APD/GBA (Belgium) - 112/2024: Difference between revisions

From GDPRhub
No edit summary
 
Line 86: Line 86:


== Comment ==
== Comment ==
''Share your comments here!''
In the case [[APD/GBA (Belgium) - 113/2024]], the fact that the data subject was a trainee represented by ''noyb'' didn't influence the proceedings and the APD/GBA upheld the complaint.


== Further Resources ==
== Further Resources ==

Latest revision as of 09:35, 11 September 2024

APD/GBA - 112/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 80(1) GDPR
Article 80(2) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 06.09.2024
Published:
Fine: n/a
Parties: Roularta Media Group N.V.
noyb
National Case Number/Name: 112/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: ADP/GBA (Belgium) (in NL)
Initial Contributor: wp

The DPA dismissed the complaint lodged by a representative under Article 80(1) GDPR due to the lack of interest of data subject. Additionally, the website operator was advised to implement appropriate measures regarding the processing activities via Google Analytics.

English Summary

Facts

A data subject visited website flair.be, operated by Roularta Media Group N.V. The Google Analytics HTML code was embedded within the website. Because of that, the personal data concerning the data subject were processed, including its transfer to the USA.

The data subject, represented by noyb under Article 80(1) GDPR, filed a complaint with the Belgian DPA (ADP/GBA).

During the investigation, the DPA questioned the existence data subject’s interest to initiate the proceedings, in particular, due to the fact the data subject was an trainee at noyb by that time.

Holding

The DPA rejected the complaint.

The violation of the GDPR at hand was “artificial”. If it wasn’t for noyb’s project, the data subject wouldn’t found the website concern nor the alleged violation. There was not evidence that the data subject visited the website concerned regularly. For the DPA it meant the visit on the website was done only to allow the violations of the GDPR occur. The data subject didn’t determine the details necessary to bring a case before the DPA on their own as the details were “predetermined” by noyb. Hence, the data subject didn’t enjoy their own “litigation interest”.

Moreover, according to the DPA the abuse of rights took place in the case at hand. The Belgian law didn’t implement Article 80(2) GDPR. Therefore, noyb tried to pursue their own interest, under the cover of the data subject one. Besides, the data subject didn’t act at their discretion, being a trainee interested in satisfying their employer (noyb). Since the data subject was instructed on the details of the case to lodge the complaint as a part of noyb project, not their own interest, the DPA found noyb abused the right to complaint under Article 80(1) GDPR.

For the subject matter of the case, the DPA referred to the report prepared by its investigatory body. The DPA advised the website operator to implement appropriate technical and organisational measures.

Comment

In the case APD/GBA (Belgium) - 113/2024, the fact that the data subject was a trainee represented by noyb didn't influence the proceedings and the APD/GBA upheld the complaint.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/33

Dispute resolution

Decision on the merits 112/2024 of 6 September 2024

File number: DOS-2020-03924

Subject: dismissal of a complaint file concerning the transfer of personal data to

the United States due to a defect in the representation mandate, under

Article 80.1 GDPR.

The Dispute Resolution of the Data Protection Authority, composed of Mr.

Hielke HIJMANS , chairman, and Messrs. Christophe Boeraeve and Dirk Van Der Kelen, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data, and repealing

Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "GDPR";

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter referred to as the "WOG";

Having regard to the internal rules of procedure, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on

15 January 2019;

Having regard to the documents in the file;

1The new Internal Rules (“RIO”), following the amendments made by the law of 25 December 2023
amending the law of 3 December 2017 establishing the Data Protection Authority (GBA), entered into force on 1 June 2024.

In accordance with Article 56 of the law of 25 December 2023, the new RIO only applies to complaints,
mediations, inspections and proceedings before the Dispute Chamber that were initiated on or after that date:
https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde-van-de-
gegevensbeschermingsautoriteit.pdf

Cases initiated before 1 June 2024, as in the present case, are subject to the provisions of the WOG as they were not
amended by the law of 25 December 2023 and the RIO as it was before that date existed:
https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde.pdf. Decision on the merits 112/2024 — 2/33

Has taken the following decision regarding:

Complainant: X, represented by Noyb – European Center for Digital Rights),
hereinafter “the complainant” or “complaining party”;

Defendants: Roularta Media Group N.V., represented by Mr. Tom DE CORDIER and
Mr. Valeska DE PAUW, hereinafter “the first defendant”;

Google LLC, represented by Mr. Jan CLINCK, Mr. Florence

NIEUWBOURG, Mr. Pierre ANTOINE and Mr. Gerrit VANDENDRIESSCHE, hereinafter

“the second defendant”. Decision on the merits 112/2024 — 3/33

I. Facts and procedure

1. The subject of the complaint concerns the alleged tracking of the complainant by the second

defendant when visiting a website (flair.be) of the first defendant. In this

process, "HTML code" (for the Google Analytics tool) was allegedly placed

('embedded') via the website of the first defendant, which could be

linked to the complainant's account with the second defendant. According to the

complaint, related personal data were illegally forwarded to the United States of America in this

context. 2

2. On 18 August 2020, the complainant, through his representative,

lodged a complaint with the Data Protection Authority against the defendants. The

complaint was filed in French. 3. On 26 August 2020, the complaint is declared admissible by the First Line Service on the basis of

Articles 58 and 60 WOG and the complaint is transferred to the Dispute Chamber on the basis of Article 62, § 1 WOG

.

4. On 25 September 2020, the Dispute Chamber decides on the basis of Article 63, 2° and 94, 1°
WOG to request an investigation from the Inspection Service.

5. Subsequently, on 25 September 2020, in accordance with Article 96, § 1 WOG, the request

from the Dispute Chamber to conduct an investigation is transferred to the Inspection Service, together with the complaint and the inventory of the documents. Given that the first

defendant is located in a Dutch-speaking legal area and the second defendant

is established in the United States of America, the proceedings are conducted in Dutch in accordance

with Article 57 WOG. The Inspection Service's investigation will be conducted in Dutch, and the Inspection Service's report will be filed in Dutch.

6. On 13 October 2022, the Inspection Service will complete the investigation, add the report to the file and transfer the file to the chairman of the Dispute Chamber by the Inspector General (Article 91, § 1 and § 2 WOG). This

investigation report addresses a number of issues related to the filing of the

3
complaint.

7. In its report, the Inspection Service first states that Noyb does not show in the complaint "what the

'sufficient and concrete interest' is of the data subject (a natural person residing in

Vienna, Austria) to file a complaint against the specific website . . . In addition,

the Inspection Service notes that the website […] is a Dutch/French website

2Complaint in DOS-2020-03924, p. 2: “The transfer of data from the complainant to the United States is illegal”; loosely translated: “The
transfer of data from the complainant to the United States is illegal.”

3Inspection Service investigation report in DOS-2020-03924, pp. 18-24. Decision on the merits 112/2024 — 4/33

concerns . . . while the person concerned . . . does not speak Dutch”. Furthermore, the

Inspection Service states: “In view of the aforementioned procedural objections, the Inspection Service can question the

request from Noyb – European Center for Digital Rights as a valid ‘complaint’ under

national law.”

