
Data Quality as well as the Data Delivery services, which is sufficiently demonstrated
by the documents submitted in the context of the statements of defense.
87. According to Article 5.1.a) GDPR, personal data must be in a manner with regard to the
data subjects are processed in a lawful, fair and transparent manner. Furthermore
Article 6.1 GDPR stipulates that the processing of personal data is only lawful
if and insofar as it is based on a valid legal basis. The
Finally, the controller must be able to demonstrate that the processing
is lawful, in view of the accountability obligation pursuant to Article 5.2 in conjunction with Article 24.1
AVG rests on him.
88. Based on the documents provided, the Disputes Chamber determines that the defendant
Article 6.1.f) GDPR (legitimate interest) is relied on for the collection and processing
of personal data in CMX and Spectron, while the consent of data subjects such as
processing basis applies to data processing in the context of Permesso.
However, in the context of the present case, the Disputes Chamber understands that the
56
personal data of the complainants were not processed in Permesso. Therefore, the
Disputes Chamber limits its assessment in this regard to data processing operations that:
relate to the CMX and Spectron databases.
89. The defendant confirms in his conclusions that he is relying on Article 6.1.f) GDPR for
the collection of personal data of data subjects from public and private sources,
as well as for the inclusion and enrichment of the same personal data in different ones
internal databases, before commercializing these personal data to its customers
in the context of both Data Delivery and Data Quality services, for direct
marketing purposes . This is further supported by the defendant's answers
to both complainants, in response to their requests for access:
54
Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant.
55See marginal nos. 64 et seq. in this decision.
56
Document 2 (“Response to the request for access of November 13, 2020 from Bisnode Belgium”), as submitted to the
Disputes Chamber in the context of the response.
57 Conclusions of the defendant's reply dated 24 January 2022, p. 11; Conclusions of the defendant's rejoinder dated 7 March
2022, p. 21
58
Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant. Decision on the merits 07/2024 - 31/114
“Your data is processed by us on the basis of the following legal basis, in particular:
pursuit of our legitimate interest (art. 6.1.f of the General Regulation
Data protection) in the context of our commercial activities. ”59
“We process as described in the Privacy Policy, available at www.bisnodeenu.be
your personal data in accordance with the GDPR. This data processing is
on the one hand, necessary to promote the legitimate interest of Bisnode Belgium,
on the other hand, to promote the legitimate interests of others. (Article 6.1.f GDPR).”60
90. Since it is therefore established that the defendant has personal data of the complainants
processed exclusively on the basis of Article 6.1.f) GDPR, the Disputes Chamber will not bow down
about the processing of personal data by the defendant on the basis of the
consent of those involved. 61
91. In accordance with Article 6.1.f) GDPR and the case law of the Court of Justice of the
European Union (hereinafter “CJEU”) in its judgment “Rīgas” , serves three cumulative
conditions must be met for a controller to be legally valid
rely on this legality ground, namely:
“[…] first of all, the promotion of a legitimate interest of the
controller or of the third party(ies) to whom the data is provided
secondly, the necessity of processing the personal data for the
pursuit of the legitimate interest, and, thirdly, the condition that the
fundamental rights and freedoms of the data subject
do not prevail”
92. In order to be able to rely on legitimate interests in accordance with Article 6.1.f) GDPR,
a controller must therefore demonstrate that:
i. the interests it pursues with the processing can be justified
are recognized (the “target test”);
ii. the intended processing is necessary for the realization of these interests
(the “necessity test”); and
iii. the weighing of these interests against the interests, fundamental
freedoms and fundamental rights of those involved weighs in favor of the
controller (the “balancing test”).
59
Answer from the defendant to the complainant, dated November 13, 2020.
60Reply from the defendant to the complainant, dated December 23, 2020.
61
I.e., in the context of the website www.permesso.be and in the Permesso database.
62CJEU, May 4, 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA
'Rīgas satiksme' (ECLI:EU:C:2017:336), edge no. 28. See also CJEU, 11 December 2019, C-708/18, TK v/ Asociaţia de Proprietari
block M5A-ScaraA (ECLI:EU:C:2019:1064), edge no. 40.
63
See also Decision on the merits 71/2020 of October 30, 2020, edge nos. 68-73 (available on the GBA website). Decision on the merits 07/2024 - 32/114
The Disputes Chamber will address the controversial data processing operations 64 in the following sections
test the three aforementioned conditions.
II.3.3.1. Target test
93. The Disputes Chamber reminds that the weighing of interests does not play a role if
interest of the controller is unjustified, since the first
threshold for the use of Article 6.1.f) GDPR in such circumstances is not
65
reaches . The interest pursued by a controller or
third party must be distinguished from the objectives achieved through a
66
certain processing is pursued. In the context of data protection it is
After all, “purpose” is the specific reason why the data is processed: the
purpose or intention of the data processing. The “interest”, on the other hand, is one
broader concept and considers the value to the controller or the benefit
that the controller, or society, may have in the processing. 67
94. Since it does not behoove her to judge in the abstract the practice of
data trading nor about the broader so-called data brokerage or data intermediaries
industry, the Disputes Chamber will give its judgment in the present case in concrete terms, on
on the basis of the various documents that the parties received both during the investigation and in
have handed over the framework of the defenses, including a detailed analysis
is evident from the various points of interest related to the activities
defendant as data broker.
95. As regards the first condition for invoking Article 6.1.f) GDPR, the
defendant in the legitimate interest laid down
68
assessment, hereinafter 'LIA') that the processing activities associated with CMX resp.
Spectron 69 pursues the following goals:
“[…] improving and expanding its own consumer database Consu-Matrix [resp.
B2B database Spectron], to provide better services. These services can
consist of (i) data analysis, (ii) enrichment, validation or other "Data Quality" services that
aim to improve the quality of Bisnode customers' data, and
64See edge no. 52 in this decision.
65 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 30.
66Ibidem, p. 29.
67Ibidem, p. 29: "For example, a company may have an interest in the health and safety of its employees
nuclear power plant. In connection with this, the company may have as its purpose the implementation of specific
access control procedures that justify the processing of certain specified personal data to ensure the
to help ensure the health and safety of workers.”
68
Document 2, as submitted by the defendant to the Inspection Service in the context of the investigation; Piece 5, like
transferred to the Disputes Chamber in the context of the conclusions in response.
69Document 3, as submitted by the defendant to the Inspection Service in the context of the investigation; Piece 6, like
transferred to the Disputes Chamber in the context of the conclusions in response. Decision on the merits 07/2024 - 33/114
(iii) provision of data sets for direct marketing purposes on a specific basis
70
criteria (segmentation) that assess offline and digital channels, including social media.
96. In particular, the defendant would process personal data
included in the CMX database as well as the Spectron database, so the following specific ones
71
pursue objectives:
i. the commercialization and optimization of B LACK T IGER's activities
BELGIUM as data broker;
ii. improving the quality of data in customer databases
in particular by validating, correcting and supplementing this data
on the basis of the personal data that B LACK TIGER BELGIUM already has;
iii. the grouping of personal data that a company has about a specific person
possess; and
iv. the analysis of data and the preparation of market segmentation profiles to
to infer preferences of data subjects, so that (i) client companies provide them with suitable ones
can offer products/services that correspond to their professional
and personal situation and with the products/services they already own, and
(ii) social networks or other media the advertisements on web pages
client companies can adapt to the interests of those involved
shown.
The Disputes Chamber notes, partly in view of the wording used by the defendant,
that the objectives pursued are for both Data Delivery and Data Quality
services apply, regardless of whether the processed personal data is in the CMX
database (B2C) or in the Spectron database (B2B).
97. The “legitimate” nature of a pursued interest can generally be
assumed to the extent that the three following conditions are met:
i. The interest pursued must first be legitimate, or in other words acceptable
under EU law or the law of a Member State. So it applies as
70Original text: “[…] to enhance and increase its proprietary consumer database Consu-Matrix [/ B2B database
Spectron], in order to deliver better services. Those services may include (i) data analysis, (ii) enrichment, validation or other
"DataQuality" servicesaimedatiimproving thequalityofthedataheldbyBisnode'scustomers,and(iii)deliveryofdatasetsfor
direct marketing purpose on the basis of specific criteria (segmentation) covering offline and digital channels, including social
media".
71 Document 2, as submitted by the defendant to the Inspection Service in the context of the investigation; Piece 5, like
transferred to the Disputes Chamber in the context of the conclusions in response (CMX); Document 3, as transferred by the
defendant to the Inspection Service in the context of the investigation; Document 6, as submitted to the Disputes Chamber in
in the context of the conclusions in response (Spectron).
72
The Disputes Chamber is aware that the question of whether each interest is a legitimate interest, provided that that interest is not
is contrary to the law, and in particular the question whether this also applies to a purely commercial interest, is up to the Court of Justice
submitted in case C-621/22, Royal Dutch Lawn Tennis Association. What is stated here represents the current state of affairs
right again. Decision on the merits 07/2024 - 34/114
general rule that interests that are recognized by or can be traced back to
a legislative measure or a legal principle, a legitimate interest
forms. It goes without saying that the pursued interest must not be in conflict
the law, including legal restrictions relating to the relevant
personal data.
ii. The pursued interest must also be sufficiently clear and precise
way to be determined: the scope of the legitimate interest pursued
must be clearly defined so that this interest can be properly addressed
weighed against the interests or fundamental rights and freedoms of the
those involved.
iii. Finally, the legitimate interest must be existing and effective at the time
of the data processing (and therefore not fictitious or purely hypothetical).
98. In the present case, the Disputes Chamber is of the opinion that the B2C Data Delivery
respectively the B2C Data Quality services, namely:
i. the interest for the defendant to enrich and improve its databases
commercialize in the context of his freedom of enterprise; and
ii. the interest of the defendant's customers to have the most current
obtain personal data in order to enrich their own databases or their
74
to confirm correctness in the light of the principle of correctness, with its purpose
conducting effective direct marketing campaigns;
are clearly established, demarcated, real and current, with the result that the desired
interests are legitimate.
99. Regarding the specific complaints of the complainant that the defendant KBO data (in
Spectron) would also use for direct marketing purposes, according to the Disputes Chamber
however, it is established that the relevant refutations of the defendant 75 are not
correspond to the documentation provided by him, nor to the
screenshots from his website :6
73CJEU, 11 December 2019, C-708/18, TK t/ Asociaţia de Proprietari bloc M5A-ScaraA (ECLI:EU:C:2019:1064), edge no. 44.
74Pursuant to Recital 39 and Article 5.1.d) GDPR.
75
See edge numbers 75 to 77 in this decision.
76Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the
defendant; Item 12 (“Screenshots from the website https://bisnodeandyou.be/”) in the inventory. Decision on the merits 07/2024 - 35/114
100. The Disputes Chamber also notes that the conditions in Appendix 2 to the
license agreement for the use of data from the KBO for commercial purposes
77
purposes, not only prohibiting your own use for direct marketing, but also the
prohibit the redistribution of this data for direct marketing purposes:
Preliminary decision — To the extent that the defendant in the context of its B2B Data Delivery
services and B2B Data Quality services, so effective data from the KBO would
process for direct marketing-related purposes, as otherwise described in
78
the weighing of interests for the Spectron database, the Disputes Chamber rules that B LACK
77
Document 19 ("KBO license agreement Bisnode (790517.1)") filed with the conclusions of the defendant's rejoinder, p.16.
78Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the
defendant, p. 1. Decision on the merits 07/2024 - 36/114
TIGER B ELGIUM cannot possibly rely on Article 6.1.f) GDPR for these processing operations
since the legality condition has not been met.
II.3.3.2. Necessity test
101. In addition to the existence of a legitimate interest, the controller must
also demonstrate the necessity of the processing for that interest before an appeal
can do in accordance with Article 6.1.f) GDPR. The Court of Justice has emphasized this
that the condition regarding the necessity of the processing for the intended interest
consistency with the principle of minimum data processing, as laid down in Article
5.1.c) GDPR, needs to be investigated.
After all, the necessity requirement is important to guarantee that the
data processing based on legitimate interest does not lead to an overly broad scope
interpretation of the criterion on the need to process data.
Personal data must therefore always be sufficient, relevant and limited to
what is necessary for the representation of the interests for which they are processed.
In concrete terms, the defendant must ensure that no less intrusive means are used
terms of impact on the personal privacy of those involved are available
80
this is important to achieve, than to carry out the intended processing. This assessment must
the principle of storage limitation under Article 5.1.e) must also be taken into account
GDPR.
102. In order to be able to assess whether the processing passes the necessity test, eight
the Disputes Chamber again finds it important to present the defenses submitted
the documentation provided during the investigation and in the context of the conclusions
to take into account. The defendant explains the necessity of the disputed case
processing, by answering three questions in the context of the assessment of the
81
interests he has regarding CMX resp. Spectron presents as justified:
i. Why is the processing activity important for the controller?
ii. Why is the processing activity important for other parties to whom the data
can be provided if necessary?
iii. Can the objective be achieved in another way?
79CJEU, 11 December 2019, C-708/18, TK t/ Asociaţia de Proprietari bloc M5A-ScaraA (ECLI:EU:C:2019:1064), edge no. 48.
80
Data Protection Working Party Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 35.
81Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant.
82
(1) “Why is theprocessing activityimportant to theController?”; (2) “Why is the processing activity important to other parties
the data may be disclosed to, if applicable?”; (3) “Is there another way of achieving the objective?”. Decision on the merits 07/2024 - 37/114
103. The Disputes Chamber first determines on the basis of the documentation provided that:
there is no substantial difference between the assessment of the processing operations
relate to personal data included in the CMX database (B2C) and the
assessment of the processing of personal data included in the Spectron
database (B2B). The following explanation therefore applies to both databases.
104. In answer to the first question, the defendant refers to the benefit that he himself derives from the
processing of personal data, and in particular the necessity of the
processing for the continuation of its economic activities. This position holds
both for the Data Delivery and for the Data Quality services.
105. As regards the representation of the interests of third parties (second question), the
defendant, on the other hand, does make a distinction based on the service provided.
i. B2C/B2B Data Delivery services — The defendant points out the advantage
for its customers to reach prospects, consumer or
select entrepreneurial target groups via various channels (post, telephone,
social media, ...) and thus increase their turnover. The processing would be with
in other words, are necessary for the enrichment of the databases
customers of B LACK TIGER BELGIUM with additional contact details of
consumers and entrepreneurs, so that these customers can gain access to new ones
communication channels could contact their own prospects
and consumers for direct marketing purposes. In addition, the customers would
of BLACK T IGERB ELGIUM based on the additional attributes of their own
to better analyze and segment customer databases based on
enriched profiling data, again for the purpose of sending direct
marketing communications.
ii. B2C/B2B Data Quality services — The processing of personal data
included in the CMX file as well as the Spectron database
to improve the quality of the databases of B LACKT IGERBELGIUM customers,
resulting in duplicate entries at individual or household level in the databases
of customers can be combined and returns due to
incorrect consumer addresses can be avoided. 85
106. As to the third question, the defendant summarily posits that other methods of
interests and would offer less security and would not contribute to it
83“The benefit of the processing for Bisnode Belgium is the continuation of its economic activities”.
84Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the
defendant, p. 4; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response
of the defendant, p. 4.
85“The benefit of the processing for the Bisnode clients is multiple: […] To improve the quality of their database: Avoid postal
returns because of bad addresses […] Be able to group a same person/household that is several times in the database”. Decision on the merits 07/2024 - 38/114
to deepen the relationship between B LACK TIGER B ELGIUM customers and those involved.
Accordingly, according to the defendant, there is no less intrusive but still effective
measures to deepen existing customer relationships and generate more sales than
direct marketing. This position also applies to both the DataDelivery services
86
and for the Data Quality services.
Minimum data processing — 5.1.c) GDPR
107. To determine the necessity of these processing activities for the purposes pursued
To be able to assess this, the Disputes Chamber also collects the processed personal data
consideration. Relying on the screenshots of the privacy policy on the website, the
joint data protection impact assessment (GEA) for the three databases, it
register of processing activities as well as the response from the DPO of BISNODE B ELGIUM
to the questions from the Inspection Service and the detailed answers provided by the complainants
defendant - then still B ISNODE BELGIUM - received, the Disputes Chamber establishes 87that
BLACK T IGERB ELGIUM processes the following categories of personal data
databases:
88
i. Screenshots of the privacy policy dated March 31, 2021 (CMX, B2C) —Name,
first name, gender, language, age (or date of birth or presumed
age group), address, landline phone, mobile phone, email address, date of
last contact made by the data source with the data subject, statistical
data at the district or municipality level (average income in the district where people
housing, percentage of owners/tenants, gardens, unemployment rate...),
observation data (area of land, presence of solar panels…),
derived data, marketing profiles.
ii. Screenshots of the privacy policy dated March 31, 2021 89(Spectron, B2B)
- Company details — Company name, company and VAT number,
contact points, social security number, activity sector according to NACE, joint committee,
size of the company, number of employees employed, date of establishment,
details of and number of branches/branches/franchisees,
web pages, financial information (including any solvency and bankruptcy).
86
Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the
defendant, p. 5; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response
of the defendant, p. 5.
87In accordance with a “careful finding of facts”, as emphasized by the Market Court in its interim judgment 2022/AR/292 of
September 7, 2022, p 36 and 39.
88
Item 12 (Screenshots of the Bisnode Belgium website taken by the Inspection Service on March 31, 2021) in the inventory,
p. 45-48.
89 Item 12 (Screenshots of Bisnode Belgium website taken by the Inspection Service on March 31, 2021) in the inventory,
p. 31-33. Decision on the merits 07/2024 - 39/114
- Individual data — Surname, first name, gender, language, contact points
professional and sometimes private address, professional fixed and/or mobile
telephone number, professional email address, date of birth, position or title
(incl. date of appointment), derived data, marketing profiles, date
on which the information was communicated to B ISNODE B ELGIUM or on which
changes have been made.
iii. Joint GEB (CMX, B2C) 90 — Contact details, personal data about
minors (over 16 years old), consumer interests, family typology,
lifestyle data, identification data, personal characteristics.
iv. Joint GEB (Spectron, B2B) 91 — Contact details, collection details,
electronic identification data, financial data, identification data,
memberships, other data, personal characteristics, professional training
and training.
92
v. Register of processing activities (CMX, B2C) — Contact details,
date of birth, age, socio-demographic and lifestyle data,
93
family typology, presence of children, neighborhood data.
94
vi. Register of processing activities (Spectron, B2B) — Contact details,
company data (CBE number, number of employees, turnover, NACE, ...), financial
95
facts .
vii. Letter to the GBA (CMX, B2C) 96 — General personal information (name,
first name, gender, language and age or date of birth or presumed age),
contact details (postal address, landline telephone number, mobile telephone number and e-mail)
email address), typologies such as family (young couple, single with or without
children), housing (single-family or multi-family home), statistical data
neighborhood and/or municipality level (average income, percentage
owners/tenants, percentage of gardens, unemployment rate, etc.), and
general physical information at neighborhood level (average plot size or the
presence of solar panels, etc.).
90Part 1 (“DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service.
91
Ibid.
92Piece 30 (“Piece 30 - Bisnode Belgium - Copy of Record of Processing”) submitted to the Inspection Service.
93“Contact Data, Date of Birth, Age, Socio-demo and Lifestyle data, Family typology, Presence of children, Neighborhood
data”.
94Part 30 (Bisnode Belgium - Copy of Record of Processing) transferred to the Inspection Service.
95“Contact Data, Firmographics (CBE number, number of employees, turnover, NACE, ...), Financial data”.
96
Appendix (“Réponse Inspection APD 27042021”) to Item 18 in the inventory. Decision on the merits 07/2024 - 40/114
viii. Letter to the GBA (Spectron, B2B) 97 — Surname, first name, gender, language, business
address, business telephone number (landline and/or mobile), business email address,
date of birth, position or title within the company, date of appointment or
entry into force.
98
ix. Responses to the access requests — Surname, first name, address, gender, language,
date of birth, email address, child (incl. date of birth and gender), family
typology, statistical data at neighborhood level (urbanization, social class,
percentage of higher education, percentage of unemployed, percentage of gardens,
percentage of owners).
108. The personal data processed at the time of the complaints therefore included several
categories, which the Disputes Chamber explains below per database:
CMX (B2C) Spectron (B2B)
Identification data Identification data
Name, first name Name, first name
Contact details Contact details
Address, landline and/or mobile telephone number, e-Business address, business landline and/or mobile
email address, telephone number, business email address
Personal data about minors (> 16 years) Electronic identification data
Date of birth and gender Not further defined
Personal characteristics Personal characteristics
Gender, language, age (or date of birth or Gender, language, date of birth, position or
probable age group) title (incl. date of appointment)
Consumer interests Financial specifications
Not further defined Solvency, bankruptcy
Lifestyle data Vocational education and training
Not further defined Not further defined
Family composition Collection data
Family typology (single with or without Not further defined
children, young couple, etc.), date of birth and
gender of child(ren)
Housing Memberships
Single-family or multi-family home Not further defined
Statistical data by district or Other data
municipal level Not further defined
Average income in the neighborhood, percentage
owners/tenants, gardens, social class,
percentage of higher education,
unemployment rate
Observation data (at neighborhood level) Derived data
Average plot size, presence of Not further defined
solar panels
97Appendix (“Réponse Inspection APD 27042021”) to Item 18 in the inventory.
98
Part 2 (“Response to the request for access of November 13, 2020 from Bisnode Belgium”) and Part 3 (“Response to the
request for access dated 23 December 2020 from Bisnode Belgium") lodged with the conclusions of the response of the
defendant. Decision on the merits 07/2024 - 41/114
Derived Data Marketing Profiles
Not further defined Not further defined
Marketing profiles
Not further defined
99
109. Although the Disputes Chamber will return to this further in the present decision,
The question still arises to what extent all these personal data are systematically equal
are necessary for the promotion of the intended interests.
In the context of the Data Delivery service 100, compliance with the
correctness principle under recital 39 and article 5.1.d) GDPR namely by the
defendant put forward as an interest in the processing. According to that principle, a
controller - in this case the defendant or its customers — all necessary
take measures to ensure that the personal data that is inaccurate, taking into account the
purposes for which they are processed, deleted or rectified without delay
In this regard, the Litigation Chamber is of the opinion that the principle of correctness 102
has a narrower application than the quality of the information 103, which in addition to the
104
accuracy and correctness also includes the completeness of the information. The
In other words, the Disputes Chamber rules that compliance with the principle of correctness
under no circumstances the unlimited collection of personal data, for the main purpose
it would be possible to draw up a profile of the data subject that is as complete and accurate as possible
justify 105. The necessity of the collection and enrichment of personal data
included in the CMX and Spectron databases, for compliance with the correctness principle
in the context of the Data Delivery services, has therefore not been demonstrated.
