APD/GBA (Belgium) - 149/2023
Revision as of 09:27, 6 February 2024
| APD/GBA - DOS-2020-05649 and DOS-2021-05271 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR; Article 6 GDPR; Article 7(3) GDPR; Article 12 GDPR; Article 12(1) GDPR; Article 13(1)(a) GDPR; Article 13(1)(c) GDPR; Article 13(2) GDPR; Articles 5, 8.1 and 8.3 of the Belgian Law of 8 August 1983 organizing a National Register of Natural Persons |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 04.12.2020 |
| Decided: | 10.11.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | Madame X1 and Monsieur X2; Société Y1 and Société Y2 (or 'Platform Z') |
| National Case Number/Name: | DOS-2020-05649 and DOS-2021-05271 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Belgian DPA (in FR) |
| Initial Contributor: | n/a |
The Belgian DPA reprimanded a controller, an online booking platform, for failing to comply with Article 12(3) GDPR and because Article 6(1)(f) GDPR was not a valid legal basis to publish personal data of health professionals on the platform.
English Summary
Facts
To book an appointment with a dentist through 'Platform Z' (the platform), which aims to facilitate contact with healthcare professionals and doctors, complainant n.1 had to make an account. After the account creation, complainant n.1 requested the platform to delete her account and her personal data, to which she did not receive any reply.
Thus, on 4 December 2020, complainant n.1 lodged a complaint with the Belgian DPA against the company that created the platform and a shareholder company, which she claimed to be joint-controllers, for not taking any action to comply with her request.
On 31 July 2021, complainant n.2 also informed the Belgian DPA that, to create an account on the platform, he had to provide his National Register Number (NRN). Complainant n.2 explained that he had emailed the company stating that this request was illegal, to which the platform replied that the NRN was needed as a security measure. Consequently, complainant n.2 did not create an account.
On 2 August 2023, complainants n.1 and n.2 were informed that the hearing would take place on 15 September 2023. In response to the invitation to the hearing, complainant n.2 indicated that he had had no intention of filing a complaint other than to point out a potential violation to the DPA. The DPA nonetheless found itself able to continue the proceedings, since it considered the alleged breach to be sufficiently serious and to reveal the existence of a practice likely to infringe the data protection principles.
Holding
The Belgian DPA decided to join the two complaints as it considered them closely related and to ensure consistency in its decisions.
Firstly, concerning the complaint of complainant n.1, the DPA addressed whether the company that created the platform and the shareholder company could be considered joint controllers. The DPA noted that joint controllership presupposes participation in the determination of the purposes and means of the data processing, which does not necessarily happen in situations of financial support for a project. Thus, the DPA stated that in this instance, the shareholder company was not to be considered a joint controller under Article 4(7) GDPR since there was no evidence that it contributed to determining the data processing for the platform, and the company that created the platform was to be considered the sole controller.
Secondly, the DPA addressed the controller's failure to comply with complainant n.1's right to erasure. The DPA stressed that, pursuant to Article 12(3) GDPR, the controller's duty does not consist only in erasing the data under Article 17(1)(b) GDPR but also in informing the data subject of the measures taken following the deletion request, as soon as possible and, in any event, within one month of receipt of the request. While the controller did provide evidence that the data had been erased, the DPA concluded that it had failed to inform complainant n.1 of this, in breach of Article 12(3) GDPR.
The Belgian DPA then decided to assess the legal basis of the data processing of the non-registered health professionals carried out by the controller, which the controller claimed to be legitimate interest under Article 6(1)(f) GDPR. While the DPA acknowledged the controller's legitimate societal interest and economic interest, the DPA noted that non-registered health professionals could not reasonably expect their data to be used by the controller without their prior consent. Indeed, while the information on the platform was the same information as published on the non-registered health professionals' own website or that of their practice, to which they agreed, they could not have expected their data to be republished on a platform such as the one in question. Therefore, there had been a breach of Article 5(1)(a) GDPR and Article 6(1) GDPR.
Lastly, regarding the request for the NRN, the DPA agreed with the controller that access to the information on the platform should be protected by a strong identification system. Nonetheless, it stressed that such a system should not rely on the NRN. Moreover, the DPA stated that under Article 8 of the national law organising the NRN (LRN), the NRN may be used only by the authorities, institutions and persons explicitly referred to in Article 5(1) LRN, and only once authorisation has been granted by the Minister of the Interior; the controller did not fall into that category. Therefore, the controller breached Article 5(1)(a) GDPR and Article 6(1) GDPR, in conjunction with Article 8 LRN.
Taking into consideration the aforementioned breaches, the DPA reprimanded the controller and ordered the controller to bring its processing operations into compliance with the GDPR.
Comment
Comment by the original contributor: The Belgian DPA had recently issued a fine against a similar platform, following a complaint by health professionals that their data had been processed without their informed consent. In this case, the complaint comes from patients who complained of having been misled into believing that they had to create an account and provide unnecessary sensitive personal data to make a booking with a health professional, only to realize that the health professional of their choice did not offer online booking on that platform. This shows that the publication of health professional data on platforms without consent poses issues both to health professionals and to patients. It is time online booking platforms comply with the GDPR and the decisions of the Belgian DPA.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/36 Litigation Chamber Decision on merits 149/2023 of November 10, 2023 File numbers: DOS-2020-05649 and DOS-2021-05271 Subject: Complaints relating to the processing of personal data carried out by an online medical and paramedical appointment booking platform The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke HIJMANS, president, and gentlemen DirkVanDerKelenet YvesPoullet, members, resuming the case in this composition; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter “LCA”); Having regard to the Law of August 8, 1983 organizing a National Register of individuals (hereinafter “LRN”); Considering the internal regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the files; Has taken the following decision regarding: Complainant No. 1: Mrs. X1, (DOS-2020-05649); Complainant No. 2: Mr. X2, (DOS-2021-05271); The defendants: The company Y1, represented by Maîtres Florence Garcet and Claire Vandesande, lawyers, whose firm is established in 4000 Liège, rue des Augustins, 32, hereinafter “the first defendant” (DOS-2020-05649 and DOS-2021-05271); Company Y2, hereinafter “the second defendant” (DOS-2020-05649); Decision on merits 149/2023 — 2/36 Hereinafter referred to together as “the Defendants”. I. Facts and procedure I.1. As for the complaint of complainant no. 1 (DOS-2020-05649) 1. On December 4, 2020, complainant no. 1 filed a complaint with the Authority of data protection (DPA) against the defendants. 2. 
According to the terms of his complaint and the details provided in terms of conclusions and during the hearing (see below), complainant no. 1 reports the following facts. 3. At the beginning of October 2020, wishing to make an appointment with his dentist without calling him by telephone, complainant no. 1 notes that the site […] (hereinafter “Z” or “the platform” or “the platform Z") allows you to make an appointment directly online with health professionals. The contact details of his dentist can be found on the platform, complainant no. 1 creates an account to be able to make an appointment with her. 4. Complainant No. 1 reports that it was only after the creation of her account that she received the information that it was not possible for him to make an appointment with his dentist, only the contact details of the latter being referenced on the site without possibility of making an appointment with her via the platform itself. 5. For the proper understanding of this decision, the Litigation Chamber specifies here from the outset that the “Z” platform aims to facilitate rapid contact between patients and healthcare professionals – including doctors but not only - in particular through online appointment booking. When a patient accesses the platform, two options are available to him: - Either only the contact details of the practitioner sought appear on the platform without possibility of making an appointment with him via this. We then talk about “non-registered practitioner/professional”. In this case, the patient can make an appointment with this practitioner via the contact channels specific to this one starting from the contact details referenced on the platform. No account is required for this. - Either it is possible to make an appointment directly via the platform with the practitioner sought. We then speak of “registered practitioner/professional” on the platform. 
To make such an appointment, the patient must create a patient account for which he is asked to provide the following personal data: his name, his first name, his email address, his telephone number and his Register Number National (NRN). 6. On October 21, 2020, not having been able to make an appointment with his dentist (not registered) via the platform, complainant no. 1 requests the deletion of her account and data at Decision on the merits 149/2023 — 3/36 personal character that she transmitted during the creation of it. In terms of the email sent for this purpose to the email address info@[…], complainant no. 1 also makes part of his question regarding the obligation to provide his NRN when creating his account. 7. Complainant No. 1 indicates that it has not received a response to this erasure request. 8. Via a company specializing in data protection, complainant no. 1 requests on October 22, 2020 what are the legal bases on which the different data processing carried out from the platform, the reasons for processing the NRN as well as the exact identity of the data controller. Complainant No. 1 reports that this request also remained unanswered. 9. According to the terms of his complaint submitted to the APD on December 4, 2020, i.e. 1 and a half months later sending the above-mentioned requests, complainant no. 1 denounces both the lack of action given to his request for erasure and his questions about the legal bases of the different data processing carried out by the platform, including its NRN. 10. On January 5, 2021, complaint no. 1 was declared admissible by the Front Line Service (SPL) of the APD on the basis of articles 58 and 60 of the LCA and the complaint is transmitted to the er Litigation Chamber under article 62, § 1 of the LCA. 11. On February 2, 2021, in accordance with article 96, § 1 of LCA, the request of the Chamber Contentious to carry out an investigation is transmitted to the Inspection Service (SI). 12. 
On May 9, 2022 the IS investigation is closed, the report is attached to the file and it is transmitted by the SI to the President of the Litigation Chamber (art. 91, § 1 and § 2 of the LCA). 13. The content of the IS report can be summarized as follows: - The first defendant is the sole data controller within the meaning of article 4.7. of the GDPR to the exclusion of the second defendant. As part of his analysis, the Inspector General mentions a lack of clarity regarding the identification of the data controller in the platform’s Privacy Policy (article 13.1.a) of the GDPR); - As preliminary observations, the IS notes on the one hand that the platform has been the subject of an evaluation in April 2020 by the General Secretariat. The SI notes that “some shortcomings identified by the General Secretariat do not appear to have been the subject of the recommended compliance” (page 10 of the investigation report). The SI points to this regard to gaps in information relating to the basis for the lawfulness of the processing (article 13.1.c) of the GDPR) and the data retention period (13.2.a) of the GDPR). LeSIrelève on the other hand that according to him the platform processes a significant volume of health data within the meaning of Article 9 of the GDPR. Decision on merits 149/2023 — 4/36 - Starting from the facts denounced in the complaint, the SI then declares to note, in the scope of this, a certain number of breaches of the GDPR: o a violation by the first respondent of Article 12 of the GDPR in that it did not provide any information to complainant no. 1 following her request erasure of October 21, 2020; o a violation by the first respondent of articles 7.3. in fine and 12.1. 
of GDPR in that, in its capacity as data controller, it does not render the deleting a “patient account” as simple as creating this account and therefore does not facilitate the exercise of the rights of the persons concerned, in the species, the complainant’s right to erasure; o a violation by the first defendant of articles 15.1 and 19 of the GDPR, that in its capacity as data controller, it has not given confirmation to complainant no. 1 that personal data concerning her were not no longer processed nor did it notify complainant no. 1 of the deletion of her data; o a violation by the first respondent of articles 5.1 a), 5.2. and 6 of the GDPR in that, in its capacity as data controller, the first defendant cannot validly invoke its legitimate interest (article 6.1. f) of the GDPR) to the referencing of “unregistered” health professionals on the platform; o a potential violation by the first respondent in its capacity as data controller, of Article 32 of the GDPR in that the use by the leading defender of systems such as Cloudflare, AmazonWeb Services and Runcloud to manage its infrastructure does not constitute a measure appropriate technique to guarantee a level of security adapted to the risk presented by its activity. er 14. On June 15, 2022, the Litigation Chamber decides, under article 95, §1, 1° and article 98 of the ACL, that the case can be processed on its merits. 15. On this same date, the parties are informed by registered mail of the provisions such as set out in article 95, §2 as well as article 98 of the LCA. They are also informed, under section 99 of the LCA, deadlines for transmitting their conclusions. The date limit for receipt of submissions in response from defendants was set on August 10 2022, that for the conclusions in reply of complainant no. 1 on September 1, 2022 and that for the defendants' reply conclusions as of September 23, 2022. 
1The SI, however, qualifies this observation in the introduction to its report, indicating that it noted certain aspects without, however, carry out a complete review of all aspects relating to the processing security obligation. Decision on merits 149/2023 — 5/36 2 16. The parties are invited to defend themselves with regard to the following findings and grievances retained by the Litigation Chamber: - The qualification of the first defendant as sole controller of the processing within the meaning of article 4.7 of the GDPR; - A breach of articles 13.1. a), 13.1 c) and 13.2 of the GDPR in respect of the first defendant in that the platform's Privacy Policy does not mention not adequately identify and contact details of the data controller (article 13.1.a) of the GDPR), does not mention the legal basis of the data processing carried out – including data relating to health within the meaning of article 4.19 of the GDPR – (article 13.1. c) of the GDPR) and does not mention the data retention periods personal data processed (article 13.2. a) of the GDPR more precisely); - A breach of Article 12 of the GDPR in that the first defendant did not provide no information to complainant no. 1 following her request to exercise the right to erasure; - A breach of articles 7.3 in fine and 12.1 of the GDPR, in that the first defendant did not make the deletion of a “patient account” as simple as creation of this account (it is therefore not as simple to withdraw consent as to give it) and therefore does not facilitate the exercise of the rights of the persons concerned; - A breach of articles 5.1.a), 5.2.and 6 of the GDPR in which the legitimate interest invoked by the first defendant the basic title of lawfulness of treatment of professionals referenced but “not registered” on the platform, is not validly invoked. 
17 The Litigation Chamber also invites the parties to present their arguments in relation to the basis of lawfulness which underlies the processing by the first respondent of the NRN questioned by complainant no. 1 under the terms of her complaint. The Litigation Chamber also informs the parties that a complaint relating to this same question is 2 As part of its own assessment, the Litigation Chamber is free to retain one or other findings of the inspection to include them in the list of grievances on which it asks the parties to defend in the letter based on article 98 of the aforementioned LCA. No other conclusion can be drawn from the abandonment of one or other grievance other than the fact that the Chamber Litigation does not consider it appropriate to bring the parties to a conclusion regarding them. It cannot be deduced from this that the Chamber Litigation confirms compliance with the GDPR on these aspects. In view of this own assessment, the Chamber Litigation specifies that the LCA does not require it to use the Inspection Service. In fact, the Litigation Chamber decides sovereignly whether, following the filing of a complaint, an investigation is necessary or not (article 63, 2° of the LCA and art. 94, 1° of the LCA). In this sense, article 94, 3° LCA explicitly provides that once seized, the Litigation Chamber can process the complaint without having recourse to the Inspection Service. It thus has a power of appreciation of the complaint which is independent of the inspection (Market Court (19th ch. A), December 7, 2022, 2022/AR/560 and 2022/AR/564; Market Court (19th ch. A), December 7 2022, 2022/AR/556). Decision on merits 149/2023 — 6/36 also pending before the Litigation Chamber (DOS-2021-05271 – complaint no. 2 below) After). 18. On 2 August 2022, the first respondent agreed to receive all communications relating to the case electronically. By the same letter, she requests a copy of the file (art. 
95, §2, 3° LCA), which is sent to him on August 4, 2022 19. On August 10, 2022, complainant no. 1 requested a copy of the file (art. 95, §2, 3° LCA), which is transmitted to him on August 11, 2022. 20. On August 10, 2022, the Litigation Chamber received the conclusions in response to the first defendant. The first respondent having filed submissions in reply and synthesis, its argument is summarized in point 22 below. 21. On September 1, 2022, the Litigation Chamber receives the conclusions in response to the complainant no. 1. In summary, she defends the following: - The first and second defendants are data controllers spouses (article 4.7. of the GDPR) taking into account a range of elements from which it results that the second defendant is not only an investor in the project of the first defendant; - Identification of the data controller under the terms of the Privacy Policy confidentiality of the platform is not sufficiently clear and does not meet the requirements of section 13.1. a) of the GDPR since the first defendant is not not mentioned as such. Only two natural persons, directors of the first defendant are indicated in the data of contact ; - Article 13.1.c) of the GDPR is not respected because the Confidentiality Policy of the platform does not mention the legal bases for each processing individualized, limited to mentioning article 6.1. of the GDPR in its entirety and making no reference to Article 9.2. a) of the GDPR for the different treatments health data operated via the platform; - The platform's Privacy Policy does not contain information on data retention periods (article 13.2. a) of the GDPR); - Not having been informed of the measures taken following his request erasure, there has been a breach of article 12.3. GDPR; - Articles 7.3.infine and 12.2. of the GDPR are violated when the deletion of a account turns out to be more complex than creating it. 
Furthermore, two separate procedures co-exist to exercise the right to erasure on the one hand and to exercise other rights on the other hand; Decision on merits 149/2023 — 7/36 - Complainant no. 1 indicates that she fully agrees with the SI's reasoning regarding the invalidity of the legitimate interest (article 6.1.f) of the GDPR) for the processing of personal data of non-registered practitioners such as a dentist and share as soon as possible upon finding a violation of articles 5.1.a), 5.2. and 6 of the GDPR by the defendants; - Your complaint is admissible including with regard to the processing of your NRN from then on that the legal principle “ne bis in idem” invoked by the first defendant is inapplicable in this case. - As for the basis of lawfulness of the processing of the NRN, complainant no. 1 emphasizes that the processing of NRN is in principle prohibited except in the cases provided for by the Law of 8 August 1983 organizing a National Register of Natural Persons (LRN – article 5) and in principle subject to authorization from the Minister of the Interior (article 8.1.). There exemption from authorization provided for in article 8.3 of the LRN, the first of which is invoked defendant is not applicable since the introduction of the NRN on the platform does not allow the person to be identified or authenticated as required by said article 8.3. 22. On September 23, 2022, the Litigation Chamber receives the conclusions in reply and summary of the first defendant. In summary, she defends the following. - The mere fact of the second defendant acting as an investor/shareholder does not imply ipso facto that it is responsible for processing within the meaning of the article 4.7 of the GDPR. 
In fact, the second respondent did not take any decision relating neither to the purposes nor to the means of processing personal data operated within the framework of the platform; - Emphasizing that the IS does not formally consider breaches of the articles 13.1a), 13.1c) and 13.2. of the GDPR with regard to the Privacy Policy of the platform, the first defendant nonetheless exposes (without recognizing a any breach) that it intends to draft a new Policy of confidentiality which will clarify the elements of information concerned by the articles above; - She actually granted the request for erasure of complainant no. 1, alone the email confirming the deletion took place was not sent to this last ; - It is no less easy to delete an account than to create one, both procedures carried out, without being formally identical, in several stages and requiring active steps in both cases (article 7.3. in fine); Decision on merits 149/2023 — 8/36 - The action of the APD with regard to the basis of lawfulness of data processing of non-registered professionals is inadmissible. The complaint of plaintiff no. 1 does not concerning according to the first defendant in no way this question, this one should have been the subject of a separate procedure. The first defendant considers not having to justify this in the context of this procedure and vis- towards complainant no. 1. Alternatively, she sets out the reasons why she believes it can rely on its legitimate interest within the meaning of article 6.1.f) of the GDPR to base these processing operations (see also point 88 below). - Concerning the question of the basis of lawfulness of the processing of the NRN, she is surprised that this question can be the subject of two separate procedures (both in the framework of complaint no. 1 and complaint no. 2 – see. infra and point 32), emphasizing 3 that it has already concluded on this issue in the context of complaint no. 2. 
Continuing a game for identical facts without having provided a solution definitive in the first dispute is, according to her, not compatible with the right to trial fair enshrined in Article 6 of the European Convention on Human Rights man (ECHR). Therefore, the first respondent judges the request of the complainant no. 1 (and the APD) inadmissible on this point. Alternatively, the first defend her submission to the conclusions she filed in the context of the complaint No. 2 on this aspect (point 46). 23. On August 2, 2023, the Litigation Chamber notifies the parties that the hearing will take place on August 15 September 2023. 24. In this same letter, the parties are informed that on June 14, 2023, the Chamber Litigation adopted decision 75/2023. Taking into account this decision unknown to the 5 parties at the time when they were invited to conclude, the Litigation Chamber gives the parties the possibility of concluding additionally on its position in this decision 75/2023, in particular on the aspects which would be relevant with regard to the complaint no. 1 until August 31, 2023. 25. On 31 August 2023, in response to the opportunity given to it, the first respondent submits final conclusions. 3The Litigation Chamber explains in this regard that this decision addresses in chronological order of introduction of each of the complaints, firstly the progress of the procedure relating to complaint no. 1 lodged in 2020 and then, the progress of the procedure relating to complaint no. 2 filed in 2021. However, complaint no. 2 not having been sent to the inspection service whose report was communicated to the Litigation Chamber on February 9, 2022, the parties to this second complaint were invited to conclude before the parties to complaint no. 1 even though complaint no. 2 was therefore lodged after the complaint #1. 
[4] https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-75-2023.pdf
[5] The parties were also informed that an action for annulment had been filed against this decision before the Market Court. See also the note added to the published decision when the appeal was filed: https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr..75-2023.pdf

26. It specifies that these replace the reasoning developed in its previous conclusions regarding the lawful basis of legitimate interest (article 6.1.f) of the GDPR) invoked for the processing of data of "non-registered" professionals. The first respondent maintains that it was justified in relying on article 6.1.f) of the GDPR to process the data of non-registered healthcare professionals.

27. Nevertheless, the first respondent indicates that, in the course of its ongoing legal monitoring, it has carefully taken into account decision 75/2023 of the Litigation Chamber since the summer, has decided to rely henceforth on the consent of those professionals, and has started a process of obtaining their consent since the summer. The first respondent also produces the latest version of the platform's Privacy Policy, put online in August 2023, which now refers to the aforementioned consent request addressed to non-registered professionals.

28. On 15 September 2023, complainant no. 1 and the representatives of the first respondent are heard by the Litigation Chamber; the second respondent does not appear. Each presents the arguments developed in their conclusions. At the invitation of the Litigation Chamber, the first respondent demonstrates the procedures for creating an account and for deleting it when leaving the platform. It also presents the test version of the platform, which will now operate without requesting the NRN, the first respondent having decided, in view of the two complaints in particular, to stop using this identifier.
It confirms what it had indicated in its conclusions, namely the progressive collection of consent from non-registered healthcare professionals and the abandonment of legitimate interest as a lawful basis.

29. On 28 September 2023, the minutes of the hearing are sent to the parties who attended it. The second respondent receives a copy for information.

30. By 6 October 2023, the Litigation Chamber has received no remarks on the minutes from the first respondent or from complainant no. 1, who were present at the hearing.

I.2. As for the complaint of complainant no. 2 (DOS-2021-05271)

31. On 31 July 2021, complainant no. 2 filed a complaint (hereinafter complaint no. 2) with the APD against the first respondent.

32. In his complaint, complainant no. 2 reports that he noticed that, in order to make an appointment on the "Z" platform, one must create an account (without which no appointment can be made) and that one must communicate one's NRN to do so, a practice which he considers contrary to the law.

33. Complainant no. 2 produces the email he sent to the first respondent on 17 July 2021, in which he stresses that, in his view (sic), it is "strictly prohibited by law for a private company like yours to request the National Number. You are asked to remove this mandatory field for making an appointment."

34. The same day, the first respondent replied (sic): "your national number is requested for security reasons and it is fully encrypted in our database and therefore unusable by a third party. A national number is much more difficult for anyone to guess than an email address and therefore more secure. Especially in the context of a healthcare-related application."

35. As mentioned in point 32, complainant no. 2, dissatisfied with the response received, filed a complaint with the APD on 31 July 2021.

36.
On 16 August 2021, his complaint was declared admissible by the Front Line Service (SPL) of the APD on the basis of articles 58 and 60 of the LCA and transmitted to the Litigation Chamber under Article 62, § 1 of the LCA.

37. It does not appear from the complaint filed that complainant no. 2 communicated his NRN to the first respondent. On the contrary, it seems that complainant no. 2 gave up creating an account because his NRN was requested. In its conclusions (point 46 below), the first respondent indicates in this sense that it is unable to determine whether complainant no. 2 actually made an appointment via the platform. It adds that, at the very least, a search on his name in the platform's database shows that he has no account on it. In other words, it appears that the first respondent did not process any personal data relating to complainant no. 2 (including his NRN). He is therefore not a data subject within the meaning of articles 4.1 and 77 of the GDPR.

38. The fact that he is not a data subject does not, however, deprive complainant no. 2 of his right to lodge a complaint with the APD on the basis of article 77 of the GDPR, supplemented by articles 58 et seq. of the LCA [6]. In this regard, the Litigation Chamber recalls that, in a judgment of 7 October 2021 [7], the Court of Cassation held as follows:

[6] Article 56 of the LCA provides: "Any person may file a complaint or a written request, dated and signed, with the Data Protection Authority." It must be read in combination with the admissibility criteria for complaints set out in Article 60 of the LCA, which do not include the condition of being a data subject.
There are nonetheless limits to the admissibility of a complaint, linked to the complainant's interest in bringing it, as described by the Litigation Chamber in its Note on the position of the complainant in the procedure before the Litigation Chamber and in a number of its decisions. See for example: Decision on the merits 30/2020 of 8 June 2020 (points 4-7); Decision on the merits 80/2020 of 17 December 2020 (points 44-52); Decision on the merits 63/2021 of 1 June 2021 (points 10-18); Decision on the merits 117/2021 of 22 October 2021 (points 29-35); Decision 49/2022 of 5 April 2022 (points 7-12); Decision on the merits 106/2022 of 27 June 2022. https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-position-du-complainant-in-the-procedure-within-the-litigation-chamber.pdf
[7] https://juportal.be/content/ECLI:BE:CASS:2021:ARR.20211007.1N.4/FR?HiLi=eNpLtDK2qs60MrAutjI2sFJKT01PLUvNK05KLU7OSC3KzcxLL04sLckvyixJzSxRss60MoSqdHd1dw1z9Qt2cg129nAN8vX0cw92DA3xD/IMcfUMAak0gqkkYGYtAFHdLHE=

"3. It incontestably follows from all the legal provisions mentioned above that a data subject has the right to lodge a complaint with the Data Protection Authority against a processing practice which he or she considers to violate his or her rights under the GDPR (...). This is also the case where the data subject's own personal data have not been processed but the data subject has not obtained the benefit or service because, precisely on account of the existence of the practice allegedly constituting a violation, he or she refused to consent to the processing." [8]

39. In this case, complainant no. 2 is indeed denouncing a practice, since the NRN is requested for any account creation on the platform. Complaint no. 2 is moreover the second that the APD has received on this subject, the first being that of complainant no. 1 discussed above (DOS-2020-05649).

40.
On 21 January 2022, the first respondent and complainant no. 2 (i.e. the parties concerned by complaint no. 2) are informed by registered mail of the provisions set out in article 95, § 2, and article 98 of the LCA. They are also informed, under article 99 of the LCA, of the deadlines for submitting their conclusions. The deadline for receipt of the first respondent's conclusions in response was set at 4 March 2022, that for complainant no. 2's conclusions in reply at 28 March 2022, and that for the first respondent's conclusions in rejoinder at 19 April 2022.

41. In the same letter, the first respondent and complainant no. 2 are asked to present their arguments on the potential breaches of the GDPR revealed by the denounced practice of processing the NRN, namely a potential breach of articles 5.1.a) (principle of lawfulness), 5.1.c) (data minimisation), 5.1.e) (storage limitation), 6.1 (lawfulness), 12 (transparency), 13 (information obligation), 5.2 and 24 (responsibility/accountability) and 32 (security obligation) of the GDPR, as well as the corresponding provisions of the LRN, in particular its article 5 (authorisation for processing).

42. On 22 February 2022, the first respondent requested a copy of the file (art. 95, § 2, 3° LCA), which was sent to it on 25 February 2022.

43. On the same date, the first respondent agreed to receive all communications relating to the case by electronic means.

[8] See in this regard decision 126/2021 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/classement-sans-suite-n-126-2021.pdf. Emphasis added by the Litigation Chamber.

44. On 3 March 2022, the Litigation Chamber received the first respondent's conclusions in response. As the first respondent subsequently filed conclusions in reply and synthesis, the summary of its arguments is set out in point 46 below.

45.
On 13 April 2022, the first respondent announced its request to be heard, in accordance with article 98 of the LCA.

46. On 15 April 2022, the Litigation Chamber receives the first respondent's conclusions in reply and synthesis. In summary, it argues the following:
- The processing of the NRN is based on the free consent of the data subject (articles 5.1.a) and 6 of the GDPR): the patient is in fact free to create an account or not. He can also use the platform's information service and contact the healthcare professional of his choice through the professional's own communication channels, on the basis of the contact details thus made available to him;
- A search on the name of complainant no. 2 in the platform's database shows that he has no account on it;
- The choice to use the NRN is motivated by the absolute need to identify the patient with certainty and uniquely. There is therefore no breach of the minimisation principle (article 5.1.c) of the GDPR) in the processing of the NRN;
- The data are kept only for as long as necessary to identify and authenticate the patient and are deleted as soon as the patient unsubscribes from the platform (article 5.1.e) of the GDPR);
- As regards transparency and information obligations, a specific tab on the platform (FAQ – confidentiality) is dedicated to information about the processing of the NRN. The reasons why the NRN is requested are described there;
- By opting to process the NRN solely for the purpose of identifying and authenticating the data subject, the first respondent has correctly implemented article 32 of the GDPR, taking into account the risks linked to the nature of the data processed.
All processed data (including the NRN) are held in an encrypted and protected database (article 32 of the GDPR);
- It follows from the measures put in place (information and security in particular) that the first respondent has complied with its obligations under articles 5.2 and 24 of the GDPR;
- As regards the LRN, the first respondent processes the NRN solely for the purpose of identifying and authenticating the platform user. It is therefore exempt from prior authorisation by the Minister of the Interior pursuant to article 8.3 of the LRN. The first respondent adds that it does not in any way consult the National Register of Natural Persons or the data it contains (page 15 of its conclusions, last paragraph) and that it is therefore not subject to article 5 of the LRN.

47. On 2 August 2023, the first respondent and complainant no. 2 were informed that the hearing would take place on 15 September 2023. It should be noted that, in response to the invitation to the hearing, complainant no. 2 (who did not submit conclusions) indicates that he had no other intention in filing his complaint than to report a potential breach to the APD. In so far as necessary, the Litigation Chamber specifies that this statement in no way calls into question the admissibility of his complaint (points 36-39) and should not be interpreted as a withdrawal of it. Even if complainant no. 2 had intended it as a withdrawal, the Litigation Chamber remains free to continue examining the complaint notwithstanding such a withdrawal where it considers the reported breach sufficiently serious or indicative of a practice likely to undermine the fundamental principles of personal data protection, as is the case here [9].

48. On 15 September 2023, the first respondent was heard by the Litigation Chamber. Complainant no. 2 does not appear.

49.
On 28 September 2023, the minutes of the hearing are communicated to the first respondent. Complainant no. 2 receives a copy for information.

50. By 6 October 2023, the Litigation Chamber has received no remarks on the minutes from the first respondent.

I.3. As for the joinder of complaints no. 1 and no. 2

51. By this decision, the Litigation Chamber decides to join complaints no. 1 and no. 2, which it considers so closely connected that there is an interest in ruling on them in a single decision in order to guarantee the consistency of its decisions. Although the two complaints were lodged by distinct complainants (no. 1 and no. 2), they both target the same platform and both raise a common grievance concerning the processing of the NRN, as mentioned in points 9 (complaint no. 1) and 32 (complaint no. 2) above. In other words, the objective of consistency pursued by the Litigation Chamber in handling the complaints submitted to it precludes their separate examination.

[9] See the Litigation Chamber's Dismissal Policy (politique de classement sans suite): https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf

II. Motivation

II.1. As for the qualification of the second respondent (DOS-2020-05649)

II.1.1. The point of view of the IS and the parties

52. As mentioned in point 1, complainant no. 1 lodges her complaint against both the first and the second respondents, whom she describes as joint controllers within the meaning of article 4.7 of the GDPR.

53. Complainant no. 1 is in fact of the opinion that a body of serious and consistent evidence supports this view: (1) in 2018, the second respondent, whose fields of activity include the creation and management of websites, invested heavily in the project to create the platform, from both a financial and an operational point of view; (2) at the time of the reported facts, "platform Z" identified itself in its Privacy Policy as co-owned by the first and second respondents, dedicating a page on its site to the latter as sole investor and thus offering it a real showcase; (3) the two companies are closely linked, two entities of the second respondent being directors of the first respondent.

54. As noted above, the IS attributes the status of controller solely to the first respondent (point 13). The first respondent shares this analysis and describes itself as the sole "controller" of the data processing carried out by the platform (point 22).

II.1.2. The assessment of the Litigation Chamber

55. The Litigation Chamber is bound neither by the status claimed by the first respondent nor by that which the IS would attribute to it [10]. It must assess the reality of this qualification and, if necessary, reject it should its analysis show that it cannot be upheld.

56. The Litigation Chamber recalls that a controller is defined as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" (article 4.7 of the GDPR). This is an autonomous concept, specific to data protection law, the assessment of which must be based on the criteria it sets out: the determination of the purposes of the data processing concerned and the determination of its means.

[10] See in this sense Brussels (Cour des Marchés), 8 June 2022, 2022/AR/42, p. 6.
57. The Litigation Chamber also recalls that the essential criterion for there to be joint controllership, as complainant no. 1 pleads, is the joint participation of two or more entities in determining the purposes and means of a processing operation. More precisely, joint participation must cover both the determination of the purposes and the determination of the means. Joint participation in this determination implies that more than one entity has a decisive influence on whether, for what purpose and how the processing takes place. In practice, joint participation can take the form of a joint decision taken by two or more entities or result from convergent decisions adopted by them regarding the purposes and essential means of the processing.

58. In this case, the Litigation Chamber notes that the elements provided by complainant no. 1 certainly show, as the IS points out and as the first respondent does not dispute, that the second respondent invested in the first respondent's project to create the platform (the first respondent then being a young start-up). Joint controllership presupposes, however, as just recalled, participation in the determination of the purposes and means of processing. The mere fact of financially supporting a project does not necessarily mean that those purposes and means were determined through common or convergent decisions of the respondents on the data processing. When, in its Guidelines on the concepts of controller and processor [11], the EDPB emphasises that not every form of partnership, cooperation or collaboration implies that the entities are joint controllers, it presupposes that each of those entities plays some role in the data processing, a role which, depending on the case, will or will not carry the qualification of joint controller.
In this case, the Litigation Chamber considers that there is no element attesting to any role whatsoever of the second respondent in the data processing as such. The second respondent's participation is financial, and neither the documents produced by complainant no. 1 nor the findings of the IS allow the Litigation Chamber to conclude that the second respondent actually participated in determining the purposes and means of the data processing carried out by the platform.

59. In conclusion, the Litigation Chamber finds that the second respondent is not a (joint) controller within the meaning of article 4.7 of the GDPR with regard to the platform's data processing.

60. The Litigation Chamber notes that, during the proceedings, the first respondent clarified the identity and contact details of the controller (article 13.1.a) of the GDPR) in its Privacy Policy, which now contains a clause that no longer mentions the names of the natural persons who were its directors at the time. It also removed the reference to them as "co-owners of the platform". Such information is unrelated to the qualification of roles under data protection law, does not necessarily belong in a privacy policy and, at the very least, risks creating confusion.

[11] https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_fr.pdf

II.2. As for the breach of article 12.3 of the GDPR by the first respondent: the absence of information on the follow-up given to complainant no. 1's request to exercise her right to erasure (DOS-2020-05649)

II.2.1. The point of view of the IS and the parties

61. As explained in points 7, 9 and 21 above, complainant no. 1 denounces the absence of any response from the first respondent to her request to delete the patient account she had created and all the personal data concerning her that she had communicated when creating it.

62. In its investigation report (point 13), the IS indicates that it took note of a screenshot which would attest that complainant no. 1 no longer appears in the first respondent's database. The IS nonetheless notes that the first respondent acknowledges, as it writes in its conclusions (point 22), that it did not confirm to complainant no. 1 that her personal data had actually been erased.

II.2.2. The assessment of the Litigation Chamber

63. It is therefore not disputed that the first respondent failed to provide complainant no. 1 with information on the action taken on her erasure request without undue delay and in any event within one month of receipt of that request on 21 October 2020, as required by article 12.3 of the GDPR.

64. The Litigation Chamber stresses in this regard that acting on a data subject's exercise of the right to erasure entails not only the obligation to erase the data concerning them when the conditions for erasure are met (in this case article 17.1.b) of the GDPR, withdrawal of consent), but also the obligation to inform the data subject of the action taken on the erasure request without undue delay and in any event within one month of receipt of the request (article 12.3 of the GDPR).

65. On the basis of the above, the Litigation Chamber concludes that the first respondent has breached article 12.3 of the GDPR.

66. The Litigation Chamber notes that the erasure request of complainant no. 1 follows from the fact that she was only able to notice that the dentist she was trying to contact was not registered on the platform after having created her account (in October 2020). In this regard, on 9 January 2021, complainant no. 1 informed the APD that, following a change to the site, a pop-up now warns the patient that the practitioner is not registered on the platform. Having received the complaint on 2 February 2021, the IS indicates that it was not able to observe the situation that complainant no. 1 describes having encountered. The first respondent, for its part, maintains that this pop-up has always existed.

67. The Litigation Chamber is not in a position to find a possible breach of the GDPR arising from the situation described by complainant no. 1. It nonetheless stresses, without this constituting any corrective measure or sanction within the meaning of article 100 of the LCA, that it must be perfectly clear to the patient that the creation of an account is only required if he can contact a practitioner registered on the platform through it. Thus, the information as to whether a practitioner is registered (and therefore whether it is possible to make an appointment with that practitioner via the platform) must be accessible before any account is created [12]. Failing this, the first respondent's compliance with its transparency obligation and its duty of fairness could be called into question (articles 12.1 and 5.1.a) of the GDPR). The Litigation Chamber notes in this regard that the first respondent stated that, in addition to the pop-up already in place, its Privacy Policy now explicitly provides, following a change made during the proceedings, that it is not necessary to create an account to view the contact details of healthcare professionals, whether registered or not.

68.
More generally, concerning the erasure policy and data retention periods, the Litigation Chamber recalls that the data protection authorities are of the opinion that both the items of information provided for in §1 of articles 13 and 14 of the GDPR and those provided for in §2 of the same articles must be communicated to the data subject [13]. Thus, the retention periods provided for in articles 13.2.a) and 14.2.a) of the GDPR must always be brought to the attention of data subjects. The Litigation Chamber notes in this regard that the first respondent amended its Privacy Policy during the proceedings and that it now provides retention periods by category of processing.

[12] See in this regard point 10 of the EDPB Guidelines on transparency (Article 29 Working Party, WP 260, endorsed by the EDPB at its inaugural session on 25 May 2018: https://edpb.europa.eu/our-work-tools/our-documents/article-29-working-party-guidelines-transparency-under-regulation_en), which emphasises that "a central consideration of the principle of transparency outlined in these provisions is that the data subject should be able to determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data has been used."
[13] See the EDPB Guidelines on transparency (https://edpb.europa.eu/our-work-tools/our-documents/article-29-working-party-guidelines-transparency-under-regulation_en), already cited (point 23).

II.3. As for the breach of article 7.3 in fine of the GDPR and of article 12.1 of the GDPR by the first respondent (DOS-2020-05649): withdrawal of consent and facilitation of the exercise of rights

II.3.1. The point of view of the IS and the parties

a) As for the withdrawal of consent (article 7.3 in fine)

69.
In its investigation report (point 13), the IS concluded that the first respondent had breached article 7.3 in fine of the GDPR in that it did not make deleting a "patient account" as simple as creating that account.

70. The IS details in this regard that creating an account simply requires entering personal data on the platform and securing the account by means of a code received by SMS. Conversely, deleting an account cannot be done directly on the site and requires sending an email to the address suppression@[…] or contacting the first respondent from the platform via the chatbot. According to the IS, this difference constitutes a breach of article 7.3 of the GDPR, under which it must be "as easy to withdraw as to give consent".

71. Complainant no. 1 agrees with the analysis of the IS (point 21).

72. In its conclusions, the first respondent states that, at the time of the events, a patient choosing to create an account was asked to provide the identification data already mentioned (point 5). The patient then received an SMS containing a code to be entered on the platform in order to confirm the creation of the account. Concretely, the patient had to click on a first link, which led to a second, a third and finally a fourth (four-step procedure). After clicking on the last "Registration" link, the prospective account holder was asked to provide the above-mentioned data. This was followed by a second verification through entry of the SMS code received.

73. As for deleting the account, the first respondent explains that, at the time of the facts, withdrawal of consent by the patient required sending an email to the dedicated address suppression@[…] mentioned in the FAQ "How do I delete my data?". The patient had to click on four links (four-step procedure), the last of which was the link to the deletion email. He could also use the chatbot.
b) As for the facilitation of the exercise of rights

74. The IS further considers that it follows from its finding on the withdrawal of consent (point 13) that the first respondent does not facilitate the exercise of the right to erasure provided for in article 17 of the GDPR, including that of complainant no. 1 (pages 18 and 19 of the IS report). Although the IS opens its reasoning with article 12.2 of the GDPR (page 17 of the investigation report), it concludes that this obligation has been breached while erroneously referring the Litigation Chamber to article 12.1 of the GDPR rather than article 12.2, which is the provision that establishes it.

75. Complainant no. 1 adds that the fact that the first respondent provides two contact addresses, a general one for the exercise of rights (info@[…]) and a specific one for the exercise of the right to erasure (suppression@[…]), also did not facilitate the exercise of her right to erasure. She points out that, in addition, the first respondent's Privacy Policy does not correctly reflect these procedures.

76. Submitting conclusions on article 12.1 of the GDPR as raised by the IS, the first respondent explains that clear information is given on how consent can be withdrawn.

II.3.2. The assessment of the Litigation Chamber

a) As for the withdrawal of consent (article 7.3 in fine)

77. The Litigation Chamber recalls that article 7.3 in fine of the GDPR provides that the controller must ensure that it is as easy for the data subject to withdraw consent as to give it, and that this can be done at any time.

78. As the European Data Protection Board (EDPB) states in its Guidelines 05/2020 on consent [14], the GDPR gives an important place to the withdrawal of consent.

79.
The EDPB nevertheless emphasises that the GDPR does not say that giving and withdrawing consent must always be done through the same action (point 113). However, the EDPB is of the opinion that "when consent is obtained via electronic means through only one mouse-click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally as easily. Where consent is obtained through use of a service-specific user interface (for example, via a website, an app, a log-on account, the interface of an IoT device or by e-mail), there is no doubt a data subject must be able to withdraw consent via the same electronic interface, as switching to another interface for the sole reason of withdrawing consent would require undue effort" (point 114).

80. Finally, the EDPB adds that "the GDPR considers the existence of easy withdrawal as a necessary aspect of valid consent. If the withdrawal right does not meet the GDPR requirements, then the consent mechanism of the controller does not comply with the GDPR. As mentioned in section 3.1 on the condition of informed consent, the controller must inform the data subject of the right to withdraw consent prior to actually giving consent, pursuant to Article 7(3) of the GDPR. Additionally, the controller must as part of the transparency obligation inform the data subjects on how to exercise their rights" (point 116).

[14] European Data Protection Board (EDPB), Guidelines 05/2020 on consent under Regulation (EU) 2016/679: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_fr.pdf

81. It does not appear to the Litigation Chamber that the procedure a patient must follow to delete their account and have their data erased is less easy than the steps to follow to register on the platform.
As the first respondent explained above (points 72-73), several steps are necessary in each case. While the account can be created from the platform, this is not done "in a single click" or in a few clicks on it, but also requires receiving a code by SMS and entering it afterwards. Sending an email from the platform, or alternatively using the chatbot, to request deletion of the account does not, in the Litigation Chamber's view, constitute a less easy procedure, since these steps can also be carried out from the site and likewise involve several stages. As recalled above (point 79), the procedures for giving and withdrawing consent need not be strictly identical. Having examined each of them, the Litigation Chamber does not consider that the account deletion procedure is marked by a greater degree of difficulty than the account creation procedure. The Litigation Chamber concludes that the first respondent has not breached article 7.3 in fine of the GDPR.

82. Without this element entering into the foregoing conclusion, the Litigation Chamber notes that the first respondent has, during the proceedings, i.e. after the facts complained of, added a button which need only be clicked to request deletion of the account, and has clarified the procedure for requesting account deletion in its Privacy Policy.

b) As for the facilitation of the exercise of rights (article 12.2 of the GDPR)

83. As for article 12.2 of the GDPR (see the remark in point 74 above), the Litigation Chamber simply points out the following, without this constituting any corrective measure and/or sanction within the meaning of article 100 of the LCA.

84. Establishing internal, standardised procedures dedicated to the exercise of data subjects' rights under data protection law is essential and is such as to contribute to the effective application of those rights.
It certainly facilitates their exercise as required by Article 12.2. of the GDPR. However, when in the context of such a procedure a contact address dedicated to the exercise of these rights exists, it does not the persons concerned may be accused of using another communication channel to address their requests. No harmful consequences for the person Decision on merits 149/2023 — 21/36 concerned cannot be derived from the fact – even in the event that it is correctly been informed – that she would not have used the appropriate form or would have contacted the data controller by another means, via an incorrect e-mail address for example. 15 In this case, the first respondent noted in this regard that complainant no. 1 had send your deletion request to the general address of the platform and not to the address dedicated to the exercise of the right to erasure but that this had no impact on the processing of his deletion request, his data having been erased. Bedroom Litigation notes that, barring exceptions, this is indeed the attitude that is expected data controllers. II.4. As for the breach of articles 5.1. a), 5.2. and 6 of the GDPR by first defendant: the basis of the lawfulness of the processing of health professionals’ data non-registered (DOS-2020-05649) II.4.1. The point of view of the SI and the parties 85. 
According to its investigation report, the SI concludes that the first respondent cannot rely on article 6.1.f) of the GDPR as the basis of lawfulness for data processing data from non-registered health professionals, particularly because they are not satisfied to the weighting test (see below) in that “the publication of the contact data of these doctors on the Internet (whether through an official service such as the Banque Carrefour des Companies or no) does not allow them to reasonably expect that this data be processed and in this case reproduced without their consent, on the website of a private company offering IT solutions to doctors in return for different subscription rates (…) (page 26 of the report).” 86. Complainant No. 1 declares for her part that she fully agrees with the analysis of the IS. 87. As for the first defendant, she mainly argues that this complaint should have been the subject of a separate procedure since it does not emerge from the complaint filed by the complainant no. 1. It is therefore inadmissible in his eyes. 88. In the alternative, the first defendant pleads (1) that she pursues a legitimate interest (which consists of making it easier for patients to maintain contact with health professionals of their choice), (2) that the data it processes relating to non-registered health professionals are necessary for the realization of the interest it 15See. 
the EDPS Guidelines on transparency (WP 260 of the Article 29 Group taken up by EDPB during its inaugural session on May 25, 2018): https://edpb.europa.eu/our-work-tools/our-documents/article-29- working-party-guidelines-transparency-under-regulation_en and those relating to the right of access (Guidelines 01/2022) https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf 16 See the EDPS Guidelines 01/2022 on the right of access: https://edpb.europa.eu/system/files/2023- 04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf (points 53 et seq.). Decision on merits 149/2023 — 22/36 continues (i.e. the provision of contact details for information and possible making contact) and (3) that the weighing exercise it carried out allows it to conclude that it can rely on this legitimate interest. The first defendant indicates that she thus taking into account the public and professional nature of the data (taken from the Bank Carrefour des Entreprises (BCE) and Google), the absence of obvious harm to life deprived of the practitioners concerned or any other of their fundamental rights, the absence of harm in their physical, economic or social situation (on the contrary, a benefit in term of visibility would be provided to them), their reasonable expectations and the existence of a right of opposition in their head. The result of this weighting authorized him to conclude that it satisfied the 3 tests of purpose (1), necessity (2) and weighting (3) required by article 6.1.f) of the GDPR. The first defendant therefore defends that she could found the processing of data of non-registered health professionals on this basis lawfulness. II.4.2. The appreciation of the Litigation Chamber 89. With the SI, the Litigation Chamber is of the opinion that the question of the basis of legality of the processing of data of non-registered practitioners must, in this case, be considered as part of the scope of complaint no. 
1 since (1) this question is raised – admittedly in general terms – by complainant no. 1 in her complaint, (2) that the latter, even before filing it, questioned the first defendant on this subject without receiving a response and (3) that the request for erasure of complainant no. 1 is following the fact that the dentist with whom she was seeking to make an appointment was precisely an unregistered health professional and that due to this absence registration, complainant no. 1 was unable to make the planned appointment. Bedroom Litigation recalls that in any event, once seized, the IS can in the exercise of its own competence, broaden the scope of its investigations. 90. As for the merits, the Litigation Chamber recalls that in order to be able to rely on the basis of legality of “legitimate interest” in application of article 6.1.f) of the GDPR, the person responsible for the treatment, i.e. the first respondent in this case, must demonstrate that a) the interest it continues via the data processing concerned can be recognized as legitimate (the "test purpose"); b) that the processing envisaged is necessary to achieve this interest (the "test of necessity") and that c) the weighting of this interest in relation to the interests, freedoms and fundamental rights of the persons concerned weigh in their favor or in favor of the third party (the "weighting test"). 91. The Litigation Chamber will verify whether in this case, these 3 tests are satisfied with regard to concerns the processing in dispute, i.e. the provision on the data platform personal data of non-registered health professionals in the sense already specified, i.e. Decision on the merits 149/2023 — 23/36 health professionals whose first and last names were included by the first defendant, specialty, address and professional telephone number on the platform without possibility to make an appointment with them via this one. As for the purpose test (a): is there a question of a legitimate interest? 92. 
The Litigation Chamber recalls that in order to be qualified as “legitimate”, the interest sued by the data controller (or the third party but this is not the case of species) must be lawful under the law, determined in a sufficiently clear manner and precise, to be real and present (born and actual) and not fictitious or hypothetical. 93. By making the contact details of doctors available to users of the platform and other health professionals even if their agenda is not linked to the platform, the first defendant pursues the objective of enabling patients to find and easily contact a healthcare professional by sharing data necessary for possible contact with the latter (see also below). This Therefore, the Litigation Chamber is of the opinion that the first defendant contributes to the right of each patient to access health care as well as their right to consult the practitioner (registered) of his choice as guaranteed by article 6 of the Law of August 22, 2002 relating to patient rights. The data processing carried out by the first defendant are thus part of the pursuit of a legitimate societal interest to which is coupled a economic interest specific to the first defendant, also legitimate, based on the freedom of enterprise, in particular enshrined in article 16 of the Charter of Rights fundamentals of the Union. 94. In support of the above, the Litigation Chamber is of the opinion that the interest pursued by the first defendant is legitimate. Therefore, the “finality test” of Article 6.1.f) of the GDPR. As for the necessity test (b): is the treatment necessary? 95. Regarding the test of necessity, the Litigation Chamber recalls that the Court of Justice of the European Union (CJEU) ruled among others in the “TK” judgment on this condition of necessity of treatment, insisting on the strict interpretation of this condition 17which is also not specific to article 6.1. 
f) of the GDPR but common to all 17"As regards the second condition laid down in Article 7(f) of Directive 95/46, relating to the necessity of the appeal to the processing of personal data for the realization of the legitimate interest pursued, the Court recalled that derogations and restrictions from the principle of protection of personal data must take place within the limits of what is strictly necessary (judgment of 4 May 2017, Rīgas satiksme, C‑‑13/16, EU:C:2017:336, paragraph 30 and case law cited). Decision on merits 149/2023 — 24/36 bases of legality listed in article 6.1 of the GDPR with the exception of the consent provided for in article 6.1. has). 96. The CJEU also observes that the condition relating to the necessity of the processing must be examined in conjunction with the so-called “data minimization” principle enshrined in Article 6(1)(c) of Directive 95/46, according to which the data to be personal character must be "adequate, relevant and not excessive with regard to the purposes for which they are collected and for which they are processed later”. 97. The CJEU also clarified that while there are realistic and less intrusive alternatives to treatment carried out, this treatment is not “necessary”. In other words, the person responsible treatment must ensure that there is no less intrusive means of achieving its objective than to implement the treatment envisaged (for example a device treating no personal data, or different treatment more protective of the right to privacy and the protection of the personal data of the data subject). 98. This case law formulated in relation to Articles 7 and 6 of Directive 95/46/EC remains relevant to this day. Article 6.1 of the GDPR in fact repeats the terms of article 7 of the directive 95/46/EC - the legitimate interest of the data controller being retained (article 7 f) and article 6.1. f), certainly in slightly different terms. Article 5.1. 
c) of the relative GDPR to the principle of minimization reinforces the terms of article 6.1.c) of the directive 95/46/EC to which the CJEU also refers. As the first defendant points out, the “video surveillance” context of the TK judgment is certainly distinct from that in which the disputed treatment is relevant to this case. However, this does not justify that the principles stated by the CJEU with regard to the conditions of legitimate interest as the basis of lawfulness are excluded. These requirements are expressed in general terms applicable to all mixed contexts. 99. In this case, the Litigation Chamber is of the opinion that the processing of data personal data of non-registered doctors is necessary for the realization of the pursued interest by the first defendant through its platform and consisting of linking (future) patients and healthcare professionals. As for the data processed, the Chamber Contentieuse considers that the principle of minimization is respected: it is in fact a matter of 18This condition requires the referring court to verify that the legitimate interest in the processing of the data pursued by the video surveillance at issue in the main proceedings, which consists, in substance, of ensuring the security of goods and persons and to prevent the occurrence of offenses, cannot reasonably be achieved as effectively by other means less detrimental to the freedoms and fundamental rights of the persons concerned, in particular the rights to respect for private life and the protection of personal data guaranteed by Articles 7 and 8 of the Charter." It is the Litigation Chamber which underlines. Decision on the merits 149/2023 — 25/36 provide platform users (patients) with limited and necessary information relating to the identity of the practitioner, his specialty (is it appropriate to make an appointment or not with him? 
), to its geographical proximity or at least its location via its address (is it appropriate to contact him rather than someone else?) as well as his number professional telephone (to allow appointments to be made if necessary via the platform but also live via this number). As for the weighting test (c): 100. The Litigation Chamber recalls that in addition to the two conditions mentioned above, article 6.1. f) of GDPR can only be mobilized if the interests or fundamental freedoms and rights of the person concerned does not prevail over the interest pursued by speaking to the person responsible for processing or the third party. In other words, the data controller must carry out an implementation balance, a weighting between the rights and interests involved, and verify within this framework that the interests (commercial, security of goods, fight against fraud, etc.) that it pursues do not create an imbalance to the detriment of the rights and interests of people whose data is processed. If the interests and rights of the latter prevail, article 6.1. f) of GDPR cannot be used. 101. Concretely, the data controller must first identify the consequences any impact its treatment can have on the people concerned: on their lives private but also, more broadly, on all the rights and interests covered by the Protection of personal data. This involves evaluating the degree of intrusion of the treatment considered in the individual sphere, measuring its impact on private life people (processing of sensitive data, processing relating to people vulnerable, profiling, etc.) and on their other fundamental rights (freedom of expression, freedom of information, freedom of conscience, etc.) as well as the other concrete impacts of treatment of their situation (monitoring or surveillance of their activities or movements, exclusion of access to services, etc.). 
These impacts must be measured in order to determine, on a case-by-case basis, the extent of the intrusion caused by the treatment into the lives of the people. The principle of data minimization will also be taken into account. 102. The data controller must then take into account, in the weighting between its legitimate interest and the rights and interests of the data subjects, “expectations reasonable” of the latter. This consideration is essential when it comes to treatments which can be implemented without the prior consent of the persons: in the absence of a positive and explicit act on their part, legitimate interest requires not to surprise people in the implementation methods as well as in the consequences of the treatment. 103. In this case, the Litigation Chamber finds that the data processed are indeed publicly accessible and professional data. This nature of the data Decision on the merits 149/2023 — 26/36 processed is a factor that can contribute to tipping the scales in favor of the person responsible processing on the condition that the data subjects can reasonably expect the use of their data for the purpose pursued by the said data controller processing without their prior consent. 104. The Litigation Chamber is of the opinion that in this case, the disputed treatment is not part reasonable expectations of the non-registered healthcare professionals concerned. THE contact details of the latter are published on their own website or on that of their office, or even that of a hospital in which they provide services. They have a direct link with this practice or hospital. The Litigation Chamber starts from the idea that they have indicated their agreement for these publications which are part of relationships professional relationships that they have established themselves. 
However, they cannot reasonably expect that their data will be republished on a platform such as that of the first defendant which beyond the “directory” function that it offers for these non-registered health professionals, more generally pursues a commercial interest by offering different priced services including that of making appointments you directly via the platform and electronic diary management. That the first defendant could have thought that increased visibility of health professionals could being beneficial can certainly be conceived. However, the Litigation Chamber concludes that in the case, the fact that the processing cannot be considered as falling within the reasonable expectations of these practitioners is decisive and tips the balance in favor rights and freedoms of the latter. Therefore, the “weighting test” is not satisfied. Conclusion 105. At the end of the above analysis, the Litigation Chamber concludes that there was a violation of Article 5.1. a) (lawfulness requirement) and Article 6.1. of the GDPR by the first defendant in that it could not validly rely on the basis of lawfulness of Article 6.1.f) of the GDPR to legitimize the processing of healthcare professionals’ data not registered on its platform and therefore did not have a valid legal basis for founding said treatments. II.5. As for the processing of the National Register Number (DOS-2020-05649 and DOS-2021- 05271) II.5.1. The parties' point of view 106. Both complainant No. 1 and complainant No. 2 denounce the terms of their respective complaints the processing of the NRN by the first respondent and question the lawfulness of the processing of it with regard to the LRN. Decision on merits 149/2023 — 27/36 107. Complainant No. 1 highlights that in principle, the use of NRN is prohibited. Only the persons exhaustively listed in article 5.1. of the LRN may, subject to authorization from the Minister of the Interior, use it. By way of derogation, Article 8.3. 
delaLRN predicts that “authorization to use the National Register number is not required if the National Register number is used exclusively for identification purposes and authentication of a natural person within the framework of a computer application offered by a private or public institution under Belgian law or by the authorities, institutions and persons referred to in Article 5, § 1”. Complainant no. 1 considers that it is wrong that the first defendant relies on this exemption since the introduction by the patient of its NRN on the platform does not allow it to be identified or authenticated (the NRN seems rather be used as a user number of the data subject), the first defendant not having access to the National Register nor to the electronic identity card of the patient.Therefore, it is necessary to consider, according to complainant number 1, that the first defendant processes the NRN of users of the platform illegally. 108. As for the first defendant, she sets out in terms of conclusions that she opted for the NRN to identify and authenticate users of the platform in a secure manner, in the case of a unique identifier of which only the person concerned has, a priori, knowledge (item 22). She considered it essential given the (health) data which could be exchanged through the platform between a patient and a professional health, that the user is identified and authenticated in a unique and certain manner. There The first respondent indicates that she believed she could rely on Article 8.3. of the LRN cited above while stating that it does not access the National Register. 109. During the hearing, the first respondent indicated, as has already been mentioned at point 28, that it had made the decision not to request the NRN from users of the platform, thus breaking with a choice that had been made at the time of the creation of the platform by the previous management. II.5.2. The appreciation of the Litigation Chamber 110. 
Article 87 of the GDPR provides that “Member States may specify the conditions specific to the processing of a national identification number or any other identifier of general application. In this case, the national identification number or any other identifier of general application is only used subject to appropriate safeguards for the rights and freedoms of the data subject adopted pursuant to this regulations”. Decision on merits 149/2023 — 28/36 111. Under Belgian law, the processing of the NRN which constitutes such a national identification number is strictly regulated in the LRN already cited. This determines restrictively in its article 5, the authorities, bodies, organizations or people who can access it. 112. Article 8 of the LRN sets out the need to be, except in exceptional circumstances, authorized by the Minister of the Interior to, as in this case, use this number. An exemption from authorization is provided if, as mentioned above, the NRN is used exclusively “for purposes identification and authentication of a natural person in the context of a computer application offered by a private or public institution under Belgian law or by er the authorities, institutions and persons referred to in Article 5, § 1”. 20 113. As pointed out by the Commission for the Protection of Privacy (CPVP) in its opinion 21 19/2018 of February 28, 2018 relating to a preliminary draft law introducing in particular modifications to the LRN including the aforementioned article 8.3, “the authentication of a person consists to verify that she really has the identity she claims to have. This is the authentication certificate (including the National Register number) present on the electronic identity card which allows it through the technique of cryptography” (point 31 of the opinion). 114. 
In the present case, it appears from the explanations provided by the first defendant herself that it did not carry out the identification or authentication of the user of the platform from the NRN that the latter was invited to communicate. Indeed, the first Defendant admits not having access to the National Register. It therefore does not proceed, via a access to RN data and reading of the electronic identity card, verification of the identity of the person nor verifies that the person is who they claim to be. first defendant only asks the patient to enter an access “code” (his NRN in this case) without checking that it reveals his certain identity. It is not in no way excludes this person mentioning an NRN which is not theirs, coupled with their real identity what, without reading the electronic identity card, the first defendant will not be able to detect. If the Litigation Chamber shares the analysis of the first defendant that strong identification and authentication are necessary taking into account the processing of data (sensitive if applicable) which takes place via the platform, it nonetheless concludes that the first defendant was wrong argues that it was within the conditions of exemption of article 8.3. of the NRL. 19In application of article 4.1 of the LCA, the APD (and the Litigation Chamber) has jurisdiction to monitor compliance with the Law RN: “The Data Protection Authority is responsible for monitoring compliance with the fundamental principles of the protection of personal data, within the framework of this law and laws containing provisions relating to to the protection of the processing of personal data”. 20The APD succeeded the Commission for the Protection of Private Life (CPVP) in execution of the Law of December 3, 2017 relating to creation of the Data Protection Authority (LCA): article 3. 
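The distinction drawn in points 113 and 114 (a number typed into a form versus a certificate-backed proof of identity) is easier to see in code. The following is an added illustration, not part of decision 149/2023 or of the platform's software. It contrasts a platform that accepts the NRN as an access code with one that checks a certificate binding name and NRN to a card key and requires a signature over a fresh challenge. To stay within the Python standard library, the card's and the certification authority's key pairs are modelled with a Lamport one-time signature; the real Belgian eID uses X.509 certificates and RSA/ECDSA signatures. All names and NRNs are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ALICE = ("Alice Example", "00000000000")      # constructed placeholder name and NRN
MALLORY = ("Mallory Example", ALICE[1])        # own name, but Alice's NRN (point 114)


def lamport_keygen():
    """Lamport one-time key (stdlib stand-in for the card's RSA/ECDSA key pair).
    Private key: 256 pairs of random secrets; public key: their SHA-256 hashes."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk

def _bits(message: bytes):
    h = hashlib.sha256(message).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, message: bytes):
    """Reveal one secret per hash bit; a key must sign only one message."""
    return [sk[i][b] for i, b in enumerate(_bits(message))]

def lamport_verify(pk, message: bytes, sig) -> bool:
    if len(sig) != 256:          # a truncated signature must not pass via zip()
        return False
    return all(hmac.compare_digest(hashlib.sha256(s).digest(), pk[i][b])
               for i, (s, b) in enumerate(zip(sig, _bits(message))))


@dataclass
class Certificate:
    """Binds (name, NRN) to the card's public key; signed by a certification authority."""
    name: str
    nrn: str
    card_pk: list
    ca_sig: list

def _tbs(name: str, nrn: str, card_pk) -> bytes:
    return b"|".join([name.encode(), nrn.encode()] + [h for pair in card_pk for h in pair])

def issue_certificate(ca_sk, name: str, nrn: str, card_pk) -> Certificate:
    return Certificate(name, nrn, card_pk, lamport_sign(ca_sk, _tbs(name, nrn, card_pk)))


class EidCard:
    """Keeps the private key; it only signs a challenge and never reveals the key."""
    def __init__(self, sk, cert: Certificate):
        self._sk, self.cert = sk, cert

    def sign_challenge(self, nonce: bytes):
        return lamport_sign(self._sk, nonce)


class NrnOnlyPlatform:
    """The practice the decision rejects: the NRN typed at registration is later
    accepted as an access code; nothing is checked against the Register or the card."""
    def __init__(self):
        self.accounts = {}

    def register(self, name: str, nrn: str) -> bool:
        self.accounts[name] = nrn      # a borrowed or wrong NRN cannot be detected here
        return True

    def login(self, name: str, nrn: str) -> bool:
        return self.accounts.get(name) == nrn   # knowing the number is enough


class EidPlatform:
    """Authentication as point 113 describes it: trusted certificate plus a signature
    over a fresh challenge, proving possession of the card and matching the claim."""
    def __init__(self, ca_pk):
        self.ca_pk = ca_pk

    def authenticate(self, name: str, nrn: str, cert: Certificate, nonce: bytes, sig) -> bool:
        if not lamport_verify(self.ca_pk, _tbs(cert.name, cert.nrn, cert.card_pk), cert.ca_sig):
            return False                      # certificate not issued by the trusted CA
        if (name, nrn) != (cert.name, cert.nrn):
            return False                      # claimed identity differs from the certified one
        return lamport_verify(cert.card_pk, nonce, sig)   # proof of possession of the card key


def run_demo() -> dict:
    """Constructed scenarios; returns the outcome of each check."""
    ca_sk, ca_pk = lamport_keygen()
    card_sk, card_pk = lamport_keygen()
    alice = EidCard(card_sk, issue_certificate(ca_sk, *ALICE, card_pk))
    rogue_sk, rogue_pk = lamport_keygen()     # Mallory's own key, not certified for Alice
    fake_ca_sk, _ = lamport_keygen()          # a CA the platform does not trust
    fake_cert = issue_certificate(fake_ca_sk, *ALICE, rogue_pk)
    weak = NrnOnlyPlatform()
    weak.register(*ALICE)
    strong = EidPlatform(ca_pk)
    nonce = secrets.token_bytes(32)           # fresh challenge per login attempt
    return {
        "nrn_only_login_knowing_number": weak.login(*ALICE),        # Mallory knows the NRN
        "nrn_only_foreign_nrn_registered": weak.register(*MALLORY),  # undetectable
        "eid_genuine": strong.authenticate(*ALICE, alice.cert, nonce, alice.sign_challenge(nonce)),
        "eid_own_name_alice_nrn": strong.authenticate(*MALLORY, alice.cert, nonce, alice.sign_challenge(nonce)),
        "eid_no_card_key": strong.authenticate(*ALICE, alice.cert, nonce, lamport_sign(rogue_sk, nonce)),
        "eid_untrusted_certificate": strong.authenticate(*ALICE, fake_cert, nonce, lamport_sign(rogue_sk, nonce)),
    }
```

`run_demo()` returns True for both checks on the NRN-only platform (a known number is accepted, and a foreign NRN coupled with one's own name is registered without complaint), and True only for the genuine card on the certificate-based platform. The three safeguards in `EidPlatform.authenticate` map onto the opinion quoted in point 113: the certificate must come from a trusted issuer, the identity claimed in the form must equal the certified one, and the user must prove possession of the card key over a challenge that cannot be replayed. Note that the NRN itself is never a secret in this design; it is an attribute inside the certificate.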
21 Commission for the Protection of Privacy, Opinion 19/2018 of February 28, 2018 relating to the preliminary draft law establishing various “Interior” provisions. Decision on merits 149/2023 — 29/36 115. Thus, even in the event that, as in the present case, users of the platform consent to communicate their NRN, this consent, also in accordance with the requirements of articles 6 and 7 of the GDPR, if applicable, is not sufficient to authorize processing since the processing of the NRN must be lawful and comply with the requirements of the LRN, including its articles 5 and 8. The Litigation Chamber concludes that failing the first defendant to found under the conditions of these provisions, she was not authorized to use this NRN and therefore to solicit them, in violation of articles 5.1. a) and 6.1.GDPR in combination with article 8 of the LRN. 116. The Litigation Chamber took note of the decision of the first respondent to refrain from requesting the NRN from users of the platform. She recalls that this change does not erase the past breach and must be reflected in the Policy confidentiality of the first defendant. III. As for corrective measures and sanctions 117. 
Under the terms of article 100 of the LCA, the Litigation Chamber has the power to: 1° close the complaint without further action; 2° order the dismissal of the case; 3° pronounce a suspension of the sentence; 4° propose a transaction; 5° issue warnings or reprimands; 6° order to comply with the requests of the person concerned to exercise their rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or definitive ban on processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification of these to the recipients of the data; 11° order the withdrawal of the accreditation of certification bodies; 12° give fines; 13° issue administrative fines; 14° order the suspension of cross-border data flows to another State or a international body; Decision on merits 149/2023 — 30/36 15° transmit the file to the public prosecutor of the King of Brussels, who informs him of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Authority of Data protection. III.1. With regard to the first defendant (DOS-2020-05649 and DOS-2020-05271) III.1.1. The shortcomings 118. It follows from the above that the first defendant was guilty of breach of article 12.3 of the GDPR (point 65), articles 5.1.a (lawfulness) and 6.1 of the GDPR with regard to the processing of data of unregistered health professionals (point 105) as well as article 5.1. a) (lawfulness) and 6.1. of the GDPR read in conjunction with Article 8 of the LRN with regard to the processing of the NRN of users of the platform (point 115). 119. It is the responsibility of the Litigation Chamber to determine the corrective measure and/or the sanction most appropriate to these shortcomings. 120. 
The Litigation Chamber first specifies the following with regard to the principle “ne bis in idem” invoked by the first respondent with regard to the complaint based on the legality of the NRN treatment. The first defendant is indeed surprised to have been invited to conclude on this question in the context of the two complaints (point 22) and declared during the hearing to question the respect of this principle by the Litigation Chamber if it was to sanction the same breach twice over an identical period. 121. The Litigation Chamber recalls that the general principle of law “non bis in idem” carries that “no one can be prosecuted or punished a second time due to an offense (even otherwise qualified) for which he has already been acquitted or convicted by a judgment definitive in accordance with the law and criminal procedure of each country. In other words, second prosecutions are prohibited on grounds of identical or substantially identical facts identical which, having been the subject of previous proceedings, gave rise to a decision final decision of acquittal or conviction. By “identical facts or substantially identical'', it is necessary to understand a set of concrete factual circumstances relating to a same suspect, which are inseparably linked in time and place (Cass., April 24, 2015, No. F.14.0045.N). 122. The respect due to this general principle of law in no way prevents the Chamber from Litigation invites the parties concerned to defend themselves with regard to the same grievance raised in various pending proceedings and in which it has not yet taken decision.The Litigation Chamber is free to invite a conclusion in a case pending following a complaint even subsequent to another which would raise the same grievance during the same time period. It remains free to adopt its decisions according to the Decision on the merits 149/2023 — 31/36 calendar of priorities that it establishes. 
The Litigation Chamber adds that if having regard to the case in point, the nature of the sanctions it imposes can, depending on the case, be described as criminal, this is not necessarily always the case. 123. In this case, the Litigation Chamber having not yet taken any decision with regard to one or the other of complaints n°1 and n°2, it remained in any case free to invite the parties to conclude with regard to this complaint of the lawfulness of the processing of the NRN within the framework of two complaints. With regard to this decision, the Litigation Chamber has, as it was presented in point 51, decided to join these complaints n°1 and n°2, in particular with regard to the grievance common point that they raised as well as to adopt, as will be specified below, a single sanction with regard to the breach identified in point 115 above. III.1.2. The assessment of the sanction/adequate corrective measure by the Chamber Litigation 124. In assessing the most appropriate sanction with regard to the breaches noted, The Litigation Chamber takes into account the following elements specific to the specific case. Thus, it takes into account the decisions and changes initiated by the first defendant who both in its final conclusions (point 27) and during the hearing (point 28) specified that following decision 75/2023 of the Litigation Chamber, it had initiated a process of obtaining consent from non-health professionals registered. In the same sense, the first defendant decided to give up requesting the NRN of platform users at the time of account creation and presented a test version without this NRN during the hearing (point 28). The Litigation Chamber is also sensitive to the successive adaptations made by the first defendant to its Confidentiality Policy in a concern for constant improvement regarding the implementation implementation of its obligations arising from the GDPR (points 60 and 68). 
Finally, the Chamber Litigation generally highlights the good cooperation of the first defendant both with itself and with the IS, notwithstanding article 31 of the GDPR which requires such collaboration. However, all these elements are not likely to remove the shortcomings it noted (point 118). 125. On this basis, the Litigation Chamber is of the opinion that addressing a reprimand to the first respondent for the breaches noted is appropriate and holds both take into account the reality of these failings and the fact that they are attributable to a young start-up with a limited number of employees (2), who throughout the procedure showed themselves wishing to comply, has taken a number of decisions in this direction and has initiated the operational changes resulting from these decisions. Decision on merits 149/2023 — 32/36 126. The Litigation Chamber adds that for the remainder, it is not required to present the reasons why it does not retain this or that sanction, for example suggested by the complainant. 127. In this case, the Litigation Chamber nevertheless intends to react to the fact that in its reply and summary conclusions, the first respondent argues that the Chamber Litigation would not be justified in imposing an administrative fine on him for reasons based on the fact that the fine is only the 13th sanction in the list of the article 100 of the LCA as well as due to the considerations issued by the Court of Markets (CdM) as for this in its judgment of January 27, 2021 (RG 2020/AR/1333, p.19.) as well as that of terms of which, in a judgment of May 26, 2021, the said Court would rule out the possibility for the Chamber Contentious to impose a fine from the first offense committed by inadvertence (GR 2021/AR/163). 128. The Litigation Chamber recalls that article 58.2 of the GDPR states that each authority supervisory authority has the authority to adopt all corrective measures listed. 
The administrative fine appears in the penultimate position (9th, litera i)), just before the 10th, which allows the suspension of data flows to be ordered. Considering that there is a form of hierarchy between the measures finds no support in the text of the GDPR; on the contrary, litera i) specifies that each supervisory authority may impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in that paragraph, depending on the circumstances of each individual case. In addition, the measure referred to in litera j) (suspension of flows) obviously cannot be conditioned on the prior existence of a fine that would have been imposed. That would not make any sense.

129. Regarding article 100.1 of the LCA, adopted in implementation of the GDPR, the same reasoning applies. It should be noted in this regard that the LCA does not take over the full wording of article 58.2 of the GDPR, namely that the administrative fine can be ordered in addition to or instead of the measures referred to in that paragraph, depending on the circumstances of each individual case. Certainly the fine is mentioned in 13th position, in litera 13, but this must be read together with the clarification that was omitted by the Belgian legislator. Moreover, the measures referred to in litera 14, 15 and 16 (publicity of the decision) of article 100.1 of the LCA are not conceived as being able to intervene only "after a fine".

130. In summary, the place of the fine in the list of corrective measures/sanctions provided for in the GDPR and the LCA does not mean, a fortiori on the basis of the text of article 58.2.i) of the GDPR itself, that it is a measure of last resort conditional on the adoption of other corrective measures/sanctions considered less onerous, even in the event of a first breach through negligence.[22]

131. The Litigation Chamber adds that, since the judgments cited by the first defendant, the CdM has revisited this position.
The CdM subsequently added clarifications to the judgments cited by the first defendant, in particular by recalling the possibility of imposing a fine (and even a fine higher than the minimum amount of the range) on a data controller committing an offence for the first time.[23]

132. As already mentioned, the Litigation Chamber must, however, adopt the corrective measure and/or sanction that is appropriate in the specific case.

133. While the Litigation Chamber judges that the reprimand is an appropriate sanction in this case (point 125), the changes decided upon and mentioned above must nonetheless materialise in order to put an end, as quickly as possible, to the breaches of articles 5.1.a) and 6 of the GDPR complained of. The Litigation Chamber therefore combines its reprimand with orders to bring the processing into compliance in accordance with the operative part below, and with a ban on processing the data concerned beyond a deadline set at 15 January 2024. It goes without saying that the first defendant will have to draw all the consequences from this, for example in terms of erasure of said data in the absence of a legal basis that would authorise processing beyond that date, and adaptation of its Privacy Policy.

134. The Litigation Chamber specifies that, as regards obtaining the consent of non-registered practitioners, the first respondent may request the consent of each healthcare professional concerned by sending a personalised letter.

III.2. With regard to the second defendant (DOS-2020-05649)

135. The Litigation Chamber decides to adopt a decision of classification without further action with regard to the second defendant.
[22] In its guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP 253), the EDPB clarified in this regard that: "The assessment of the effective, proportionate and dissuasive nature in each case must also take into consideration the objective pursued by the corrective measure adopted, namely to restore compliance with the rules or to punish unlawful behaviour (or both)." The EDPB also states that fines are an important instrument that supervisory authorities should use in appropriate circumstances. Supervisory authorities are encouraged to take a considered and balanced approach when implementing corrective measures, so as to respond to the violation in a manner that is effective, dissuasive and proportionate. Fines are not to be regarded as a last resort, nor should authorities fear imposing them; on the other hand, they must not be used in a way that would reduce their effectiveness. See also recital 148 of the GDPR.

[23] See Court of Markets, 7 July 2021, 2021/AR/320, published on the APD website.

136. In matters of dismissal, the Litigation Chamber must justify its decision step by step and:
- pronounce a technical classification without further action if the file does not contain sufficient elements likely to lead to a sanction, or if it presents a technical obstacle preventing it from rendering a decision;
- or pronounce an opportunity-based classification without further action if, despite the presence of elements likely to lead to a sanction, continuing the examination of the file does not seem appropriate given the priorities of the APD, as specified and illustrated in the Litigation Chamber's No Action Policy.

137. Where classification without further action is based on several reasons (technical and/or opportunity-based), the reasons for classification must be addressed in order of importance.

138.
In the present case, the Litigation Chamber decides to proceed with a technical classification without further action, based on the absence of any breach of the GDPR, or of the laws whose observance it is responsible for ensuring, that can be observed on the part of the second defendant. Indeed, the latter is neither a (joint) controller nor a processor, and no breach is alleged against it in this case with regard to the complaints raised against it by complainant no. 1.

139. Therefore, the Litigation Chamber closes complaint no. 1 without further action for technical reasons on the basis of article 100.1.1° of the LCA.

IV. Publication of the decision

140. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the Data Protection Authority (APD). However, it is not necessary for this purpose that the identification data of the parties be directly mentioned.

FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority (APD) decides, after deliberation:
- Under article 100, § 1, 5° of the LCA, to issue a reprimand to the first respondent for the violation of (i) article 12.3 of the GDPR, (ii) articles 5.1.a) (lawfulness) and 6.1 of the GDPR with regard to the processing of personal data of healthcare professionals not registered on the platform, and (iii) articles 5.1.a) and 6.1 of the GDPR read in combination with article 8 of the LRN with regard to the processing of the national register number of platform users.
- Under article 100, § 1, 8° and 9° of the LCA,
to accompany this reprimand with an order to the first respondent to put a definitive end to the violations referred to under (ii) and (iii) above by providing, by 15 January 2024, a valid legal basis for the processing of the data of unregistered health professionals and by abandoning the collection of the national register number (NRN) of platform users. The Litigation Chamber must be informed of this, with supporting documents.
- Under article 100.1.1° of the LCA, to classify complaint no. 1 without further action with regard to the second defendant.

In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority (DPA) as defendant. Such an appeal may be introduced by means of an inter partes application, which must contain the information listed in article 1034ter of the Judicial Code.[24] The application must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the Judicial Code,[25] or via the e-Deposit information system of the Ministry of Justice (article 32ter of the Judicial Code).

(signed) Hielke Hijmans
President of the Litigation Chamber

[24] The application contains, on pain of nullity: 1° the indication of the day, month and year; 2° the surname, first name and domicile of the applicant, as well as, where applicable, his capacity and his national register number or business number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the object and a summary of the grounds of the application; 5° the indication of the judge seized of the application; 6° the signature of the applicant or his lawyer.

[25] The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the court registry.