8. Secondly, the investigation report states that a semi-automatic ‘bulk’ method was

used for the requests processed by Noyb that were submitted to the GBA in

August 2020. . . The various requests for investigation submitted in August 2020

had a similar layout and signature. The subsequent sending of additional documents

took place in a linked e-mail[…] The same person concerned who gave power of attorney to Noyb – European

Center for Digital Rights 6
always returns for the various requests.”

9. Thirdly, the Inspection Service points out that the procedure “must meet the usual basic requirements of any power of attorney... that is to say, clearly formulate against whom a complaint is being

lodged.” The Inspection Service then refers to “the power of attorney” in

question, which is intended to be used “with regard to the Irish Supervisor and not

with regard to the Belgian Supervisor” and which merely refers to (at that time internal)

file numbers (of Noyb) as regards the identity of the first defendant. The

Inspection Service concludes: “The content of the power of attorney also shows that Noyb – European

Center for Digital Rights was not properly mandated” as various elements in the

mandate were not formulated, were unclear or were formulated ambiguously.

10. Fourthly, the Inspection Service points out that the complainant was “employed” as an intern at Noyb

at the time of the power of attorney of this organisation as a representative. The Inspection Service

points in this context to several personal communications that the complainant made on the public

forum (via social media), in which the person referred to his work in connection

with the Noyb project. For example, at one point the person mentions that he is happy

to have “worked” on the project. The Inspection Service “has not been able to establish any

motivation for a personal interest of the person concerned.” The Inspection Service further states:

“In the absence of transparency about Noyb’s working methods . . . the

perception is therefore created that Noyb . . . uses its employees to submit . .

requests/complaints in the interest of Noyb . .

instead of[…] a personal interest of a complainant.” And

further: “ . . . confirms the indication that this constitutes an improper use of the

procedure under Article 80 GDPR. The Inspection Service notes that interns . . . for the aforementioned

4Ibid., investigation report p. 19.
5Ibid., investigation report p. 20.

6Ibid., investigation report p. 21.
7
Ibid., investigation report p. 21.
8Ibid., investigation report, p. 24.
9
Ibid., investigation report, p. 24. Decision on the merits 112/2024 — 5/33

requests of 2021 were systematically entered as “complainant” in the activities of Noyb

– European Center for Digital Rights. The above may possibly be an indication of the

mixing of interests.” 10

11. The substantive findings of the Inspectorate are, in function of the
readability of the decision, resumed under section III of this decision.

12. On 13 March 2024, the parties concerned will be notified by registered mail of the provisions as stated in Article 95, § 2, as well as those in Article 98 of the WOG.

They will also be notified of the deadlines for submitting their defences on the basis of Article 99 of the WOG.

13. In the art. 98 WOG letter, the parties are requested at this stage of the procedure only to

explain their position with regard to the legality of the submission of the complaint and the way in which the mandate was granted by the complainant to the representative in a

specific context (investigated and explained by the Inspectorate),

specifically in light of articles 80.1 and 77.1 GDPR. In addition, the Dispute Chamber

requested the parties to take a position on the question of whether the possible unlawful nature

of the creation of the mandate ‘impacts’ the file as a whole.

14. On 10 May 2024, the Dispute Chamber receives the conclusion of the answer from the two

defendants with regard to these procedural aspects.

15. On 29 May 2024, the Dispute Chamber receives the conclusion of the reply from the complainant,

with regard to these procedural aspects.

16. On 21 June 2024, the Dispute Chamber receives the conclusion of the reply from the defendant

regarding these procedural aspects.

17. On 12 June 2024, the parties are informed that the hearing will

take place on 1 July 2024.

18. On 1 July 2024, the parties are heard by the Dispute Chamber. Following a request

to that effect from the complaining party, and the subsequent express agreement of both

defendants, the hearing takes place in a hybrid form. One person from Noyb is

physically present, and one person from the same association via video connection from

Austria.

19. On 8 July 2024, the minutes of the hearing are submitted to the parties.

20. On 12 July 2024, the Dispute Resolution Chamber receives from the complainant, on 16 July 2024

from the second defendant, and on 17 July 2024 from the first defendant,

10Ibid., investigation report, p. 24-5; the Dispute Resolution Chamber emphasised and underlined in the first sentence. Decision on the merits 112/2024 — 6/33

comments on the minutes, which it decides to include in

its deliberations.

II. Reasons

II.1. Preliminary points

21. A first preliminary issue concerns a document filed by the representative

of the complainant after the conclusion rounds have been completed. Three days before the

hearing takes place, a document is filed by the representative of the complainant. The defendants both oppose the admissibility of this

document, since it was submitted after the conclusion rounds. The complainant does not clarify at

the hearing whether there are valid reasons for the late submission.

In view of the opposition of the defendants, the document dated 28 June 2024 is

excluded from the debates in its entirety and will not be included in the

deliberations for this file.

22. A second preliminary issue concerns new documents that are submitted at the

hearing by the representative of the complainant. Both defendants oppose the submission of these documents and their

addition to the file. Given the

extremely late nature of the submission of the documents, the opposition of the

defending parties to the submission, and in the absence of any

well-founded reason for the late nature of the submission, the documents

are excluded from the debates in their entirety and are not included in the

deliberations of the Dispute Chamber.

23. In connection with these first two preliminary points, the Dispute Chamber

points out that, as a body of a supervisory authority, it must be able to

take into account all the elements that have come to its attention, in order to

be able to guarantee a high level of data protection. This does not alter the fact that the

procedure must meet the requirements of adversarial proceedings and equality of

parties. The procedure provided for under the subsection “deliberation and decision on the merits” in

art. 98 et seq. WOG is precisely intended to

provide for an adversarial procedure. In administrative law, special account must be taken of the duty to hear and the rights of defence.

24. A third preliminary point concerns the legally valid appearance of the person who appears (physically) for the

representative of the complainant at the hearing. When the hearing

takes place, both defendants indicate that they have questions about the

11Opdebeek I. and De Somer S., General Administrative Law: Foundations and Principles, Ed. 2, Antwerp, 2019 Intersentia,
specific part V, Chapter III, Section 7 regarding the duty to hear. Decision on the merits 112/2024 — 7/33

mandate of the person to act for Noyb in accordance with the articles of association of

this association.

25. It should be noted that Noyb has registered as a representative with the

Dispute Chamber, by sending a message via a specific e-mail address. For the presence

of the person in question at the hearing, prior to the hearing the representative had reported via the e-mail address that the employee

of Noyb would be present as representative. The Dispute Chamber is not obliged to

investigate ex officio or at the request of the parties how the designation of this

employee took place in concreto. The notification by the organisation Noyb by e-mail of the

identity of the employee in question is sufficient. This employee has thus legally

appeared at the hearing for the representative of the complainant.

