APD/GBA (Belgium) - 149/2023: Difference between revisions
From GDPRhub
mNo edit summary |
m (Nzm moved page APD/GBA (Belgium) - 149/2023 - DOS-2020-05649 and DOS-2021-05271 to APD/GBA (Belgium) - 149/2023 over redirect) |
||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 79: | Line 79: | ||
}} | }} | ||
The Belgian DPA reprimanded a controller, an online booking platform, | The Belgian DPA reprimanded a controller, an online booking platform, for failing to comply with [[Article 12 GDPR#3|Article 12(3) GDPR]] and because [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] was not a valid legal basis to publish personal data of health professionals on the platform. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
To book an appointment with a dentist through 'Platform Z' (the platform), which aims to facilitate contact with healthcare professionals and doctors, complainant n.1 had to make an account. After the account creation, complainant n.1 requested the platform to delete her account and her personal data, to which she did not receive any reply. | |||
Thus, on 4 December 2020, complainant n. 1 lodged a complaint with the Belgian DPA against the company that created the | Thus, on 4 December 2020, complainant n.1 lodged a complaint with the Belgian DPA against the company that created the platform and a shareholder company, which she claimed to be joint-controllers, for not taking any action to comply with her request. | ||
On 31 July 2021, complainant n.2 also informed the Belgian DPA that to create an account on the | On 31 July 2021, complainant n.2 also informed the Belgian DPA that to create an account on the platform, he had to provide his National Register Number (NRN). Complainant n.2 explained to have emailed the company stating that their request was illegal, to which the platform explained that the NRN was needed as a security measure. Consequently, complainant n.2 did not create an account. | ||
On 2 August 2023, complainants n. 1 and no. 2 were informed that the hearing would take place on 15 September 2023. In response to the invitation to the hearing, complainant n.2 indicated that he had no intention of filing a complaint other than to point out a potential | On 2 August 2023, complainants n.1 and no.2 were informed that the hearing would take place on 15 September 2023. In response to the invitation to the hearing, complainant n.2 indicated that he had no intention of filing a complaint other than to point out a potential violation to the DPA. The DPA still found itself able to continue the proceedings since it considered the alleged breach to be sufficiently serious and to be revealing the existence of a practice likely to infringe the data protection principles. In light of this, the DPA also conducted an ''ex officio'' investigation into the legal basis of the data processing of the non-registered health professionals carried out by the controller for its platform. | ||
=== Holding === | === Holding === | ||
The Belgian DPA decided to join the two complaints as it considered them closely related and to ensure consistency in its decisions. | The Belgian DPA decided to join the two complaints as it considered them closely related and to ensure consistency in its decisions. | ||
Firstly, concerning the complaint of complainant n.1, the DPA addressed whether the company that created the | Firstly, concerning the complaint of complainant n.1, the DPA addressed whether the company that created the platform and the shareholder company could be considered joint controllers. The DPA noted that joint controllership presupposes participation in the determination of the purposes and means of the data processing, which does not necessarily happen in situations of financial support for a project. Thus, the DPA stated that in this instance, the shareholder company was not to be considered a joint controller under [[Article 4 GDPR#7|Article 4(7) GDPR]] since there was no evidence that it contributed to determining the data processing for the platform, and the company that created the platform was to be considered the sole controller. | ||
Secondly, the DPA addressed the controller's failure to comply with complainant n.1's right to erasure. The DPA stressed that pursuant to [[Article 12 GDPR#3|Article 12(3) GDPR]], | Secondly, the DPA addressed the controller's failure to comply with complainant n.1's right to erasure. The DPA stressed that pursuant to [[Article 12 GDPR#3|Article 12(3) GDPR]], there is the obligation to inform the data subject of the measures taken following the deletion request, as soon as possible and, in any event, within one month of receipt of the request. Since, in the present instance, the controller did provide evidence of the data erasure and that it only failed to inform complainant n.1 of the erasure, the DPA concluded a breach of [[Article 12 GDPR#3|Article 12(3) GDPR]]. | ||
Regarding the request for the NRN data, the DPA agreed with the controller that to access the information of the platform, there should be a strong identification system in place. Nonetheless, it stressed that such a system should not include the NRN. Moreover, the DPA stated that under [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=1983080836&table_name=loi Article 8 of the National Law organising the NRN (LRN)], the NRN could be utilised only when granted by the Minister of the Interior to authorities, institutions, and persons explicitly referred to in [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=1983080836&table_name=loi Article 5(1) LRN], under which the controller did not fall in. Therefore, the controller breached [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 6 GDPR#1|Article 6(1) GDPR]], in conjunction with [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=1983080836&table_name=loi Article 8 LRN]. | |||
Lastly, | Lastly, in its ''ex officio'' capacity, the Belgian DPA then decided to assess the legal basis of the data processing of the non-registered health professionals carried out by the controller, which the controller claimed to be legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. While the DPA acknowledged the controller's legitimate societal interest and economic interest, the DPA noted that non-registered health professionals could not reasonably expect their data to be used by the controller without their prior consent. Indeed, while the information on the platform was the same information as published on the non-registered health professionals' own website or that of their practice, to which they agreed, they could not have expected their data to be republished on a platform such as the one in question. Therefore, there had been a breach of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 6 GDPR#1|Article 6(1) GDPR]]. | ||
Taking into consideration the aforementioned breaches, the DPA reprimanded the controller and ordered the controller to bring its processing operations into compliance with the GDPR. | Taking into consideration the aforementioned breaches, the DPA reprimanded the controller and ordered the controller to bring its processing operations into compliance with the GDPR. | ||
Latest revision as of 08:50, 19 March 2024
| APD/GBA - DOS-2020-05649 and DOS-2021-05271 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR Article 6 GDPR Article 7(3) GDPR Article 12 GDPR Article 12(1) GDPR Article 13(1)(a) GDPR Article 13(1)(c) GDPR Article 13(2) GDPR Articles 5, 8.1 and 8.3 of the Belgian Law dd 8 August 1983 organizing a National Register of Natural Persons |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 04.12.2020 |
| Decided: | 10.11.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | Madame X1 and Monsieur X2 Société Y1 and Société Y2 (or 'Platform Z') |
| National Case Number/Name: | DOS-2020-05649 and DOS-2021-05271 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Belgian DPA (in FR) |
| Initial Contributor: | n/a |
The Belgian DPA reprimanded a controller, an online booking platform, for failing to comply with Article 12(3) GDPR and because Article 6(1)(f) GDPR was not a valid legal basis to publish personal data of health professionals on the platform.
English Summary
Facts
To book an appointment with a dentist through 'Platform Z' (the platform), which aims to facilitate contact with healthcare professionals and doctors, complainant n.1 had to make an account. After the account creation, complainant n.1 requested the platform to delete her account and her personal data, to which she did not receive any reply.
Thus, on 4 December 2020, complainant n.1 lodged a complaint with the Belgian DPA against the company that created the platform and a shareholder company, which she claimed to be joint-controllers, for not taking any action to comply with her request.
On 31 July 2021, complainant n.2 also informed the Belgian DPA that to create an account on the platform, he had to provide his National Register Number (NRN). Complainant n.2 explained to have emailed the company stating that their request was illegal, to which the platform explained that the NRN was needed as a security measure. Consequently, complainant n.2 did not create an account.
On 2 August 2023, complainants n.1 and no.2 were informed that the hearing would take place on 15 September 2023. In response to the invitation to the hearing, complainant n.2 indicated that he had no intention of filing a complaint other than to point out a potential violation to the DPA. The DPA still found itself able to continue the proceedings since it considered the alleged breach to be sufficiently serious and to be revealing the existence of a practice likely to infringe the data protection principles. In light of this, the DPA also conducted an ex officio investigation into the legal basis of the data processing of the non-registered health professionals carried out by the controller for its platform.
Holding
The Belgian DPA decided to join the two complaints as it considered them closely related and to ensure consistency in its decisions.
Firstly, concerning the complaint of complainant n.1, the DPA addressed whether the company that created the platform and the shareholder company could be considered joint controllers. The DPA noted that joint controllership presupposes participation in the determination of the purposes and means of the data processing, which does not necessarily happen in situations of financial support for a project. Thus, the DPA stated that in this instance, the shareholder company was not to be considered a joint controller under Article 4(7) GDPR since there was no evidence that it contributed to determining the data processing for the platform, and the company that created the platform was to be considered the sole controller.
Secondly, the DPA addressed the controller's failure to comply with complainant n.1's right to erasure. The DPA stressed that pursuant to Article 12(3) GDPR, there is the obligation to inform the data subject of the measures taken following the deletion request, as soon as possible and, in any event, within one month of receipt of the request. Since, in the present instance, the controller did provide evidence of the data erasure and that it only failed to inform complainant n.1 of the erasure, the DPA concluded a breach of Article 12(3) GDPR.
Regarding the request for the NRN data, the DPA agreed with the controller that to access the information of the platform, there should be a strong identification system in place. Nonetheless, it stressed that such a system should not include the NRN. Moreover, the DPA stated that under Article 8 of the National Law organising the NRN (LRN), the NRN could be utilised only when granted by the Minister of the Interior to authorities, institutions, and persons explicitly referred to in Article 5(1) LRN, under which the controller did not fall in. Therefore, the controller breached Article 5(1)(a) GDPR and Article 6(1) GDPR, in conjunction with Article 8 LRN.
Lastly, in its ex officio capacity, the Belgian DPA then decided to assess the legal basis of the data processing of the non-registered health professionals carried out by the controller, which the controller claimed to be legitimate interest under Article 6(1)(f) GDPR. While the DPA acknowledged the controller's legitimate societal interest and economic interest, the DPA noted that non-registered health professionals could not reasonably expect their data to be used by the controller without their prior consent. Indeed, while the information on the platform was the same information as published on the non-registered health professionals' own website or that of their practice, to which they agreed, they could not have expected their data to be republished on a platform such as the one in question. Therefore, there had been a breach of Article 5(1)(a) GDPR and Article 6(1) GDPR.
Taking into consideration the aforementioned breaches, the DPA reprimanded the controller and ordered the controller to bring its processing operations into compliance with the GDPR.
Comment
Comment by the original contributor: The Belgian DPA had recently issued a fine against a similar platform, following a complaint by health professionals that their data had been processed without their informed consent. In this case, the complain comes from patients who complained to have been misled into believing that they had to create an account and provide unnecessary sensitive personal data to make a booking with a health professional, only to realize that the health professional of their choice did not offer online booking on that platform. This shows that the publication of health professional data on platform without consent poses issues both to health professionals and to patients. It is time online booking platform comply with the GDPR and the decisions of the Belgian DPA.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/36
Litigation Chamber
Decision on merits 149/2023 of November 10, 2023
File numbers: DOS-2020-05649 and DOS-2021-05271
Subject: Complaints relating to the processing of personal data carried out by
an online medical and paramedical appointment booking platform
The Litigation Chamber of the Data Protection Authority, made up of Mr.