110. In a subordinate order, the Disputes Chamber notes that an “excessive”
accuracy of the personal data — in light of the purposes pursued
99See edge nos. 150 et seq. under Title II.4 in this decision.
100Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the
defendant, p. 2; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response
vandedefendant, p.2: “[…]referenceismmadetothelegitimateinterestofBisnode'scustomers […]tocomplywiththeaccurate
[sic] principle of the GDPR that sets forth that data controllers must make efforts to maintain accurate personal data of theirs
data subjects”.
101EDPB — Guidelines 4/2019 on Article 25 - Data protection by design and by default (v2.0,
October 20, 2020), p. 26.
102
In French “exactitude”; in English “accuracy”; in German “Richtigkeit”.
103 Working Party on Data ProtectionArticle 29 – Guidelines on automated individual decision-making and profiling
for the application of Regulation (EU) 2016/679 (WP251, February 6, 2018), p. 14. See also D. D IMITROVA, “The Rise of the
Personal Data Quality Principle. Is it Legal and Does it Have an Impact on the Right to Rectification?”, EJLT, 2021, p. 5-6.
104See Article 7.2 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of data by competent authorities with
for the prevention, investigation, detection and prosecution of criminal offenses or the execution of
penalties, and regarding the free movement of such data; and Article 74 of Regulation 2018/1725 of October 23, 2018
on the protection of natural persons with regard to the processing of personal data by the
institutions, bodies, offices and agencies of the Union and on the free movement of such data, to which reference is made
the need to check the quality of data for accuracy, completeness and topicality.
105
GBA — Recommendation 01/2020 of January 17, 2020 regarding the processing of personal data for direct
marketing purposes, edge no. 111. See also A. JIEGA & M. FINCK, “Reviving Purpose Limitation and Data Minimization in Data-
Driven Systems”, Technology and Regulation, 2021, p. 56. Decision on the merits 07/2024 - 42/114
as well as the context of the processing 106—in certain situations also to the detriment of the
involved can play, especially when involved in an inappropriate and
be profiled or segmented in an opaque manner based on their
107
(indirectly collected) personal data .
The right to the protection of personal data from Article 8 of the
After all, the Fundamental Rights Charter assumes that data subjects, in addition to the right to
information included in Articles 13 and 14 GDPR also requires a certain amount of control
have control over “how accurately” their personal data is collected. The
Dispute Chamber also refers to the opening words of the Convention for the Protection of
108
persons with regard to the processing of personal data (Convention 108) who
talks about “personal autonomy based on a person's right to control of his or her personal
data and the processing of such data” 10, which translates, among other things, into the information
and transparency obligation towards data subjects, as well as in the rights granted by the GDPR
awards to them .10
111. The defendant does not make any comments regarding the B2C Data Quality services either
plausible to what extent the lifestyle data, the derived data 11or the statistical
data at district or municipal level were necessary to ensure that
customers of B LACK T IGER BELGIUM would not have duplicate entries in their own
databases, or to prevent returns.
112. With regard to the B2BDataQuality services, the defendant does not prove that the
processing the financial specifications, memberships and vocational training in the
Spectron database is necessary for the realization of non-marketing related activities
interests — in view of the prohibition on processing KBO data for marketing purposes 11 —
such as preventing returns or double entries.
Storage limitation — 5.1.e) GDPR
113. In addition to the principle of minimal data processing, the
controller also in the context of the necessity test
principle of storage limitation contained in Article 5.1.e) GDPR
10CJEU, December 20, 2017, C-434/16, Peter Nowak v. Data Protection Commissioner (ECLI:EU:C:2017:994), edge no. 53.
10See, among others, HEN, “The Dangers of Accuracy: Exploring the Other Side of the Data Quality Principle”, EDPL, 1-2018, p. 36–52;
G. ONZALEZFUSTER, “Inaccuracy as a privacy-enhancing tool”, Ethics and Information Technology, Springer, 2010, p. 87-88.
108
Council of Europe – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28
January 1981.
10 Loosely translated as "personal autonomy based on a person's right to control his or her personal
data and the processing of such data”.
110
J. HEN, “The Dangers of Accuracy: Exploring the Other Side of the Data Quality Principle”, EDPL, 1/2018, p. 43.
11“Other variables” in Document 5 and Document 6 included in the defendant's conclusions in response, p. 5.
112
See edge no. 74 in this decision. Decision on the merits 07/2024 - 43/114
the Disputes Chamber has established that the defendant has not clarified at any time, nor
when he was asked the question during the hearing on February 22, 2023, nor in the
in the context of the reopening of the debates, why the personal data for 15 years
be kept in the databases from the last registration and how such
retention period - an essential element to consider in the framework
of the weighing of interests 114— actually contributes to the objective so accurately
and process current possible personal data.
The Disputes Chamber also notes that the justification for this significant
retention period of 15 years from the last recording in the database in the joint GEB
for CMX, Permesso and Spectron was identified as “requiring improvement”
(“improvable”) and a term that requires “further justification” (“Addjustification for 15
years owned data retention”). Furthermore, it is unclear to what extent there are in addition to the most
recent home addresses, e.g., also a history of the previous domiciles of
involved was kept up to date and, if necessary, what the need for this would be, the
intended objectives in mind.
114. In his response to the sanction form dated October 31, 2023, the defendant argues that the
statement that the unlawful processing took place for at least 15 years
occurred would be incorrect. According to the defendant, the disputed activities
therefore have taken place for a maximum of three years, and in particular between
entry into force of the GDPR and the filing of the complaint.
In this regard, the Disputes Chamber reminds that the principle of storage limitation
116
already existed under the previous Directive 95/46 and is irrefutably the case in this case
processing that continued after May 25, 2018. The defendant's argument that
the controversial activities only for the limited period between the entry into force of
the GDPR and the date of the complaint took place, therefore makes no sense.
115. Preliminary decision — The foregoing elements bring the Litigation Chamber to the
conclude that the processing of their data accused by the complainants
the Spectron and CMX databases, for Data Delivery respectively. the Data Quality
services did not meet the necessity test or to fulfil. The
Disputes Chamber considers the defendant's argumentation regarding the necessity of
after all, the processing is not very convincing.
11Exhibit 17 (“Bisnode Belgium Retention Policy”) filed with the defendant's response.
11See Title II.3.3.3 Balancing test in this decision.
11Part 1 ("DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso") transferred to the Inspection Service, p. 6 and p. 15 in fine.
116
Article 6.1.e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of natural persons with regard to the processing of personal data and with regard to free movement
of that data (OJ L 281, 23 November 1995). Decision on the merits 07/2024 - 44/114
First of all, it goes without saying that the processing of personal data is not possible
justified by simply citing the necessity of this processing
117
to continue economic activities. Accepting such circular reasoning
would otherwise be the relevance and usefulness of the assessment adopted by the Court
118
Rīgas judgment will inevitably be compromised, since the necessity test
precisely aims to determine and demonstrate to what extent the collected data in
are concretely necessary to achieve the interests pursued. The
The Litigation Chamber is therefore of the opinion that the analysis carried out by the defendant on this
point does not meet the conditions of a proper necessity test.
Secondly, the compliance with the principle of correctness under Article 5.1.d) GDPR, which by
the defendant is brought forward in connection with the processing of
personal data from CMX and Spectron for the Data Delivery services,
as already stated11 under no circumstances be used as an interest in creating databases
fill with missing personal data.
Third, the Litigation Chamber is not convinced — and the documentation that the defendant
also does not make it at all plausible — that there is no alternative, less drastic
measures exist for the intended interest, namely compliance with the principle of correctness
to be achieved by the customers of the defendant 12. The Disputes Chamber eight
namely, it is insufficiently proven that the defendant's customers have no other
could take measures to obtain the missing personal data, e.g
collect this data directly from the data subjects - which means:
could have had a say in their 'degree of accuracy'
personal data. For the foregoing reasons, the Disputes Chamber decides that the
defendant could not rely on Article 6.1.f) GDPR for the data processing
the context of the B2C and B2B Data Delivery services.
116. The Disputes Chamber does not consider this to be the case either with regard to the B2C Data Quality services
it is likely that all consolidated personal data in both databases are strict
would be necessary to ensure the quality and reliability of the personal data
already in the possession of the customers of LACK TIGER BELGIUM, in the light of it
correctness principle under Article 5.1.d) GDPR. The defendant's customers — those in
unlike the latter, they will indeed come into contact with those involved
moreover, they already have (part of) their personal data - after all, this is possible
117
Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the
defendant, p. 4; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response
of the defendant, p. 4.
11 CJEU, May 4, 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA
'Rīgas satiksme' (ECLI:EU:C:2017:336), edge no. 30.
119
See edge nos. 109 and 110 in this decision.
12See edge no. 109 in this decision. Decision on the merits 07/2024 - 45/114
inquire directly with the data subject to what extent their personal data still remains
are current or need to be changed or supplemented. The
Disputes Chamber: the retention period of 15 years is disproportionate to the intended
interests.
117. With regard to the B2B Data Quality services, the Disputes Chamber rules that
principle of necessity can only be complied with on the condition that the
retention period of 15 years is shortened, as well as the service provision is limited to
assigning a reliability score and the Data Quality service is not provided
used to indirectly transfer data to third parties in order to:
increase data quality. Consequently, the current B2B Data Quality is satisfactory
services do not meet the necessity test.
II.3.3.3. Balancing test
118. In order to rely on Article 6.1.f) of the GDPR, the controller must
finally to make a consideration of the interests, and to demonstrate, that his own
interests — or those of third parties — outweigh the interests or
fundamental rights and freedoms of those involved.
119. The Disputes Chamber reminds that the assessment test is not aimed at preventing
any effect on the interests and rights of data subjects, but on the prevention of
disproportionate consequences as well as the assessment of the mutual weight of these
interests . The fundamental rights and freedoms of the data subjects referred to in Article
6.1.f)GDPR does not only include the right to data protection and privacy, but
also other fundamental rights, such as the right to liberty and security, the freedom of
expression and information, freedom of thought, conscience and religion, freedom
of meetings, association, the prohibition of discrimination, property rights or law
on physical and mental integrity, either directly or indirectly through the processing
122
can be affected.
The wording of Article 6.1.f) GDPR also assumes that, in addition to the fundamental
rights of data subjects and other interests are also taken into account, such as
social, financial or personal interests. In short, from a controller
is expected to consider all relevant interests raised by the
data processing can be influenced, including - but not limited to -
121
Data Protection Working Party Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 49.
12 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), pp. 35-37. Decision on the substance 07/2024 - 46/114
legal interests, financial interests, social interests or personal interests of the
those involved.
120. Once these interests have been identified, it must then be determined which ones
consequences the intended data processing could have for this
123
interests. The EDPB states:
“32. […] The reference to abstract situations or the comparison of similar cases is
not enough. The controller must assess the risks of infringement of rights
of those involved; The determining factor here is how far-reaching the infringement is
rights and freedoms of persons.
33. The intrusiveness can be determined, among other things, on the basis of the type of information
collected (information content), its scope (information density,
spatial and geographical range), the number of people involved, either in absolute numbers, or as
percentage of the population involved, the concrete situation, the actual interests of the
group of people involved and the available alternative means, as well as on the basis of the nature and
the scope of the data assessment [by the controller].”
Nature of the personal data processed
121. According to the EDPB, the controller must take into account the
categories of personal data that data subjects generally regard as more private
124 125
or rather of a more public nature. In the present case it is established that
the defendant processes data related to the family composition of
data subjects, as well as their private email address or private mobile telephone number, which
data that is rarely made publicly available by those involved. Also
the exact date of birth and social class belong to, according to the Dispute Chamber
categories of information that are generally considered more private by the
data subjects than data of a public nature, such as their professional capacity.
122. The Disputes Chamber is also of the opinion that the position taken by the defendant
about the non-processing of special categories of personal data, any
requires nuance in the light of the case law of the Court of Justice. In his judgment
In C‑184/20, the Court focused on certain information which, although not intrinsic
are “sensitive” within the meaning of Article 9 GDPR, may reveal potentially sensitive information,
such as the sexual orientation of those involved. For example, the Court ruled that “the concepts
'special categories of personal data' and 'sensitive data' should be broad
123EDPB – Guidelines 3/2019 on the processing of personal data using video equipment (v2.0, 29
January 2020), edge nos. 32-33.
124 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), pp. 46-47.
12See edge no. 108 in this decision. Decision on the merits 07/2024 - 47/114
be explained”, with the result that the processing of “personal data that is indirect
may reveal sensitive information about a natural person” as well as “a
processing of special categories of personal data within the meaning of those provisions
constitutes” 12.
123. In the absence of specific elements available to the Disputes Chamber regarding the
how those involved who belong to the same household become concrete
characterized and linked together in the defendant's databases, and given the
In the absence of a specific determination by the Inspection Service in this regard, the
However, the Disputes Chamber may authorize the processing of special categories of
personal data not to be taken into account in the context of the assessment test and none
infringement of Article 9 GDPR by the defendant in the present case.
124. Finally, and notwithstanding the defendant himself acknowledges that he has the data of
minors who belong to the same household as the complainants
127
has processed segmentation purposes, the Disputes Chamber first determines that the
data concerned are limited to the gender and date of birth of the child. The
Furthermore, the Dispute Chamber has no indications that the defendant
has effectively transferred personal data of these minors to its customers.
Context of data processing
125. In addition to the nature of the personal data, the controller must also:
taking into account the amount of personal data processed, whether or not to combine it
of these personal data with other databases, the extent of
accessibility and/or publicity of the data after processing, the status of the
controller (e.g., his market position, his relationship with the data subjects) and the like
status of those involved (e.g., if vulnerable persons are involved).
126. In his defense the defendant states that as a data broker he is virtually
does not maintain a direct relationship with those involved, but his expertise in big data
129
makes available to its customers. The Disputes Chamber believes that this specific
context, where the defendant does not come into direct contact with those involved, there
inevitably contributes to characterizing the processing activities it carries out
be reduced by more limited transparency towards those involved,
notwithstanding the various initiatives and measures taken by the
12CJEU, August 1, 2022, C-184/20, OT v. Vyriausioji tarnybinės etikos komisija (ECLI:EU:C:2022:601), marginal nos. 125-128.
127
See edge no. 79 in this decision.
12 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 47-49.
12Conclusions of the defendant's rejoinder dated March 7, 2022, p. 15 Decision on the merits 07/2024 - 48/114
defendant. From the foregoing it also follows that the person concerned is in fact forced to do so
to consult the privacy statement on the defendant's website on their own initiative
— or to carefully keep track of which companies they have sold to whom over the past 15 years
have provided their personal data, have indicated these personal data
to be transferred to B ISNODE BELGIUM — in order to be able to comprehend the extent of the
personal data that the defendant processes about them. In addition, the
large-scale130 processing activities of the defendant, in his capacity as
data broker, inherently involves combining personal data with other data
data files. This is by no means refuted by the defendant.
127. In view of these elements, the Disputes Chamber finds that the context of the processing in
is essentially more disadvantageous for the data subjects, whose personal data is provided in an opaque manner
be processed, compared to the benefit that the defendant and its customers receive from the
get processing. In other words, the interests of those involved weigh more heavily
through the weighing of interests.
Impact of the processing for the data subjects
128. In addition, the controller must pay particular attention to the
consequences — both positive and negative — for those involved, including possible
future decisions or actions of third parties; situations in which the processing would
may lead to the exclusion or discrimination of persons or defamation; or, in a broader sense,
situations where there is a risk of damaging reputation, it
131
negotiating capacity or the autonomy of those involved. Important again
that this assessment relates to the different ways in which those involved have a
may experience a positive or negative impact due to their processing
personal data.
129. During the hearing on February 22, 2023, the complainant refers to the assessment of his
creditworthiness by a company, based on data provided by the defendant,
132
without the complainant being informed in advance. In response to a request for
inspection directed to that company, which the complainant adds to his response conclusions, is clear
to see that the information used to determine the company's creditworthiness
133
comes from the defendant. Certain authors have already warned about the
risks related to invisible discrimination based on profiling data
13The defendant does not dispute this classification of the scope of the data processing in his rejoinder.
13 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), pp. 45-46.
13See edge no. 83 in this decision.
133
“Creditworthiness (based on the street where you live – source = bisnode” in the appendix to the Conclusions of the reply of
the complainant, transferred to the Disputes Chamber on February 15, 2022. Decision on the merits 07/2024 - 49/114
such as the income of those involved, but also for the general loss of control
data subjects experience with regard to their data 13. This represents the
Disputes Chamber established that the non-transparent processing of personal data of
by the defendant can have significant consequences for those involved
who would like to purchase certain services from the defendant's customers.
130. In the so-called “Legitimate Interest Assessments” (LIAs) for both databases
the defendant describes the consequences of the processing for data subjects as follows.
By offering the defendant's customers the opportunity to create direct marketing profiles
sets that would otherwise be difficult or impossible to create, the
privacy of those involved is affected, which can cause annoyance, irritation or stress
with them (“perceived or real lack of transparency and illegitimacy of processing” 13). Thereby
In addition, the defendant acknowledges that those involved have only limited or none
have more control over the processing of their personal data, as well as that it
bypassing the sources that transfer their personal data to the defendant
may require significant adjustments to their lifestyle. Accepted along the same lines
the defendant that those involved are actually denied the opportunity to
to refuse processing of their personal data by the defendant; instead
they must make the effort themselves to exercise their right to object
defendant (opt-out) 13.
131. Furthermore, the Disputes Chamber notes that the disadvantage identified by the defendant
consequences for the data subject and, however, do not take the aforementioned risks into account
discrimination by the defendant's customers, based on the information provided
personal data. The Disputes Chamber refers in particular to contractual matters
provisions with the defendant's customers, which only prohibit them from the
137
to use personal data provided for the benefit of a third party. For the rest
the defendant's customers are therefore permitted to use the personal data for their own,
to use direct marketing-related purposes, which are not further specified
be defined in the agreement.
134
H. USCHMEIER , “Data Brokers and European Digital Legislation”, EDPL, 2023-1, p. 30 ISHR, “The dark industry of
databrokers:needforregulation?”,InternationalJournalofLawandInformationTechnology,Volume29,Issue4,2021,p.395–
410; G. ONZÁLEZ FUSTER, “Inaccuracy as a privacy-enhancing tool”, Ethics Inf Technol, 2010, p. 91 et seq.
13In Dutch, “perceived or actual lack of transparency and illegality of the processing” (free translation),
in Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) in the conclusions of the response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant.
136Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the
defendant, point 3 under title “2.3 The Balancing Test”; Part 6 (“Legitimate Interest Assessment Spectron 27082020”)
laid down in the defendant's response, point 3 under title “2.3 The BalancingTest”.
137 Document 12 (“Piece 12 - Template counter-client Multi - voir articles 3.2 et 4.1”) as submitted by the defendant to the
Inspection service in the context of the investigation: “3.1. The license d'utilization is approved by Bisnode Belgium for one
utilization propre auClient, pour one action de type "marketingdirect" etdonc al'exclusiondetoutes prestations, directes or
indirects pour des tiers (commepar exemple, toute forme de vente, de commercialisation, de cession, direct or indirect, à
titre onéreux or gratuit, the license à des tiers or toute autre utilization par des tiers)”. Decision on the merits 07/2024 - 50/114
132. In this regard, the Disputes Chamber considers it remarkable that the defendant is his customers
contractually prohibited from (in)directly informing the data subjects
refer to the selection criteria that were applied, and that the defendant in addition
monitors the content of the messages from his customers, which he must approve in advance
approve138. In concrete terms, this means that the defendant guarantees the transparency of its customers
has expressly and therefore consciously hindered the data subjects. In the
In the context of the reopening of the debates, the defendant briefly confirms that:
“with regard to professional customers[…]a licensing agreement[was]concludedfor
the use of B2C data, which indeed places different obligations on the customers
were imposed in order to safeguard the defendant's commercial interests. Thus
the template agreement stipulated, among other things, that the selection criteria were not given to consumers
could be communicated”.
The Disputes Chamber rules that this restriction of the provision of information is contrary
against the fundamental rights of those involved, if they receive more information
wish to obtain information about the precise circumstances in which their personal data
processed, are obliged to exercise their right of access towards the sender
of the direct marketing messages or with the defendant.
133. In summary, the Disputes Chamber is of the opinion that the consequences of the
data processing for the data subjects were not sufficiently taken into account
by the defendant in the context of the balancing test, since the analysis by the
defendant has limited itself to receiving direct marketing advertising by post
as well as the exercise of their rights (including their right to object) and thus
has not taken into account the known risks regarding hidden or
indirect discrimination against complainants based on their profiling data, including
of their creditworthiness. The Disputes Chamber must conclude in this regard that the
interests of the defendant and his clients do not outweigh the interests, ten
with regard to the interests of those involved.
Reasonable expectations of those involved
134. To determine whether the third condition (balancing test) has been met, in addition to the
Finally, the impact of the intended data processing must also be taken into account
with the reasonable expectations of the data subjects, in accordance with Recital 47 GDPR.
In particular, the controller must determine to what extent the
13Piece 12 (“Piece 12 - Template counter-client Multi - voir articles 3.2 et 4.1”) as submitted by the defendant to the
Inspection service in the context of the investigation: “3.3.IlestinterditauClientdeseréférerauxcriteresdessélectionsutilisésdans
sa communication commerciale aux consommateurs, directment or indirection. Avant chaque campaign, Bisnode
Belgium doit recevoir, àbrefdélai, unexemplaire, par langue, du message commercial quiseraadressé au consommateur (à la
fois sur l'enveloppe, la lettre, les pièces jointes et le script telephonique). Dans le cadre de la campaign déterminée, que le
message soumis à et approuvé par Bisnode Belgium peut être diffuser [sic].”. Decision on the merits 07/2024 - 51/114
data subjects at the time and in the context of the collection of personal data
can reasonably expect that data processing will be carried out for the intended purpose
can take place.