26. As a fourth and final preliminary point: at the hearing the complaining party, for the

first time and without prior notice, but not in limine litis, questions in its pleadings the

“independence” of the chairman of the Dispute Chamber for the handling

of this case. Furthermore, the complaining party asks the chairman of the

Dispute Chamber to withdraw. The complainant refers to

anonymous “sources” who allegedly heard in private conversations that there was a strategy

to reject complaints “from Noyb”, and to a public event where the

chairman of the Dispute Chamber was present. No further concrete

elements are provided to substantiate the lack of “independence” of the sitting member.

27. The Dispute Chamber understands from the wording of the complainant that it is more (or

at least also) about the impartiality than the independence of the

Dispute Chamber. Such ‘requests for disqualification’ must in any case be handled with caution and

accurately by the requesting parties. Expressing dissatisfaction

about (the outcome or course of) a procedure is something different than

raising requests for disqualification with regard to members of public institutions, whose

14
legitimacy is precisely based on their independence and impartiality.

28. Specifically with regard to the oral request of the complaining party to withdraw

from the chair, the chair decides not to grant this request for the following reasons.

1L. Van Den Eynde, “Partiality and conflicts of interest in active management: the sneak path of the equality principle”, TBP,
2024, Ed. 4, 215-230, specifically section 2.1 “types of (im)partiality and evidence”; Compare with regard to the confusion of concepts in the context of the judiciary: Ooms A., “Judicial impartiality is not always what it seems. A historical and
prospective analysis of the boundary between objective and subjective impartiality.”, Croniques de droit public, 14(2010)4, p.
499-524; Opdebeek I. and De Somer S., General Administrative Law: foundations and principles, Ed. 2, Antwerp, 2019
Intersentia, specifically part V, Chapter III, Section 8 regarding the principle of impartiality for the administration.
13
Comparison art. 835 Judicial Code for disqualification requests with regard to members of the judicial order, which states, among other things, that
such disqualification requests with the reasons for the disqualification must be filed with the registry in a formal document,
and that only by lawyers with more than 10 years of experience at the bar.
14 In this regard, the legislator anchors a number of measures in art. 44 WOG. Decision on the merits 112/2024 — 8/33

29. First and foremost, the complainant was sufficiently aware that the chairman was handling this file

(jointly), at least as recently as 13 March 2024 when the parties were

invited to submit their defences in this file in a letter signed by

that chairman. The complainant had the opportunity to take the necessary steps.

The late nature of the request for withdrawal is in itself sufficient to

not grant this request.

30. In addition, reference can be made to the following facts. The remarks regarding

the (procedural) interest of the complainant and the mandate were raised

on their own initiative by the Inspection Service of the GBA. The Inspection Service

operates as a separate and autonomous body within the GBA and has in this way highlighted

the possible problems regarding the mandate and the (procedural) interest, not the Dispute

Chamber, nor its chairman. It is therefore not correct to suggest a bias

that can be traced back to a person or a strategy of the Dispute Chamber or its

chairman.

31. The Dispute Resolution Chamber cannot then be asked not to address

the findings of that Inspection Service and the arguments of the parties. Moreover,

it is precisely the task of the Dispute Resolution Chamber to address the submitted

arguments, which must be assessed on a case-by-case basis. 16

32. After the findings by the Inspection Service in the

Dispute Resolution Chamber, the parties were given the opportunity to first submit

their arguments regarding these procedural elements in the interest of the efficient course of the

proceedings.

33. The Dispute Resolution Chamber will of course rule in an independent and

impartial manner, without fear or favour for one party or the other.

34. In the course of these proceedings and related

procedures, the Dispute Resolution Chamber has cooperated with other supervisory authorities

within the European Economic Area, in accordance with Chapter VII of the GDPR. This is publicly

known information. The fact that

in the context of the confidentially organised cooperation and the loyal sharing of

information within and between supervisory authorities, information could be

15 See also Dispute Chamber, decision 22/2024 of 24 January 2024, available via:
https://gegevensbeschermingsautoriteit.be/publications/besluit-ten-gronde-nr.-22-2024.pdf, §§ 11 and 35.

16Cf. Judgment of the Brussels Court of Appeal (Market Court Section) of 16 September 2020, 2020/AR/1160, §5.7: “It is not appropriate in a
constitutional state that the Dispute Chamber of the GBA could ‘choose’ which argument it does or does not provide an answer to.” 17
European Data Protection Board, EDPB promotes consistent approach for 101 NOYB data transfers
complaints, 19 April 2023.
It also appears from document 4 in the first defendant's summary conclusion that precisely this information sharing "à charge" was publicly regarded as positive by NOYB - in the light of, among other things, the present file.

18Cf. Article 54.2 GDPR and Article 48 § 1 WOG.
19
See in particular Article 70.1.u GDPR. Decision on the merits 112/2024 — 9/33

provided that would raise critical legal questions on a particular issue is an inherent

element of the cooperation procedure in Chapter VII of the GDPR. 20

35. In a credible dispute, one arrives at a fact-finding

based on facts and qualitative arguments in a considered manner. In this context,

(legal) questions must of course be able to be asked without this in itself

entailing partiality.

36. The mere fact that a previous case 21 before the Dispute Chamber with similar

circumstances, entails a possible adverse outcome for the same party or its

representative, does not of course in itself justify the recusal of a sitting member in another

(i.e. this) case.

37. If a party does not agree with a decision of an authority, it is

free under Article 78 GDPR to institute proceedings against that decision. In the

Belgian legal system, this can also be done by any interested third party at the

Market Court in accordance with Article 108, §3 WOG. If Noyb therefore believes it has an

interest in appealing against such a decision, it has such access to

justice if necessary. The fact that no appeal could be lodged in an earlier case because

the complainant concerned did not wish this – as raised at the hearing – is not an argument

that is attributable to the Disputes Chamber (or the GBA) and is not further relevant.

II.2. Complaint lodged under art. 80.1 GDPR

38. Article 80 GDPR reads as follows:

Representation of data subjects

1. The data subject shall have the right to mandate a non-profit body, organisation or association

which has been properly constituted in accordance with the law of a Member State,

the statutory objectives of which are in the public interest and which is active in

the field of the protection of the data subject's rights and freedoms with regard

to the protection of his or her personal data, to lodge the complaint on his or her behalf,

to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf,

and to exercise the right to compensation referred to in Article 82 on his or her behalf,

where Member State law so provides. 20
The principle of impartiality cannot be applied contra legem in this regard in connection with the circumstances of
international information sharing, cf. Judgment of the Council of State of 23 June 2020, Lossau, no. 224.038; discussion in L. Van Den
Eynde, “Partiality and conflicts of interest in active management: the sneak path of the equality principle”, TBP, 2024, Ed. 4,
(215)219, §11.
21 In this sense, reference is made in the conclusions and pleadings by various parties in the proceedings to Decision
22/2024 of 24 January 2024 of the Disputes Chamber, against which no appeal was lodged with the Market Court.