Hielke HIJMANS, president, and gentlemen DirkVanDerKelenet YvesPoullet, members, resuming
the case in this composition;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the
protection of natural persons with regard to the processing of personal data and
to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter “GDPR”;
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter
“LCA”);
Having regard to the Law of August 8, 1983 organizing a National Register of individuals (hereinafter
“LRN”);
Considering the internal regulations as approved by the House of Representatives on
December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the files;
Has taken the following decision regarding:
Complainant No. 1: Mrs. X1, (DOS-2020-05649);
Complainant No. 2: Mr. X2, (DOS-2021-05271);
The defendants: The company Y1, represented by Maîtres Florence Garcet and Claire
Vandesande, lawyers, whose firm is established in 4000 Liège, rue des
Augustins, 32, hereinafter “the first defendant” (DOS-2020-05649 and
DOS-2021-05271);
Company Y2, hereinafter “the second defendant” (DOS-2020-05649); Decision on merits 149/2023 — 2/36
Hereinafter referred to together as “the Defendants”.
I. Facts and procedure
I.1. As for the complaint of complainant no. 1 (DOS-2020-05649)
1. On December 4, 2020, complainant no. 1 filed a complaint with the Authority of
data protection (DPA) against the defendants.
2. According to the terms of his complaint and the details provided in terms of conclusions and during
the hearing (see below), complainant no. 1 reports the following facts.
3. At the beginning of October 2020, wishing to make an appointment with his dentist without calling him by
telephone, complainant no. 1 notes that the site […] (hereinafter “Z” or “the platform” or “the
platform Z") allows you to make an appointment directly online with
health professionals. The contact details of his dentist can be found on the
platform, complainant no. 1 creates an account to be able to make an appointment with her.
4. Complainant No. 1 reports that it was only after the creation of her account that she received
the information that it was not possible for him to make an appointment with his
dentist, only the contact details of the latter being referenced on the site without
possibility of making an appointment with her via the platform itself.
5. For the proper understanding of this decision, the Litigation Chamber specifies here
from the outset that the “Z” platform aims to facilitate rapid contact between
patients and healthcare professionals – including doctors but not
only - in particular through online appointment booking. When a patient
accesses the platform, two options are available to him:
- Either only the contact details of the practitioner sought appear on the platform without
possibility of making an appointment with him via this. We then talk about
“non-registered practitioner/professional”. In this case, the patient can make an appointment
with this practitioner via the contact channels specific to this one starting from the contact details
referenced on the platform. No account is required for this.
- Either it is possible to make an appointment directly via the platform with the
practitioner sought. We then speak of “registered practitioner/professional” on the
platform. To make such an appointment, the patient must create a patient account
for which he is asked to provide the following personal data: his name,
his first name, his email address, his telephone number and his Register Number
National (NRN).
6. On October 21, 2020, not having been able to make an appointment with his dentist (not registered) via
the platform, complainant no. 1 requests the deletion of her account and data at Decision on the merits 149/2023 — 3/36
personal character that she transmitted during the creation of it. In terms
of the email sent for this purpose to the email address info@[…], complainant no. 1 also makes
part of his question regarding the obligation to provide his NRN when creating his
account.
7. Complainant No. 1 indicates that it has not received a response to this erasure request.
8. Via a company specializing in data protection, complainant no. 1 requests
on October 22, 2020 what are the legal bases on which the different
data processing carried out from the platform, the reasons for processing the NRN
as well as the exact identity of the data controller. Complainant No. 1 reports that
this request also remained unanswered.
9. According to the terms of his complaint submitted to the APD on December 4, 2020, i.e. 1 and a half months later
sending the above-mentioned requests, complainant no. 1 denounces both the lack of action given to
his request for erasure and his questions about the legal bases of the different
data processing carried out by the platform, including its NRN.
10. On January 5, 2021, complaint no. 1 was declared admissible by the Front Line Service
(SPL) of the APD on the basis of articles 58 and 60 of the LCA and the complaint is transmitted to the
er
Litigation Chamber under article 62, § 1 of the LCA.
11. On February 2, 2021, in accordance with article 96, § 1 of LCA, the request of the Chamber
Contentious to carry out an investigation is transmitted to the Inspection Service (SI).
12. On May 9, 2022 the IS investigation is closed, the report is attached to the file and it is
transmitted by the SI to the President of the Litigation Chamber (art. 91, § 1 and § 2 of the LCA).
13. The content of the IS report can be summarized as follows:
- The first defendant is the sole data controller within the meaning of article 4.7.
of the GDPR to the exclusion of the second defendant. As part of his analysis,
the Inspector General mentions a lack of clarity regarding the identification of the
data controller in the platform’s Privacy Policy (article
13.1.a) of the GDPR);
- As preliminary observations, the IS notes on the one hand that the platform has been the subject
of an evaluation in April 2020 by the General Secretariat. The SI notes that “some
shortcomings identified by the General Secretariat do not appear to have been the subject of
the recommended compliance” (page 10 of the investigation report). The SI points to this
regard to gaps in information relating to the basis for the lawfulness of the processing (article
13.1.c) of the GDPR) and the data retention period (13.2.a) of the GDPR). LeSIrelève
on the other hand that according to him the platform processes a significant volume of health data
within the meaning of Article 9 of the GDPR. Decision on merits 149/2023 — 4/36
- Starting from the facts denounced in the complaint, the SI then declares to note, in the
scope of this, a certain number of breaches of the GDPR:
o a violation by the first respondent of Article 12 of the GDPR in that it
did not provide any information to complainant no. 1 following her request
erasure of October 21, 2020;
o a violation by the first respondent of articles 7.3. in fine and 12.1. of
GDPR in that, in its capacity as data controller, it does not render the
deleting a “patient account” as simple as creating this account
and therefore does not facilitate the exercise of the rights of the persons concerned, in
the species, the complainant’s right to erasure;
o a violation by the first defendant of articles 15.1 and 19 of the GDPR,
that in its capacity as data controller, it has not given confirmation to
complainant no. 1 that personal data concerning her were not
no longer processed nor did it notify complainant no. 1 of the deletion of her data;
o a violation by the first respondent of articles 5.1 a), 5.2. and 6 of the GDPR
in that, in its capacity as data controller, the first defendant
cannot validly invoke its legitimate interest (article 6.1. f) of the GDPR) to
the referencing of “unregistered” health professionals on the platform;
o a potential violation by the first respondent in its capacity as
data controller, of Article 32 of the GDPR in that the use by the
leading defender of systems such as Cloudflare, AmazonWeb Services
and Runcloud to manage its infrastructure does not constitute a measure
appropriate technique to guarantee a level of security adapted to the
risk presented by its activity.
er
14. On June 15, 2022, the Litigation Chamber decides, under article 95, §1, 1° and article
98 of the ACL, that the case can be processed on its merits.
15. On this same date, the parties are informed by registered mail of the provisions such
as set out in article 95, §2 as well as article 98 of the LCA. They are also informed,
under section 99 of the LCA, deadlines for transmitting their conclusions. The date
limit for receipt of submissions in response from defendants was set on August 10
2022, that for the conclusions in reply of complainant no. 1 on September 1, 2022 and
that for the defendants' reply conclusions as of September 23, 2022.
1The SI, however, qualifies this observation in the introduction to its report, indicating that it noted certain aspects without, however,
carry out a complete review of all aspects relating to the processing security obligation. Decision on merits 149/2023 — 5/36
2
16. The parties are invited to defend themselves with regard to the following findings and grievances retained
by the Litigation Chamber:
- The qualification of the first defendant as sole controller of the processing
within the meaning of article 4.7 of the GDPR;
- A breach of articles 13.1. a), 13.1 c) and 13.2 of the GDPR in respect of the first
defendant in that the platform's Privacy Policy does not mention
not adequately identify and contact details of the data controller (article
13.1.a) of the GDPR), does not mention the legal basis of the data processing carried out
– including data relating to health within the meaning of article 4.19 of the GDPR – (article
13.1. c) of the GDPR) and does not mention the data retention periods
personal data processed (article 13.2. a) of the GDPR more precisely);
- A breach of Article 12 of the GDPR in that the first defendant did not provide
no information to complainant no. 1 following her request to exercise the right to
erasure;
- A breach of articles 7.3 in fine and 12.1 of the GDPR, in that the first
defendant did not make the deletion of a “patient account” as simple as
creation of this account (it is therefore not as simple to withdraw consent as
to give it) and therefore does not facilitate the exercise of the rights of the persons concerned;
- A breach of articles 5.1.a), 5.2.and 6 of the GDPR in which the legitimate interest invoked
by the first defendant the basic title of lawfulness of treatment of professionals
referenced but “not registered” on the platform, is not validly invoked.
17 The Litigation Chamber also invites the parties to present their arguments
in relation to the basis of lawfulness which underlies the processing by the first respondent of the
NRN questioned by complainant no. 1 under the terms of her complaint. The Litigation Chamber
also informs the parties that a complaint relating to this same question is
2
As part of its own assessment, the Litigation Chamber is free to retain one or other findings of the inspection
to include them in the list of grievances on which it asks the parties to defend in the letter based on article 98
of the aforementioned LCA. No other conclusion can be drawn from the abandonment of one or other grievance other than the fact that the Chamber
Litigation does not consider it appropriate to bring the parties to a conclusion regarding them. It cannot be deduced from this that the Chamber
Litigation confirms compliance with the GDPR on these aspects. In view of this own assessment, the Chamber
Litigation specifies that the LCA does not require it to use the Inspection Service. In fact, the Litigation Chamber decides
sovereignly whether, following the filing of a complaint, an investigation is necessary or not (article 63, 2° of the LCA and art. 94, 1° of
the LCA). In this sense, article 94, 3° LCA explicitly provides that once seized, the Litigation Chamber can process the complaint
without having recourse to the Inspection Service. It thus has a power of appreciation of the complaint which is independent of the inspection
(Market Court (19th ch. A), December 7, 2022, 2022/AR/560 and 2022/AR/564; Market Court (19th ch. A), December 7
2022, 2022/AR/556). Decision on merits 149/2023 — 6/36
also pending before the Litigation Chamber (DOS-2021-05271 – complaint no. 2 below)
After).
18. On 2 August 2022, the first respondent agreed to receive all communications
relating to the case electronically. By the same letter, she requests a copy of the
file (art. 95, §2, 3° LCA), which is sent to him on August 4, 2022
19. On August 10, 2022, complainant no. 1 requested a copy of the file (art. 95, §2, 3° LCA),
which is transmitted to him on August 11, 2022.