135. Data brokers collect and aggregate numerous data points in order to create comprehensive
and compiling detailed numerical profiles of the individual people involved. Afterwards
they offer this profile data to customers (Data Delivery) or, as for the defendant
since the termination of the Data Delivery services, to assess and improve the quality
confirming data already in the possession of these customers (DataQuality). In the majority
In most cases this happens without the prior consent of those involved
— as in the present case — or without them becoming fully informed
of the scope of these processing operations.
136. The Inspection Service, referring to previous case law of the Court of Justice 139
and following guidelines adopted by the EDPB 140, essentially establishes that the defendant
various personal data, partly from the data subjects themselves and partly from other sources
are obtained, on a large scale and beyond the reasonable expectations of the
data subjects processed. The defendant always disputes this in his defenses
the reasonable expectations of users must be taken into account
different interests at stake. Referring to the legal doctrine posits
the defendant, on the contrary, states that “the reasonable expectation criterion only relates
on further processing within the meaning of Article 6(4) GDPR” 141 and is therefore not necessary
is relevant with regard to the weighing of interests in the context of Article 6.1.f) GDPR.
137. The Disputes Chamber rules that the argument raised by the defendant, and with
because the reasonable expectations of those involved cannot be taken into account
are not used when assessing the legitimate interest of B LACK T IGER BELGIUM
convinces. In this regard, the Disputes Chamber first refers to the answer of the
DPO of B ISNODE B ELGIUM dated April 27, 2021, in which the defendant expressly declares the
to take into account reasonable expectations of those involved (free translation and
own underlining)142:
13CJEU, 11 December 2019, C-708/18, TK t/ Asociaţia de Proprietari bloc M5A-ScaraA (ECLI:EU:C:2019:1064), edge nos. 56-
58.
140 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, 9 April 2014); EDPB – Guidelines 3/2019
on the processing of personal data by means of video equipment (v2.0, January 29, 2020), p. 10 et seq.
141
D. DEBOT, The application of the General Data Protection Regulation in the Belgian context, Kluwer, 2020,
p. 448-449, no. 1094 et seq.
14“Bisnode Belgium ensures that the preparation and attention of the persons concerned is taken into account
exigeantdesesclientsqu'ilsluifournissentsystématiquementleprojetdetextedesmailings qu'ilsenvisagentd'adresser.Ceci
the manner in which the procedure is followed by the assurance of the ceux-ci sont conforme à nos deontologie internal rules, the rules according to which
sont toutes entières axée sur le respect des attentivees raisonnables des personnes concernées. Toujours dans le but de tenir
compte des attentivees raisonnables des personnes concernées, Bisnode Belgium veille également être mentionnée dans la
politique de confidentiality de ses partenaires sources de données.” Decision on the merits 07/2024 - 52/114
“Bisnode Belgium also ensures that reasonable considerations are taken into account
expectations of the people involved by asking its customers to inform us systematically
to deliver the draft text of the mailings they want to send. That's what we can do about it
ensure that these are in accordance with our internal rules of conduct, which all
aimed at respecting the reasonable expectations of those involved. To
Bisnode ensures that the reasonable expectations of those involved are taken into account
Belgium also ensures that this is stated in its privacy policy
data source partners”
138. Furthermore, the Disputes Chamber recalls that Article 5.1.a) GDPR - which stipulates that
personal data must be processed in a manner that is lawful, fair and proper
is transparent towards the data subject — must be read in conjunction with
Recital 39 GDPR, which stipulates that it must be transparent to data subjects “that they
concerning personal data is collected, used, consulted or otherwise
processed and to what extent the personal data are or will be processed”.
This core principle of the GDPR therefore means that any processing of personal data,
regardless of the legal basis put forward by the controller, it
transparency principle must be adhered to.
139. Having said this, the Disputes Chamber considers it important to make the distinction for the time being
to emphasize between the information that data subjects receive regarding the processing, and
the reasonable expectations that those involved may or may not assume with regard to a
specific data processing. As already stated 14, those involved have no
direct relationship with the defendant, with the result that they cannot act reasonably
expect the indirect collection of their personal data by B ISNODE
B ELGIUM and then B LACK TIGER BELGIUM . From the policy documents and
model agreements that the defendant has submitted to the Inspection Service
nowhere to be inferred that the data sources 144proactively and individually
data subjects must inform them about the effective transfer of the personal data
available to the defendant. In other words, the defendant can quit
no guarantees whatsoever that those involved, that the privacy policy of the data source
would no longer consult after such an adjustment to the privacy policy of the
data sources in order to mention B ISNODE BELGIUM by name among the possible
data recipients, are actually notified of the collection and
subsequent processing of their data by the defendant. Such
gap in the defendant's transparency policy therefore means that a
negligible number of data subjects whose personal data are in the databases of the
defendant were processed for the Data Delivery service only after receipt of
143
See edge no. 126 in this decision.
14These are the partners of the defendant, who provide him with personal data. Decision on the merits 07/2024 - 53/114
the first direct marketing communications by a customer of the defendant
could be alleged of the processing of their data by the defendant.
Due to the nature of the Data Quality services, which according to the defendant
no personal data will be transferred to the defendant's customers
on the other hand, the data subjects may never be informed of the processing and
commercialization of their personal data by the defendant 14.
140. The Disputes Chamber therefore decides that the services provided by the defendant are
offers customers anything but within the reasonable expectations of those involved and frameworks,
even more so because these reasonable expectations must specifically relate to
the processing by the defendant. The argument that those involved can adhere to it
expect that their personal data will sooner or later be collected by a third party and
will be exchanged, as this became part of a national media campaign in 2019
announced 14, is far from convincing in this regard.
147
141. In subordinate order, the Disputes Chamber again notes that, with the exception of:
position of the defendant that “B2B stakeholders” reasonably expect that their
148
personal data are processed by third parties in a professional context, none
There is a substantial difference between the two assessments regarding the Spectron
database (B2B) resp. the CMX database (B2C). This alone testifies according to the
Disputes Chamber will conclude that there has been a lack of proper consideration of all relevant matters
circumstances of the data processing, as well as its consequences for B2C
those involved, in the context of the weighing of interests carried out. The Dispute Chamber
therefore rules that the analysis conducted by the defendant in any case does not meet the requirements
meets the conditions of a proper assessment test.
142. If, after the weighing of interests, it is unclear whose interest prevails, then
it is of course possible for the controller to provide additional guarantees
to prevent the undesirable consequences of the processing for the data subjects
mitigating 14. Such safeguards include, according to the Disputes Chamber
necessarily proactive information to the individual involved about how
145I.e., except for the limited information that may have been communicated when the personal data were collected by the sources
were passed on to the defendant, which the Disputes Chamber has already ruled to be insufficient
guarantees in the light of the transparency obligation.
146
Document 14 (“Copie d'extraits de la campaign de presse de juillet 2019”) as submitted by the defendant to the
Inspection service in the context of the investigation.
14See edge no. 102 in this decision.
148
Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the
defendant: “It is likely or, at least, reasonable to assume that in a B2B context, data subjects are aware that personal data is
being collected and commercialized (= reasonable expectations of the data subject). Indeed, it is even possible that the data
subjects may even use the services of Bisnode themselves. At any rate, data brokerage is a common activity in a professional
setting and the various official database ensure a large, public propagation of professional data, including personal data.
Therefore, impact should be given a lesser weight in relation to the Spectron database” (own underlining).
149
Data Protection Working Party Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 21. Decision on the substance 07/2024 - 54/114
their personal data are processed, as well as simple and accessible
mechanism through which those involved are given the opportunity to express themselves
oppose (opt-out) the processing of their data by the defendant, and
possibly also to exercise their right to erasure of data.
143. Finally, the Disputes Chamber rules that it is not within its powers to
since the Disputes Chamber is a (non-autonomous) dispute resolution body of a
150 151
administrative authority, to submit preliminary questions under Article 267 TFEU
to the CJEU. After all, in order to ensure the uniform application of Union law
guarantees, this provision provides an instrument of judicial cooperation between
the CJEU and the national courts, with a so-called preliminary ruling
question may emanate from a court ruling in the context of a
152
procedure leading to a judicial decision. When assessing whether a referral
body is a “judicial authority” within the meaning of Article 267 TFEU, the CJEU holds
taking into account the legal basis of the body that submitted a request
permanent character and its mandatory jurisdiction, the fact that the body is ruling
After an adversarial procedure, the body applies legal rules and regulations
153
the independence of that body. However, the Disputes Chamber rules that the GDPR
makes a clear distinction between the supervisory authorities and the
judicial authorities 154. Where Article 267 TFEU through the preliminary ruling procedure for
the CJEU aims to obtain a uniform interpretation during the judicial phase, as provided by the GDPR
in the coherence mechanism, where the Disputes Chamber specifically points to the
155
procedure provided for in Article 64.2 thereof, with a view to a similar purpose but for the
supervisory authorities under the GDPR. In any case, the Disputes Chamber considers this
150
HofvanBeroepBrussel (Marktenhof section), X t.GBA, Judgment 2023/AR/184 of 8 March 2023, p. 12; Court of Appeal Brussels
(Marktenhof section), X t. GBA, Judgment 2022/AR/292 of September 7, 2022, p. 36; Brussels Court of Appeal (Markten Court section),
X t. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 24; Court of Appeal Brussels (Markten Court section), X t.GBA, Judgment 2020/AR/329
of September 2, 2020, p. 13.
151
Article 267 of the Treaty on the Functioning of the European Union—“The Court of Justice of the European Union shall have jurisdiction,
by way of preliminary ruling, to rule (a) on the interpretation of the Treaties, (b) on the validity and
interpretation of acts of the institutions, bodies, offices or agencies of the Union.
If a question in this regard is raised before a court of one of the Member States, that court may,
if it considers a decision on this point necessary for the delivery of its judgment, it shall request the Court to answer this question
to make a statement.
If a question in this regard is raised in a case pending before a national court or tribunal
decisions are not subject to appeal under national law, this authority is obliged to refer the matter to the Court
turn.” (own underlining).
152K. ENAERTS and P.VAN NUFFEL, European Law, Antwerp-Cambridge, Intersentia, 2011, edge nos. 836-837.
153CJEU, 31 May 2005, C-53/03, Syfait (ECLI:EU:C:2005:333), edge no. 29; CJEU, June 30, 1966, C-61/65, Vaassen-Göbbels
(EU:C:1966:39); CJEU, December 10, 2009, C-205/08, Umweltanwalt von Kärnten (EU:C:2009:767), edge no. 35. See also K.
LENAERTS ,I.MASELI&K.G UTMAN , EU Procedural Law, Oxford University press, 2015, p. 53.
154
See, among others, Article 78.3 GDPR (right to institute effective legal remedies against a supervisory authority)
authority) and 79.2 GDPR (right to bring an effective remedy against a controller
or a processor).
155
Article 64.2GDPR—“2. A supervisory authority, the chairman of the Committee or the Commission may request any
that matters of general application or having legal effects in more than one Member State are examined by it
Committee in order to obtain advice, in particular where a competent supervisory authority has fulfilled its obligations
mutual assistance in accordance with Article 61, or to joint actions in accordance with Article 62.” Decision on the merits 07/2024 - 55/114
156
is in no way obliged to submit a preliminary question to the CJEU in this regard, as the
decisions of the Disputes Chamber of the GBA are subject to appeal
Marktenhof, and since the present case does not concern the validity of
157
an act of an institution, body or agency of the European Union.
II.3.3.4. Decision
144. In view of the previous elements, the Disputes Chamber concludes that
an infringement of Article 5.1.a), 5.2 and Article 6.1 GDPR, as the defendant has not properly
has demonstrated that its interests as well as those of its customers are legitimate or that the
processing is necessary for the realization of the interests pursued, and
that these interests would outweigh the interests and fundamental rights of the
those involved. In particular, the Disputes Chamber rules:
▪ that the processing of company data, insofar as this is personal data
concerns, in the Spectron database in the context of “B2B” Data Delivery
services, where the defendant has personal data of natural persons
collects and enriches people from the KBO, with a view to it
commercial supply of personal data to its customers
direct marketing-related purposes, is expressly prohibited by law and
can therefore not rely on the basis provided for in Article 6.1.f) GDPR;
▪ that the processing of consumer data collected in the CMX database in the
within the framework of the “B2C” Data Delivery service, where the defendant
personal data of consumers is collected and enriched with a purpose
on the commercial supply of personal data to its customers,
could not rely on the basis provided for in Article 6.1.f) GDPR due to the
lack of necessity and the disproportionate impact on those involved. The
commercial benefits that the defendant and its customers derive from the processing
achieved do not outweigh the fundamental right of the
those involved to respect their private sphere, given the nature of the
personal data, the duration of the processing, and the limited
provision of information to those involved. Finally, the defendant makes
insufficiently plausible that such processing is within reason
expectations of those involved could fall.
▪ that the processing of consumer data collected in the CMX database in the
within the framework of the “B2C” Data Quality services, where the defendant
156
Article 267(2) TFEU.
15F. PITALE, “Chapitre VI. La faculté et l'obligation de renvoi ERRARO& C.ANNONE, Le renvoi préjudiciel,
Bruxelles, Bruylant, 2023, p. 183. Decision on the merits 07/2024 - 56/114
collected, enriched and consolidated personal data of consumers
to assign a reliability score to, for a fee
personal data of consumers already in the possession of the customers of the
defendant, so that they could improve the quality of their data by
to format, standardize, correct and/or internalize them
linking (matching), could not rely on the basis provided for in Article 6.1.f)
GDPR. It has not been demonstrated that the processing was necessary for the
compliance by the defendant's customers with the principle of fairness
in accordance with Article 5.1.d) GDPR. The Dispute Chamber considers it to be insufficiently proven
that the customers of BLACK T IGERB ELGIUM exclusively through the Data Quality
services their interest in complying with the aforementioned principle
or, in short, that the disputed processing is indeed carried out
was necessary to ensure the completeness and accuracy of the personal data
already in the possession of the defendant's customers. The
Finally, the defendant does not sufficiently prove that such processing
could fall within the reasonable expectations of those involved.
▪ that the processing of company data in the Spectron database in the
within the framework of the “B2B” Data Quality services, where the defendant
personal data of natural persons affiliated with companies
collects, enriches and consolidates to, for a fee, a
to assign a reliability score to personal data already in the
possession of by the defendant's customers, so that they can ensure the quality of their
can improve data by formatting, standardizing,...
correct and/or internally link (matching), cannot rely on the
basis provided in article 6.1.f) GDPR. Personal data originating from the
After all, KBO may not be used or distributed for direct
marketing related purposes. In addition, the Disputes Chamber considers it
insufficiently demonstrated that the processing of personal data in
Spectron is necessary to ensure the completeness and accuracy of the
personal data already in the possession of the defendant's customers
insurance, as well as to protect non-direct marketing related interests
accomplish. Finally, the Disputes Chamber rules that the parties involved:
cannot reasonably expect, partly due to the lack of
proactive information provision, to the processing of all in the Spectron
database included categories of personal data. Decision on the merits 07/2024 - 57/114
II.4. Transparency towards those involved (Article 12.1, Article 13.1 and 13.2,
Articles 14.1 and 14.2, Article 5.2, Article 24.1, and Article 25.1 GDPR)
II.4.1. Position of the Inspection Service
145. As part of its investigation, the Inspection Service has two websites of the defendant
analyzed and determined that the link to the privacy statement on the first website was 158
redirects visitors to the second website 15, where they read the privacy statement
can consult. However, the Inspection Service notes that the information provided by the
defendant makes available on the second website is neither transparent nor easy
accessible to the data subjects, the information about the processing about it
has been distributed on various web pages, and also contains incorrect information.
146. Furthermore, the Inspection Service notes that the information provided by the defendant
is incomplete, as not all are required by Articles 13 and 14 of the GDPR
information is communicated effectively. There is nothing in particular anywhere
referred to the right of data subjects to withdraw given consent, and
nor the right of data subjects to file a complaint with the GBA. Furthermore
the contact details of the defendant's DPO are not stated on the website,
although the DPO has a personal email address.
II.4.2. Position of the parties
147. The complainant states that B LACK TIGER BELGIUM has stored personal data in a non-transparent
processed, as he was not informed of the fact that the defendant is
personal data had been collected and processed for its own objectives. The complainant posits
that he only became aware of the extent of this processing in the context of the exercise of his duties
right to inspect his personal data. With regard to the manner in which the defendant
has fulfilled its obligation to provide information to those involved,
in particular, the complainant points out that during the past 17 years and not since
entry into force of the GDPR was not contacted at any time by the
defendant or its processors, or by joint controllers
who would have received personal data from the complainants, with a clear
explanation of exactly which personal data they process. Thus, the
defendant, as well as any other recipient of the personal data in question, according to
the complainant systematically failed to notify those involved in accordance with Articles 13 and 13
14 GDPR about the processing of their data. In this regard states
the complainant that the defendant cannot possibly rely on the exception provided
15https://www.permesso.be/nl/privacybeleid.
15https://bisnodeandyou.be. Decision on the merits 07/2024 - 58/114
in Article 14.5.b) GDPR, as he has the necessary data to contact
with those involved in order to be able to fulfill his information obligation. During the
hearing of February 22, 2023, the complainant also emphasizes that the defendant
uses different privacy statements, which makes it difficult for those involved
to find out which rules apply to the processing of their data
personal data.
148. The defendant disputes the finding that it would not be easy for those involved
to find concrete information about data processing, and states that he made a conscious choice
for a layered approach to its privacy statement, depending on the capacity of the
data subject (consumer/professional), in order not to work with too extensive and
information that is incomprehensible for these reasons. According to the defendant, this method leaves the
allows those involved to navigate directly to the part of the statement that they
want to read. Regarding the Inspection Service's argument that “a data subject does not
can reasonably expect that his data will be commercialized simply by
the existence of a cooperation agreement with certain public or commercial entities
sources” the defendant argues that he has taken the necessary measures to
ensure that data subjects are aware of the processing carried out. The
Defendant also refers to the privacy statement of the KBO, “which explicitly states:
informed that the personal data are processed for the purpose of reusing the data
data, whether or not for commercial purposes”.
149. During the hearing on February 22, 2023, the Disputes Chamber asks what the
responsibility of the defendant if the sources or partners fail to do so
to provide data subjects with information about the processing of their data
personal data by B LACK T IGERB ELGIUM. According to the defendant, this concerns first of all
a contractual matter between the defendant and his sources respectively. customers,
although the defendant always checks whether the standard wording is actually included
the privacy statement of the sources respectively. customers of the defendant. Also prior to
the sending of commercial messages by post by the defendant's customers,
the defendant has a right to inspect the draft communication as well as the right
to request adjustment of the communication, if necessary. For the rest,
the defendant has concerns about the appropriate level of control that the
Litigation chamber of the defendant would expect with regard to his partners and
customers, and more specifically whether the defendant must regularly check with each partner and customer
whether the privacy statement contains the standard wording. Finally, the defendant opines
to be aware of certain shortcomings in its privacy statement, although this
shortcomings have now been resolved in the new privacy statement160. The fact that the
16https://www.blacktigerbelgium.tech/privacy-policy/. Decision on the merits 07/2024 - 59/114
defendant does not mention the right for those involved to collect their consent
would also be irrelevant, as the defendant only relies on his
legitimate interests for the disputed data processing.
II.4.3. Judgment of the Disputes Chamber
150. As regards the lawfulness of the disputed processing, it is established that the reasonable
expectations of those involved are relevant — contrary to what the
defendant puts forward in his defense — to assess to what extent this may be the case
of lawful data processing that would be based on the legitimate interest
161
interests of the defendant or his customers. Those are reasonable expectations
also to be taken into consideration when determining the time at which the information is provided
162
about the processing is communicated to the data subjects, taking into account the generality
principle that those involved should not be surprised by the purpose of the
processing of their personal data 16. The Disputes Chamber has in previous cases
decisions has repeatedly emphasized that transparency is of crucial importance to those involved
control over their personal data and to ensure effective protection of it
to safeguard personal data 16. The transparency obligation in the GDPR requires
namely that all information or communication regarding the data processing of
must be easily accessible and understandable to those involved, 165 but also timely
provided to those involved 16.
151. In the present case it is first of all established that the data processed by the defendant
personal data were not collected directly from the complainants. Consequently, single
Article 14 GDPR applies 16, the first two paragraphs of which record the information
to be provided to data subjects:
a. the identity and contact details of B LACK T IGER B ELGIUM and, in
where appropriate, of his representative;
b. where applicable, the contact details of the DPO;
c. the processing purposes for which the personal data are intended;
d. the legal basis for the personal data processing;
161
See edge nos. 134 et seq. in this decision.
16Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, rev. 01, April 11, 2018), edge no. 28.
163
Ibidem, edge no. 45 in fine.
16See, among others, Decision 04/2021, edge no. 167; Decision 47/2022, edge no. 127 ff.; Decision 84/2022, edge no. 76.
165
Recital 39 GDPR.
16Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, rev. 01, April 11, 2018), edge no. 48.
167
Ibidem, edge no. 26 in fine. Decision on the merits 07/2024 - 60/114
e. the categories of personal data concerned;
f. where applicable, the recipients or categories of recipients of the
personal data;
g. where appropriate, that B LACK TIGER BELGIUM intends to:
to transfer personal data to a recipient in a third country or to
an international organization; whether or not there is an adequacy decision
the Commission exists or BLACK T IGERBELGIUM appropriate or suitable
has taken guarantees in the case of the situations referred to in Article 46, Article 47 or
Article 49.1.2°GDPR refers to the transfers, as well as the data subject and a copy
can obtain these or where these guarantees can be obtained
consulted;
h. the period during which the personal data will be stored
stored, or if that is not possible, the criteria to determine that period;
i. the legitimate interests of B LACK TIGER BELGIUM or a third party,
if the processing is based on Article 6.1.f) GDPR;
j. that the data subjects have the right to request B LACK T IGERBELGIUM
access to and rectification or deletion of personal data or request restriction
of the processing concerning them, as well as the right against processing
to object and the right to data portability;
k. when the processing is based on Article 6.1.a) GDPR or Article 9.2.a) GDPR, it
given that the data subjects have the right to give their consent at any time
to withdraw, without this affecting the legality of the
processing based on consent before its withdrawal;
l. that data subjects have the right to file a complaint with a
supervisory authority;
m. the source from which the personal data comes, and where applicable,
whether they come from public sources;
n. the existence of automated decision-making, including the in
profiling referred to in Articles 22.1 and 22.4 of the GDPR, and — at least in those cases —
useful information about the underlying logic, as well as the importance and
expected consequences of that processing for the data subjects.