22 In the comments of the complainant in the Minutes of the hearing, it is written: “. . . since the failure to appeal against this decision was not in the interest of noyb itself.” Decision on the substance 112/2024 — 10/33

2. Member States may provide that a body, organisation or association referred to in paragraph 1

of this Article, independently of a data subject’s mandate, has the right to lodge a complaint in that Member State with the supervisory

authorities competent in accordance with Article 77 and to exercise the rights referred to in Articles 78 and 79,
if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

In this light, recital 142 of the preamble is also relevant:

Where a data subject considers that his or her rights under this Regulation have been infringed, he or she should have the right to authorise a non-profit-making body, organisation or association,

established in accordance with the law of a Member State, which has statutory objectives that are in the public interest and which is active in the field of

the protection of personal data, to lodge a complaint on his or her behalf with a supervisory authority, to exercise the right

to a judicial remedy on behalf of data subjects, or to receive compensation on behalf of data subjects, where provided for by

Member State law. Member States may provide that these bodies, organisations or associations have the right

to lodge a complaint in that Member State, irrespective of any authorisation by a data subject, and the right to an effective judicial remedy, if

they have reason to believe that the rights of a data subject have been infringed

as a result of the processing of personal data in breach of this

Regulation. It may be determined for these bodies, organisations or associations that they

do not have the right to claim compensation on behalf of a data subject without the

authorisation of the data subject.

39. The circumstances in which Noyb lodged the complaint on behalf of the complainant can

be visualised as follows. Decision on the substance 112/2024 — 12/33

The Litigation Chamber finds that there was no explicit coercion

against the complainant; the Dispute Chamber emphasises that the complainant indicates that this

person filed the complaint voluntarily, and that the person still supports the

filing of the complaint. This does not alter the fact that the initiative lies with Noyb, not

with the complainant. The representative of the complainant also indicates at the hearing that in

the present case a “model case” is being used for which interns and

employees are asked whether they wish to file a complaint in such model cases and whether they

wish to become a data subject in this regard.

42. Thirdly, at the time of the allocation of the project and the

commitment of the data subject to allow an infringement of the complainant’s rights and

subsequently file a complaint in this regard, there was a working relationship (in this case an internship)

between the complainant and Noyb.

Noyb emphasised at the hearing that this internship was extremely voluntary,

whereby the intern could go wherever he wanted. A workspace and materials were made available, and there was a limited compensation of 30 euros.

43. Fourthly, the complainant believes that there has been a breach of the GDPR and that the person's rights have been harmed. In addition, it is unclear to what extent damage has occurred

with regard to the complainant. The Inspection Service has been able to establish that the breach(es)

would have actually occurred, and that the complainant can therefore be genuinely aggrieved by

a breach.

44. Fifthly, the complainant mandated Noyb after the project guidelines had been

set out, and the controllers had been identified (by Noyb) and

assigned (to the complainant).

45. Sixthly, a complaint was filed on behalf of the complainant by Noyb's

representative. The complaint was formulated in consultation with the complainant and

submitted to the Data Protection Authority.

46. All this is clear from the report of the Inspectorate and the debates. The entire course of events is therefore indisputably established.

II.3. Dismissal: reasons and consequences

47. In this case, the Litigation Chamber essentially identifies two main problems with

the delegation and subsequent representation:

1) the prior coordination by the representative, in which the subject matter, content (including the identity of the controller) and

the “type of infringements” of complaints were determined to a far-reaching extent, without full autonomy for the

25 Mentioned in English at the hearing as a “model case”. Decision on the substance 112/2024 — 13/33

complainant, which prevents free delegation, especially in the case of an internship

relationship between the complainant and his representative. 2) the trick that the representative performs in order to be able to rely on the

objectives of the procedure provided for under art. 80.2 GDPR, whereby the distinction with art.

80.1 GDPR that the European legislator has explicitly established is

stripped of all content.

48. These main problems are divided into three grounds for dismissal. Each of these grounds

separately is sufficient to establish problems with the lodging of a complaint in accordance with art. 80.1

in conjunction with art. 77 GDPR, and to proceed to dismissing the complaint.

II.3.1. Ground for dismissal I: lodging a complaint on the basis of a pre-constructed
"model case" by Noyb creates artificial (procedural) interest and constitutes

abuse of rights

49. First of all, the infringements of the processing of the complainant's personal data

are at least partly artificially constructed by Noyb. Noyb determines the manner in which

the complainant must provoke (alleged) infringements by processing his/her personal

data with a view to filing the complaint (apart from any

26
‘general’ infringements that do not require the processing of personal data in

concreto).

50. Without Noyb’s project, the alleged infringements that are offensive

to the complainant would not have occurred. In this regard, it is expressly acknowledged at the hearing

that Noyb “asks” persons such as the complainant (in any case interns and possibly

other members of Noyb’s staff) whether they wish to “become” a “data subject”.

51. The artificiality of the situation is further illustrated by the short visits; 28

these visits are apparently intended solely to allow the infringements to take place or

to establish them, as the defendants rightly emphasise in their conclusions. The representative does not even state at any stage of the procedure that the complainant

would have been a regular or even occasional visitor to the website pages concerned. All this indicates that the complaining party artificially creates its own (procedural) interest in

favor of the representative.

52. The Dispute Chamber points out in general terms that the right to complain under the GDPR provides broad and easy access to involved complainants to reach supervisory

authorities, where desired via an order to a representative. The importance of the right to complain for an involved citizen has recently been

reaffirmed in

26An example could be an infringement of Article 25 GDPR.

27At the hearing, the word “staff” is used in English by the representative of Noyb.

28Compare Decision 22/2024 of the Dispute Chamber dd. 24 January 2024, §§53 et seq.

29The website pages are in French and Dutch. Decision on the merits 112/2024 — 14/33

30
the case law of the Court of Justice. This broad access to justice requires that the

right to complain must be protected against its abusive use by

companies or associations with their own policy objectives and associated projects.

a) Abuse of rights in the European legal order

53. As regards the non-compliance with Article 80.1 in conjunction with Article 77 GDPR, reference is made to the settled

case law of the Court of Justice in connection with the abusive use of a subjective right under

EU law, as a general principle of EU law. In addition,

abuse of rights is based on circumvention, which distinguishes the concept from fraud –

which is based on deception.32

54. The Court of Justice of the EU itself frames the prohibition of abuse of rights as follows:

“In this regard, it is settled case-law that there is a general

legal principle in EU law according to which individuals cannot rely on EU law by

fraud or abuse . . .

(…)

It follows from that principle that a Member State must refuse to apply the

provisions of EU law if they are not invoked to achieve the objectives of those

provisions but to obtain an advantage under EU law, while the conditions for claiming that

advantage are only formally met. (…)

It follows that the general principle of prohibition of abuse must be invoked

against a person who relies on certain EU-law rules

which provide an advantage, in a manner that is not in accordance

with the objectives of those rules.

30Judgment of the Court of Justice of the EU, 7 December 2023, UF v. Schufa, C-26/22 and C-64/22, ECLI:EU:C:2023:958, specifically paragraph 58; see
also Judgment of the Court of Justice of the EU of 16 July 2020, DPC v. Facebook Ireland and Maximilian Schrems (‘Schrems II’), c-311/18.