20. On August 10, 2022, the Litigation Chamber received the conclusions in response to the first
defendant. The first respondent having filed submissions in reply and
synthesis, its argument is summarized in point 22 below.
21. On September 1, 2022, the Litigation Chamber receives the conclusions in response to the
complainant no. 1. In summary, she defends the following:
- The first and second defendants are data controllers
spouses (article 4.7. of the GDPR) taking into account a range of elements from which it
results that the second defendant is not only an investor in the
project of the first defendant;
- Identification of the data controller under the terms of the Privacy Policy
confidentiality of the platform is not sufficiently clear and does not meet the
requirements of section 13.1. a) of the GDPR since the first defendant is not
not mentioned as such. Only two natural persons,
directors of the first defendant are indicated in the data
of contact ;
- Article 13.1.c) of the GDPR is not respected because the Confidentiality Policy
of the platform does not mention the legal bases for each processing
individualized, limited to mentioning article 6.1. of the GDPR in its entirety and
making no reference to Article 9.2. a) of the GDPR for the different treatments
health data operated via the platform;
- The platform's Privacy Policy does not contain information on
data retention periods (article 13.2. a) of the GDPR);
- Not having been informed of the measures taken following his request
erasure, there has been a breach of article 12.3. GDPR;
- Articles 7.3.infine and 12.2. of the GDPR are violated when the deletion of a
account turns out to be more complex than creating it. Furthermore, two
separate procedures co-exist to exercise the right to erasure on the one hand and
to exercise other rights on the other hand; Decision on merits 149/2023 — 7/36
- Complainant no. 1 indicates that she fully agrees with the SI's reasoning regarding
the invalidity of the legitimate interest (article 6.1.f) of the GDPR) for the processing of
personal data of non-registered practitioners such as a dentist and share as soon as possible
upon finding a violation of articles 5.1.a), 5.2. and 6 of the GDPR by the
defendants;
- Your complaint is admissible including with regard to the processing of your NRN from then on
that the legal principle “ne bis in idem” invoked by the first defendant is
inapplicable in this case.
- As for the basis of lawfulness of the processing of the NRN, complainant no. 1 emphasizes that the
processing of NRN is in principle prohibited except in the cases provided for by the Law of 8
August 1983 organizing a National Register of Natural Persons (LRN – article
5) and in principle subject to authorization from the Minister of the Interior (article 8.1.). There
exemption from authorization provided for in article 8.3 of the LRN, the first of which is invoked
defendant is not applicable since the introduction of the NRN on the
platform does not allow the person to be identified or authenticated as required by
said article 8.3.
22. On September 23, 2022, the Litigation Chamber receives the conclusions in reply and
summary of the first defendant. In summary, she defends the following.
- The mere fact of the second defendant acting as an investor/shareholder
does not imply ipso facto that it is responsible for processing within the meaning of the article
4.7 of the GDPR. In fact, the second respondent did not take any decision
relating neither to the purposes nor to the means of processing personal data
operated within the framework of the platform;
- Emphasizing that the IS does not formally consider breaches of the articles
13.1a), 13.1c) and 13.2. of the GDPR with regard to the Privacy Policy of the
platform, the first defendant nonetheless exposes (without recognizing a
any breach) that it intends to draft a new Policy of
confidentiality which will clarify the elements of information concerned by the articles
above;
- She actually granted the request for erasure of complainant no. 1, alone
the email confirming the deletion took place was not sent to this
last ;
- It is no less easy to delete an account than to create one, both
procedures carried out, without being formally identical, in several stages
and requiring active steps in both cases (article 7.3. in fine); Decision on merits 149/2023 — 8/36
- The action of the APD with regard to the basis of lawfulness of data processing of
non-registered professionals is inadmissible. The complaint of plaintiff no. 1 does not
concerning according to the first defendant in no way this question, this one
should have been the subject of a separate procedure. The first defendant considers
not having to justify this in the context of this procedure and vis-
towards complainant no. 1. Alternatively, she sets out the reasons why she
believes it can rely on its legitimate interest within the meaning of article 6.1.f) of the GDPR
to base these processing operations (see also point 88 below).
- Concerning the question of the basis of lawfulness of the processing of the NRN, she is surprised
that this question can be the subject of two separate procedures (both in the
framework of complaint no. 1 and complaint no. 2 – see. infra and point 32), emphasizing
3
that it has already concluded on this issue in the context of complaint no. 2.
Continuing a game for identical facts without having provided a solution
definitive in the first dispute is, according to her, not compatible with the right to trial
fair enshrined in Article 6 of the European Convention on Human Rights
man (ECHR). Therefore, the first respondent judges the request of the
complainant no. 1 (and the APD) inadmissible on this point. Alternatively, the first
defend her submission to the conclusions she filed in the context of the complaint
No. 2 on this aspect (point 46).
23. On August 2, 2023, the Litigation Chamber notifies the parties that the hearing will take place on August 15
September 2023.
24. In this same letter, the parties are informed that on June 14, 2023, the Chamber
Litigation adopted decision 75/2023. Taking into account this decision unknown to the 5
parties at the time when they were invited to conclude, the Litigation Chamber gives the
parties the possibility of concluding additionally on its position in this
decision 75/2023, in particular on the aspects which would be relevant with regard to the
complaint no. 1 until August 31, 2023.
25. On 31 August 2023, in response to the opportunity given to it, the first respondent
submits final conclusions.
3The Litigation Chamber explains in this regard that this decision addresses in chronological order of introduction of
each of the complaints, firstly the progress of the procedure relating to complaint no. 1 lodged in 2020 and then, the progress of the
procedure relating to complaint no. 2 filed in 2021. However, complaint no. 2 not having been sent to the inspection service
whose report was communicated to the Litigation Chamber on February 9, 2022, the parties to this second complaint were
invited to conclude before the parties to complaint no. 1 even though complaint no. 2 was therefore lodged after the
complaint #1.
4https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-75-2023.pdf
5
It was also made clear to the parties that an action for annulment had been filed against this decision before the Courts
markets. See. also the mention made in the decision published when the appeal is filed:
https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr..75-2023.pdf Decision on the merits 149/2023 — 9/36
26. She specifies that these replace the motivation that she developed in her
previous conclusions with regard to the invoked basis of lawfulness of legitimate interest
(article 6.1.f) of the GDPR) for the processing of data from “non-
registered”. The first defendant maintains that she was justified in relying on the article
6.1. f) of the GDPR to process the data of unregistered healthcare professionals.
27. Nevertheless, the first defendant indicates that, following legal monitoring, it has
scrupulous, taken into account since the summer of the decision 75/2023 of the Litigation Chamber
and having made the decision to now rely on the consent of the said
professionals and have initiated a process of obtaining their consent
from the summer. The first defendant also produces the latest version of the Policy
confidentiality of the platform put online in August 2023, which is now
reference to the aforementioned request for consent from unregistered professionals.
28. On 15 September 2023, plaintiff no. 1 and the representatives of the first defendant
are heard by the Litigation Chamber, the second defendant not appearing
not. They each present the argument developed in terms of conclusions. At the invitation
of the Litigation Chamber, the first defendant shows the methods of creation
and account deletion when leaving the platform. She also presents the version
test of the platform which will now work without requesting the NRN, the first
defendant renouncing, in view of the two complaints in particular, to work with this
identifier. She confirms what she had indicated in conclusion, namely the progressive collection of
consent of non-registered health professionals and the abandonment of the basis of legality of
legitimate interest.
29. On September 28, 2023, the minutes of the hearing are submitted to the parties present at
this one. The second defendant receives a copy for information.
30. As of October 6, 2023, the Litigation Chamber does not receive from the first
defendant and plaintiff no. 1 present at the hearing no remarks relating to the
minutes.
I.2. As for Complainant No. 2's Complaint (DOS-2021-05271)
31. On July 31, 2021, complainant no. 2 filed a complaint (hereinafter complaint no. 2) with
the ODA against the first respondent.
32. Under the terms of the complaint, complainant no. 2 reports that he noticed that in order to be able to take
an appointment on the “Z” platform, you need to create your account without
which no appointment can be made - you must communicate your NRN and that
this practice seems to him to be contrary to the law. Decision on merits 149/2023 — 10/36
33. Complainant No. 2 produces the email he sent to the first respondent on July 17
2021 in which he emphasizes that it is according to him (sic) “strictly prohibited by law, to a
private company like yours, to request the National Number. You are asked to
remove this mandatory field to make an appointment.
34. The same day, the first respondent replied that (sic) “your national number is
requested for security reasons and it is fully encrypted in our database
therefore unusable by a third party. A national number is much more difficult to guess by
anyone than an email address and therefore more secure. Especially in the context of a
healthcare-related application.”
35. As mentioned in point 32, complainant no. 2, dissatisfied with the response received,
filed a complaint with the APD on July 31, 2021.
36. On August 16, 2021, his complaint was declared admissible by the SPL of the APD on the basis of the articles
58 and 60 of the LCA and transmitted to the Litigation Chamber under Article 62, § 1 of er
the LCA.
37. It does not appear from the complaint filed that complainant no. 2 communicated his NRN to
the first defendant. On the contrary, it seems that complainant no. 2 has given up on creating a
account on the grounds that his NRN was requested from him. In its conclusions (point 46 below), the
first defendant indicates in this sense that it is not able to determine whether the
Complainant No. 2 actually made an appointment via the platform. She adds that to all
less, when a search is launched from its name in the database of the
platform, it is noted that he does not have any account on it. In other words,
it therefore appears that the first defendant did not process data of a personal nature
personnel relating to complainant no. 2 (including his NRN). The latter is therefore not a person
concerned within the meaning of articles 4.1. and 77 of the GDPR.
38. This lack of standing does not, however, deprive complainant no. 2 of his right to file
complaint to the DPA in support of article 77 of the GDPR supplemented by articles 58 et seq.