152. Pursuant to Article 14.3 GDPR, which relates more specifically to the modalities of the
provision of information and as such forms an inherent addition to the
core obligations arising from the two preceding paragraphs of Article 14 GDPR,
the aforementioned information must be communicated to the decision on the merits within certain periods 07/2024 - 61/114
those involved. In general, the rule applies that the controller:
those involved within a reasonable period, but no later than one month after acquisition
of their data must be informed about the processing, depending on the specific nature
circumstances thereof (14.3.a) GDPR). According to the Transparency Guidelines under
168
However, under the GDPR, this period can be shortened to the extent that the data collected
personal data are intended for contacting the data subjects, in which case
case the information is required at the time of first contact with the data subject
are provided (14.3.b) GDPR). Finally, the one-month period can also be shortened
if the personal data is communicated to a recipient within the meaning of
Article 4.9) GDPR. In such circumstances, those involved must be informed
be processed no later than the time at which their personal data is provided (14.3.c)
GDPR).
153. In its defenses, B LACK TIGER BELGIUM states that those involved were informed
on the basis of the mandatory indications of the name of the defendant in the
advertising messages that his customers addressed to those involved 16. Concrete means
This means that in most cases those involved only meet for the first time through the — often
unwanted — advertising messages were informed of the existence of the
defendant, as well as the fact that the defendant may have their personal data at some point
collected and processed. The Disputes Chamber presupposes such an approach
aims to comply with the time provided under 14.3.b) GDPR, i.e. to inform the data subjects
inform at the time of actual contact with the data subject, without
that this necessarily takes into account the time period between
initial data collection and initial contact. In the guidelines on this matter
transparency under the GDPR it is nevertheless expressly stated that the period of one
month provided under Article 14.3.a) GDPR, a maximum period is 170, which is not possible
can be extended but can only be limited depending on the purposes of the
processing.
154. The Disputes Chamber is well aware that the data sources of the defendant
have an obligation to provide information in accordance with Article 14.3.c) GDPR, in particular when they
provide personal data in their possession to B LACK TIGERB ELGIUM. The Dispute Chamber
emphasizes, however, that it is in principle up to the controller who
transfers data — and therefore not to the recipients, in this case the customers of the
defendant — belongs to Article 14.3.c) GDPR to provide the information as provided under
Articles 14.1 and 14.2 GDPR to the data subjects. In concrete terms, all serve
16Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, rev. 01, April 11, 2018), adopted by the EDPB.
169
See edge nos. 64, 66 and 137 in this decision.
17Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, rev. 01, April 11, 2018), edge no. 28. Decision on the merits 07/2024 - 62/114
successive controllers — i.e., the defendant's partners who
provide him with personal data, the defendant himself, respectively. the customers to whom the
defendant, if necessary, transfers personal data - i.e. separately
to inform data subjects about the data processing they carry out themselves.
171
155. Moreover, it follows from an a contrario reading of Article 14.5.b) GDPR that the
provision of information in accordance with Articles 14.1 and 14.2 GDPR is logically proactive
should be done, in contrast to the rather passive provision of information in which
Article 14.5.b) GDPR provides an exception. The indirect collection of
After all, personal data of the data subjects does not presuppose that the
provision of information to those involved also only serves indirectly
to happen. On the contrary, from the case law of the Court of Justice as well as from the
172
provisions of the GDPR, it follows that it is exclusively applicable to the
controller who determines the means and purposes of the processing,
has the right to inform those involved in a loyal and transparent manner. The
The Dispute Chamber therefore concludes that it is primarily up to the
defendant has the right to proactively inform those involved about the processing of
their personal data by B LACK TIGER BELGIUM, in accordance with Article 14 GDPR.
156. The fact that the partners of the defendant, who in the context of their agreement, the by
transfer personal data collected from them to the defendant himself for a fee
Providing information to those involved does not affect the foregoing. The
After all, the Dispute Chamber is not convinced by the organizational measures taken by the
defendant has taken steps to “indirectly” comply with his transparency obligation,
whereby the data sources are obliged to include this in their privacy statement
to expressly refer to the personal data processing carried out by the
defendant. In that respect, the Disputes Chamber refers to the template for the
agreements with data sources 173 that stipulate the following (proper
underline)7:
171
See edge no. 157 below.
17Recital 60 — “In accordance with the principles of fair and transparent processing, the data subject should
be informed of the fact that processing is taking place and its purposes. The
The controller must provide the data subject with the further information necessary to act against the data subject
to ensure proper and transparent processing for the data subject, taking into account the specific circumstances
and the context in which the personal data are processed. […]”; Article 14 GDPR — “1. When personal data does not belong to
have been obtained from the data subject, the controller shall provide the data subject with the following information: […]” (de
Dispute Chamber underlines). See also CJEU, October 1, 2015, C-201/14, Smaranda Bara et al. v. Președintele Casei Naționale de
Asigurări de Sănătate (ECLI:EU:C:2015:638), edge no. 31.
173 Document 10 (“Piece 10 – Template contracts source – voir article 5”) as submitted by the defendant to the
Inspection service in the context of the investigation, p. 4.
17“Vosdonnéesàcaractèrepersonnelpeuventêtretransmisesesàdespartenairesextérieurs,quipeuventles utiliserpourvous
envoyer des informations commerciales ou des promotionalnelles ou pour les commercialiser à ces fins. Nous ne
Transmitting the characteristics of the external parts guaranteeing the correct characteristics of the external parts
Bisnode Belgium SA (Allée de la Recherche 65, 1070 Anderlecht). Toutefois, [X] ne sera en aucun cas responsable de Decision on the merits 07/2024 - 63/114
“Your Personal Data may be transferred to external partners who may
use it to send you commercial information or promotional offers or for these
commercial purposes. We only pass on such data to external parties
partners who ensure the correct processing of this data, including Bisnode
Belgium NV (Researchdreef 65, 1070 Anderlecht). However, [X] is not in any case
liable for the use of this data by external partners.
Your personal data can be used or commercialized by Bisnode Belgium
to be able to provide you with personalized [sic] offers (possibly
based on your marketing profile), to conduct market research or for data
already present in the database of other companies to validate, correct or combine
link (for more information about the processing of personal data by Bisnode Belgium
consult www.bisnodeenu.be)”.
The Disputes Chamber rules that such wording (“can be used”),
does not provide sufficient certainty to those involved about the nature and extent of the
processing of their personal data by the defendant. Accordingly, none can be done here
there is a transparent and honest provision of information to those involved
by the data sources.
157. The next question that arises is to what extent the defendant can rely on the
exception to the information obligation, as provided for in the same provision. Article 14.5 GDPR
provides that the obligation to provide information to data subjects does not apply
is when and to the extent that 17:
(a) the data subjects already have the information;
b) the provision of that information proves impossible or disproportionate
would require effort, or to the extent that the provision of information
achievement of the purposes of the intended processing is likely to be impossible
or threatens to seriously jeopardize it. In such cases
the controller takes appropriate measures to protect the rights, the
protect freedoms and the legitimate interests of data subjects,
including making the information public;
c) obtaining or providing the data is expressly prescribed by
Union or Member State law to which the controller is subject
l'utilisation de ces données par des partenaires externes. Vos données à caractère personnel être utilisées ou
commercialization by Bisnode Belgium according to the proposal of the personalized offers (event and function of the
profilmarketing), d'effectuerdesétudesdemarchéoudevalider, correcterourelierdesdonnéesdéjàprésentesdanslesbases
the young entrepreneurs (pour more information about the characteristics of the young personnel of Bisnode Belgium,
consultez www.bisnodetvous.be.”
17See also Data Protection Working Party Article 29 – Guidelines on transparency under Regulation (EU)
2016/679 (WP260, April 11, 2018), edge nos. 58 et seq. Decision on the merits 07/2024 - 64/114
and that law provides for appropriate measures to protect the justified person
protect the interests of the data subject; or
d) the personal data must remain confidential pursuant to a
professional secrecy under Union or Member State law, including a
statutory duty of confidentiality.
158. The Disputes Chamber determines that exceptions [c] and [d] do not apply to the
processing by the defendant. Exception [a] is also not met since the
176
privacy statement on the website is incomplete and the standard paragraphs in the
177
privacy statements of the data sources are generically worded. What the
exception [b], the Disputes Chamber refers to the categories of
defendant processed personal data as well as for the intended purposes, already
were explained above 17. It cannot be denied that the defendant
is at least in possession of the contact details of those involved, since such
data as well as the “identification data” form a common “attribute”.
for the three databases 17, and the business model of B LACK T IGERB ELGIUM calculated
consists of collecting, aggregating and then making available
so-called “contact points” with which the defendant's customers subsequently communicate
can improve their marketing and communication strategies. So the
Disputes Chamber has sufficiently proven that the provision of the information provided
under Article 14 GDPR to data subjects whose personal data the defendant has
collects and processes is not impossible.
159. Furthermore, it is not clear, and the defendant does not make it at all plausible, to what extent
compliance with the principle of transparency with regard to those involved
would seriously jeopardize objectives. The only reference to the necessary
efforts that the defendant would have taken and raises in his defenses,
is furthermore not further substantiated by the documents submitted. When asked if
those involved would receive a privacy statement individually, answers the
180
defendant in both LIAs submitted concisely that an individual
provision of information would “require a disproportionate effort”:
17See edge no. 107 and 108 in this decision.
17See edge no. 156 in this decision.
178
See edge nos. 107 and 108 in this decision.
17CMX; Permesso and Spectron.
180
Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant. Decision on the merits 07/2024 - 65/114
However, this position cannot be accepted in light of Article 14 GDPR. The
impossibility or disproportionate effort must be directly related
with the fact that the personal data have not been obtained from the data subjects. In addition
A controller who wants to make use of the exception must
Article 14.5.b) GDPR based on the argument that provision of the information
would require a disproportionate amount of effort, the effort it would take to get the information
to be provided to the data subject against the effect and consequences for the data subject
data subject when he or she does not receive the information .181
160. The Disputes Chamber hereby emphasizes that Article 14.5 of the GDPR is an exception
the right of data subjects in that sense must be interpreted restrictively. It is established in this case
that BLACK T IGERB ELGIUM must have contact details of the data subjects in order to
to be able to achieve the intended objectives of the various databases.
The Disputes Chamber further emphasizes that the defendant does not necessarily have the
contact details of all parties involved must be available before they can be shared together
to be informed once; as soon as BLACK TIGER BELGIUM has a postal address or an e-mail
has, the company is in principle able — and therefore obliged — to provide the specific
to directly inform data subjects about the collection and processing of their data
personal data, in line with Article 14 GDPR.
161. In this regard, the Disputes Chamber refers to the decision of the Polish
data protection authority (Urząd Ochrony Danych Osobowych, hereinafter “UODO”), which
on 25 March 2019 imposed a fine on B ISNODE POLAND for failing to
to directly inform data subjects for whom the company had contact details about the
182
processing of their personal data. The Disputes Chamber rules that the defendant
could have taken this 2019 decision into account in the present case
analysis dated August 27, 2020 regarding the obligation to provide information to those involved
in Belgium, although he apparently did not do so. Whatever the case, the
Disputes Chamber states that it is unacceptable 5 years after the entry into force of the GDPR
18Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, April 11, 2018), edge nos. 62 and 64.
182
Urząd Ochrony Danych Osobowych – Decision ZSPR.421.3.2018 of March 15, 2019, available on the website of the
Polish Data Protection Authority (UODO): https://uodo.gov.pl/decyzje/ZSPR.421.3.2018#. Despite the profession
dISNODPOLAND was subsequently imposed, the UODO's decision remained intact, but the administrative fine was imposed
EUR 220,000 reduced. Decision on the merits 07/2024 - 66/114
to those involved whose contact details are already known, and especially when
concerns electronic contact data, not to inform you directly about the processing
of their personal data.
162. Although the Disputes Chamber acknowledges that the defendant has made efforts to
lack of direct, individual provision of information at least
183
to make it public on its website, the Disputes Chamber rules that this failure to comply with the
informing those involved in a timely and individually constitutes a violation of the obligation
to provide transparent — and therefore complete — information pursuant to Articles 12 and 14 GDPR
to provide data subjects with information about the processing of their personal data, in the
particularly when the data such as these are collected indirectly.
In such a circumstance it is certain that data subjects cannot be involved
expects them to consult the defendant's website regularly or not.
163. In addition, the Disputes Chamber has already established 184 that the categories
“marketing profiles”, “consumer interests” and “family composition” not mentioned
were intended for consumers 18 in the privacy statement dated March 31, 2021, nor in
the explanation on the current website of LACK TIGERB ELGIUM186. The fact that the defendant
in his defenses dated September 11, 2023, filed in the context of the limited
reopening of the debates, clarifies that the privacy statement on the LACK website
TIGERB ELGIUM only indicates which personal data are in the context of its current
activities are processed does not prevent the privacy statement for
consumers at the time of the investigation was not complete — which the defendant
incidentally, recognized in his rejoinder dated March 7, 2022 - and therefore in
was a violation of Article 14 GDPR.
164. In his response to the sanction form, the defendant states that the obligation to
to inform those involved individually and proactively, was not extensively discussed in the
written conclusions and no contradictory debate has been opened on this point by the
Dispute Chamber 18. The defendant also disputes the claim that he deliberately did not
would provide complete and sufficiently detailed information to those involved.
165. In this regard, the Disputes Chamber first notes that the manner in which the
those involved are informed by the defendant or by the data sources
about the processing of their personal data, was indeed discussed in both the
written conclusions as during the hearing on February 22, 2023. In the
18Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, April 11, 2018), edge nos. 64.
184
See edge nos. 107 to 109 in this decision.
18Part 12 (“012 Screenshots of Bisnode Belgium website”) in the inventory, pp. 45-48.
186
https://avg.blacktigerbelgium.tech/uw-consumentengegevens/wat-consument/, accessed on August 4, 2023.
18Response from the defendant to the sanction form dated October 31, 2023, p. 1. Decision on the merits 07/2024 - 67/114
investigation report, the defendant is sufficiently informed that the
transparency obligation, both in the case of direct and indirect
data collection applies.
The Disputes Chamber also emphasizes that the transparency obligation under the GDPR
ensues, already applied under Directive 95/46, and as such requires no further interpretation
required by the Disputes Chamber. Furthermore, the complainant refers in his complaint as well as in
his written defenses to the fact that the processing of his
personal data took place “without [his] knowledge”, “without contact” (due to the
defendant), and that he “has not received any notice or notification from her
according to Art 13 and 14 of GDPR, when they have collected [his] data”8.
The defendant was also informed through the conclusion letter dated November 29, 2021
of the possible infringement of Article 14 GDPR, of which paragraphs 1 to 4 together
must be read and adhered to, as well as Article 5.2 in conjunction with 24.1 GDPR, “regarding
to the obligation for the controller to provide data subjects with concise information
yet provide complete, transparent and understandable information about the
personal data that are processed, as well as the requirement for the defendant to
to guarantee and be able to demonstrate compliance with these obligations”.
written procedure before the Disputes Chamber, the defendant was therefore free to express his views
defenses with regard to the grievances of the complainant as well as those raised by the Inspection Service
established lack of evidence that the defendant has fulfilled its obligations under Article 14 GDPR
had been complied with appropriately.
Also during the hearing, after the complainant expressed his dissatisfaction about “the collection
of numerous personal data without being informed of this”8, the
defendant the opportunity to express his position regarding the obligation imposed on B ISNODE
B ELGIUM and subsequently B LACK T IGER BELGIUM rested, in accordance with the regulations of
Article 14 GDPR, to be explained. The Disputes Chamber also noted that the defendant then
merely replied that “the sources as well as the customers of B LACK TIGER B ELGIUM
become contractually obliged to inform the data subject about the transfer of their
personal data to resp. its communication by B LACKT IGERBELGIUM ”.
Finally, the defendant was given one last opportunity to sign his position
to the Disputes Chamber, in response to the sanction form dated October 31, 2023.
In view of the foregoing elements, the Disputes Chamber rules that the defendant
has indeed been given several opportunities to defend himself against
the allegation that he did not inform the data subjects in an appropriate manner — i.e., in a complete manner
transparent and proactive manner, taking into account the context of the processing
18 Complaint form as submitted by the complainant on January 28, 2021.
18 Official report of the hearing dated February 23, 2023, p. 13. Decision on the merits 07/2024 - 68/114
informed, in accordance with Article 14 GDPR. The argument that the defendant
in his response to the sanction form is therefore manifestly unfounded.
166. Given the lack of a complete privacy statement190 as well as the conscious — as stated
the considerations of interests submitted to the Disputes Chamber appear to be sufficient. 191— choice
of the defendant for not directly informing those involved about the processing
of their personal data by B LACK TIGER BELGIUM, despite the fact that the defendant
has the contact details of the majority of those involved, according to the opinion
Dispute Chamber that the defendant at least vis-à-vis the parties involved
contact details were known, is subject to Article 14 GDPR due to serious negligence
violated.
II.5. Handling requests from data subjects to exercise their rights
(Article 12.1 and 12.2, Article 15.1, Article 5.2, Article 24.1, and Article 25.1 GDPR)
II.5.1. Position of the Inspection Service
167. According to the Inspection Service, the defendant does not demonstrate that he - in the context of the
handling of their request for access — has informed the complainants effectively and transparently
about all available information about the source of their personal data accordingly
Article 15.1.g) GDPR. After all, the complainants were not informed about how the defendant
obtained their personal data from the stated sources, and when. In addition
the Inspection Service determines that the information provided is too vague and based on too much
a general type answer, with the result that the complainants do not receive a sufficient answer
have received the measure. Finally, according to the Inspection Service, the defendant does not indicate
that in his letter to both complainants he stated the right to erasure of data and the right to object
effective and transparent; the Inspection Service determines that
existence of these rights was communicated to only one of the complainants.
II.5.2. Position of the parties
168. The complainant states that B LACK T IGER BELGIUM has violated Article 12.3 GDPR by
to provide electronically requested information on paper. The complainant argues that the
defendant has not complied with its obligation under Article 12.3 GDPR, as the
responses to the requests for access via paper mail were submitted to the
those involved, notwithstanding the fact that the defendant requires that those involved
190
See edge no. 163 in this decision.
19See screenshot at edge no. 159 in this decision: “Isafairprocessingnoticeprovidedtotheindividual,ifso,how?Arethey
sufficiently clear and up front regarding the purposes of the processing? We don't inform each and every data subject
personally as this would involve a disproportionate effort. However, our sources must explicitly mention the possible use of
data by Bisnode in their privacy notices, we are mentioned in every mail […]” (own underlining). Decision on the merits 07/2024 - 69/114
request access to their personal data via the defendant's website
submission, in other words in an electronic manner, whereby data subjects also
provide their email addresses. Regarding the mention of the sources of his
personal data, the complainant states during the hearing — referring to the
response to his request for access — that the defendant reports statistical and
neighborhood data about the bearing, which, however, cannot possibly come from the sources
which the defendant lists in his answer. However, during the hearing the complainant leaves:
know that he has deliberately not requested the erasure of his data
to avoid these being removed prior to a decision by the
Dispute Chamber. In addition, the complainant believes that he was unable to simply
reply to the defendant's response as the information was sent to him by post
provided, rather than electronically. The complainant also refers to the recent one
192
case law of the Court of Justice, which established that
controllers are obliged to inform data subjects about the
precise identity of the recipients of their personal data, while the defendant
would have merely mentioned the categories of personal data in his response to the
requests for inspection submitted by the complainants. During the hearing, the complainant rejects
incidentally, to the lack of contact details of the DPO in the answer to his
request for access, and he is annoyed that he made the aforementioned on his own initiative
had to look up contact details on the website.
169. With regard to the requests for information submitted by the complainants, the
defendant that he received letters from his DPO on November 13, 2020 respectively. December 23, 2020
has provided information “about the processing of their personal data: the files
in which they are included and the purposes of the processing, as well as the legal basis
for the processing, the existence of a right to object, the categories of data processed
data and information kept about the complainants, the recipients of the
data, the period for which they are kept, the source of the data,
and so forth". The defendant disputes that the answers he provided to both
complainants can be regarded as a so-called “general type answer”, since
the defendant has informed both complainants separately about (i) the specific source of
their data, (ii) the fact that these data were sourced by the complainants themselves
provided in their capacity as a customer, and (iii) the question or cooperation with
relevant sources are still active. The use of a form letter testifies
according to the defendant, moreover, of the good internal organization of the defendant
respond to requests from data subjects.
192
CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3). Decision on the merits 07/2024 - 70/114
In addition, the defendant refutes the Inspection Service's finding that one of the
the complainant was not informed of the existence of his right to erasure and
opposition. The defendant refers to the letter addressed to the complainant, of which the second point
explicitly states the two aforementioned rights.
In response to the complainants' grievance regarding the sending of the response by post,
the defendant clarifies that he does not require proof of identity from those involved, of all places
to promote the exercise of the rights of data subjects. In order to reduce the risk of
to avoid unauthorized disclosure of data in case of identity theft,
the defendant has therefore opted for sending by post, as known to him
address of the data subject.
With regard to compliance with its obligation to provide information to those involved, the
defendant during the hearing to the standard wording that the sources of B LACK
TIGER BELGIUM in their privacy statement, and with which those involved
be informed of the collection of their personal data by the defendant.
The defendant also states that those involved and detailed information about the sources of
can obtain their data in the context of a request for access. because of this
the defendant is not obliged to provide the precise identities of all sources
in the privacy statement, as it may contain dozens of sources
can be listed while the personal data of an individual data subject
only come from a limited number of the listed sources.
With regard to the mention, in the response to a request for access, of the
categories instead of the specific recipients to whom data from the complainants
were effectively transferred, the defendant posits that this approach at the time was after internal
consultation and with due observance of the case law at the time. According to
the defendant cannot therefore be blamed for not having taken this into account
subsequent case law of the Court of Justice.
In addition, the defendant emphasizes that the complainants' requests for access are detailed
were answered, and the complainants subsequently have no additional request
submitted in order, among other things, to obtain additional information about the precise details
sources of the personal data, the specific recipients of his personal data,
or have possibly incorrect information corrected. Finally, the defendant recalls
Please note that the complainants have never requested the deletion of their data. Decision on the merits 07/2024 - 71/114
II.5.3. Judgment of the Disputes Chamber
Reply by post
170. The Disputes Chamber determines on the basis of the documents submitted that both complainants have a
received a response by post, although their original access requests were electronic
were sent. The defendant does not dispute this, nor in the context of the written statement
defenses nor during the hearing.