31Velaers J. “Rechtsmisbruik: betekenis, gronden en legitimiteit” in Rozie J., Rutten S., Van Oevelen A. (eds.), Rechtsmisbruik,
Antwerpen, Intersentia, (1)4, verwiin vn. 19 naar o.m. Hof van Justitie 5 mei 2007, Hans Markus Kofoed v.
Skatteministeriet, C-321/05, ECLI:EU:C:2007:408.;

Danon R. et al, “The Prohibition of Abuse of Rights after the ECJ Danish Cases” in Intertax, Vol. 49, Is. 6/7, 2021, 482-516,
https://doi.org/10.54648/taxi2021050 ; López Rodríguez J., “Some Thoughts to Understand the Court of Justice Recent Case-Law in the Danmark Cases on Tax
Abuse”, Ec Tax Review, Vol. 29, Is. 2, 71-83, https://doi.org/10.54648/ecta2020009.
32
Cf.: “If both frauds and abuses of law aim at wrongfully obtaining a benefit from the legal system, frauds involve
misrepresentation, whereas abuses of law rely on circumvention.” in A. SAYDE, Abuse of EU Law and the Regulation of the
Internal Market, Oxford, Hart Publishing, 2014, 24; free translation of the quote: “Where both frauds and abuses of law
aim at wrongfully obtaining a benefit from the legal system, fraud involves
misrepresentation, whereas abuses of law rely on circumvention.” Decision on the substance 112/2024 — 15/33

(…)

. . . this provision cannot be interpreted as excluding the application of the

general principle of EU law prohibiting abuse, since the

application of that principle does not require its transposition . . .

(…)

The fact that a taxpayer seeks the tax scheme that is most advantageous

to him is not sufficient in itself to establish a general presumption of fraud or abuse . . .

but that does not alter the fact that that taxpayer is not eligible

for a right or advantage arising from EU law if the arrangement in

question is purely artificial from an economic point of view and is intended to circumvent the

legislation of the Member State concerned . . . “

(the Dispute Chamber underlines)

33

55. The Court’s case law puts forward two cumulative elements in order to speak of

a violation of the prohibition on abuse of rights, on the one hand a subjective and on the other

34
objective element.

56. As regards objective element 35: the intended purpose of the right to complain

under mandate (art. 77 in conjunction with art. 80.1 GDPR) in this case is not respected: art. 80.1 GDPR

states that it is the data subject who retains the right to represent an

person commissioning an organisation. The wording “data subject” shows first of all that

personal data and associated processing in the context of the complaints cited

must have existed before (the coordination prior to) the mandate.

57. The wording “to give an order” indicates that the order goes in one direction: from the complainant to the representative, not the other way around. 36

33
Judgment of the Court of Justice of the EU, 26 February 2019, joined cases C-115/16, C-118/16, C-119/16 and C-299/16, respectively §§ 96, 97, 102, 105 and 109;
See the followingJudgments of the Court of Justice of the EU:1) 14 December 2000, Emsland-Stärke, C-110-99;2) 21 February 2006, Halifax, C-255/02; 3) 22 November 2017, Cussens, C-251/16.

34Judgment of the Court of Justice of the EU, 26 February 2019, joined cases C-115/16, C-118/16, C-119/16 and C-299/16, §139; Meirlaen M.,
Unwritten legal boundaries – Prohibition of evasion of legal rules, fraus omnia corrumpit and prohibition of (legal) abuse,
Antwerp, Intersentia, 2022, 353: “The subjective element means that, despite formal compliance with the conditions imposed by the
Union regulation, the objective pursued by that regulation was not achieved. The objective element requires
that it is apparent from a set of objective circumstances that the essential purpose of the conduct is to
obtain an unjustified advantage.”

35Judgment of the Court of Justice of the EU, 26 February 2019, joined cases C-115/16, C-118/16, C-119/16 and C-299/16, §139: “... a set of
objective circumstances showing that the conditions of the Union regulation have indeed been formally complied with, but
that the objective pursued by that regulation has not been achieved . . .”
36
The complaint is also lodged in the name of the data subject, so it is the data subject who forms the central starting point.
Cf. Frenzel E.M., “Art. 80 DS-GVO” in Paal B.P. and Pauly D.A., Datenschutzgrundverordnung Bundesdatenschutzgesetz, C.H.
Beck, Ed. 3, (1030)1033: “However, in comparison with the English language, it is noted that . . . from the concept of

“Beauftragung” and from the meaning a purpose of Article 1, that the Organisation for the purpose of determining the rights in the name of the
person concerned must be entitled to sue.” Decision on the substance 112/2024 — 16/33

58. Furthermore, recital 143 of the GDPR clarifies that the data subject must first “consider”

that there is a problem under the GDPR, and not following a specific

instruction from the representative, before the mandate takes place. The infringement

is provoked by Noyb in order to be able to qualify the complainant as a data subject.

59. As regards the subjective element: the representative wishes to create a

standing to bring proceedings with the GBA; standing to bring proceedings cannot exist without the complainant

as an individual on the basis of Belgian legislation. This shows the artificial

38
nature of fulfilling the conditions under art. 80.1 GDPR.

60. In this way, the representative attempts to circumvent national law, since art.

39
80.2 GDPR was not activated in Belgian legislation. This is also

indirectly apparent from the arguments put forward by the complainant in the reply and the pleadings at the

hearing: it is stated that this complaint should actually also be allowed under art. 80.2 GDPR and that the non-activation of this provision

could be discriminatory. 61. In this context, the Dispute Resolution Chamber emphasises that the GDPR leaves the national legislator a discretionary margin to activate or not Article 80.2. The choice of the Belgian legislator is obvious. According to the wording of Article 80.1 and the existence of Article 80.2 GDPR, the GDPR does not intend the representative to exercise such a right of complaint on the basis of Article 80.1.

62. According to the Dispute Resolution Chamber, the artificiality of the construction is established since the

identity of the controllers and the grievances raised were not determined by the

complainant concerned (although in advance by the representative), and by the

short visits of the complainant concerned, established by the Inspection Service and mentioned

by both defendants in their defences. The representative himself publicly indicates that this complaint

is part of a general project concerning data transfers. It is stated1

at the hearing that trainees can “become” a data subject without obligation.