LCA. In this regard, the Litigation Chamber recalls that in a judgment of October 7, 2021, 7
the Court of Cassation thus stated:
6Article 56 of the LCA provides as follows: Any person may file a complaint or a written request, dated and signed
with the Data Protection Authority. It must be read in combination with the admissibility criteria of the complaint
detailed in Article 60 of the LCA which do not include the condition of being a data subject. There is no less
limits to the admissibility of a complaint linked to the complainant's interest in taking action as described by the Litigation Chamber in
terms of its Note relating to the position of the complainant in the procedure before the Litigation Chamber and in a certain
many of its decisions. See. for example: Decision on the merits 30/2020 of June 8, 2020 (points 4-7); Decision as to
fund 80/2020 of December 17, 2020 (points 44-52); Decision on the merits 63/2021 of June 1, 2021 (points 10-18); Decision
as to the merits 117/2021 of October 22, 2021 (points 29-35); Decision 49/2022 of April 5, 2022 (points 7-12); Decision as to
fund 106/2022 of June 27, 2022. https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-position-du-
complainant-in-the-procedure-within-the-litigation-chamber.pdf
7
https://juportal.be/content/ECLI:BE:CASS:2021:ARR.20211007.1N.4/FR?HiLi=eNpLtDK2qs60MrAutjI2sFJKT01PLUvNK05K
LU7OSC3KzcxLL04sLckvyixJzSxRss60MoSqdHd1dw1z9Qt2cg129nAN8vX0cw92DA3xD/IMcfUMAak0gqkkYGYtAFHdLHE
= Decision on merits 149/2023 — 11/36
“3. It incontestably emerges from all the legal provisions
mentioned above that a data subject has the right to lodge a complaint
to the Data Protection Authority against a processing practice
which she considers to be violating her rights under the GDPR (...). This is also the case
when the personal data of the data subject themselves
have not been processed but the latter has not obtained the advantage or
service because, precisely because of the existence of the practice constituting
allegedly a violation, she refused to consent to the treatment” 8
39. In this case, complainant no. 2 is effectively denouncing a practice since the NRN is
requested for any account creation with the platform. This complaint no. 2 is by
elsewhere the second that the APD receives on this subject, the first being that of complainant no. 1
questioned above (DOS-2020-05649).
40. On January 21, 2022, the first defendant and plaintiff No. 2 (i.e. the parties concerned
by this complaint no. 2) are informed by registered mail of the provisions such as
repeated in article 95, § 2 as well as article 98 of the LCA. They are also informed, in
under article 99 of the LCA, deadlines for transmitting their conclusions. The deadline
for the receipt of the submissions in response from the first respondent was set for 4
March 2022, that for the conclusions in reply of complainant no. 2 as of March 28, 2022 and that
for the first respondent's reply submissions as of April 19, 2022.
41. In terms of this letter, the first respondent and complainant no. 2 are requested to make
present their arguments with regard to the potential breaches of the GDPR revealed by the
practice of processing NRN denounced, i.e. a potential breach of articles 5.1.a)
(principle of lawfulness), 5.1.c) (data minimization), 5.1.e) (limited retention period),
6.1. (lawfulness), 12 (transparency), 13 (obligation of information), 5.2. and 24
(responsibility/accountability) and 32 (security obligation) of the GDPR as well as the
corollary provisions of the LRN in particular its article 5 (processing authorization).
42. On February 22, 2022, the first respondent requested a copy of the file (art. 95, §2, 3°
LCA), which is sent to him on February 25, 2022.
43. On this same date, the first respondent agreed to receive all the
communications relating to the case by electronic means.
8
See. in this regard, decision 126/2021 of the Litigation Chamber:
https://www.autoriteprotectiondonnees.be/publications/classement-sans-suite-n-126-C’estpdfla Chambre
Contentious which underlines. Decision on merits 149/2023 — 12/36
44. On March 3, 2022, the Litigation Chamber received the conclusions in response to the first
defendant. The first respondent having filed submissions in reply and
synthesis, the summary of its argument is set out in point 46 below.
45. On April 13, 2022, the first respondent announced her request to be heard, and this
in accordance with section 98 of the LCA.
46. On April 15, 2022, the Litigation Chamber receives the conclusions in reply and summary
of the first defendant. In summary, she defends the following:
- The processing of the NRN is based on the free consent of the person concerned
(article 5.1. a) and 6 of the GDPR): the patient is in fact free to create an account or not. He
can also benefit from the platform’s information service and contact the
healthcare professional of their choice via their own communication channels
on the basis of the contact information thus made available to him;
- When a search is launched from the name of complainant no. 2 in the database
data from the platform, it is noted that he does not have any account on it
- The choice to use the NRN is motivated by the absolute necessity of identifying the patient
certain and unique way. There is therefore no infringement of the principle of minimization (article
5.1. c) of the GDPR) with regard to the processing of this NRN;
- The data is only kept for the time necessary for identification and
the patient's authentication and deleted as soon as the latter unsubscribes from the
platform (article 5.1.e) of the GDPR);
- Regarding transparency and information obligations, a specific tab is
dedicated to information regarding the processing of the NRN on the platform (FAQ –
confidentiality). The reasons why this NRN is requested are described there;
- By opting for the processing of the NRN for identification and authentication purposes
sole of the person concerned, the first respondent correctly put in place
implements article 32 of the GDPR, taking into account the risks linked to the nature of the data
processed. All processed data (including the NRN) is included in a database
encrypted and protected data (article 32 of the GDPR);
- It results from the measures put in place (information and security in particular)
that the first defendant has respected the obligations incumbent upon it in execution
of articles 5.2. and 24 of the GDPR;
- Concerning respect for the NRN, the first defendant only treats the NRN for purposes
identification and authentication of the platform user. She is therefore
exempt from prior authorization from the Minister of the Interior in application of article
8.3. of the NRL. The first respondent adds that she does not in any way consult the Decision on the merits 149/2023 — 13/36
National Register of Natural Persons and the data contained therein (pages 15
of its conclusions – last paragraph) and that it is therefore not subject to the article
5 of the LRN.
47. On 2 August 2023, the first respondent and complainant no. 2 were informed that
the hearing will take place on September 15, 2023. It should be noted that in response to the invitation to
the hearing, complainant no. 2 – who did not conclude – indicates that he had no other intention in
filing a complaint than reporting a potential breach of the DPA. As far as
necessary, the Litigation Chamber specifies that this assertion in no way calls into question
the admissibility of his complaint (paragraphs 36-39) and should also not be interpreted as
removal of it. Even assuming that it was conceived as a crime by complainant no. 2,
the Litigation Chamber remains free to continue examining the complaint notwithstanding a
such withdrawal as soon as it considers the breach reported sufficiently serious or
revealing the existence of a practice likely to undermine the principles
fundamentals of the protection of personal data as is the case in
the species.
48. On September 15, 2023, the first respondent was heard by the Chamber
Contentious. Complainant No. 2 does not appear.
49. On September 28, 2023, the minutes of the hearing are communicated to the first
defendant. Complainant No. 2 receives a copy for information.
50. As of October 6, 2023, the Litigation Chamber does not receive from the first
defendant no remarks relating to the minutes.
I.3. As for the joining of complaints no. 1 and no. 2
51. By this decision, the Litigation Chamber decides to join complaints no. 1 and no. 2
that it considers linked by such a close relationship that there is an interest in taking a single decision
with regard to them in order to guarantee the consistency of its decisions. Both complaints, if they are
certainly introduced by distinct complainants (no. 1 and no. 2), nonetheless aim at the same
platform and also denounce a common grievance linked to the treatment of the NRN as it was
mentioned in points 9 (complaint no. 1) and 32 (complaint no. 2) above. In other words,
the objective of consistency pursued by the Litigation Chamber in the treatment of
complaints submitted to it opposes their separate examination.
9 See. the Disclosure Policy of the Litigation Chamber
https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-
contentieuse.pdf Decision on the merits 149/2023 — 14/36
II. Motivation
II.1. As for the qualification of the second defendant (DOS-2020-05649)
II.1.1. The point of view of the SI and the parties
52. As mentioned in point 1, complainant no. 1 lodges her complaint both against the first
and the second defendants whom it describes as joint data controllers in the
meaning of article 4.7. of the GDPR.
53. Complainant No. 1 is in fact of the opinion that a body of serious and consistent evidence supports
in favor of this thesis: (1) in 2018, the second defendant - whose creation and management
of internet sites is part of the fields of activity - massively invested in the project
creation of the platform from both a financial and operational point of view, (2) “the platform
Z” identified himself at the time of the facts reported in his Privacy Policy as
being the co-ownership of the first and second defendants, dedicating to the latter
a page on its site in its capacity as a sole investor and thus offering it a real
showcase, (3)the two companies are closely linked, two entities of the second defendant
being directors of the first defendant.
54. As reported above, the IS retains the status of data controller
solely on the part of the first defendant (paragraph 13). The first defendant
shares this analysis and qualifies as the sole “data controller” with regard to the
data processing carried out by the platform (point 22).
II.1.2. The appreciation of the Litigation Chamber
55. The Litigation Chamber is not bound by the quality recognized by the first
defendant, nor by that which the SI would attribute to it. She must appreciate the reality of this
qualification and if necessary to reject it if it should result from its analysis that it does not
can be retained.
56. The Litigation Chamber recalls that a data controller is defined as “the
natural or legal person or any other entity which alone or jointly with
others, determines the purposes and means of processing personal data
personal” (article 4.7 of the GDPR). This is an autonomous concept, specific to the regulations
in terms of data protection, the assessment of which must be based on the criteria
that it sets out: the determination of the purposes of the data processing concerned as well as
that of the means thereof.
10See. in this sense Brussels (Cour des Marchés), June 8, 2022, 2022/AR/42, p. 6. Decision on the merits 149/2023 — 15/36
57. The Litigation Chamber also recalls that the essential criterion for there to be –
as plaintiff #1 pleads – joint responsibility for treatment is participation
joint action of two or more entities in determining the purposes and means of a
treatment. More precisely, joint participation must encompass, on the one hand, the
determination of the ends and on the other, the determination of the means. A contribution
joint to this determination implies that more than one entity exercises influence
decisive on the question of knowing if, for what purpose and how the processing takes place. In
In practice, joint participation can take the form of a joint decision taken
by two or more entities or result from convergent decisions adopted by them at
subject of the purposes and essential means of processing.
58. In this case, the Litigation Chamber notes that the elements provided by complainant no. 1
certainly show, as the SI underlines and as the first does not dispute
defendant, that the second defendant invested in the project to create the
platform by the first defendant (then a young start-up). The quality of responsibility
spouse presupposes, however, as has just been recalled, participation in the
determination of the purposes and means of processing. The mere fact of supporting
financially a project does not necessarily mean that there is determination of these
purposes and means through common or convergent decisions of the defendants
on data processing. When, in its Guidelines relating to the concepts
controller and processor, the EDPS emphasizes that all types of
partnership, cooperation or collaboration do not imply that the entities are
joint controllers of the processing, it presupposes that these entities each play a role
with regard to data processing; role which, depending on the case, will carry the qualification of
joint data controller or not. In this case, the Litigation Chamber considers
that there is no element which even attests to any role of the second
defendant with regard to the data processing as such. The participation of
the second defendant is financial and neither the documents produced by plaintiff no. 1 nor the
findings of the SI only allow the Litigation Chamber to conclude that the second
defendant actually participated in determining the purpose and means
data processing carried out by the platform.
59. In conclusion of the above, the Litigation Chamber concludes that the second
The defendant is not a data controller (spouse) within the meaning of Article 4.7. of
GDPR with regard to the platform's data processing.