171. However, Article 12.3 GDPR expressly states:
“3. The controller shall provide the data subject without undue delay and in any event
within one month of receipt of the request under Articles 15 to 22
information about the action taken on the request. Depending on the complexity
oftherequestsandofthenumberofrequests,thatdeadlinecanbeadditionaltwoifnecessary
months are extended. The controller informs the data subject
one month after receipt of the request of such extension. When
the data subject submits his request electronically, the information will be provided if possible
provided electronically, unless the data subject requests otherwise.
172. Article 15(3) in fine GDPR states that when the data subject submits his request electronically,
and does not request any other arrangement, the information in a common electronic form
must be provided, whereby the usage must be determined from the
193
position of the data subject and not of the controller. Therefore,
the Disputes Chamber has sufficiently proven the infringement of Article 12.3 of the GDPR.
Notwithstanding the investigation report, only violations of articles 12.1 and 12.2 GDPR
determines, Article 12 GDPR must be read and complied with in its entirety, including
Article 12.3 GDPR. The manner in which a controller grants a request,
after all, it always falls within the general obligation to exercise their rights
to facilitate the data subjects as provided for in Article 12.2 GDPR, as well as within the
complementary obligation in Article 12.1 GDPR to ensure the communications referred to in Article 15 to
with 22 GDPR “if appropriate” to be provided by electronic means. Mutatis
The foregoing also applies mutandis to Article 15.3 GDPR, which in conjunction with the
other paragraphs of Article 15 GDPR must be complied with.
Finally, the Disputes Chamber emphasizes that the defendant is in the context of the proceedings
has indeed been given and used the opportunity to discuss this matter
defenses, as is clear from the conclusions in the rejoinder of the defendant respectively. are
response to the sanction form:
19EDPB – Guidelines 01/2022 on Data Subject Rights – Right of Access (v2.0, 28 March 2023), edge nos. 32, 134 and 148 et seq. Decision on the merits 07/2024 - 72/114
“To promote the exercise of the rights of data subjects, Black Tiger Belgium demands
There is no proof of identity from the persons involved. As a result, she sends her answers by post
to the address of the data subject known to her, which increases the risk of unauthorized
194
disclosure of data in case of identity theft is avoided'.
“With regard to the answers, further mail was sent to those involved
Black Tiger Belgium already explained that this was necessary to ensure that no
there was an unauthorized disclosure of personal data, which testifies to this
195
a high degree of care.”
173. Although it cannot be ruled out that dispatch by post would be more secure
then offer an electronic transmission if no proof of identity is requested,
the Disputes Chamber is of the opinion that in addition to regular e-mails, there are also other, more secure ones
communication channels exist to provide the requested information electronically
delivery, in accordance with Article 12.3 GDPR. We also offer shipping by e-mail
According to the Disputes Chamber, post no longer necessarily guarantees that the sent
information ultimately ends up with the 'right' person involved, since the defendant cannot
rule out that the person concerned has moved in the meantime. In a more general sense, the
Disputes Chamber that the defendant does not act carefully by not providing proof of identity
questions or to check the identity of applicants in advance.
The Disputes Chamber determines in this regard that the defendant has not received the (electronic)
contact details of the data subjects are already required 196 so that they can exercise their rights
exercise on the defendant's web page. All except the telephone number
fields required to be completed. Consequently, the Disputes Chamber rules that the defendant has
has sufficient information to check whether the e-mail address corresponds to the
contact details of the data subject that are already included in the database(s).
defendant, prior to further processing of the request. When in doubt
If necessary, the defendant could contact the person concerned via the already
known contact details in the databases, to ask him/her for confirmation whether the
access request is legitimate.
By consciously providing answers to requests from data subjects by post
the defendant also makes it more difficult for them to follow suit, if deemed desirable
to submit an additional request to the first response. The former and current
websites do not allow the first answer to be attached as an example
to be added to a new request submitted via the online contact form. The foregoing
19Conclusions of the defendant's rejoinder, submitted to the Disputes Chamber on March 7, 2022, p. 25-26
19Response from the defendant to the sanction form dated November 24, 2023, p. 2, (iii).
196
First name, last name, telephone number, email, street name, number, zip code and city of the data subject:
https://avg.blacktigerbelgium.tech/uw-rechten/. See also Piece 12 (Screenshots of the Bisnode Belgium website taken by
the Inspection Service on March 31, 2021) in the inventory. Decision on the merits 07/2024 - 73/114
was also expressly stated by the complainant during the hearing on February 22, 2023
197
raised and the defendant did so during the same hearing as well as in the context
was given the opportunity to object to his response to the official report
defend.
174. In short, the reasons given by the defendant for sending answers
requests for access via regular mail are not only unconvincing for the
Dispute Chamber, but also in violation of Article 12.1 as well as 12.3 GDPR in conjunction with 15.3
GDPR. In addition, the defendant does not act in line with its obligation to exercise
to facilitate their rights by data subjects, in accordance with Article 12.2 GDPR.
In view of the foregoing, the Disputes Chamber decides that the defendant violates Articles 12.1 and
has violated 12.2 GDPR as well as 12.3 in conjunction with 15.3 GDPR by providing answers to the
not to send requests for access from the complainants electronically but only by post,
which unnecessarily hindered the complainants from exercising their rights.
Sources of the personal data
175. With regard to the failure to indicate the precise sources of the personal data
of the complainant, the Dispute Chamber notes that the defendant only reports the
198
company ELE T ICKET SERVICE as a data source for the consumer database (CMX).
However, during the hearing and in his defenses, the defendant does not provide any explanation
for the lack of information about the source of the “statistical data on neighborhood
level".
176. According to Article 15.1 GDPR, the data subject has the right to obtain from the
controller to obtain clarity about whether or not to process
data concerning him. If the latter is the case, the data subject has it
right to inspect those personal data and information referred to in Article
15.1.a) to 15.1.h), such as the purpose of the processing of the
data as well as the sources and possible recipients of the data. The purpose of
the right of access is to enable the data subject to understand how his
personal data are processed and what the consequences are as well as the accuracy
of the processed data without having to confirm his intention
justify 19.
19 Official report of the hearing dated February 23, 2023, p. 5.
198
“The source of your data is Tele Ticket Service, which provided us with the addresses of its customers. Meanwhile, this one
collaboration with Tele Ticket Services has been terminated.” in Section 2 (“Response to the request for access dated 13 November 2020 from
Bisnode Belgium”) lodged with the defendant's response.
19See decision on the merits 57/2023 of 16 May 2023, edge no. 44 (available on the GBA website). Decision on the merits 07/2024 - 74/114
Since it is not likely that ELE TICKET SERVICE provides (has provided) residential data
to the defendant and the defendant has not given any explanation regarding the
origin of the “statistical data at neighborhood level”, although the aforementioned data
probably come from the National Institute for Statistics, the Disputes Chamber believes
it is sufficiently proven that the defendant does not mention all relevant data sources
has in his reply to the complainant.
In view of the foregoing, the Disputes Chamber therefore decides that the defendant is a
has committed an infringement of Article 15.1.g) GDPR by not providing all available information about the
immediately communicate the sources of the complainant's personal data.
Contact details of the DPO
177. Regarding the lack of DPO contact details in the response as well as the
alleged lack of indication of the rights of opposed data erasure, rules
the Disputes Chamber that the complainant's grievance was not determined by the Inspection Service
well-founded or is not supported by the documents before us. After all, Article 15 GDPR requires this
in no way that the contact details of the DPO are stated in the response to a
request for access, and it is certain that the aforementioned rights are effectively listed in
the response to the complainants' request. Furthermore, the Disputes Chamber notes that
the contact details of the DPO are clearly stated at the top of the contact form
on the defendant's website, as from the screenshots by the Inspection Service
It turns out that the GDPR does not require the controller to provide an e-mail address
the DPO shares with the parties involved. The communication of a postal address in combination with
contact form to handle requests in a structured manner is sufficient
as long as this does not hinder the exercise of their rights by the data subjects.
The Disputes Chamber therefore determines that the defendant does not have the GDPR on this point
violated.
Recipients of the personal data
178. With regard to the precise identification of the recipients to whom the defendant has transferred the
has handed over the complainant's personal data, the complainant points out the judgment
Austrian Post of the Court of Justice. In this case the Court ruled that
controllers are obliged to provide the actual information at the request of data subjects
to provide the identity of the recipients to whom data are or will be
provided. It is only possible when it is not (yet) possible to identify these recipients
20See edge no. 83 in this decision. Decision on the merits 07/2024 - 75/114
the controller is allowed to limit the information communicated
to the relevant categories of recipients 20.
179. In this case, the Disputes Chamber notes that the defendant at the time of the hearing
the complainants' requests has limited its response to the categories of
receivers. Notwithstanding the requests for access to the present proceedings
basis, precede the ruling of the Court of Justice, is the opinion
Disputes Chamber that the defendant was obliged to provide the precise identity of the recipients
to be communicated to the complainants from the first request for access. It rules in its judgment
After all, the CJEU states that the right of access of data subjects is indispensable to enable them to
202
to exercise other rights granted by the GDPR. This explanation proves
also from the EDPB's Right of Access Guidelines 20, as well as in the
guidelines on transparency, adopted by the Data Protection Working Party in 2017 Article
29 were approved and revised on April 11, 2018 204, well before the
defendant received the access requests.
It is therefore established that the right of access provided for in Article 15 GDPR
contrary to the right to information under Articles 13 and 14 GDPR, yes
requires the controller to provide specific information about the
processed personal data, with a sufficient degree of accuracy to ensure the
to enable the data subject to acquire “informational self-determination” 205and to,
where appropriate, to assess the compliance of the practice with the GDPR. It
sufficiently transparent and accurate nature of the information provided in the context of a
right of access is communicated also contributes to data subjects exercising their rights
can more easily exercise this under the GDPR in accordance with Article 12.2 GDPR.
By specifically indicating who the recipients are of the personal data held on them
data subjects can then exercise their rights directly
receivers.
Contrary to what the defendant stated in his response to the official report
hearing, so there is no retroactive effect of the judgment of 12 January
2023 of the CJEU, since that judgment merely provides interpretation of an obligation that
arises directly from Article 15.1.c) GDPR, which was already applicable beforehand.
20CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3), edge nos. 39, 43 and 48.
202
CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3), edge no. 38.
20EDPB – Guidelines 01/2022 on Data Subject Rights – Right of Access (v2.0, 28 March 2023), edge nos. 116-117.
204
Data Protection Working Party Article 29 – Guidelines on transparency in accordance with Regulation (EU) 2016/679
(WP260, rev. 01, April 11, 2018), pp. 43-44: “The (names of the) actual recipients of the personal data, or categories
personal data must be provided in accordance with the principle of propriety
controllers provide information about the recipients that is most meaningful to the data subjects
is. In practice, these will usually be named recipients, so that those involved know exactly who they are
has personal data.”
205
See Decision on the merits 15/2021 of February 9, 2021, edge no. 165 (available on the GBA website). Decision on the merits 07/2024 - 76/114
In view of the foregoing, the Disputes Chamber decides that the defendant has committed an infringement
committed on Article 15.1.c) GDPR, by not providing all available information about the specific
recipients of the complainants' personal data.
II.6. Use of cookies on the defendant's websites (Article 4.11), Article
5.1.a) and 5.2, Article 6.1.a), as well as Article 7.1 and 7.3 GDPR)
II.6.1. Position of the Inspection Service
180. The Inspection Service has established that the information provided by the defendant about the use
of cookies provided to website visitors, in the cookie window at the bottom of the
home page of the website https://bisnodeandyou.be, is only available in English.
In addition, the two options on the home page of the website are not available
a similar way is suggested, and the cookie window disappears after clicking on the
language button at the top right of the website homepage. Finally, the defendant provides
no explanation to website visitors about how they can withdraw their given consent.
181. With regard to the website https://www.permesso.besteltde Inspectiedienstvastdatde
information about the use of cookies is available in both Dutch and French
and makes it clear that in addition to essential cookies, other cookies are also placed.
In addition, the two options on the home page of the website are not available
an equivalent way is proposed, and the Dutch version of it disappears
cookie window after clicking the language button. Finally, the defendant provides no explanation
to website visitors about how they can subsequently withdraw their given consent.
182. Based on the previous findings, the Inspection Service concludes that the defendant
does not obtain legally valid consent within the meaning of Article 4.11) GDPR, and therefore also
cannot demonstrate that those involved have given valid consent for the
placement of cookies on their devices.
II.6.2. Position of the defendant
183. The defendant acknowledges that there were certain shortcomings in its previous cookie policy,
but emphasizes that following the publication of the guidelines on the GBA website, in
2020, it was decided to conduct an analysis of the existing cookie practice of the
defendant in order to identify and remedy shortcomings. Due to the
However, this has faded into the background after several takeovers, according to the defendant, and
it was ultimately decided by BLACK T IGERBELGIUM to only use
strictly necessary cookies. Decision on the merits 07/2024 - 77/114
II.6.3. Judgment of the Disputes Chamber
184. The Disputes Chamber is solely based on the screenshots of
https://bisnodeandyou.be/ resp. https://www.permesso.be/ unable to reach the
to determine a violation of the regulations regarding the placement of cookies.
After all, with regard to the first website, it can only be deduced that the website is a
places a consent cookie (“OptanonConsent”), linked to the domain
bisnodeandyou.be, with an expiry period of one year. Therefore, the Disputes Chamber can
not decide that this cookie supports an unnecessary function. With respect to
the second website also cannot be deduced that the defendant uses unnecessary cookies
would post without the prior consent of those involved. The only cookies
that the Inspection Service has established are in addition to those already mentioned
Optanon also consents to two session cookies (PHPSESSID and wml_browser_redirect_test). This
are both functional cookies, linked to the permesso.be website. Furthermore, he stated
After its own research, GK has determined that the website https://bisnodeandyou.be/ is no longer
accessible, and the website https://www.permesso.be/ has not been accessible since at least July 25, 2021
in use longer.
Consequently, the Disputes Chamber decides to uphold the findings of the Inspection Service
are related to the placement of cookies on the two aforementioned websites
defendant, cannot be restrained.
II.7. Accountability of the defendant (Article 5.2, Article 24.1, as well as
articles 25.1 and 25.2 GDPR)
II.7.1. Position of the Inspection Service
185. In his answer to the Inspection Service's questions, the defendant refers to various
data protection initiatives and documents. The Inspection Service emphasizes
however, that the defendant has committed, among other things, a violation of Article 5.2, Article 24.1
and Article 25.1 GDPR, as well as with regard to certain articles of the GDPR on the
rights of the data subject. The uncompleted and unsigned model agreements
to which the defendant refers in his answers 206, according to the Inspection Service
does not indicate that these templates are used effectively and systematically. In addition
207
it does not appear from the documents provided by the defendant that they are effective
approved by the highest level of management of the defendant, nor that the
20 Pieces 10 to 12 transferred by the defendant to the Inspection Service.
20 Pieces 1 to 38 transferred by the defendant to the Inspection Service. Decision on the merits 07/2024 - 78/114
compliance with the rules and guidelines stated therein is effectively monitored and that
infringements are effectively sanctioned.
II.7.2. Position of the defendant
186. The defendant argues that the findings by the Inspection Service with regard to the
data protection documents are unfounded. Thedefendant
argues that during the investigation by the Inspectorate he always provided complete, precise,
has provided detailed and completely transparent information to all questions asked,
and points out that the shortcomings found are in any case minor and of no consequence
appear to be. Furthermore, the defendant regrets that there is no information in the inspection report
the more global implementation of the GDPR was taken into account by the
defendant to comply with its obligations under the regulation. The fact that he
has model agreements and standard documents, according to the
defendant just indicates that he has a reasonable level of internal compliance and preparedness
implemented in the event of the exercise of their rights by data subjects, or
of an investigation or audit by the GBA. The defendant also states that he
is in no way “obligated to prove that these templates are actually used,
especially since the Inspection Service does not mention any specific cases in which they have not been used
the defendant also demonstrates that he does indeed use standard answers to
respond to data subject access requests”.
187. The defendant then refutes the Inspection Service's findings
effective and systematic use of model agreements, approval
of policy documents by the highest levels of management, as well as the lack of
proof of the implementation of the control and sanction measures provided for in the event of
breaches of internal procedures. The defendant states that there is none
there is a legal obligation to prepare a report for each meeting of the
board of directors, in which the precise decisions are determined. He also refers
to the contradictory statements of the Inspection Service, which on the one hand accuses that
standard letters are used, and on the other hand the defendant does not accuse any
to use the standard documents submitted. The defendant believes that he
nor is it obligatory to prove that the templates transferred are actually used
be, especially because the Inspection Service does not mention any concrete cases in which the
templates would not have been used.
188. Furthermore, the defendant refers to the fact that BLACK TIGER BELGIUM in no way
was involved in the course of the events that the complainants accuse, and himself
moreover, very quickly reported to the GBA to make its position known.
In addition, the defendant emphasizes once again that the CMX database has now been decided on the merits 07/2024 - 79/114
is removed and the activities of Data Delivery continue three months after the takeover
BLACK TIGER have been terminated, and therefore asks the Disputes Chamber to carefully review this
to choose an appropriate sanction. In short, the defendant requests the Disputes Chamber for privilege
to declare that no sanction is necessary, as the defendant has committed the disputed
has permanently terminated processing on his own initiative. The defendant clarifies
that BLACK TIGERBELGIUM has exclusively since discontinuing the Data Delivery activities
still acts as a processor in the context of the Data Quality services to customers.
However, this does not prevent B LACK TIGER B ELGIUM from providing appropriate technical and
take organizational measures and maintain necessary documentation, such as
incidentally, it was transferred to the Inspectorate during the investigation. In addition, the
defendant to the letter from the CEO of LACK TIGER BELGIUM addressed to the GBA,
in which the changed strategy as well as the decision to switch to a pure one
Data Quality services were explained, but remained unanswered by the
Inspection service.
II.7.3. Judgment of the Disputes Chamber
189. The Disputes Chamber rules that there can be no doubts:LACK TIGERBELGIUM
must be held responsible for the processing activities that took place
before the takeover of B ISNODE BELGIUM by BLACK TIGER GROUP and subsequent ones
name change. This responsibility, which is separate from the involvement of the
'new' company in the controversial processing activity, is a direct result
the transition from BISNODE B ELGIUM to B LACK TIGER B ELGIUM, where the
decision-making power over the means and purposes of the processing of
personal data was taken over without further ado. Adopting the opposite would be the case
imply vacuum with regard to responsibility over transferred
personal data, to the detriment of the protection of fundamental rights and
freedoms of those involved, especially when the 'acquirer' takes over the
processing activities for a certain period after the acquisition.
In addition, the Disputes Chamber emphasizes that the company numbers of B ISNODE
BELGIUM resp. LACK TIGERBELGIUM are identical.
190. Article 5.2 and Article 24 GDPR impose general accountability obligations and
compliance requirements for data controllers. Article 5.2 GDPR states the
controller liable for compliance with the general principles
regarding their processing of personal data. Pursuant to Article 24 GDPR
controllers in particular, taking into account the nature, size,
the context and purpose of the processing, appropriate technical and organizational Decision on the merits 07/2024 - 80/114
to take measures to ensure and be able to guarantee the right to data protection
demonstrate that the processing is carried out in accordance with the GDPR.
191. In the present case, the Disputes Chamber has now ruled that the defendant
could not demonstrate that the disputed data processing complied with the provisions of the GDPR
appropriate methods of compliance. The Disputes Chamber has determined that the defendant is unjustified
relies on Article 6.1.f) GDPR as the basis for the CMX and Spectron databases
in which the personal data of the complainants are also processed. The defendant hereby has
has not properly weighed its own interests against those of its customers,
on the one hand, the interests as well as the fundamental rights and freedoms of those involved,
on the other hand208. Furthermore, the defendant unlawfully disregards his obligation to provide information
regarding the data subjects, to the data sources as well as to its customers,
as a result of which those involved are not informed in a timely manner of the processing of their data
personal data in the context of the commercial services offered by the
defendant 209. With regard to the handling of requests by those involved, the
Disputes Chamber also concluded that the chosen course of action, and with
in particular sending responses to requests for access by post, although the
requests can be submitted electronically is not in accordance with the regulations
210
of Article 15 GDPR. In addition, the Disputes Chamber notes that a number of submitted
policy documents have not been updated since their last change in 2018, although
a series of points an active follow-up of the controller's requirements
Disputes Chamber refers in particular to the established storage period of 15 years,
for which the controller indicated that he still needed a justification
to document. This finding is also supported by the statement “See
Data Retention Policy (under review)” in the register of processing activities
transferred to the Inspection Service by the defendant 21.
Accordingly, the Disputes Chamber considers the infringement of Article 5, Article 24.1, as well as Article
25.1 and 25.2 GDPR proven, with regard to the inability to guarantee nor
demonstrate that the processing takes place in accordance with the principles governing
data protection laid down in Article 5.1 GDPR and with due respect for the
fundamental rights and freedoms of those involved, as laid down in, among others
Articles 12, 14 and 15 GDPR.
20See marginal nos. 134 to 141 in this decision.
20See marginal nos. 151 to 162 in this decision.
210
See edge nos. 170 up to and including 173 in this decision.
21Article 1 (“DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso”) as transferred by the defendant to the
Inspection service in the context of the investigation, p. 15 in fine.
212
Loosely translated: “See Data storage policy (currently being revised)” in Piece 30(“BisnodeBelgium - Copy of Record
of Processing”) as transferred by the defendant to the Inspection Service in the context of the investigation. Decision on the merits 07/2024 - 81/114
192. The Disputes Chamber, on the other hand, decides to uphold the other findings of the
Inspection service regarding the handing over of uncompleted and unsigned documents
model agreements, as well as the lack of control and sanction measures in one
number of documents, as well as formal approval by top management
level of the defendant, should not be taken into consideration. The Inspection Service makes
insufficiently plausible that the defendant actually committed an infringement in this regard
has committed the provisions of the GDPR related to the
accountability of the controller. Finally, these frame
findings not within the scope of the initial complaint.
II.8. Register of processing activities (Article 30.1, 30.2, and 30.3GDPR)
II.8.1. Position of the Inspection Service
193. The defendant considers itself a processor for various processing activities
included in its register of processing activities. However, the Inspection Service states:
determines that this register does not meet the minimum requirements as the description of the
categories of data subjects and categories of personal data is incomplete,
the retention periods of the personal data are not stated, a general one
description of the technical and organizational security measures (“TOMs”)
is missing, and finally the name and contact details of each
controller on behalf of whom the defendant acts as processor
are not listed in the register.