Free translation: “However, a comparison with the English version shows that . . . the wording ‘to give an order’ and the role and purpose of paragraph 1 show that the organisation is entitled to exercise the rights on behalf of the data subject.”
37
Judgment of the Court of Justice of the EU, 26 February 2019, joined cases C-115/16, C-118/16, C-119/16 and C-299/16, §124: “. . . subjective
element, namely the intention to obtain an advantage granted by the Union legislation by artificially
creating the conditions under which the right to that advantage arises. . .”
38On the artificial nature of the fulfilment of the conditions, see A. SAYDE, Abuse of EU Law and the Regulation of the

Internal Market, Oxford, Hart Publishing, 2014, 25.
39 On the distinction, see Judgment of the Court of Justice of the EU of 28 April 2022, Meta Platforms v. Verbraucherzentrale
Bundesverband e.V., C-319/20; cf. the related issues under point c in this section.
40
Infra, section II.3.3; the discrimination here would be based on art. 10-11 GW in the relationship between art. 220 GBW and art. 17
Ger. W.
41
Summary conclusion of the second defendant, document 5 ("101 Complaints on EU-US transfers filed", freely translated: "101 complaints
filed about <data>EU-US transfers"). Decision on the merits 112/2024 — 17/33

63. The inducement to create access to justice entails an unjustified advantage

which constitutes the subjective element of abuse of rights under EU law on the part of

Noyb. In this case, the advantage is aimed at pursuing the general (policy)

objectives of the association Noyb. 42

64. The two conditions for speaking of abuse of rights under EU law are thus

met and, in accordance with the case-law of the Court, it follows that the Litigation Chamber

must refuse the use of the right (i.e. the lodging of a complaint) by Noyb. 43

b) Abuse of rights applied in the Belgian legal order

65. Secondly, the lodging of a complaint must take place in accordance with the procedural rules established

nationally, of course within the limits set by EU law. As the Court of

Justice has already stated, “in accordance with the principle of procedural autonomy, it is a matter for the

domestic legal order of the Member States . . . to determine the procedural rules

for legal actions brought for the protection of the rights of individuals . . .”

66. The fact that the legal rule from which the subjective right to complain derives (in this case, art. 77j°art. 80.1

GDPR) does not expressly exclude the possibility of lodging a complaint on the basis of a

created grievance does not of course mean that the legal rule is being used properly.

As this is framed in recent Belgian legal doctrine: “The unqualified interpretation of the

legal rule seems to allow the subjective right to be exercised in any way and

in any circumstances. The prohibition of abuse of rights . . . makes it clear that this is not the case.”

67. The Court of Cassation has already ruled on the application of the

prohibition of abuse of rights on several occasions. 46 The link with the interpretation of this legal principle

by the Court of Justice for its application in a national context is evident. 47The

Court of Cassation is also clear about the fact that ignoring the objective of a

42Cf. the section ‘abuse of rights as a gain-seeking choice of law’: A. SAYDE, “I. The Basics: Abuse of Law as Gain-
Seeking Choice of Law” in Abuse of EU Law and the Regulation of the Internal Market, Oxford, Hart Publishing, 2014, 24
43
Judgment of the Court of Justice of the EU, 26 February 2019, joined cases C-115/16, C-118/16, C-119/16 and C-299/16, §110. “It follows that

national authorities . . . the enjoyment of the rights . . . must be refused if these rights are claimed
by means of . . . abuse.”
44Judgment of the Court of Justice of the EU, 4 May 2023, Österreichische Post, C-300/32, §53.

45Meirlaen M., o.c., 277; see also the discussion of the legal origin in Velaers J. “Rechtsmisbruik: betekenis,
grondslag en legitimiteit” in Rozie J., Rutten S., Van Oevelen A. (eds.), Rechtsmisbruik, Antwerpen, Intersentia, (1)1-4; For
illustrative purposes, cf. art. 1.10, paragraph 2 of the new Civil Code: “Anyone who exercises his right in a manner that clearly exceeds the limits of the normal exercise of that right by a prudent and reasonable person in the same circumstances
is abusing his right.”.

46Recently in the judgment of the Court of Cassation of 16 November 2023, Docpharma v. Belgian State, C.23.0053.N.
47
Cf. Conclusion of the Public Prosecutor at the Court of Cassation of 11 January 2024, K. v. Belgian State, F.23.0008.N:
here the application of the objective and subjective element is discussed in full. Decision on the merits 112/2024 — 18/33

subjective right, can constitute a form of abuse of rights. The Court of Cassation clarifies in a judgment of 15 February 2019:

Abuse of rights consists in the exercise of a right in a manner that clearly

exceeds the limits of the exercise of the right by a prudent and

prudent person. Such abuse may also consist in the use of legal rules or legal institutions

contrary to the purpose for which they were established.48

68. The Litigation Chamber notes that the concept of abuse of rights may also

apply to the exercise of procedural rights. Noyb's conduct in this case appears to

exceed the limits of a normal and proportionate exercise of the right to representation, as

provided for in Article 80.1 GDPR.

69. A legal subject who exercises a subjective right must also adhere to

the general standard of care when reading and interpreting the objective standard

on which it bases its subjective right, and take into account the “ […] implicit,
49
material limits that are also contained therein”. A legal subject may not disregard the
50
objective of the legal provision from which the subjective right follows.

The existence of art. 80.2 GDPR is important in this respect.

70. The fact that the representative determines in what way an infringement must be

endured, in order to be able to grant a mandate to be able to exercise the right to complain under art. 77 j°

art. 80.1 GDPR before the Belgian authority, means that the general

standard of care is disregarded by the representative and thus constitutes

abuse of law. It is not the objective of art. 80.1 GDPR to ‘create’ complainants in this way. 51 The Disputes Chamber does not pass judgment on the fact that there may be well-intentioned motives behind the method; it merely states that

48Judgment of the Court of Cassation of 15 February 2019, G.C. v. KBC Bank NV, C.18.0428.N, §1; cf. also Judgment of the Court of Cassation of 1
October 2020, C.18.0584.F, which essentially explains that abuse of rights consists in the exercise of a right in a manner that clearly exceeds the limits of the normal exercise of that right by a prudent and deliberate
person and that this is the case, among other things, when the damage caused is disproportionate to the benefit that the holder of that right intends or has obtained. 49
Meirlaen M., o.c., 282; Rozie J., Rutten S., Van Oevelen A.(eds.), Abuse of Law, Antwerp, Intersentia, 12.
50 Meirlaen M., Unwritten legal boundaries – Prohibition of evasion of legal rules, fraus omnia corrumpit and prohibition of

(legal) abuse, Antwerp, Intersentia, 2022, vn. 898: “Cass. 15 February 2019, ARC. 18.0428. N; Cass. 28 September 2018, AR
C. 18.0058. N; Cass. 2 April 2015, AR C. 14.0281. F; Cass. 13 January 2012, AR C. 11.0135. F; Cass. September 7, 2006, AR
C.04.0032.F; Cass. September 24, 2001, AR S.00.0158.F; Cass. April 28, 1972, Arr.Cass. 1972, 815; Pas. 1972, 797; RW 1972-73,
noteR.Butlzer.”;ibid.p.323:“Whenitcanbedemonstratedthatthelegalrule,thesubjectiverightarisingtherefrom,
canonlybeusedforaspecificpurpose,itsufficientforabusetoestablishthatthe(intended)useisnotdirectedtothispurpose.” 51
Regarding abuse of rights by using a right whose purpose is disregarded, see: Cornet L., “L’abus
de droit et le nouveau droit des contrats” in Kohl B. (eds.), L’abus de droit, Liège, Anthemis, 2024, (1)25-6. Decision on the substance 112/2024 — 19/33

the right to complain is used improperly and in particular not in accordance with

national legislation, which has excluded an appeal by an organisation in its own name, independently

of a data subject.