60. The Litigation Chamber notes that during the proceedings, the first respondent
clarified the identification and contact details of the data controller (article 13.1. a) of the
GDPR) in its Privacy Policy by now providing a clause which does not
1https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_fr.pdf Decision on the merits 149/2023 — 16/36
no longer mentions the names of the natural persons who were its directors at
the time. It also removed the mention “co-owners of the platform” from the
of these. This information is foreign to the qualification of roles in terms of protection
data does not necessarily have its place in a confidentiality policy and
risk at the very least creating confusion.
II.2. As for the breach of article 12.3 of the GDPR by the first defendant: the absence
information relating to the follow-up of the request to exercise the right to erasure of the
complainant no. 1 (DOS-2020-05649)
II.2.1. The point of view of the SI and the parties
61. As explained in points 7, 9 and 21 above, complainant no. 1 denounces the absence
response from the first defendant to its request to delete the patient account
that she had created and all the personal data concerning her that she had
communicated on the occasion of its creation.
62. According to its investigation report (point 13), the SI indicates that it became aware
a screenshot which would attest that complainant no. 1 is no longer listed in the database
data of the first defendant. The SI is no less relevant than the first
defendant recognizes – as the latter writes in its conclusions (point 22) – not
not having confirmed to complainant no. 1 that her personal data had actually been
been erased.
II.2.2. The appreciation of the Litigation Chamber
63. It is therefore not disputed that the first respondent refrained from providing the
complainant no. 1 information on the measures taken following her request
erasure as soon as possible and in any event within a period of one month from
from receipt, on October 21, 2020, of its request as required by article 12.3.
of the GDPR.
64. The Litigation Chamber insists in this regard on the fact that following up on the exercise of the right
to the erasure of the data subject not only carries the obligation to erase the
data concerning them when the conditions for this erasure are met (article 17.1 b)
of the GDPR in this case – withdrawal of consent) but also that of informing the
data subject on the measures taken following the erasure request, within the
as soon as possible and in any event within one month from receipt of
the request (article 12.3. of the GDPR).
65. In support of the above, the Litigation Chamber concludes that there has been a breach of article
12.3. of the GDPR in the case of the first defendant. Decision on merits 149/2023 — 17/36
66. The Litigation Chamber notes that the request for erasure of complainant no. 1 is
following the fact that she could not have noticed that the dentist she was seeking to
contact was not registered on the platform until after having created his account (in
October 2020). In this regard, complainant no. 1, on January 9, 2021, informed the APD that following
of a change on the site, a pop-up now warns the patient that the practitioner is not
not registered on the platform. Received the complaint on February 2, 2021, the IS indicates that it has not been
able to observe the situation to which complainant number 1 describes having been confronted.
The first defendant, for her part, defends that this pop-up has always existed.
67. The Litigation Chamber is not in a position to note a possible breach of the
GDPR which would arise from the situation described by complainant no. 1. She doesn't insist
less, without this constituting any corrective measure or sanction in the sense
of article 100 of the LCA, that it must be perfectly clear to the patient that the creation of a
account is only required if he can contact a practitioner via the platform
written on it. Thus, the information according to which a practitioner is or is not registered (and therefore
information whether or not it is possible to make an appointment with the latter via the platform) must
be accessible before any account is created. Failing this, the respect owed by the first
defendant to its obligation of transparency and its duty of loyalty could be
questioned (articles 12.1 and 5.1. a) of the GDPR). The Litigation Chamber notes in this regard
that the first defendant specified that in addition to the pop-up in place, it is, following a
modification made during the procedure, now explicitly provided for in its
Privacy policy that it is not necessary to create an account to view the
contact data of healthcare professionals, whether registered or non-registered.
68. Concerning more generally the erasure policy and retention periods
data, the Litigation Chamber recalls that data protection authorities
er
are of the opinion that both the elements of information provided for in §1 of articles 13 and 14 of the GDPR
that those provided for in §2 of these same articles must be communicated to the person
13
concerned. Thus, the data retention periods provided for in article 13.2. a)and14.2. has)
of the GDPR must always be brought to the attention of the persons concerned. There
Litigation Chamber notes in this regard that the first respondent has modified its policy
of confidentiality during the procedure and that this now provides for deadlines for
conservation according to treatment categories.
12See. in this regard point 10 of the EDPS Guidelines on transparency (Article 29 Group, WP 260 taken from
account by the EDPS during its inaugural session on 25 May 2018: https://edpb.europa.eu/our-work-tools/our-
documents/article-29-working-party-guidelines-transparency-under-regulation_en) which emphasizes that: “an essential aspect
of the principle of transparency highlighted in these provisions is that the data subject should be able to
determine in advance what the scope and consequences of the processing encompass so as not to be caught off guard at a
later stage as to how his personal data was used.
13 See. the EDPS Guidelines on transparency (https://edpb.europa.eu/our-work-tools/our-
documents/article-29-working-party-guidelines-transparency-under-regulation_en) already cited (point 23). Decision on merits 149/2023 — 18/36
II.3. As for the breach of article 7.3. in fine of the GDPR and in article 12.1. of the GDPR by
first respondent (DOS-2020-05649): withdrawal of consent and
facilitation of the exercise of rights
II.3.1. The point of view of the SI and the parties
a) As for the withdrawal of consent (article 7.3. in fine)
69. According to its investigation report (point 13), the SI concluded that there was a violation by the first
defendant, of articles 7.3 in fine of the GDPR in that the first defendant does not
would not make deleting a “patient account” as simple as creating that account.
70. The IS details in this regard that the creation of an account simply requires entry of
personal data on the platform and securing the account via the receipt of a
SMS. Conversely, the deletion of an account cannot be done directly on the site and
requires sending an email to the address suppression@[…] or contacting the
first defendant from the platform via the chatbot. This difference
constitutes according to the SI a violation of article 7.3. of the GDPR under which it must be
“as easy to withdraw as to give consent”.
71. Complainant no. 1 agrees with the analysis of the SI (point 21).
72. In her conclusions, the first defendant states that at the time of the events, the patient
who chose to create an account was invited to provide identification data
already cited (point 5). The patient then received an SMS with a code that he had to enter on
the platform in order to confirm the creation of your account. Concretely, the patient had to
click on a first link, which took him to a second, to a third and finally to
a 4th (4-step procedure). Once clicked on the last “Registration” link, the candidate
When creating an account, you were asked to provide the above-mentioned data. What followed was a double
verification by entering the SMS code received.
73. As for the deletion of the account, the first respondent explains that the withdrawal of its
consent by the patient required at the time of the facts that the latter send an e-mail to
the address dedicated to this purpose deletion@[…] mentioned in the FAQ “How to delete
my data ? The patient had to click on 4 links (4-step procedure), the last one
Link to the deletion email.” He could also use the chatbot.
b) Regarding the facilitation of the exercise of rights
74. The SI further considers that it follows from its finding regarding the withdrawal of consent (point
13), that the first defendant does not facilitate the exercise of the right to erasure provided for in
Article 17 of the GDPR, including that of complainant no. 1 (pages 18 and 19 of the IS report). SO
that the IS introduces its reasoning starting from article 12.2 of the GDPR (page 17 of the report
investigation), he concludes that there has been a violation of this obligation by erroneously referring to Decision on the merits 149/2023 — 19/36
Litigation Chamber in article 12.1 of the GDPR and not in article 12.2. GDPR which establishes
this obligation.
75. Complainant No. 1 adds that the fact that the first respondent provides two addresses
of contact, a general one for the exercise of info@[…] rights and a specific one for the exercise of
right of erasure deletion@[…] has also not facilitated the exercise of his right to
erasure. She points out that in addition, the Confidentiality Policy of the first
defendant does not correctly reflect these procedures.
76. Concluding with regard to article 12.1 of the GDPR as raised by the SI, the first
defendant explains that clear information is given as to the terms of withdrawal
of consent.
II.3.2. The appreciation of the Litigation Chamber
a) As for the withdrawal of consent (article 7.3. in fine)
77. The Litigation Chamber recalls that article 7.3 in fine of the GDPR provides that the
controller must ensure that it is also simple for the person concerned
to withdraw than to give consent, and that this can be done at any time.
78. As stated by the European Data Protection Committee (EDPS) in its Guidelines
14
guidelines 05/2020 devoted to consent, the GDPR gives an important place
upon withdrawal of consent.
79. The EDPS nevertheless emphasizes that the GDPR does not specify that the person
concerned must always be able to withdraw their consent by means of the same
action (point 113). However, the EDPS is of the opinion that “when consent is obtained
electronically only by clicking, tapping or swiping, the
data subjects must, in practice, be able to withdraw this consent by the same
bias. When consent is obtained through a specific user interface
to the service (for example through a website, an application, an account with
identifier, the interface of an IoT device or by email), it is obvious that a
data subject must be able to withdraw consent through the same interface
electronic, since changing interface for the sole purpose of withdrawing consent
would require unnecessary effort” (point 114).
80. Finally, the EDPS adds that “the GDPR considers the existence of easy withdrawal as a
necessary aspect for valid consent. If the right of withdrawal does not meet the
GDPR requirements, the data controller’s consent mechanism is not
GDPR compliant. As mentioned in section 3.1 on the condition of consent
14European Data Protection Board (EDPS), Guidelines 05/2020 on consent within the meaning of
Regulation (EU) 2016/679: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_fr.pdf Decision on merits 149/2023 — 20/36
informed, the data controller must inform the data subject of the right of withdrawal
of consent before giving consent, in accordance with Article 7,
paragraph 3 of the GDPR. As part of the obligation of transparency, the person responsible for
processing must also inform the data subjects of how they can
exercise their rights” (point 116).
81. It does not appear to the Litigation Chamber that the procedure to follow for the deletion
of their account and the erasure of their data by a patient is less easy than the steps
to follow to register on the platform. As explained above by the first
defendant (paragraphs 72-73), in each case, several steps are necessary. If the
creation of the account can be done from the platform, it is not done “in a simple
clic” or in a few clicks on it but also requires the receipt of a code by
SMS to reintroduce afterwards. Sending an e-mail from the platform as well as
the possible use of the chatbot to request the deletion of said account are, according to
the Litigation Chamber, do not constitute a less easy procedure in that these
procedures can also be done from the site and also require several
steps. As recalled above (point 79), the procedures by which consent
is given and withdrawn must not be strictly identical. Upon examination of each of them,
the Litigation Chamber is not of the opinion that the procedure for deleting the account is
characterized by a greater degree of difficulty than that of creating the account. There
Litigation Chamber concludes that the first defendant did not surrender
guilty of a breach of article 7.3 in fine of the GDPR.