II.8.2. Position of the defendant
194. The defendant states that Article 30.1.c) GDPR does not oblige him in any way to inform the data subjects
identified form in its register of processing activities. According to the
defendant, it is sufficient to appoint the persons concerned as consumers,
customers (clients), employees (staff), etc. Furthermore, Article 30.1.c) GDPR merely obliges
provide a description of the categories of personal data processed. The
The defendant believes that this is satisfied by, among other things, listing the following categories
in the data register: identification data (contact data), social demographic and
lifestyle data (socio-demo andlifestyle data) and family typology. The
The defendant also disputes that he violated Article 30 of the GDPR because of it
merely refer to internal policy documents stating the intended retention periods
as well as a description of the technical and organizational measures
are. The defendant believes that the register of processing activities mainly
is intended for internal use as a supporting document, and must be in accordance with Decision on the merits 07/2024 - 82/114
agree with the operational reality of the controller. Finally
the defendant that his activities as a processor are included in the internal register of
processing activities are included, but are only accessible “for certain
persons”. Since the Inspection Service did not request it, the defendant
this information, which is available, is not provided.
II.8.3. Judgment of the Disputes Chamber
195. The Disputes Chamber notes that the submitted register of processing activities
limited to mentioning the categories of data subjects, without these categories
nearing definition. Article 30.1.c)GDPR expressly requires that the register “a
description of the categories of data subjects and of the categories of
personal data” (own underlining). Since the requirement to obtain the relevant
categories to actually describe, also in the English and French translation of the
AVG is present 21, so according to the Disputes Chamber there can be no doubt about the
scope of this provision. As mentioned earlier in this decision, the differences differ
descriptions of the categories of personal data processed by the defendant
depending on the policy document referred to 21. However, it is extreme
It is important that each controller clearly defines for himself which
personal data are processed exactly under his supervision, and this too
documents in the register of processing activities, as required under the
215
accountability(article5.2juncto24GDPR) . An appropriate granularity internally
register of processing activities is all the more important because the information that
controllers under Articles 13 and 14 GDPR must provide to
data subjects are limited to the categories of personal data concerned. As soon as
However, a data subject exercises his right of access
controller in accordance with the guidelines of the EDPB, nevertheless
to communicate a complete picture of the processed personal data to the requester, with
including the precise personal data concerning him or her that the
216
controller actually processes. Accordingly, the
Dispute Chamber the infringement of Article 30.1.c) GDPR by the defendant as proven.
196. With regard to the reference to external policy documents containing the retention periods
as well as the technical and organizational measures are described, the
Dispute Chamber, in contrast to the Inspection Service, which does not provide such information
21“(c) a description of the categories of data subjects and of the categories of personal data;” and “c) une description des
categories of persons concerned and the categories of données à caractère personnel;'
21See edge no. 107 in this decision.
215
Decision on the merits 15/2020 of April 15, 2020, edge no. 142 (available on the GBA website).
21EDPB – Guidelines 01/2022 on Data Subject Rights – Right of Access (v2.0, 28 March 2023), edge no. 115. Decision on the merits 07/2024 - 83/114
must be systematically included in the register of processing activities
the different wording of Article 30.1.f) and 30.1.g) GDPR. As long as the register is up
refers appropriately to the policy documents containing the aforementioned information
can be easily verified, according to the Disputes Chamber there is no such thing
infringement of Article 30.1 GDPR.
197. In his conclusions, the defendant takes the position that the Inspection Service
could have received a register of processing activities as a processor
if he had requested this. From further investigation of the relevant register, the
Disputes Chamber, however, notes that it is possible to conduct activities as a processor ("processor")
filter under the column “Controller or processor?”. The Disputes Chamber decides accordingly
that the defendant uses one central processing register, in which the
data processing as controller as well as the processing that the
defendant is responsible for processing on behalf of another person,
are documented.
198. However, the Disputes Chamber notes that the processing activities that belong to the second
category, do not indicate “a) the name and contact details […] of
any controller on whose behalf the processor acts, and, in
where applicable, from the representative of the controller […] and
of the data protection officer;' The infringement of Article 30.2.a) GDPR is
so fixed.
199. Finally, the Disputes Chamber rules that no infringement of Article 30.3 GDPR can be
retained, solely due to the determination that the register of processing activities
does not contain all mandatory information.
II.9. Involvement of the DPO (Article 38.1 and Article 39.1GDPR)
II.9.1. Position of the Inspection Service
200. Although the role of the DPO is clearly defined and supported in the
performance of its duties, the Inspection Service determines that the defendant does not provide any information
and/or advice from the DPO on (a) transparent information to data subjects and (b) the
has provided a register of processing activities to the Inspection Service, and the
defendant therefore does not recognize the involvement of the DPO in the aforementioned subjects
has shown. Most of the documents the defendant cites to prove the
activities of his DPO do not show how and when the DPO
concrete intervention has been made, or what concrete measures the defendant may have taken
has taken in response to advice from his DPO. Decision on the merits 07/2024 - 84/114
II.9.2. Position of the defendant
201. The defendant declares that compliance with Articles 38.1 and 39.1 GDPR is
demonstrated by the evidence of the commitment and key role played by DPOs since 2018
to play. This includes maintaining GEBs for each of the databases, creating them
website of www.bisnodeetvous.be as well as the creation of a process for
requests from data subjects to exercise their rights, the revision of the
technical and organizational measures and finally the rollout of the GEB process.
More generally, it describes the role of the DPO, its duties and its importance within the company
demonstrated by the production of two essential documents from the B ISNODE GROUP , which
the then B ISNODE BELGIUM mutatis mutandis took over after their departure from the
group. The defendant refutes the Inspection Service's finding that he
would not have shown that the DPO was indeed, together with other legal
advisors within the company, were involved in recording the data to those involved
provide information, as well as in the preparation of the register. According to the defendant
After all, it is sufficiently clear from the documents sent that the DPO at all levels
was, and is, involved in the projects, decisions as well as the daily operations regarding it
the processing of personal data. The fact that specific documents do not meet the
Inspection service has been provided, according to the defendant, does not prove that the DPO was not present
has been involved. The defendant refers in this regard to the lack of questions
addressed to the defendant in this regard during the investigation. In addition, the
defendant points out that the GDPR nowhere prescribes how a
controller can or must demonstrate the involvement of the DPO. The
indication of the different functions involved in a project or to a
document have contributed, is not only usual, but according to the defendant
at least a beginning of evidence, or a reasonable indication of the involvement of
the aforementioned functions.
II.9.3. Judgment of the Disputes Chamber
202. The Disputes Chamber understands from the documents submitted and the arguments put forward
by the defendant that B ISNODEB ELGIUM already before the entry into force of the GDPR
has started an extensive implementation process217, as well as that the then DPO and his
substitute were involved in drafting related policy documents
with the processing of personal data by the controller.
In addition, the Disputes Chamber notes that the Inspection Service in the context of
21Document 32 as submitted by the defendant to the Inspection Service in the context of the investigation. Decision on the merits 07/2024 - 85/114
investigation did not ask the defendant any additional questions, in order to
obtain evidence of the DPO's involvement in concrete projects.
The Disputes Chamber therefore does not have sufficient elements to substantiate this
the violation of Articles 38.1 and 39.1 GDPR retained by the Inspection Service. Consequently
the Disputes Chamber can investigate the violations of the
GDPR regarding the involvement of the DPO.
II.10. Additional considerations regarding the inspection report
203. The inspection report lists three circumstances that concern the Inspection Service
would play a role in assessing the seriousness of the alleged infringements.
i. the defendant processes personal data systematically and on a large scale as
core activity;
ii. the nature of the infringements found is serious, and the defendant makes his
promises not true;
iii. the register of processing activities is incomplete and unclear.
204. The defendant believes that these circumstances are wrongly put forward.
Firstly, the defendant cannot be blamed for large-scale
processes personal data, as long as he complies with the rules on the protection of
personal data. In addition, the defendant emphasizes that the size and
scope of the processing and not further qualified or characterized in it
report from the Inspection Service, which is limited to establishing that the defendant is
profiles itself as a specialist in direct marketing.
The Disputes Chamber, on the other hand, rules that the determination of a large-scale
data processing should not be regarded solely as an aggravating circumstance
be taken, but certainly as part of the balancing test between the
fundamental rights and freedoms of those involved, on the one hand, and the submitted
interests of the defendant and its customers, on the other.
205. Secondly, the defendant argues that the investigation report identifies the infringements as such
would confuse with the aggravating circumstances of the same infringements. So would the
Inspection Service have not presented any concrete circumstances, apart from the
alleged infringement itself, on the basis of which the seriousness of the infringement could be assessed
become. With regard to the privacy statements on the website, the defendant disputes the
allegations, which are not even proven, that the defendant has the confidence of
deliberately wanted to mislead those involved. Decision on the merits 07/2024 - 86/114
The Disputes Chamber has already ruled in the present decision that there is sufficient
there are indications that the defendant consciously opted out of the information obligation
with regard to the data subjects, mainly with its partners (who process the personal data
supply) and its customers (who receive the personal data). The
The Disputes Chamber has also come to the decision that such a course of action is not acceptable
comply with the requirements of Article 14 GDPR 218.
206. Thirdly, according to the defendant, it cannot reasonably be disputed that he is robust and
has put in place adequate internal procedures, policies and rules to
to protect personal data, nor whether the defendant has attempted in good faith
to comply with the GDPR in both its spirit and its letter. The defendant refers to his
choice to discontinue Data Delivery activities on its own initiative — which choice
had not yet been published at the time the inspection report was issued —
as well as to limit its current activities to data analysis and services that do not
role as a data broker. This reorientation would, according to the defendant, be a
must play a decisive role in assessing the seriousness of the alleged infringements
as well as the good faith of the defendant.
The Disputes Chamber will consider the fact that the defendant decided after the takeover to
number of services to be discontinued, to be taken into account in the context of the
the following determination of sanctions and corrective measures.
207. Fourth, the defendant claims that he, even without knowledge of the investigation reports
made several attempts before it was released on May 20, 2021
to contact the Inspector General and the then chairman of the
GBA, in order to inform them of this important adjustment to the
business activities, and to enter into a constructive dialogue with him such as the
defendant had also done the same with the CNIL in France. The defendant believes that he
However, it was not possible to obtain a meeting with the GBA.
In this regard, the Dispute Chamber reminds that a party during an ongoing
investigation cannot in principle demand to be heard, given the specific nature of the investigation
219
powers granted to the Inspection Service. The Marktenhof has in its own right
judgment of March 1, 2023 also ruled that the GBA is the supervisory authority
pursuant to Article 52 GDPR is completely independent in the performance of the tasks and
220
powers assigned to it in accordance with the GDPR.
21See edge no. 166 in this decision
219 See point 4.1.e of the Charter of the Inspection Service available on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/charter-van-de-onderzoekdienst.pdf.
22Court of Appeal Brussels (Markten Court section), X t. GBA, Judgment 2022/AR/1085 of March 1, 2023, p 7. Decision on the merits 07/2024 - 87/114
III.Sanctions and corrective measures
III.1. Established infringements
208. The Disputes Chamber is of the opinion that the present case is serious
violations of the fundamental rights of those involved. The Disputes Chamber will judge
furthermore, that these violations must be classified separately
conduct 22. More specifically, the Disputes Chamber finds violations of the following
provisions of the GDPR, relating to three different ones, set out below
conduct of the controller:
i. Infringement of Article 5 GDPR; Article 6 GDPR; Article 12 GDPR; Article 14 GDPR; article 24
GDPR and Article 25 GDPR — The Disputes Chamber rules that the defendant op
indirectly, on a large scale and for a period of at least 15 years
collected personal data of data subjects, without providing a
individual information to those involved by the defendant
nevertheless had contact details for both Data Delivery and Data
Quality services.
The processing involved or are going to be with these services
after all, contrary to Article 5.1 GDPR, and more specifically the principle of
legality, propriety and transparency (5.1.a) GDPR), the principle of
minimum data processing (5.1.c) GDPR) and the principle of storage limitation
(5.1.e) GDPR). By opting for an indirect one due to serious negligence
provision of information to those involved, either 'upstream' by the
data sources of the defendant, either 'downstream' by the customers of
the defendant when meeting the persons involved for the first time
communicate, the defendant also violates his obligation to provide information, such as
laid down in Articles 14.1 and 14.2 GDPR, read in conjunction with Article 12.1 GDPR.
For the processing of personal data without proactive
the defendant is therefore unable to provide information to those involved
legitimately rely on its legitimate interests or those of its customers
(6.1.f) GDPR), as these interests do not outweigh the interests
and fundamental rights of data subjects, and the
data processing activities that support these interests are not
fall within the reasonable expectations of those involved. Also has the
defendant violated Article 25 GDPR due to the lack of appropriate
technical and organizational measures to ensure compliance with the
221
“Conducts” in the EDPB –Guidelines 04/2022 on the calculation of administrative fines under theGDPR (v2.0, May 24, 2023). Decision on the merits 07/2024 - 88/114
data protection principles, and in particular the principles of minimum
data processing and storage limitation, in an effective manner
guarantees. Finally, because the defendant does not provide sufficient evidence — such as
however required under the accountability obligations imposed on each
controller rests — that the processing of data
of those involved in the context of the aforementioned services
in accordance with data protection principles and with
respect for the fundamental rights and freedoms of those involved
the defendant also committed an infringement of Article 5.2 GDPR, read in
connection with Article 24.1 GDPR.
ii. Infringement of Article 12 GDPR as well as Article 15 GDPR — The Disputes Chamber decides
that the defendant improperly processed the complainants' requests for access
has handled, in violation of the obligation to protect the rights of data subjects
facilitating and the requirement to provide full access and information to those involved
regarding the processing of their personal data.
The defendant has opted for his written answers
to the complainants' requests for access by post instead of in a conventional manner
electronic form, which constitutes a violation of Article 12.1 and
12.2 GDPR as well as Article 12.3 in conjunction with 15.3 GDPR. In addition, the defendant has
failed to identify the source of the statistical information regarding the complainants
mention in the answers to their requests for access, with the result that the
defendant has also violated Article 15.1.g) GDPR. Finally, it is certain that the
defendant has committed an infringement of article due to serious negligence
15.1.c) GDPR, read in light of the guidelines of the Article 29 Working Group
and the EDPB as well as the case law of the Court of Justice in its judgment C-154/21,
by only communicating the categories of recipients in the reply to
the complainants, although the respondent was able to identify the specific recipients
222
identify .
iii. Infringement of Article 30GDPR—The defendant has finally failed to do so
indication of the categories of data subjects and of those processed
personal data also include a description of these categories
register of processing activities, as prescribed in Article
30.1.c)GDPR.The defendant has also violated Article 30.2.a)GDPR by
to be included in the centralized processing register, in which the
processing activities as a controller as well as in the
capacity of processor is documented, the identity of
222
CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3). Decision on the merits 07/2024 - 89/114
data controllers for whom the defendant is considered
processor acts.
209. Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to:
“1° to dismiss a complaint;
2° to order the dismissal of prosecution;
3° order a suspension of the ruling;
4° to propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° to order that the person concerned is informed of the security problem;
8° order that processing be temporarily or permanently frozen, restricted or prohibited;
9° to order that the processing be brought into compliance;
10° the rectification, restriction or deletion of data and its notification to the
to order recipients of the data;
11° order the withdrawal of the recognition of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° the suspension of cross-border data flows to another State or a
international institution;
15° to transfer the file to the public prosecutor's office in Brussels, who will file it in
informs you of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the
Data Protection Authority.”
III.2. Measures imposed by the Disputes Chamber
III.2.1. Corrective measures to bring the processing into compliance with
the GDPR
210. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 8° and 9° WOG, the
Disputes Chamber issues an order to the defendant for the violation of Article 5.1 GDPR,
Article 6.1 GDPR, Article 12.1 GDPR, as well as Articles 14.1 and 14.2 GDPR, in the context of B2B
Data Quality services to be terminated and kept terminated until processing commences
is brought into line with the GDPR.
The defendant can comply with this by processing personal data in the
Spectron database, before the persons involved from whom the defendant has access
has contact details to proactively and individually inform you of the processing Decision on the merits 07/2024 - 90/114
of their personal data by the defendant. The defendant must also:
those involved for a period of 3 months from the provision of information
to provide the opportunity to object to the objection in a simple and effective manner
processing their personal data before resuming processing.
As for the other categories of data subjects of which the defendant does not
contact details in its possession, the Disputes Chamber will decide to suspend the processing of their
to permanently ban personal data, in the absence of a lawful right
processing ground.
Considering the fact that the defendant already had the CMX (incl. Permesso) database on July 30, 2021
destroyed, the B2C Data Quality services are therefore no longer available since that date
is offered, and the B2C Data Delivery service since October 30, 2021
223
has been completely stopped, the Disputes Chamber does not consider it necessary in the present case
to order the defendant to stop data processing in connection with the
to bring the aforementioned services into compliance with the GDPR 224.
211. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1.9° WOG, the Disputes Chamber lays down the
orders the defendant to commit the violation of articles 5.1 and 5.2 GDPR, article
24.1 GDPR, as well as Articles 25.1 and 25.2 GDPR, by appropriate technical and
to take organizational measures to ensure that the retention period of the data
— which the defendant may only process further on the condition that the previous
order has been complied with — is proportionate to the purposes of the processing, and
so that the defendant, in the context of its current Data Quality services, only
maintains the most up-to-date data of data subjects, as required by the principle
of minimal data processing.
In addition, the Disputes Chamber orders the defendant to submit the current documentation
in connection with the processing of data and compliance with the GDPR
or adapt it to take account of actual circumstances
in which the defendant processes personal data and thus accountability
which rests with the defendant.
212. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1.9° WOG, the Disputes Chamber lays down the
orders the defendant to comply with the violation of Articles 30.1 and 30.2 GDPR
remedy by supplementing the register of processing activities with a clear
description of the categories of personal data and data subjects, as well as by
all controllers for whom the defendant acts as processor
intends to act, to be mentioned by name.
22Response from the defendant to the sanction form dated November 24, 2023, p. 3, (ii), (iii) and (iv) a.
22Response from the defendant to the sanction form dated November 24, 2023, p. 3, (iv) d. Decision on the merits 07/2024 - 91/114
213. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the Disputes Chamber lays
the order to the defendant within a period of three months after notification
of the decision the proof of the achievement of the aforementioned compliance measures
to be submitted to the Disputes Chamber.
III.2.2. Administrative fines
214. In addition to the corrective measure to bring the processing into compliance with
Articles 5, 6, 12, 14, 15, 24, 25 and 30 GDPR, the Disputes Chamber also decides to impose
of administrative fines that do not serve to correct a violation
end, but are imposed with a view to vigorous enforcement of the
rules of the GDPR. As is clear from recital 148 GDPR 22, the GDPR states
first and foremost that in the case of every serious infringement - including the first detection of an infringement -
penalties, including administrative fines, in addition to or instead of appropriate ones
measures are imposed. In the same sense, the CJEU recently confirmed 226that
“the principles, prohibitions and obligations set out in the GDPR are specifically addressed
are among the 'controllers' who - as stated in Recital 74 of the GDPR
emphasized — be responsible for any processing carried out by them or on their behalf
of personal data and therefore not only appropriate and effective measures
must take, but must also be able to demonstrate that their processing activities
comply with the GDPR, which means, among other things, that the
measures are effective to ensure that compliance. When an in
Article 83, paragraphs 4 to 6, of this Regulation, the infringement referred to has been committed, this constitutes
responsibility is the basis for an administrative decision in accordance with Article 83
impose a fine on the controller”.
215. As regards the administrative fine that may be imposed under Article 83 of
the GDPR and Articles 100, 13° and 101 WOG, Article 83.1 and 83.2 GDPR stipulates:
“1. Each supervisory authority shall ensure that the administrative fines imposed
imposed under this article for the infringements referred to in paragraphs 4, 5 and 6
this Regulation shall be effective, proportionate and dissuasive in each case.
225Recital 148 GDPR states: “In order to ensure stronger enforcement of the rules of this Regulation,
penalties, including administrative fines, to be imposed for any infringement of the Regulation, in addition to or in
instead of appropriate measures imposed by the supervisory authorities under this Regulation.
If it concerns a minor infringement or if the expected fine would impose a disproportionate burden on one
natural person, a reprimand can be chosen instead of a fine. However, this must be taken into account
taken into account the nature, seriousness and duration of the infringement, the intentional nature of the infringement, with
damage mitigation measures, with the degree of responsibility, or with previous relevant infringements, with the manner
upon which the infringer has come to the notice of the supervisory authority, with compliance with the measures taken
taken against the controller or the processor, with the connection with a code of conduct and other others
aggravating or mitigating factors. The imposition of penalties, including administrative fines, must
are subject to appropriate procedural guarantees in accordance with the general principles of Union law and
Charter, including effective judicial remedy and fair administration of justice” (own underlining).
226
CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), edge no. 38. Decision on the merits 07/2024 - 92/114
2. Administrative fines will be imposed, depending on the circumstances of the specific case
case, imposed in addition to or instead of those referred to in Article 58(2)(a) to (h) and (j)
measures referred to. When deciding whether to impose an administrative fine
imposed and the amount thereof will be duly taken into account in each specific case
taking into account the following:
a) the nature, severity and duration of the infringement, taking into account its nature, extent or
the purpose of the processing in question as well as the number of data subjects affected and the
extent of the damage they suffered;
b) the intentional or negligent nature of the infringement;
(c) the measures taken by the controller or processor to ensure the
limit damage suffered by those involved;
d) the extent to which the controller or processor is responsible
given the technical and organizational measures he has implemented
in accordance with Articles 25 and 32;
e) previous relevant infringements by the controller or processor;
f) the extent of cooperation with the supervisory authority to resolve the infringement
remedy and limit the possible negative consequences thereof;
g) the categories of personal data affected by the breach;
h)the manner in which the supervisory authority became aware of the infringement, with
name whether, and if so to what extent, the controller or processor committed the infringement
has reported;
(i) compliance with the measures referred to in Article 58(2), to the extent that they have been implemented earlier
with regard to the controller or processor in question with regard to
the same matter have been taken;
j) adherence to approved codes of conduct in accordance with Article 40 or of
approved certification mechanisms in accordance with Article 42; and
k) any other aggravating or
mitigating factor, such as financial gains made, or losses avoided, whether or not
arise directly from the infringement”
216. The Disputes Chamber points to the guidelines regarding the calculation of administrative costs
fines 227which the EDPB adopted on May 24, 2023 after a public consultation, and
that the Disputes Chamber takes into account when determining the fine amounts
the case at hand.