71. The Court of Cassation states that when there is abuse of rights, the exercise of

the right must be limited to its normal use. In this case, the complaint

was lodged by Noyb as representative. For that reason, this fact alone

already requires the entire file to be closed. II.3.2. Reason for dismissal II: fictitious mandate by pre-established grievances and

controller within internship relationship

72. The grievances are determined in advance in the name of the complainant, just as the method of

working with mandates within the meaning of Article 80.1 GDPR is determined in advance. In addition,

the identity of the requested controller is also determined by

the representative before the complainant accepts the “model case” and grants a

mandate in this regard.53

73. Although it is certainly not excluded that the complainant, as the person concerned, had a say in

determining the project’s guidelines, these guidelines were at least not solely

established by the complainant as the person concerned, as evidenced by the fact that identical (read:

quasi-identical) complaints were filed by different complainants in the context of the project. This

is evident from the findings of the Inspectorate in connection with the “bulk” method.

74. In this context, the Dispute Resolution Chamber points out that it is difficult for an employee to question the overall design of a project and not to agree to grant the mandate according to the guidelines set out, just as it is difficult for a data subject to give consent under many circumstances in an employment relationship to the processing of personal data within the meaning of Article 6.1.a GDPR. 54

75. In particular, the European Data Protection Board (“EDPB”) has indicated in its

Guidelines 5/2020 on consent that, given the disproportion

between an employer and its employees and the resulting hierarchical dependency, it is unlikely that an employee could freely respond to a request from his employer without feeling obliged to consent. 55

The same applies mutatis mutandis to trainees, however non-binding the commitment may be:

52Judgment of the Court of Cassation of 23 May 2019, V.M. v. P.B., C.16.0474.F, paraphrasing the French text: "The penalty for an
abuse of the right may be resider in the reduction of this right to its normal use."
53
In its summary conclusion, the first defendant cites on p. 6 a press release from the representative of the complainant,
which explains how the identification took place: "The websites were selected on the basis of the TLD of the Member State . . . We searched on
major websites in each EU Member State . . . “ (free translation by the first defendant from English of document 3 in her
summary conclusion; the Litigation Chamber edits the layout and underlines).

54Compare here with the Decision 22/2024 of the Litigation Chamber dated 24 January 2024, §§46-52.

55EDPB, Guidelines 5/2020 on consent under Regulation (EU) 2016/679, points 21-23. Decision on the substance 112/2024 — 20/33

it can indeed be pointed out that a successful or unsuccessful internship

can have consequences for a person's career.

76. It should also be noted once again that the legal provision on delegation (Article 80.1 GDPR),

which states that it is the data subject who retains the right to mandate an organisation

to represent the person. The wording "data subject" firstly shows

that personal data and associated processing in the context of the cited

grievances had to exist before (the coordination prior to) the

delegation. The wording "to give an order" then again points to the fact that the

mandate goes in one direction: from the complainant to the representative, not the other way

around. Moreover, recital 143 GDPR indicates that the data subject must first "believe" that there is a

problem under the GDPR, and not as a result of a specific instruction from the

representative, before the delegation takes place. 77. It should be noted that this fictitious mandate also entails a problem

of potential damage to the complainant concerned, which could not arise if

the representative did not initiate the project and induce those involved

to allow infringements to be committed and subsequently file a complaint about that infringement. This applies

firstly to the processing of the complainant's personal data,

possibly in conflict with the provisions of the GDPR.

78. Whatever the case, it is clear that the grievances are recorded in advance by the
representative of the complainant, and that the legitimate and free mandate by the complainant

who is also a trainee with the representative is thus compromised. This is sufficient to

establish that the mandate is problematic and more specifically fictitious, and

not in accordance with Article 80.1 of the GDPR.

II.3.3. Reason for dismissal III: trick to raise global and accessory issues for policy objectives of an association

79. The third and final reason for dismissal concerns the way in which the representative Noyb –

beyond the artificially created interest in the proceedings and the fictitious mandate – also tries to raise global and accessory issues by means of the

access to the proceedings, and in particular the allegedly unlawful data transfers to the US from the European

Economic Area after the Schrems II judgment of the Court of Justice of the EU. This is7

closely related to policy objectives of the association Noyb. As the Inspectorate

rightly notes, this involves a problem of possible conflicting or

56
See also art. 1984 BW, which states that a person gives another person the power to do something for the principal and

in his name. Also art. 1989 BW may be mentioned, which stipulates that the proxy may not do anything that exceeds the limits of his mandate; this supports the argument that the complainant himself must determine the limits of the mandate.
57Synthesis conclusion of the second defendant, document 5: “101 Complaints on EU-US transfers filed”, freely translated as “101 complaints
filed about <data>EU-US transfers”. Decision on the merits 112/2024 — 21/33

at least other types of interests. In a representation assignment, the

representative must put the interests of the complainant concerned first, and not pursue his own

policy objectives.

80. Art. 80.2 GDPR (not art. 80.1 GDPR) serves as a provision for associations to independently

58
report certain practices.

81. The European legislator has therefore indeed provided the possibility to file

complaints on one’s own initiative for organisations such as Noyb, but only if the

59
national legislator allows this. The Belgian legislator has, however, excluded this. For

the Dispute Resolution Chamber, this choice of the legislator deserves some context.

82. Indeed, it is important that Article 80.2 GDPR is drafted separately from Article 80.1 GDPR

and must be activated separately in the national legal sphere. The national

legislator is given the opportunity to determine the ‘activation’ of the article, for example to

avoid an unmanageable influx of complaints, just as the GDPR provides for

complaints from individual data subjects and the possibility for supervisory authorities to

refuse to deal with them in the event of excessive use. According to the Court of

Justice, Article 80.2 GDPR has a preventive function, whereby the

organisations involved are given the opportunity to raise issues in a global manner, if they

believe that the rights of a data subject under the GDPR have been violated

as a result of the processing. 83. The fact that Noyb acted in a case 62 before the Court of Justice in which it represented an involved (ex-)employee, and that therefore acting before the GBA would be permitted,

63
is anything but a correct conclusion. Even if the circumstances were exactly

the same as in the present case - which is not the case - access to justice through the

courts and tribunals is still different from that through the supervisory authority. In addition,

trademarks, defendants are right to have the preliminary issue in question brought before the Court

in vain.