82. Without this element entering into the foregoing conclusion, the Chamber
Litigation notes that the first defendant has, during the proceedings, either after
the facts denounced, added a button on which you just have to click to request the
account deletion and clarified the procedure for requesting account deletion in
its Privacy Policy.
b) As for the facilitation of the exercise of rights (article 12.2. of the GDPR)
83. As for article 12.2. of the GDPR (see the remark in point 74 above), the Chamber
Contentious simply points out the following without this constituting a
any corrective measure and/or sanction within the meaning of article 100 of the LCA.
84. The establishment of internal and standardized procedures dedicated to the exercise of rights
of data subjects in terms of data protection is essential and
nature to contribute to the effective application of these rights. It certainly facilitates their
exercise as required by Article 12.2. of the GDPR. However, when in the context
of such a procedure a contact address dedicated to the exercise of these rights exists, it does not
the persons concerned may be accused of using another communication channel
to address their requests. No harmful consequences for the person Decision on merits 149/2023 — 21/36
concerned cannot be derived from the fact – even in the event that it is correctly
been informed – that she would not have used the appropriate form or would have contacted the
data controller by another means, via an incorrect e-mail address for example. 15
In this case, the first respondent noted in this regard that complainant no. 1 had
send your deletion request to the general address of the platform and not to the address
dedicated to the exercise of the right to erasure but that this had no impact on the
processing of his deletion request, his data having been erased. Bedroom
Litigation notes that, barring exceptions, this is indeed the attitude that is expected
data controllers.
II.4. As for the breach of articles 5.1. a), 5.2. and 6 of the GDPR by first
defendant: the basis of the lawfulness of the processing of health professionals’ data
non-registered (DOS-2020-05649)
II.4.1. The point of view of the SI and the parties
85. According to its investigation report, the SI concludes that the first respondent cannot
rely on article 6.1.f) of the GDPR as the basis of lawfulness for data processing
data from non-registered health professionals, particularly because they are not satisfied
to the weighting test (see below) in that “the publication of the contact data of these
doctors on the Internet (whether through an official service such as the Banque Carrefour des
Companies or no) does not allow them to reasonably expect that this data
be processed and in this case reproduced without their consent, on the website of a
private company offering IT solutions to doctors in return for
different subscription rates (…) (page 26 of the report).”
86. Complainant No. 1 declares for her part that she fully agrees with the analysis of the IS.
87. As for the first defendant, she mainly argues that this complaint should have been
the subject of a separate procedure since it does not emerge from the complaint filed by the
complainant no. 1. It is therefore inadmissible in his eyes.
88. In the alternative, the first defendant pleads (1) that she pursues a legitimate interest (which
consists of making it easier for patients to maintain contact with
health professionals of their choice), (2) that the data it processes relating to
non-registered health professionals are necessary for the realization of the interest it
15See. the EDPS Guidelines on transparency (WP 260 of the Article 29 Group taken up by
EDPB during its inaugural session on May 25, 2018): https://edpb.europa.eu/our-work-tools/our-documents/article-29-
working-party-guidelines-transparency-under-regulation_en and those relating to the right of access (Guidelines 01/2022)
https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf
16
See the EDPS Guidelines 01/2022 on the right of access: https://edpb.europa.eu/system/files/2023-
04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf (points 53 et seq.). Decision on merits 149/2023 — 22/36
continues (i.e. the provision of contact details for information and possible
making contact) and (3) that the weighing exercise it carried out allows it to conclude
that it can rely on this legitimate interest. The first defendant indicates that she thus
taking into account the public and professional nature of the data (taken from the Bank
Carrefour des Entreprises (BCE) and Google), the absence of obvious harm to life
deprived of the practitioners concerned or any other of their fundamental rights, the absence
of harm in their physical, economic or social situation (on the contrary, a benefit in
term of visibility would be provided to them), their reasonable expectations and the existence of a
right of opposition in their head. The result of this weighting authorized him to conclude
that it satisfied the 3 tests of purpose (1), necessity (2) and weighting (3) required
by article 6.1.f) of the GDPR. The first defendant therefore defends that she could found
the processing of data of non-registered health professionals on this basis
lawfulness.
II.4.2. The appreciation of the Litigation Chamber
89. With the SI, the Litigation Chamber is of the opinion that the question of the basis of legality of the
processing of data of non-registered practitioners must, in this case, be considered
as part of the scope of complaint no. 1 since (1) this question is
raised – admittedly in general terms – by complainant no. 1 in her complaint, (2) that
the latter, even before filing it, questioned the first defendant on this
subject without receiving a response and (3) that the request for erasure of complainant no. 1 is
following the fact that the dentist with whom she was seeking to make an appointment
was precisely an unregistered health professional and that due to this absence
registration, complainant no. 1 was unable to make the planned appointment. Bedroom
Litigation recalls that in any event, once seized, the IS can in the exercise of its
own competence, broaden the scope of its investigations.
90. As for the merits, the Litigation Chamber recalls that in order to be able to rely on the basis of
legality of “legitimate interest” in application of article 6.1.f) of the GDPR, the person responsible for the
treatment, i.e. the first respondent in this case, must demonstrate that a) the interest it
continues via the data processing concerned can be recognized as legitimate (the "test
purpose"); b) that the processing envisaged is necessary to achieve this interest (the "test
of necessity") and that c) the weighting of this interest in relation to the interests, freedoms and
fundamental rights of the persons concerned weigh in their favor or in favor of the third party (the
"weighting test").
91. The Litigation Chamber will verify whether in this case, these 3 tests are satisfied with regard to
concerns the processing in dispute, i.e. the provision on the data platform
personal data of non-registered health professionals in the sense already specified, i.e. Decision on the merits 149/2023 — 23/36
health professionals whose first and last names were included by the first defendant,
specialty, address and professional telephone number on the platform without possibility
to make an appointment with them via this one.
As for the purpose test (a): is there a question of a legitimate interest?
92. The Litigation Chamber recalls that in order to be qualified as “legitimate”, the interest
sued by the data controller (or the third party but this is not the case
of species) must be lawful under the law, determined in a sufficiently clear manner and
precise, to be real and present (born and actual) and not fictitious or hypothetical.
93. By making the contact details of doctors available to users of the platform
and other health professionals even if their agenda is not linked to the platform, the
first defendant pursues the objective of enabling patients to find and
easily contact a healthcare professional by sharing data
necessary for possible contact with the latter (see also below). This
Therefore, the Litigation Chamber is of the opinion that the first defendant contributes to the right
of each patient to access health care as well as their right to consult the practitioner
(registered) of his choice as guaranteed by article 6 of the Law of August 22, 2002 relating to
patient rights. The data processing carried out by the first defendant
are thus part of the pursuit of a legitimate societal interest to which is coupled a
economic interest specific to the first defendant, also legitimate, based on the
freedom of enterprise, in particular enshrined in article 16 of the Charter of Rights
fundamentals of the Union.
94. In support of the above, the Litigation Chamber is of the opinion that the interest pursued by
the first defendant is legitimate. Therefore, the “finality test” of
Article 6.1.f) of the GDPR.
As for the necessity test (b): is the treatment necessary?
95. Regarding the test of necessity, the Litigation Chamber recalls that the Court of Justice
of the European Union (CJEU) ruled among others in the “TK” judgment on this
condition of necessity of treatment, insisting on the strict interpretation of this condition
17which is also not specific to article 6.1. f) of the GDPR but common to all
17"As regards the second condition laid down in Article 7(f) of Directive 95/46, relating to the necessity of the appeal
to the processing of personal data for the realization of the legitimate interest pursued, the Court recalled that
derogations and restrictions from the principle of protection of personal data must take place within
the limits of what is strictly necessary (judgment of 4 May 2017, Rīgas satiksme, C‑‑13/16, EU:C:2017:336, paragraph 30 and case law
cited). Decision on merits 149/2023 — 24/36
bases of legality listed in article 6.1 of the GDPR with the exception of the consent provided for in article
6.1. has).
96. The CJEU also observes that the condition relating to the necessity of the processing must
be examined in conjunction with the so-called “data minimization” principle enshrined
in Article 6(1)(c) of Directive 95/46, according to which the data to be
personal character must be "adequate, relevant and not excessive with regard to the
purposes for which they are collected and for which they are processed
later”.
97. The CJEU also clarified that while there are realistic and less intrusive alternatives to
treatment carried out, this treatment is not “necessary”. In other words, the person responsible
treatment must ensure that there is no less intrusive means of achieving its
objective than to implement the treatment envisaged (for example a device treating
no personal data, or different treatment more protective of the right to privacy
and the protection of the personal data of the data subject).
98. This case law formulated in relation to Articles 7 and 6 of Directive 95/46/EC remains
relevant to this day. Article 6.1 of the GDPR in fact repeats the terms of article 7 of the
directive 95/46/EC - the legitimate interest of the data controller being retained (article 7
f) and article 6.1. f), certainly in slightly different terms. Article 5.1. c) of the relative GDPR
to the principle of minimization reinforces the terms of article 6.1.c) of the directive
95/46/EC to which the CJEU also refers. As the first defendant points out,
the “video surveillance” context of the TK judgment is certainly distinct from that in which the
disputed treatment is relevant to this case. However, this does not justify that the principles
stated by the CJEU with regard to the conditions of legitimate interest as the basis of lawfulness
are excluded. These requirements are expressed in general terms applicable to all
mixed contexts.
99. In this case, the Litigation Chamber is of the opinion that the processing of data
personal data of non-registered doctors is necessary for the realization of the pursued interest
by the first defendant through its platform and consisting of linking
(future) patients and healthcare professionals. As for the data processed, the Chamber
Contentieuse considers that the principle of minimization is respected: it is in fact a matter of
18This condition requires the referring court to verify that the legitimate interest in the processing of the data pursued
by the video surveillance at issue in the main proceedings, which consists, in substance, of ensuring the security of goods and
persons and to prevent the occurrence of offenses, cannot reasonably be achieved as effectively by
other means less detrimental to the freedoms and fundamental rights of the persons concerned, in particular
the rights to respect for private life and the protection of personal data guaranteed by Articles 7 and 8
of the Charter." It is the Litigation Chamber which underlines. Decision on the merits 149/2023 — 25/36
provide platform users (patients) with limited and necessary information
relating to the identity of the practitioner, his specialty (is it appropriate to make an appointment
or not with him? ), to its geographical proximity or at least its location via its
address (is it appropriate to contact him rather than someone else?) as well as his number
professional telephone (to allow appointments to be made if necessary via the
platform but also live via this number).
As for the weighting test (c):
100. The Litigation Chamber recalls that in addition to the two conditions mentioned above, article 6.1. f) of
GDPR can only be mobilized if the interests or fundamental freedoms and rights of the
person concerned does not prevail over the interest pursued by speaking to the person responsible for processing
or the third party. In other words, the data controller must carry out an implementation
balance, a weighting between the rights and interests involved, and verify within this framework that
the interests (commercial, security of goods, fight against fraud, etc.) that it pursues
do not create an imbalance to the detriment of the rights and interests of people whose
data is processed. If the interests and rights of the latter prevail, article 6.1. f) of
GDPR cannot be used.