217. It is important to place the defendant's shortcomings in context in order to determine the
to determine the most appropriate sanction. The Disputes Chamber will take this into account
227EDPB — Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, May 24, 2023). Decision on the merits 07/2024 - 93/114
with all relevant circumstances of the case, including - within the limits they
indicates below — of the defendant's response to the proposed sanctions imposed on him
were communicated by means of the sanction form 22.
218. The Disputes Chamber would also like to point out that it is its sovereign responsibility as
is an independent administrative authority — subject to the relevant Articles
of the GDPR and the WOG — to determine the appropriate corrective measure(s) and sanction(s).
set. This follows from Article 83 of the GDPR itself, but the Market Court has also stated this
case law establishes the existence of a broad discretionary power of the Disputes Chamber
emphasizes regarding the choice of the sanction and its scope, including its
229
judgments of July 7, 2021, September 6, 2023 respectively. December 20, 2023 .
219. Below, the Disputes Chamber shows that the main infringements committed by the defendant
committed violations that are by no means minor. The fact that it is a first
determination of an infringement of the GDPR committed by the defendant, does so
in no way prejudices the possibility for the Disputes Chamber to resolve a
to impose an administrative fine in application of Article 58.2.i) GDPR. The instrument
of an administrative fine is by no means solely intended to end infringements;
GDPR and the WOG provide for a number of corrective measures, including:
orders referred to in article 100, § 1, 8° and 9° WOG.
220. In the following marginal numbers, the Disputes Chamber motivates the imposition of a
administrative fine in concrete terms, for each of the three distinguished above
conduct of the defendant, taking into account Article 83 GDPR and case law
vanhet Marktenhof 230, as well as with the criteria laid down in the guidelines of the
EDPB on the calculation of administrative fines 23.
III.2.2.1. Annual turnover of the controller
221. For the purpose of imposing fines that are effective, proportionate and dissuasive
the supervisory authorities should change the definition of the term “undertaking”.
as established by the Court of Justice of the European Union for the
application of Articles 101 and 102 TFEU, namely that the concept of undertaking becomes
understood as an economic entity created by the parent company and all involved
subsidiaries can be formed. In accordance with EU law and the
case law, an undertaking must therefore be seen as an economic entity
228
Sanction form dated October 31, 2023; Response from the defendant to the sanction form dated November 24, 2023.
22Court of Appeal Brussels (Markten Court section), Xt. GBA, Judgment 2021/AR/320 of 7 July 2021, p.37-47; Court of Appeal Brussels
(section Marktenhof),
Marktenhof), X t. GBA, Judgment 2023/AR/817 (2023/8986) of 20 December 2023, edge nos. 61 et seq.
230
Brussels Court of Appeal (Markten Court section), X t. GBA, Judgment 2020/1471 of February 19, 2020.
23EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023). Decision on the merits 07/2024 - 94/114
that carries out commercial/economic activities, regardless of its legal form 23.
After all, according to the case law of the ECJ, there is a rebuttable presumption that this is the case
parent company actually exercises decisive influence on the behavior of a
subsidiary of which it holds 100% of the capital 23.
222. Furthermore, Articles 83.4 and 83.6 GDPR prescribe that the total worldwide annual turnover of the
previous fiscal year must be used for the calculation of administrative
fine, partly to prevent the fine from having a disproportionately heavy impact
on the defendant. In this regard, the term “prior” is in accordance with
the case law of the CJEU in competition law must be interpreted,
so that the relevant event for the calculation is the fine decision of the
234
supervisory authority, and not the time of the sanctioned violation.
223. When the Disputes Chamber relies on the powers it has under Article
58.2 GDPR, decides to indict the defendant - who is currently part of B LACK TIGER
G ROUP 235 within the meaning of Articles 101 and 102 TFEU — an administrative fine
in accordance with Article 83 GDPR, the Disputes Chamber must therefore act accordingly
the latter provision, read in the light of recital 150 GDPR, in the calculation
of the administrative fines due to the offenses referred to in Articles 83.4 to 83.6 of the GDPR
base infringements on the concept of “undertaking” within the meaning of Articles 101 and 102
236
TFEU .
224. In accordance with the foregoing, the Disputes Chamber therefore rules that
can base on the consolidated turnover figures of the 2022 financial year of B LACK TIGER
BELGIUM as well as of the parent company [the parent company Z1] (B LACK TIGER
G ROUP ) — now “[the parent company Z2]” — or […] for determining the
amount of the administrative fine that it intends to impose on the
defendant. The Disputes Chamber refers to:
- the report with registration number […], as filed with the Registry of
Commercial Court of Paris on […], which shows that [the
23Recital 150 of the GDPR; EDPB – Guidelines on the application and setting of administrative fines
the meaning of the GDPR (WP 253), p. 6-7. The definition in the case law of the European Court of Justice is: “the concept
enterprise includes any entity that carries out an economic activity, regardless of its legal form and the manner in which it is carried out
is financed' (CJEU, C-41/90, Höfneren Elser v Macrotron, (ECLI:EU:C:1991:161, paragraph 21). Under the concept of undertaking
“must be understood as an economic unit, even if this economic unit is formed from a legal point of view
by different natural or legal persons” (CJEU, C-217/05, Confederación Española de Empresarios de Estaciones
de Servicio, ECLI:EU:C:2006:784, paragraph 40).
23CJEU, September 10, 2009, C-97/08 P, Akzo Nobel nv et al. t. Commission, ECLI:EU:C:2009:536), marginal nos. 60-61.
234
EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 131. See
alsoCJEU, 5 December 2023, C-807/21, Deutsche Wohnen SE v. StaatsanwaltschaftBerlin (ECLI:EU:C:2023:950), edge nos. 55
up to and including 58.
23See edge no. 37 in this decision.
236
CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), edge no. 59. Decision on the merits 07/2024 - 95/114
parent company] — now “[the parent company Z2]” — 100% of
237
owns the capital of BLACK T IGERBELGIUM;
- the annual accounts of B LACK T IGERB ELGIUM as filed with the National
Bank of Belgium (NBB) on June 19, 2023, from which a report for the 2022 financial year
turnover appears to be […]; and
- the annual accounts of [the parent company Z1] — now “[de
parent company Z2]” — as filed with the Registry of the Court
van Koophandel in Paris 23, which shows turnover for the 2022 financial year
by […].
225. The Disputes Chamber specifies in this regard that at the time of sending the
sanction form dated October 31, 2023 did not yet have the turnover figures for the year
2022 and therefore had to take the turnover figures of 2021 into account. Since the
turnover of [the parent company Z1] — of which public since November 16, 2023
it is known that the name was changed to “[the parent company Z2]”, which is the
defendant has also not mentioned in his response to the sanction form — for the year
2022 has increased slightly compared to 2021, the Disputes Chamber will reduce its administrative
calculate fines based on the most recent available turnover figures.
Since the defendant has failed to provide the turnover figures as stated in the
239
if necessary, refute the sanction form on the basis of more recent annual accounts,
the Disputes Chamber assumes that there are no other turnover figures available than these
which it takes into account in the present decision.
III.2.2.2. First conduct — Unlawful and unfair processing of
personal data, without the data subjects being proactive, individual and op
transparent manner, and lack of guarantees for compliance with the
core principles of the GDPR
Categorization in the abstract of the violation under Article 83.4 to
83.6 GDPR
226. The Disputes Chamber has already decided that the defendant is a
has infringed Article 5 GDPR; Article 6 GDPR; Article 12 GDPR; Article 14 GDPR;
as well as Article 24 GDPR and Article 25 GDPR. The Disputes Chamber rules that the first
conduct is characterized by a single act of several violations,
23Cf. Annex III.
238
https://commandes.greffe-tc-paris.fr/fr/societe/[...].
239Sanction form dated October 31, 2023, p. 10; Response from the defendant to the sanction form dated November 24, 2023,
p. 3-4. Decision on the merits 07/2024 - 96/114
that arise from a uniform will and are so closely related both spatially and temporally
are connected, that they must be regarded as one coherent act.
227. After all, due to the conscious choice not to proactively or individually inform those involved
inform them about the indirect collection of their personal data from third parties,
as well as on the subsequent processing of their personal data in the context of
commercial services, for a period of 15 years and in violation of the
core principles of data minimization and storage limitation, the defendant can
cannot legally rely on his or her legitimate interests
data sources or customers, as a basis for data processing.
228. For a violation of the basic principles of processing in accordance with Article 5
and 6GDPR, as well as the rights of the data subject in accordance with Articles 12 and 14GDPR,
the Disputes Chamber may order an administrative
impose a fine of up to EUR 20,000,000 or, for a company, up to 4% of the total
worldwide annual turnover in the previous financial year, whichever is higher. A violation
of the aforementioned provisions therefore gives rise to, in accordance with Article 83.5 GDPR
the highest fines.
Seriousness of the violations in the case at hand
229. In accordance with the guidelines of the EDPB and the GDPR, the supervisory authorities should
authorities to take due account of the nature, severity and duration of the
violation, taking into account the nature, extent or purpose of the violation in question
data processing, as well as the number of data subjects affected and the
extent of the damage suffered by them (Article 83.2.a) GDPR); the intentional or negligent
nature of the infringement (Article 83.2.b) GDPR); and the categories of personal data
to which the infringement relates (Article 83.2.g) GDPR).
230. Nature, seriousness and duration of the infringement (Article 83.2.a) GDPR) — Regarding the seriousness
of the violation, the Disputes Chamber notes that the principles of legality
(Article 5.1.a) and Article 6 GDPR) and transparency (Articles 12 and 14 GDPR) fundamental
are the principles of protection guaranteed by the GDPR.
The provisions laid down in Article 5.2 GDPR and further elaborated in Article 24 GDPR
accountability principle is also central to the GDPR and reflects the
paradigm shift that the GDPR brings about, namely a shift from a
arrangement that is based on prior declarations and authorizations by the
supervisory authority towards greater accountability and
responsibility of the controller. Compliance with its decision on the merits 07/2024 - 97/114
obligations by the controller and its ability to fulfill them
have therefore only become more important.
A valid legal basis and transparent information are among the core elements of
the fundamental right to data protection. After all, the principle of transparency constitutes the
“gateway” that strengthens data subjects' control over their data
and enables the exercise of other rights granted by the GDPR to data subjects
grants, such as the right to object and the right to have data erased.
Breaches of the certain principles therefore constitute serious infringements, which are the highest
administrative fines provided for in the GDPR may be punished.
The controversial processing in the context of Data Delivery and Data Quality
services that form the basis of the present decision were resp.
are still part of the defendant's core activities, which means that the
The Dispute Chamber is forced to give more weight to violations of the GDPR
arising from these core activities.
The defendant has also acknowledged in policy documents that the processing of
personal data could have negative consequences for the data subjects,
such as annoyance, irritation or stress, but also the feeling that they had to change their lifestyle
adjust if they agree to any processing of their personal data by the defendant and
its customers wanted to prevent 24. The Disputes Chamber also emphasized that the
controversial processing activities could potentially lead to invisible discrimination
on the basis of the profiling data compiled by the defendant 24.
Regarding the scope of processing, the EDPB guidelines for
data protection impact assessments are recommended to include in addition to the number of data subjects
also the volume of data, the duration or the permanent nature of the
data processing, as well as the geographical scope of the processing
to determine whether personal data are processed on a large scale 24. In this regard
the Disputes Chamber first establishes that the defendant's activities
Belgian market. The fact that the defendant is a significant market player and that
in addition, the disputed processing activities related to two different ones
markets (B2C and B2B), the Disputes Chamber comes to the conclusion that in this case it is indeed the case
there is a large-scale processing of personal data.
As regards the duration of the infringement, the Disputes Chamber notes that the
defendant, after the takeover of BISNODE B ELGIUM, has decided to
24See edge no. 129 in this decision.
241
See edge nos. 129-133 in this decision.
24 Working Party on Data Protection Article 29 – Guidelines on data protection impact assessments and determination whether
a processing ''is likely to involve a high risk'' within the meaning of Regulation 2016/679 (WP248, rev01, October 4
2017), p. 12. Decision on the merits 07/2024 - 98/114
to stop processing activities associated with Data Delivery. This
However, this does not prevent the personal data from being processed prior to the
takeover of B ISNODE BELGIUM by B LACK T IGER has been non-transparent for a long time
were processed unlawfully, and that the defendant remains responsible for the
processing of the acquired B ISNODE BELGIUM, including the
processing activities that, due to contractual agreements, also occur after the official
date of discontinuation remained intact. Also taking into account the established retention period
of 15 years and the fact that the defendant is still publicly announcing his
website 244 states that the company “has been active in the Belgian and Belgian markets since the early 1970s.”
European market” and “has built up more than 30 years of expertise in data quality and
data management” when it was part of “several international groups ([…]en
Bisnode), before becoming part of the Black Tiger group,” the Disputes Chamber concludes
that the disputed processing took place for at least 15 years, until
245
by July 30, 2021 .
231. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) — The Dispute Chamber
recalls that “intent” usually involves both knowledge and willfulness regarding the
includes characteristics of a criminal offense, while “unintentional” means that there is no intent
was to cause the infringement, although the controller or the
246
processor has violated the duty of care prescribed by law. There are others
words two cumulative elements required for an infringement to be deemed intentional
consider, i.e., the knowledge of the violation and the intentionality with regard to it
247
act .
As to whether or not the infringement was intentional or negligent
committed by a controller, the CJEU stated in its recent judgment
clarifies that a supervisory authority under Article 83 GDPR a
administrative fine due to the infringement referred to in Articles 83.4 to 83.6 GDPR
can impose, if it has been demonstrated that the controller has committed this infringement
committed intentionally or negligently. To impose such a fine
248
The condition therefore applies that the infringement in question was committed culpably.
With regard to the intentionality component, the Dispute Chamber also reminds this
that the CJEU has set a high threshold for an act to be considered intentional
24See also edge no. 114 in this decision.
244
https://www.blacktigerbelgium.tech/wie-zijn-wij/?lang=nl, accessed December 15, 2023.
24On this date, according to the defendant, the CMX database was destroyed.
246
Working Party on Data ProtectionArticle 29 – Guidelines for the Application of Administrative Fines
within the meaning of Regulation (EU) 2016/679 (WP253, October 3, 2017), p. 12.
24See also EDPB – Binding Decision1/2023 on thedispute submitted by the IE SA on datatransfers byMeta Platforms Ireland
Ltd (Facebook), edge no. 103, available at https://edpb.europa.eu/system/files/2023-
05/edpb_bindingdecision_202301_ie_sa_facebooktransfers_en.pdf.
248
CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), edge no. 75. Decision on the merits 07/2024 - 99/114
consider. For example, the CJEU has ruled in criminal cases that there is “serious
negligence” rather than “intention” when “the person liable is a qualified
commits a violation of his duty of care that he should and could have observed
take into account his capacity, his knowledge, his skills and his
individual situation”49. Even if it is a company whose processing is carried out
personal data is the core of the business activities, expect it to be sufficient
takes measures to protect personal data and that it has its obligations in this
thoroughly recognized, does not show such a qualified violation
necessarily indicates that there is an intentional violation250.
In other words, this means that a controller can also become
punished with an administrative fine under Article 83 GDPR for a
conduct falling within the scope of this Regulation, where it
controller could not have been unaware of the fact that his conduct
constituted an infringement, regardless of whether he was aware that he was violating the provisions of the GDPR
violated 251.
In this case, the Dispute Chamber notes that B ISNODE POLAND was in 2019 by the Polish
252
Data protection authority was fined for a breach of the information obligation.
There is therefore no doubt that the defendant was aware of that decision
but did not consider it necessary to subsequently provide information to Belgian data subjects
who the defendant indirectly collected the personal data, on a
(more) proactively. Although the Disputes Chamber cannot with certainty
can establish that the defendant has deliberately violated Article 14 GDPR, for his part
However, the Dispute Chamber has sufficient indications that there is evidence in this regard, in particular
the nature of the disputed processing activities, there is the highest degree of
negligence on the part of the defendant, who consciously chose not to fulfill his obligation to provide information
pursuant to Article 14 GDPR mainly to third parties.
The foregoing means that there is no infringement of the processing basis
is of an intentional nature, because the defendant has indeed made an extensive analysis
has to determine which legal basis would be the most appropriate in the present case. Er
there is therefore no - apparent - intention on the part of the defendant to fully comply with the GDPR
24CJEU, 3 June 2008, C-308/06, Intertanko and others (ECLI:EU:C:2008:312), edge no. 77
250
See also EDPB – Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority
regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, July 28, 2022, edge no. 204.
25CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), edge no. 76.
See alsoCJEU, 18 June 2013, C‑681/11, Schenker& Co. and others (ECLI:EU:C:2013:404), edge no. 37;CJEU, March 25, 2021, Lundbeck v.
Commission, C‑591/16 P (ECLI:EU:C:2021:243), marginal no. 156; and CJEU 25 March 2021, C‑601/16 P, Arrow Group and Arrow
Generics t. Commission (ECLI:EU:C:2021:244), marginal no. 97.
25See edge no. 161 in this decision. Decision on the merits 07/2024 - 100/114
knowledge of the facts and intentionally violate it through an inappropriate processing basis
to be used, but at least there is serious negligence.
232. Categories of personal data affected by the breach (Article 83.2.g)
GDPR) — As established earlier in this decision, the disputed processing is wrong
the contact details of those involved and also on data with which those involved
could be segmented for direct marketing-related purposes. The nature
of the personal data processed therefore includes different categories, including
financial information (average income), housing, family composition, as well as
socio-demographic and lifestyle data such as the social class of those involved
belong.
Although such personal data are prima facie not of a sensitive or special nature,
the Disputes Chamber rules that they nevertheless belong to categories of
personal data of such a nature that they may affect the privacy of those involved
and which those involved would generally not reasonably expect
collected indirectly from and subsequently processed by third parties.
Categorization in concrete terms of the seriousness of the violations and determination
of the correct starting amount
233. Based on the evaluation of the criteria set out above, the infringement is deemed
of low, medium or high severity. These categories do not detract from
ask whether or not a fine can be imposed.
▪ When calculating the administrative fine for minor infringements
severity, the supervisory authority will set the basic amount for further calculation
set at an amount between 0 and 10% of the applicable legal amount
maximum.
▪ When calculating the administrative fine for infringements of
medium severity, the supervisory authority will determine the starting amount
further calculation determine an amount between 10 and 20% of the
applicable legal maximum.
▪ When calculating the administrative fine for infringements with a high
severity level, the supervisory authority will determine the starting amount for further
set the calculation at an amount between 20 and 100% of the applicable amount
253
legal maximum .
253
EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 60. Decision on the merits 07/2024 - 101/114
234. In this case, the Disputes Chamber rules that the violations of legality, propriety
and transparency principles (Article 5.1.a) GDPR), as well as the accountability principle
(Article 5.2 GDPR), in combination with the violations of the obligation to provide information regarding the
those involved (Article 12 in conjunction with 14 GDPR), are of high seriousness. The Dispute Chamber serves
therefore for the violations related to the first conduct (falling under
Article 83.5 GDPR, with a high degree of severity) a theoretical starting amount for the further
calculation of the administrative fine to be used between EUR 4,000,000 and
EUR 20,000,000.
235. Based on the previous assessment of the circumstances in the light of Article
83.2.a), b) eng) GDPR25, the Disputes Chamber decides to set a theoretical starting amount of
EUR 10,000,000 to be taken into account.
236. Taking into account the minimum and maximum amounts set in the directives
per level, on the one hand, and the relevant annual turnover of the controller,
on the other hand, the Dispute Chamber decides in concrete terms to set the final starting amount for
the first category of infringements (falling under Article 83.5 GDPR, with a high degree of severity).
reduce to an adjusted starting amount of EUR 185,000 EUR 255.
Aggravating and mitigating factors
237. After assessing the nature and severity of the infringement, as well as the intentional or negligent
nature of the infringement and the categories of personal data involved, the
supervisory authority shall also take into account the remaining aggravating and
mitigating factors, as listed under Article 83.2 GDPR.
238. Measures taken to limit the damage suffered by those involved
(Article 83.2.c) GDPR) — The Disputes Chamber takes into account the efforts made by the
defendant has provided to ensure transparency towards those involved
by means of web pages as well as the mandatory indication of identity
from B ISNODE BELGIUM , now LACK TIGERB ELGIUM, at the bottom of the direct marketing communications
that the data subjects receive from the defendant's customers.
The Disputes Chamber also takes the initiative of the defendant into account
acquisition of B ISNODE BELGIUM to discontinue the Data Delivery activities and the CMX
to destroy the database prior to the substantive treatment by the
Dispute room 25.
25See marginal nos. 230 up to and including 232 in this decision.
255
EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 65.
25Response from the defendant to the sanction form dated November 24, 2023, p. 1, (i). Decision on the merits 07/2024 - 102/114
239. Extent to which the defendant is responsible in view of the technical and organizational aspects
measures it has implemented in accordance with Articles 25 and 32 GDPR (Article
83.2.d) GDPR) — In the context of the substantive proceedings, and in particular during the
hearing of 22 February 2023, the defendant has always taken the position
that the provision of information by the recipients of the personal data, being the
customers of B LACK T IGER B ELGIUM, was sufficient to meet the information and
to meet transparency obligations. It is also established that B LACK TIGER BELGIUM after the
takeover bears full responsibility for establishing an appropriate
retention period for the processed personal data, as well as compliance with the
basic principles of the GDPR in the context of continued data processing. To
For these reasons, the Disputes Chamber considers it proven that B LACK T IGER BELGIUM
can be held responsible for the further processing of personal data
of those involved, including the complainants, after the takeover of BISNODE BELGIUM.
In view of the documents submitted as well as the defenses submitted, the
However, the Disputes Chamber is not sufficiently convinced that the defendant has appropriate technical
and organizational measures, notwithstanding that he has sufficient
had the means and influence to do so to ensure compliance with the basic principles of the GDPR
— such as the principles of storage limitation and data minimization — too
guarantees.
240. Previous relevant breaches by the controller or processor
(Article 83.2.e) GDPR) — Although the facts in the present case are very similar
exhibit with the circumstances in the decision regarding B ISNODE POLAND of the
Polish Supervisory Authority, the Disputes Chamber shall, however, take it into account
given that B ISNODE BELGIUM, now LACK TIGERB ELGIUM, was declared not guilty of
previous violations of the GDPR.
241. The extent to which there was cooperation with the supervisory authority to investigate the infringement
remedy and limit its possible negative consequences (Article 83.2.f) GDPR) —
The Disputes Chamber determines that the defendant, by letter dated April 27, 2021
from the DPO of B ISNODE BELGIUM addressed to the Inspector General, in an early phase of
the procedure has made known its position on the complaints of the complainants. Also
the Disputes Chamber acknowledges the goodwill of the defendant in the investigation
handed over extensive policy documents to the Inspection Service and expressed its willingness
to answer further questions from the Inspection Service.
242. Other aggravating circumstances (Article 83.2.k) GDPR) — The Disputes Chamber holds
first take into account the fact that the defendant made a profit arising from the
unlawful processing, as an aggravating circumstance. The argument of the
defendant that the Disputes Chamber would not take into account the business loss of Decision on the merits 07/2024 - 103/114
B LACK TIGER BELGIUM in 2022, following the discontinuation of the Data Delivery activities, is
not sufficient in this regard because the adjusted starting amount is already sufficient
takes into account the operating loss suffered in 2022. In addition, the Disputes Chamber notes that
the defendant both in his written defense and during the hearing
has maintained the position that B LACK TIGER BELGIUM was in no way forced to
to inform data subjects directly and individually about the processing, although
Article 14 GDPR prescribes that communications to data subjects are subject to the
responsibility of the controller and in principle proactive
must be done.
Decision of the Disputes Chamber with regard to the first conduct
243. All of the elements set out above justify an effective,
proportionate and dissuasive penalty referred to in Article 83 GDPR, taking into account
the assessment criteria specified therein. The Disputes Chamber will set the right order for this
that the other criteria of Article 83.2 GDPR in this case are not of such a nature that they would
lead to a different administrative fine than that imposed by the Disputes Chamber
framework of this decision.
244. In view of the previous assessment of the relevant documents as well as the circumstances
specific to this case, the Disputes Chamber deems it appropriate, pursuant to Article 58.2.i)GDPR
as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR
to impose an administrative fine of EUR 129,500 on the defendant.
245. The Disputes Chamber rules that the defendant's serious negligence
personal data of complainants and other involved parties has been processed for years
has commercialized without respecting the core principles of the GDPR, and
in particular, information and transparency obligations are imposed on data subjects
appropriate manner should be punished with an administrative fine.
In addition, the further processing of personal data must be carried out without proactive measures
individual information provision to those involved should be vigorously discouraged.
Finally, the Disputes Chamber is of the opinion that the amount of the fine is, by the way
remains well below the maximum amount within the permitted range, is proportional to the
seriousness of the infringements contained in the first conduct. Decision on the merits 07/2024 - 104/114
III.2.2.3. Second conduct — Failure to act appropriately
the requests from data subjects to exercise their right of access
Categorization in the abstract of the violation under Article 83.4 to
83.6 GDPR
246. The Disputes Chamber recalls that the right of access is in addition to Article 15 GDPR
is included in Article 8.2 of the European Charter and is therefore one of the
constitutes core elements of the fundamental right to data protection. By following
omit to cite all sources to the complainant, the defendant has committed an infringement
committed under Article 15 GDPR. It is also established that the defendant in this case deliberately acted
failed to process the requests for access, which were nevertheless submitted electronically,
also to be answered electronically, in violation of Article 12 in conjunction with 15 GDPR.
Naturally, Article 15 GDPR must be read in conjunction with Article 12 GDPR,
whereby the controller can exercise rights under the GDPR
those involved must facilitate. Finally, the Disputes Chamber rules that the
defendant has also violated Article 15 GDPR by merely specifying the categories of
recipients in the response to the complainants, notwithstanding the defendant
was then able to identify the specific recipients.
247. For a violation of the rights of data subjects in accordance with Articles 12 and 15
GDPR, the Disputes Chamber may, on the basis of Article 83.5.a) and 83.5.b) GDPR, issue a
impose an administrative fine of up to EUR 20,000,000 or, for a company, up to 4% of
the total worldwide annual turnover in the previous financial year, if this figure is higher. A
violation of the aforementioned provisions therefore results in accordance with Article 83.5 GDPR
lead to the highest fines.
Seriousness of the violations in the case at hand
248. In accordance with the GDPR, as explained in the EDPB Guidelines, the
supervisory authorities should take due account of the nature, the seriousness
duration of the violation, taking into account the nature, scope or purpose of the violation
relevant data processing, as well as the number of data subjects involved
affected and the extent of the damage suffered by them (Article 83.2.a) GDPR); It
intentional or negligent nature of the infringement (Article 83.2.b) GDPR); and the categories of
personal data to which the infringement relates (Article 83.2.g) GDPR).
249. Nature, severity and duration of the violation (Article 83.2.a)GDPR) - The right of access constitutes the
gateway and therefore also the cornerstone for the exercise of other rights
provided by the GDPR, such as the right to object to the processing of
personal data (Article 21 GDPR) and the so-called right to be forgotten (Article 17 Decision on the merits 07/2024 - 105/114
GDPR). It is therefore extremely important that data subjects exercise their right of access
to actually obtain access to all data relating to them
collected by the controller, as well as concise, transparent and
receive understandable information about the circumstances in which their personal data
are processed. By not providing complete and sufficiently detailed information
to the data subjects, the controller deprives them of the
ability to exercise an appropriate degree of control over their own
personal data.
In addition, the complainant rightly notes that the failure to comply immediately after the first request
to provide relevant information, the further exercise of their rights by the
unnecessarily complicates those involved. Although the Disputes Chamber determines that the
defendant has responded to the requests in a timely manner, the fact that the defendant has provided bears responsibility
answers were not complete from the start and that it was not for those involved
was easy to respond to — e.g., in order to verify the information provided
dispute or request further explanation — contributes to unnecessary harm to those involved
were prevented from exercising their rights.
257
250. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) — With regard to
the manner in which the defendant in this case granted those involved access to the data
processing of their personal data, and in particular by only the categories of
recipients although the defendant has the specific identity of these
recipients must have; by not communicating the sources in an exhaustive manner; and
by delivering the responses by post even though the requests became electronic
submitted, the Disputes Chamber considers it sufficiently proven that the defendant has violated the articles
12 and 15 GDPR due to serious negligence.
251. Categories of personal data affected by the breach (Article 83.2.g)
GDPR) — As established earlier in this decision, the disputed processing operations were successful
in addition to the contact details of those involved, also on various personal data
with which the data subjects can subsequently be segmented for direct marketing purposes
related purposes. The nature of the personal data processed therefore includes
different categories, including financial information (average income),
housing, family composition, as well as socio-demographic and lifestyle data such as
the social class to which those involved belong.
Although such data are primafacie not of a sensitive or special nature,
the Disputes Chamber rules that they nevertheless belong to categories of
25See edge no. 231 in this decision for a detailed explanation of the distinction between negligence and intent. Decision on the merits 07/2024 - 106/114
personal data that data subjects would generally not reasonably expect
that they are collected indirectly from and subsequently processed by third parties.
Categorization in concrete terms of the seriousness of the violations and determination
of the correct starting amount based on the annual turnover of the
controller
252. Based on the evaluation of the criteria set out above, the infringement is deemed
of low, medium or high severity. These categories do not detract from
ask whether or not a fine can be imposed.
▪ When calculating the administrative fine for minor infringements
severity, the supervisory authority will set the basic amount for further calculation
set at an amount between 0 and 10% of the applicable legal amount
maximum.
▪ When calculating the administrative fine for infringements of
medium severity, the supervisory authority will determine the starting amount
further calculation determine an amount between 10 and 20% of the
applicable legal maximum.
▪ When calculating the administrative fine for infringements with a high
severity level, the supervisory authority will determine the starting amount for further
set the calculation at an amount between 20 and 100% of the applicable amount
legal maximum 258.
253. In this case, the Disputes Chamber rules that the violations are related to the law
access by data subjects (Article 15 GDPR), are of medium seriousness. The
Disputes Chamber therefore serves for violations related to the second
conduct (falling under Article 83.5 GDPR, with a medium degree of seriousness) a theoretical
starting amount for the further calculation of the administrative fine
between EUR 2,000,000 and EUR 4,000,000.
254. Relying on the foregoing assessment of the circumstances in the light of Article
83.2.a), b) eng) GDPR59, the Dispute Chamber decides to set a theoretical starting amount of
EUR 2,800,000 to be taken into account.
255. Taking into account the minimum and maximum amounts set in the directives
per level, on the one hand, and the relevant annual turnover of the controller,
on the other hand, the Dispute Chamber decides in concrete terms to set the final starting amount for
25EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 60.
25See marginal nos. 230 up to and including 232 in this decision. Decision on the merits 07/2024 - 107/114
the second category of infringements (falling under Article 83.5 GDPR, with medium
260
severity level) to an adjusted starting amount of EUR 51,800.
Aggravating and mitigating factors
256. After assessing the nature and severity of the infringement, as well as the intentional or negligent
nature of the infringement and the categories of personal data involved, the
supervisory authority shall also take into account the remaining aggravating and
mitigating factors, as listed under Article 83.2 GDPR.
257. Extent to which the defendant is responsible in view of the technical and organizational aspects
measures it has implemented in accordance with Article 25 (Article 83.2.d) GDPR)
— It is established before the Dispute Chamber, and is not disputed by the
defendant, that BLACK T IGERB ELGIUM is fully responsible for the management of the
website, including the online contact form with which data subjects exercise their rights
can exercise with regard to the defendant, as well as the manner in which the
requests from those involved are granted, if necessary.
258. Other mitigating circumstances (Article 83.2.k) GDPR) — The Disputes Chamber states
established that the defendant offers a centralized contact form on its website,
with which data subjects request to exercise their rights under the GDPR
can submit. This shows that the defendant fully intends to have the submission of
261
to facilitate requests by those involved.
Furthermore, the Disputes Chamber is of the opinion that every controller must always:
is obliged to communicate all specific information to those involved who require it
questions in the context of their request for access. However, the Disputes Chamber is of the opinion
aware that the CJEU only confirmed the disputed facts under what circumstances
controller and the exact identity or categories of recipients
must be communicated.
Finally, the Dispute Chamber decides to evaluate the efforts of the defendant, i.e., the fact that
the defendant actually — but not completely nor in a common electronic format
form — and has responded in a timely manner to the requests for access
262
to take .
259. Other aggravating circumstances (Article 83.2.k) GDPR) — The foregoing means
that the defendant also determines which personal data, in this case identification and
contact details are collected and include both the means and purposes of the
26EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 65.
261
Response from the defendant to the sanction form dated November 24, 2023, p. 2, (ii).
26Ibid. Decision on the merits 07/2024 - 108/114
processing. However, the Disputes Chamber notes that the defendant is in addition to
postal address of data subjects also collects their electronic contact details,
notwithstanding that the defendant consciously opted to send the requests exclusively by post
to answer. Thus, the defendant violates the principle of minimum
data processing under Article 5.1.c) GDPR as well as the principle of
data protection by design provided for in Article 25 GDPR. Since this observation
however, was not subjected to adversarial debate in the context of the proceedings
grounds, the Disputes Chamber decides not to pay the adjusted starting amount
to increase.
Decision of the Disputes Chamber with regard to the second conduct
260. All of the elements set out above justify an effective,
proportionate and dissuasive penalty referred to in Article 83 GDPR, taking into account
the assessment criteria specified therein. The Disputes Chamber will set the right order for this
that the other criteria of Article 83.2 GDPR in this case are not of such a nature that they would
lead to a different administrative fine than that imposed by the Disputes Chamber
framework of this decision.
261. In view of the previous assessment of the relevant documents as well as the circumstances
specific to this case, the Disputes Chamber deems it appropriate, pursuant to Article 58.2.i)GDPR
as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR
to impose an administrative fine of EUR 41,440 on the defendant.
262. The Disputes Chamber considers it justified, in view of the specific
circumstances as well as the conscious choice of the defendant regarding the manner in which
requests from those involved have been processed, to impose an administrative fine
with the aim of appropriately sanctioning this behavior and in order to
to encourage the defendant to request the exercise of rights granted under
the GDPR, no longer to comply in such a manner in the future. The Dispute Chamber is
also believes that the amount of this fine, which is well below the
maximum amount remains within the permitted range is proportional to the severity of the
infringements contained in the second conduct. Decision on the merits 07/2024 - 109/114
III.2.2.4. Third conduct — Failure to provide a description of the categories of
data subjects and the categories of personal data, as well as to
identity of the controllers for whom the defendant is considered
processor acts, to be included in the processing register
Categorization in the abstract of the violation under Article 83.4 to
83.6 GDPR
263. The Disputes Chamber establishes that the defendant has failed to add:
of the categories of data subjects and of the personal data processed
to include a description of these categories in its register of processing activities,
as expressly prescribed in Article 30 GDPR. In addition, the
defendant violated Article 30 GDPR by failing to disclose the identity of
controllers, for whom the defendant acts as processor
document in the centralized processing register. In this regard, the
Dispute Chamber reminds that the register of processing activities is an essential and
central file, that every controller who is obliged to do so under
Article 30 GDPR must be drawn up and supplemented in an appropriate manner and upon request
must be able to submit to the supervisor. This is why the EU
The legislature has expressly provided for the possibility of imposing a fine for
failure to comply with the aforementioned provision, contrary to other policy documents
which rather fall under Article 24GDPR, for which no penalty is provided for
Article 83.4 GDPR nor Article 83.5 GDPR.
264. For a breach of the obligations of the controller and the
processor in accordance with Article 30 GDPR, the Disputes Chamber may, on the basis of Article
83.4.a) GDPR impose an administrative fine up to EUR 10,000,000
or, for a company, up to 2% of the total worldwide annual turnover in the foregoing
financial year if that figure is higher.
Seriousness of the violations in the case at hand
265. In accordance with the guidelines of the EDPB and the GDPR, the supervisory authorities should
authorities to take due account of the nature, severity and duration of the
violation, taking into account the nature, extent or purpose of the violation in question
data processing, as well as the number of data subjects affected and the
extent of the damage suffered by them (Article 83.2.a) GDPR); the intentional or negligent
nature of the infringement (Article 83.2.b) GDPR); and the categories of personal data
to which the infringement relates (Article 83.2.g) GDPR). Decision on the merits 07/2024 - 110/114
266. Nature, severity and duration of the violation (Article 83.2.a) GDPR) — The Disputes Chamber rejects
points out that, in order to effectively implement the obligations contained in the GDPR, the
It is essential that the controller and processors are complete
and maintain an accurate overview of the processing of personal data that they
to carry out. This register is therefore primarily an instrument to
to assist the controller or processor in complying with the GDPR for the
various data processing operations that it carries out because the register is the most important
makes its features visible. The Disputes Chamber is of the opinion that this
processing register is an essential instrument in the context of the already mentioned
accountability (Article 5.2 GDPR and Article 24 GDPR) and that this register is the basis
is subject to all obligations that the GDPR places on the controller and processor
imposes. It is therefore extremely important that this is complete and correct.
267. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) 263—In the present
case, the Disputes Chamber rules that the infringement of Article 30 GDPR is due to a
serious negligence on the part of the controller, given the nature of the
core activities of the defendant as well as the statements made by the defendant
activities are in accordance with the GDPR.
Categorization in concrete terms of the seriousness of the violations and determination
of the correct starting amount based on the annual turnover of the
controller
268. Based on the evaluation of the criteria set out above, the infringement is deemed
of low, medium or high severity. These categories do not detract from
ask whether or not a fine can be imposed.
▪ When calculating the administrative fine for minor infringements
severity, the supervisory authority will set the basic amount for further calculation
set at an amount between 0 and 10% of the applicable legal amount
maximum.
▪ When calculating the administrative fine for infringements of
medium severity, the supervisory authority will determine the starting amount
further calculation determine an amount between 10 and 20% of the
applicable legal maximum.
▪ When calculating the administrative fine for infringements with a high
severity level, the supervisory authority will determine the starting amount for further
26See edge no. 231 in this decision for a detailed explanation of the distinction between negligence and intent. Decision on the merits 07/2024 - 111/114
set the calculation at an amount between 20 and 100% of the applicable amount
264
legal maximum .
269. In this case, the Disputes Chamber rules that the violation regarding the register of
processing activities (Article 30 GDPR) is of low severity. The Dispute Chamber serves
therefore for the violations related to the third conduct (falling under
Article 83.4 GDPR, with a low degree of severity) a theoretical starting amount for the further
calculation of the administrative fine of a maximum of EUR 1,000,000.
270. Relying on the foregoing assessment of the circumstances in the light of Article
83.2.a), b) eng) GDPR26, the Disputes Chamber decides to set a theoretical starting amount of
EUR 200,000 to be taken into account.
271. Taking into account the minimum and maximum amounts set in the directives
per level, on the one hand, and the relevant annual turnover of the controller,
on the other hand, the Dispute Chamber decides in concrete terms to set the final starting amount for
the third category of infringements (falling under Article 83.4 GDPR, with a low degree of severity)
266
to be reduced to an adjusted starting amount of EUR 3,700.
Aggravating and mitigating factors
272. After assessing the nature and severity of the infringement, as well as the intentional or negligent
nature of the infringement and the categories of personal data involved, the
supervisory authority shall also take into account the remaining aggravating and
mitigating factors, as listed under Article 83.2 GDPR.
Given the specific nature of this violation, and in the absence of any comments
In this regard, on behalf of the defendant, the Disputes Chamber will not take any further aggravating action
or mitigating circumstances into account.
Decision of the Disputes Chamber with regard to the third conduct
273. All of the elements set out above justify an effective,
proportionate and dissuasive penalty referred to in Article 83 GDPR, taking into account
the assessment criteria specified therein. The Disputes Chamber will set the right order for this
that the other criteria of Article 83.2 GDPR in this case are not of such a nature that they would
lead to a different administrative fine than that imposed by the Disputes Chamber
framework of this decision.
26EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 60.
265
See edge nos. 230 up to and including 232 in this decision.
26EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 65. Decision on the merits 07/2024 - 112/114
274. In view of the previous assessment of the relevant documents as well as the circumstances
specific to this case, the Disputes Chamber deems it appropriate, pursuant to Article 58.2.i)GDPR
as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR
to impose an administrative fine of EUR 3,700 on the defendant for
the violation of Article 30 GDPR for failure to keep an exhaustive and
sufficiently detailed register of processing activities.
III.3.Other grievances
275. The Disputes Chamber decides to consider the other grievances and findings of the
Inspection Service267, as the Disputes Chamber based on the facts
documents from the file cannot lead to the conclusion that there has been an infringement
the GDPR. These grievances and findings by the Inspection Service are therefore regarded as:
considered manifestly unfounded within the meaning of Article 57.4 of the GDPR26.
IV. Publication of the decision
276. Considering the importance of transparency with regard to the decision-making of the
Dispute Chamber, this decision will be published on the website of the
Data protection authority indicating the identification details of the
defendant, in view of the public interest of this decision, on the one hand, and the
unavoidable re-identification of the defendant in case of pseudonymization,
on the other hand. On the other hand, it is not necessary that the identification details of the complainants are included
this publication will be announced.
26See marginal nos. 192, 196, 199 and 202 in this decision.
268 See point 3.1.A.2 of the Dismissal Chamber's dismissal policy dated June 18, which can be consulted via
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf. Decision on the merits 07/2024 - 113/114
FOR THESE REASONS ,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 8° and 9° WOG, the
to order the defendant to commit the violation of Article 5.1 GDPR, Article 6.1 GDPR, Article
12.1 GDPR, as well as Articles 14.1 and 14.2 GDPR, in the context of B2B Data Quality
services, to terminate and to keep them terminated until the processing in
is brought into compliance with the GDPR, through the processing of
to enter personal data in the Spectron database before informing those involved of
proactively and individually inform the defendant who has contact details
of the processing of their personal data by the defendant. Hereby
the defendant must also serve the persons involved for a period of
three months from the date of information provision
to object to the processing of their data in a simple and effective manner
personal data before resuming processing. What the other categories
of data subjects for whom the defendant has no contact details
has, the Disputes Chamber decides, in the absence of a lawful
processing ground, to permanently prohibit the processing of their data.
- Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the defendant
order to commit the violation of articles 5.1 and 5.2 GDPR, article 24.1 GDPR as well as
Articles 25.1 and 25.2 GDPR by appropriate technical and
to take organizational measures to ensure that the retention period of the
personal data — which the defendant may only further process on
condition that the previous order has been complied with - is proportionate to the
purposes of the processing, and so that the defendant can, in the context of his current
Data Quality services only maintain the most current personal data
data subjects, as required by the principle of data minimization.
In addition, the Disputes Chamber orders the defendant to submit the current documentation
in connection with the processing of data and compliance with the GDPR
fill or adjust to take into account the actual data
circumstances in which the defendant processes data
accountability imposed on the defendant. Decision on the merits 07/2024 - 114/114
- Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the defendant
order to remedy the violation of Article 30.1.c) GDPR as well as Article 30.2 GDPR
remedy by supplementing the register of processing activities with a
clear description of the categories of personal data and of
data subjects, as well as by all controllers on behalf of
which the defendant believes to act as processor.
- Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the defendant
order within a period of three months after notification of the
decision provides evidence of the achievement of the aforementioned compliance measures
to be submitted to the Disputes Chamber.
- Pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG,
in accordance with Article 83.2 GDPR, an administrative fine amounting to:
EUR 129,500 to be imposed on the defendant for the violation of Article 5 of the GDPR;
Article 6 GDPR; Article 12 GDPR; Article 14 GDPR; Article 24 GDPR and Article 25 GDPR.
- Pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG,
an administrative fine in accordance with Article 83.2 GDPR
of EUR 41,440 to be imposed on the defendant for the violation of Article 12
GDPR and Article 15 GDPR.
- Pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG,
in accordance with Article 83.2 GDPR, an administrative fine amounting to:
to impose EUR 3,700 on the defendant for the violation of Article 30 GDPR.
This decision can be appealed on the basis of Article 108, § 1 WOG
by registered letter within thirty days of the notification
Marktenhof, with the Data Protection Authority as defendant.
(get). Hielke IJMANS
Chairman of the Disputes Chamber