101. Concretely, the data controller must first identify the consequences
any impact its treatment can have on the people concerned: on their lives
private but also, more broadly, on all the rights and interests covered by the
Protection of personal data. This involves evaluating the degree of intrusion of the
treatment considered in the individual sphere, measuring its impact on private life
people (processing of sensitive data, processing relating to people
vulnerable, profiling, etc.) and on their other fundamental rights (freedom of expression,
freedom of information, freedom of conscience, etc.) as well as the other concrete impacts of
treatment of their situation (monitoring or surveillance of their activities or movements,
exclusion of access to services, etc.). These impacts must be measured in order to
determine, on a case-by-case basis, the extent of the intrusion caused by the treatment into the lives of the
people. The principle of data minimization will also be taken into account.
102. The data controller must then take into account, in the weighting between its
legitimate interest and the rights and interests of the data subjects, “expectations
reasonable” of the latter. This consideration is essential when it comes to
treatments which can be implemented without the prior consent of the
persons: in the absence of a positive and explicit act on their part, legitimate interest requires
not to surprise people in the implementation methods as well as in the
consequences of the treatment.
103. In this case, the Litigation Chamber finds that the data processed are indeed
publicly accessible and professional data. This nature of the data Decision on the merits 149/2023 — 26/36
processed is a factor that can contribute to tipping the scales in favor of the person responsible
processing on the condition that the data subjects can reasonably
expect the use of their data for the purpose pursued by the said data controller
processing without their prior consent.
104. The Litigation Chamber is of the opinion that in this case, the disputed treatment is not part
reasonable expectations of the non-registered healthcare professionals concerned. THE
contact details of the latter are published on their own website or on that of their
office, or even that of a hospital in which they provide services. They have
a direct link with this practice or hospital. The Litigation Chamber starts from the idea that they
have indicated their agreement for these publications which are part of relationships
professional relationships that they have established themselves. However, they cannot
reasonably expect that their data will be republished on a platform
such as that of the first defendant which beyond the “directory” function that it
offers for these non-registered health professionals, more generally pursues a
commercial interest by offering different priced services including that of making appointments
you directly via the platform and electronic diary management. That the first
defendant could have thought that increased visibility of health professionals could
being beneficial can certainly be conceived. However, the Litigation Chamber concludes that in
the case, the fact that the processing cannot be considered as falling within the
reasonable expectations of these practitioners is decisive and tips the balance in favor
rights and freedoms of the latter. Therefore, the “weighting test” is not satisfied.
Conclusion
105. At the end of the above analysis, the Litigation Chamber concludes that there was a violation of
Article 5.1. a) (lawfulness requirement) and Article 6.1. of the GDPR by the first
defendant in that it could not validly rely on the basis of lawfulness of
Article 6.1.f) of the GDPR to legitimize the processing of healthcare professionals’ data
not registered on its platform and therefore did not have a valid legal basis for founding
said treatments.
II.5. As for the processing of the National Register Number (DOS-2020-05649 and DOS-2021-
05271)
II.5.1. The parties' point of view
106. Both complainant No. 1 and complainant No. 2 denounce the terms of their respective complaints
the processing of the NRN by the first respondent and question the lawfulness of the processing
of it with regard to the LRN. Decision on merits 149/2023 — 27/36
107. Complainant No. 1 highlights that in principle, the use of NRN is prohibited. Only
the persons exhaustively listed in article 5.1. of the LRN may, subject to
authorization from the Minister of the Interior, use it. By way of derogation, Article 8.3. delaLRN predicts
that “authorization to use the National Register number is not required if the
National Register number is used exclusively for identification purposes and
authentication of a natural person within the framework of a computer application
offered by a private or public institution under Belgian law or by the authorities, institutions
and persons referred to in Article 5, § 1”. Complainant no. 1 considers that it is wrong that the
first defendant relies on this exemption since the introduction by the patient
of its NRN on the platform does not allow it to be identified or authenticated (the NRN seems
rather be used as a user number of the data subject), the first
defendant not having access to the National Register nor to the electronic identity card of the
patient.Therefore, it is necessary to consider, according to complainant number 1, that the first defendant
processes the NRN of users of the platform illegally.
108. As for the first defendant, she sets out in terms of conclusions that she opted for
the NRN to identify and authenticate users of the platform in a secure manner,
in the case of a unique identifier of which only the person concerned has, a priori, knowledge
(item 22). She considered it essential given the (health) data which
could be exchanged through the platform between a patient and a professional
health, that the user is identified and authenticated in a unique and certain manner. There
The first respondent indicates that she believed she could rely on Article 8.3. of the
LRN cited above while stating that it does not access the National Register.
109. During the hearing, the first respondent indicated, as has already been mentioned
at point 28, that it had made the decision not to request the NRN from users of
the platform, thus breaking with a choice that had been made at the time of the creation of the
platform by the previous management.
II.5.2. The appreciation of the Litigation Chamber
110. Article 87 of the GDPR provides that “Member States may specify the conditions
specific to the processing of a national identification number or any other identifier
of general application. In this case, the national identification number or any other
identifier of general application is only used subject to appropriate safeguards
for the rights and freedoms of the data subject adopted pursuant to this
regulations”. Decision on merits 149/2023 — 28/36
111. Under Belgian law, the processing of the NRN which constitutes such a national identification number
is strictly regulated in the LRN already cited. This determines restrictively in
its article 5, the authorities, bodies, organizations or people who can access it.
112. Article 8 of the LRN sets out the need to be, except in exceptional circumstances, authorized by the
Minister of the Interior to, as in this case, use this number. An exemption from authorization
is provided if, as mentioned above, the NRN is used exclusively “for purposes
identification and authentication of a natural person in the context of a
computer application offered by a private or public institution under Belgian law or by
er
the authorities, institutions and persons referred to in Article 5, § 1”.
20
113. As pointed out by the Commission for the Protection of Privacy (CPVP) in its opinion
21
19/2018 of February 28, 2018 relating to a preliminary draft law introducing in particular
modifications to the LRN including the aforementioned article 8.3, “the authentication of a person consists
to verify that she really has the identity she claims to have. This is the authentication certificate
(including the National Register number) present on the electronic identity card which
allows it through the technique of cryptography” (point 31 of the opinion).
114. In the present case, it appears from the explanations provided by the first defendant herself
that it did not carry out the identification or authentication of the user of the
platform from the NRN that the latter was invited to communicate. Indeed, the first
Defendant admits not having access to the National Register. It therefore does not proceed, via a
access to RN data and reading of the electronic identity card, verification of
the identity of the person nor verifies that the person is who they claim to be.
first defendant only asks the patient to enter an access “code”
(his NRN in this case) without checking that it reveals his certain identity. It is not
in no way excludes this person mentioning an NRN which is not theirs, coupled with their
real identity what, without reading the electronic identity card, the first
defendant will not be able to detect. If the Litigation Chamber shares the analysis of the
first defendant that strong identification and authentication are necessary
taking into account the processing of data (sensitive if applicable) which takes place via the
platform, it nonetheless concludes that the first defendant was wrong
argues that it was within the conditions of exemption of article 8.3. of the NRL.
19In application of article 4.1 of the LCA, the APD (and the Litigation Chamber) has jurisdiction to monitor compliance with the Law
RN: “The Data Protection Authority is responsible for monitoring compliance with the fundamental principles of the
protection of personal data, within the framework of this law and laws containing provisions relating to
to the protection of the processing of personal data”.
20The APD succeeded the Commission for the Protection of Private Life (CPVP) in execution of the Law of December 3, 2017 relating to
creation of the Data Protection Authority (LCA): article 3.
21
Commission for the Protection of Privacy, Opinion 19/2018 of February 28, 2018 relating to the preliminary draft law establishing
various “Interior” provisions. Decision on merits 149/2023 — 29/36
115. Thus, even in the event that, as in the present case, users of the platform consent
to communicate their NRN, this consent, also in accordance with the requirements of articles 6 and
7 of the GDPR, if applicable, is not sufficient to authorize processing since the
processing of the NRN must be lawful and comply with the requirements of the LRN, including its articles 5 and
8. The Litigation Chamber concludes that failing the first defendant to
found under the conditions of these provisions, she was not authorized to use this NRN and
therefore to solicit them, in violation of articles 5.1. a) and 6.1.GDPR in combination
with article 8 of the LRN.
116. The Litigation Chamber took note of the decision of the first respondent to
refrain from requesting the NRN from users of the platform. She recalls that this
change does not erase the past breach and must be reflected in the Policy
confidentiality of the first defendant.
III. As for corrective measures and sanctions
117. Under the terms of article 100 of the LCA, the Litigation Chamber has the power to:
1° close the complaint without further action;
2° order the dismissal of the case;
3° pronounce a suspension of the sentence;
4° propose a transaction;
5° issue warnings or reprimands;
6° order to comply with the requests of the person concerned to exercise their rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or definitive ban on processing;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of the data and the notification of
these to the recipients of the data;
11° order the withdrawal of the accreditation of certification bodies;
12° give fines;
13° issue administrative fines;
14° order the suspension of cross-border data flows to another State or a
international body; Decision on merits 149/2023 — 30/36
15° transmit the file to the public prosecutor of the King of Brussels, who informs him of the
follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Authority of
Data protection.
III.1. With regard to the first defendant (DOS-2020-05649 and DOS-2020-05271)
III.1.1. The shortcomings
118. It follows from the above that the first defendant was guilty of
breach of article 12.3 of the GDPR (point 65), articles 5.1.a (lawfulness) and 6.1 of the GDPR
with regard to the processing of data of unregistered health professionals (point 105)
as well as article 5.1. a) (lawfulness) and 6.1. of the GDPR read in conjunction with Article 8 of the
LRN with regard to the processing of the NRN of users of the platform (point 115).
119. It is the responsibility of the Litigation Chamber to determine the corrective measure and/or the sanction
most appropriate to these shortcomings.
120. The Litigation Chamber first specifies the following with regard to the principle “ne bis in
idem” invoked by the first respondent with regard to the complaint based on the legality of the
NRN treatment. The first defendant is indeed surprised to have been invited to
conclude on this question in the context of the two complaints (point 22) and declared during
the hearing to question the respect of this principle by the Litigation Chamber if it
was to sanction the same breach twice over an identical period.
121. The Litigation Chamber recalls that the general principle of law “non bis in idem”
carries that “no one can be prosecuted or punished a second time due to an offense
(even otherwise qualified) for which he has already been acquitted or convicted by a judgment
definitive in accordance with the law and criminal procedure of each country. In other words,
second prosecutions are prohibited on grounds of identical or substantially identical facts
identical which, having been the subject of previous proceedings, gave rise to a decision
final decision of acquittal or conviction. By “identical facts or substantially
identical'', it is necessary to understand a set of concrete factual circumstances relating to a
same suspect, which are inseparably linked in time and place (Cass., April 24, 2015,
No. F.14.0045.N).
122. The respect due to this general principle of law in no way prevents the Chamber from
Litigation invites the parties concerned to defend themselves with regard to the same grievance
raised in various pending proceedings and in which it has not yet taken
decision.The Litigation Chamber is free to invite a conclusion in a case pending
following a complaint even subsequent to another which would raise the same grievance
during the same time period. It remains free to adopt its decisions according to the Decision on the merits 149/2023 — 31/36
calendar of priorities that it establishes. The Litigation Chamber adds that if having regard to the
case in point, the nature of the sanctions it imposes can, depending on the case, be described as
criminal, this is not necessarily always the case.
123. In this case, the Litigation Chamber having not yet taken any decision with regard to
one or the other of complaints n°1 and n°2, it remained in any case free to invite the
parties to conclude with regard to this complaint of the lawfulness of the processing of the NRN within the framework of
two complaints. With regard to this decision, the Litigation Chamber has, as it was
presented in point 51, decided to join these complaints n°1 and n°2, in particular with regard to the grievance
common point that they raised as well as to adopt, as will be specified below, a
single sanction with regard to the breach identified in point 115 above.
III.1.2. The assessment of the sanction/adequate corrective measure by the Chamber
Litigation
124. In assessing the most appropriate sanction with regard to the breaches noted,
The Litigation Chamber takes into account the following elements specific to the specific case.
Thus, it takes into account the decisions and changes initiated by the first
defendant who both in its final conclusions (point 27) and during the hearing (point
28) specified that following decision 75/2023 of the Litigation Chamber, it had
initiated a process of obtaining consent from non-health professionals
registered. In the same sense, the first defendant decided to give up requesting the
NRN of platform users at the time of account creation and presented a
test version without this NRN during the hearing (point 28). The Litigation Chamber is
also sensitive to the successive adaptations made by the first defendant
to its Confidentiality Policy in a concern for constant improvement regarding the implementation
implementation of its obligations arising from the GDPR (points 60 and 68). Finally, the Chamber
Litigation generally highlights the good cooperation of the first
defendant both with itself and with the IS, notwithstanding article 31 of the GDPR which
requires such collaboration. However, all these elements are not likely to
remove the shortcomings it noted (point 118).
125. On this basis, the Litigation Chamber is of the opinion that addressing a reprimand to the
first respondent for the breaches noted is appropriate and holds both
take into account the reality of these failings and the fact that they are attributable to a young
start-up with a limited number of employees (2), who throughout the procedure showed themselves
wishing to comply, has taken a number of decisions in this direction and has
initiated the operational changes resulting from these decisions. Decision on merits 149/2023 — 32/36
126. The Litigation Chamber adds that for the remainder, it is not required to present the
reasons why it does not retain this or that sanction, for example suggested by
the complainant.
127. In this case, the Litigation Chamber nevertheless intends to react to the fact that in its
reply and summary conclusions, the first respondent argues that the Chamber
Litigation would not be justified in imposing an administrative fine on him for
reasons based on the fact that the fine is only the 13th sanction in the list of the article
100 of the LCA as well as due to the considerations issued by the Court of Markets (CdM)
as for this in its judgment of January 27, 2021 (RG 2020/AR/1333, p.19.) as well as that of
terms of which, in a judgment of May 26, 2021, the said Court would rule out the possibility for the
Chamber Contentious to impose a fine from the first offense committed by
inadvertence (GR 2021/AR/163).
128. The Litigation Chamber recalls that article 58.2 of the GDPR states that each authority
supervisory authority has the authority to adopt all corrective measures listed. The fine
administrative appears in the penultimate position (9th – litera i)), just before the 10th
allows you to order the suspension of flows. Consider that there is a form of hierarchy
between the measures finds no support in the text of the GDPR, on the contrary since the
litera j) specifies that each supervisory authority may impose an administrative fine
pursuant to Article 83, in addition to or instead of the measures referred to herein
paragraph, depending on the specific characteristics of each case. In addition, the measurement
referred to in letter j) (suspension of flows) cannot of course be conditioned by
the prior existence of a fine that would have been imposed. That wouldn't make any sense.
129. Regarding article 100.1. LCA taken in execution of the GDPR, the same reasoning
applies. It should be noted in this regard that the LCA does not take over the full terms of the article
58.2. of the GDPR, namely that the administrative fine can be ordered in addition or
instead of the measures referred to in this paragraph, depending on the characteristics
specific to each case. Certainly the fine is mentioned in 13th position in litera 13 but
this must be read with the precision which was omitted by the Belgian legislator. The measures which
are referred to in litera 14, 15 and 16 (publicity of the decision) of article 100.1. LCA are not
elsewhere not conceived as being able to intervene only “after a fine”.
130. In summary, the place of the fine in the list of corrective measures/sanctions provided for
in the GDPR and the LCA does not mean, a fortiori in support of the text of article 58.2.i) of the
GDPR itself, that it is a measure of last resort conditional on adoption Decision on merits 149/2023 — 33/36
other corrective measures/sanctions - considered less onerous, even in the event of
first breach by negligence. 22
131. The Litigation Chamber adds that since these judgments cited by the first defendant,
the CdM returned to this position. The CdM subsequently brought more
clarifications to the judgments cited by the first defendant, in particular by recalling the
possibility of imposing a fine (and even a fine higher than the minimum amount
of the range) to the data controller committing an offense for the first
23
times .
132. As already mentioned, the Litigation Chamber must, however, adopt the measure
corrective action and/or the appropriate sanction in the specific case.
133. If the Litigation Chamber judges that the reprimand is an appropriate sanction in this case
(point 125), the changes decided upon mentioned above must nonetheless be
materialize to put an end to the breaches denounced in articles 5.1. a) and6 of
GDPR as quickly as possible. The CC therefore combines its reprimand with orders to implement
compliance in accordance with the system below and a ban on processing
data concerned beyond a deadline set at January 15, 2024. It goes without saying that the
first defendant will have to draw all the consequences, for example, in terms
erasure of said data in the absence of a legal basis which would authorize the processing
beyond this date and adaptation of its Privacy Policy.
134. The Litigation Chamber specifies that as for obtaining the consent of practitioners
non-registered, the first respondent may request the consent of each
healthcare professional concerned by sending a personalized letter.
III.2. With regard to the second defendant (DOS-2020-05649)
135. The Litigation Chamber decides to adopt a classification decision without further action with regard to
of the second defendant.
22In its guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679
(WP 253 of the GDPR, the EDPB clarified in this regard that: “The assessment of the effective, proportionate and dissuasive nature in each
case must also take into consideration the objective pursued by the corrective measure adopted, namely to restore respect
rules or punish unlawful behavior (or both). The EDPB also states that fines are a
important instrument that supervisory authorities should use in appropriate circumstances. Supervisory authorities
are encouraged to take a considered and balanced approach when implementing corrective measures to
to respond to the violation in a manner that is both effective, dissuasive and proportionate. This is not about considering fines
as a last resort or fear of imposing them, but, on the other hand, they must not be used in such a way either.
way that their effectiveness would be reduced. See. also recital 148 of the GDPR.
23See. Court of Markets, July 7, 2021, 2021/AR/320, published on the APD website. Decision on merits 149/2023 — 34/36
136. In matters of dismissal, the Litigation Chamber must justify its decision by
step and:
- pronounce a classification without technical follow-up if the file does not contain or not
sufficient elements likely to lead to a sanction or if it includes a
technical obstacle preventing it from rendering a decision;
- or pronounce a classification without further opportunity, if despite the presence
of elements likely to lead to a sanction, the continuation of the examination of the
file does not seem appropriate given the priorities of ODA such as
specified and illustrated in the Chamber's No Action Policy
Contentious.
137. In the event of classification without follow-up on the basis of several reasons (respectively, classification
without technical and/or appropriate action), the reasons for classification without action must be
treated in order of importance.
138. In the present case, the Litigation Chamber decides to proceed with a classification without
continued for technical reason based on the absence of any breach of the GDPR or the laws including
it is responsible for ensuring the respect that can be observed in the head of the second
defendant. Indeed, the latter is not responsible for processing (spouse), nor sub-contractor.
treating party, no breach is alleged against him in this case with regard to the complaints raised in
against him by complainant no. 1.
139. Therefore, the Litigation Chamber closes complaint no. 1 without further action for technical reasons on
the basis of article 100.1.1° of the LCA.
11.
IV. Publication of the decision
140. Given the importance of transparency regarding the decision-making process of the Chamber
Contentious, this decision is published on the website of the Protection Authority
data (APD). However, it is not necessary for this purpose that the data
identification of the parties are directly mentioned. Decision on merits 149/2023 — 35/36
FOR THESE REASONS ,
the Litigation Chamber of the Data Protection Authority (APD) decides, after
deliberation:
- Under article 100, § 1, 5° of the LCA, to issue a reprimand with regard to
of the first respondent for the violation of articles (i) 12.3. of the GDPR, (ii)
5.1. a) (lawfulness) and 6.1. of the GDPR with regard to the processing of personal data
healthcare professionals not registered on the platform and (iii), 5.1. a) and 6.1. of
GDPR read in combination with article 8 of the LRN with regard to the processing of
national register number of platform users.
- Under article 100.8. and 9. of the LCA. to accompany this reprimand with an order to
the first respondent to put a definitive end to the violations referred to above
above (ii) and (iii) by providing by January 15, 2024 a basis of legality
valid for the processing of data of unregistered health professionals and
the abandonment of the collection of the national register number (NRN) of users of the
platform. The Litigation Chamber must be informed, documents
supporting evidence.
- Under article 100.1.1° of the LCA, to classify complaint no. 1 without further action
with regard to the second defendant.
In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days from its notification, to the Court of Markets (Cour
of Appeal of Brussels), with the Data Protection Authority (DPA) as a party
defendant. Decision on merits 149/2023 — 36/36
Such an appeal may be introduced by means of an interlocutory request which must contain the
24
information listed in article 1034ter of the Judicial Code. The interlocutory request must be
25
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.).
(sé). Hielke H IJMANS
President of the Litigation Chamber
24The request contains barely any nullity:
1° indication of the day, month and year;
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or
Business Number;
3° the surname, first name, address and, where applicable, the status of the person to be summoned;
4° the object and summary of the grounds of the request;
5° indication of the judge who is seized of the request;
the signature of the applicant or his lawyer.
25
The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court registry.