58About art. 80.2 GDPR, one author writes: “The right to complain is therefore accessory to the (alleged) violation of
subjective rights, and the association is therefore merely a ‘complainant behind the complainant’.” Free translation from: Frenzel E.M., “Art. 80 DS-GVO” in

PaalB.P.andPaulyD.A.,DatenschutzgrundverordnungBundesdatenschutzgesetz,C.H.Beck,Ed.3,(1030)1034:“The right to complain
is therefore essential to (actually) injury to subjective rights, the relationship being only ‘the complainant hunts the complainant’
59Both defendants refer to the legislative preparations of the Belgian Chamber:

1) summary conclusion of the first defendant, p. 18, and;

2) summary conclusion of the second defendant, par. 69 – referring in footnote to: Bill of 11 June 2018 on the
protection of natural persons with regard to the processing of personal data, Parl. St. Chamber, 2017-18, no. 54-3126/001, 226. 60Cf. art. 57.4 GDPR.

61Judgment of the Court of Justice of the EU of 28 April 2022, Meta Platforms v. Verbraucherzentrale Bundesverband e.V., C-319/20, § 76;
Judgment of the Court of Justice of 11 July 2024, MetaPlatforms Ireland Ltd. V. Bundesverbandder Verbraucherzentralene.a., C-757/22, ECLI:EU:C:2024:598, §64.
62 Judgment of the Court of Justice of 4 May 2023, CRIF, C-487/21.
63In the reply, the complainant states as follows: “If even the CJEU considers such representation to be

legally valid, the DPA must also allow it.” Decision on the merits 112/2024 — 22/33

had to do with the power of representation for an authority within the meaning of

Article 80 GDPR.

84. When complaints are filed on a large scale that reflect actual infringements

on the basis of fictitiously drawn up complaints under Article 80.1 GDPR, the task of the

supervisory authority to take action may become de facto impossible, and its supervisory tasks in the

public interest are compromised. 64 This disregards the intention of the

European legislator, which leaves the autonomy to the national legislator to judge

the desirability of such access to justice for interest groups. 85. It should be noted that the low-threshold right to complain prompts hundreds of individual data subjects to file a complaint with the GBA as a complainant. Many of these complaints are dealt with substantively, are thoroughly investigated and lead to (corrective) measures. In any case, complaints from individuals have already led to hundreds of decisions by the Dispute Resolution Chamber.

86. Within the European Economic Area, (well) over 100,000

66
complaints are filed annually under the GDPR complaints regime, and according to the most recent publicly available figures, just under

67
4,000 employees would be employed within all supervisory authorities in 2024. The handling of complaints from

individual data subjects deserves the necessary attention and careful handling with the limited resources available to the

authorities.

87. All this outlines the context within which it is important that the limits of the legislator

must be respected. These limits were also confirmed by the Court of

Justice.8

88. This does not mean, of course, that civil society should not play a role in

data protection law litigation, or in filing complaints. Moreover, organisations as representatives can

also be involved in the obligations for the supervisory authority to take measures when establishing infringements
during the administrative procedure, see CJEU, Opinion Advocate General Pikamäe of 11 April 2024, TR v Land Hessen,
C-768/21.
65
The proposal of the European Commission would not make national ‘activation’ mandatory; this shows that
it is a deliberate and important consideration of the European legislator to leave this choice to the national legislator.
COM 2012, 11 final, Art 73.2;

see also Frenzel E.M., “Art.80 DS-GVO” in Paal B.P. and Pauly D.A., Datenschutzgrundverordnung Bundesdatenschutzgesetz, C.H.
Beck, Ed. 3, (1030) 1032: “In accordance with Art. 76 Abs. 2 DS-GVO-E (Rat), the right to lodge a complaint was no longer

provided for as a basic situation for an association, but the transposition was left to the Member States . . .”
66Communication of the European Commission of 25 July 2024, Second report on the application of the General Data Protection Regulation, COM(2024) 357 final, section 2.3, see also section 2.5.2 on the “processing of large numbers of complaints”.

67Based on the sum of the projections provided by the supervisory authorities in EDPB, Contribution of the EDPB
to the report on the application of the GDPR under Article 97, 12 December 2023, p. 28-9.
68
Judgment of the Court of Justice of the EU of 28 April 2022, Meta Platforms v. Verbraucherzentrale Bundesverband e.V., C-319/20, § 59. Decision on the substance 112/2024 — 23/33

Belgium certainly plays a role in facilitating the lodging of complaints through

representation and informing data subjects and controllers

of their rights and obligations. However, this is something different from drafting complaints for

non-existent complainants at that time.

89. The method whereby the complaint, at the initiative of the representative, attempts to address a general

pre-established practice, by dealing with this accessory in a complaint

from an individual data subject, shows that an artifice has taken place in the light of

Article 80.1 GDPR in lodging this complaint, in order to be able to

address practices in a manner exclusively provided for under Article 80.2 GDPR.9This method

may also give rise to potential conflicts of interest during the

representation assignment. The Dispute Chamber finds that the use of art.

80.1 GDPR by the representative in this case is not lawful for these reasons.

II.3.4. Dismissal

90. The reasons given above illustrate that this case is not a purely

semantic issue, but that the method used in the present case also causes or

can cause real problems. Each of the reasons is sufficient to prove non-compliance with the

choices of the European and Belgian legislators: the method used in this case

by the complaining party is contrary to the law in several ways. The Dispute Chamber

has carefully and objectively examined the case and cannot but conclude

that the complaint lodged must be dismissed for the aforementioned reasons.

II.3.5. Consideration of the consequences of the discontinuation

91. The fact that the mandate and the (procedural) interest in this case are fundamentally

problematic elements has been proven on the basis of several aforementioned

reasons. This leads to the discontinuation under art. 100, §1, 1° WOG. However, this does not

exclude the possibility that the complainant, as the person concerned, feels aggrieved after an

alleged infringement has been committed, since that alleged infringement can also effectively

take place as a result of the actions prior to and as a result of the fictitious

mandate.

92. Firstly, the representative argues that the complainant could also have filed a complaint

without representation, which would have resulted in the file being

continued in full; in addition, the representative also argues that the

‘autonomous’ representation without the complainant concerned under art. 80.2 AVG

may simply be an option for the representative in Belgium.

69 EU law may not be abused to circumvent national legislation, cf. Judgment Court of Justice, Halifax, C-255/02. Decision on the merits 112/2024 — 24/33

93. In this case, it is precisely the improper use of the right to complain (including the

use of a fictitious mandate that creates the infringement on the part of the person concerned) that

gives rise to the dismissal of this complaint file.

94. The Dispute Resolution Chamber rejects the argument that the infringement or damage had already taken place,

and that the file should therefore be continued. The Dispute Resolution Chamber considers that

procedural – just like substantive – rules must be complied with, regardless of whether

a particular outcome in terms of policy objectives of one party seems most favourable

or desirable. 95. In other words: the complainant did not file a complaint without representation, so the Dispute Chamber does not treat the complaint file as such. The Dispute Chamber cannot requalify a complaint in a manner in which it was not filed.

96. The representative also did not invoke art. 80.2 GDPR for filing a complaint, so the Dispute Chamber does not treat the file as such. For this last point, the

representative does not refer to the existing legal standards, but to the possible (under the constitution) discriminatory situation

in which Noyb can represent the courts and tribunals in this

‘independent’ manner under art. 17 Judicial Code, but not for the GBA. However, the GDPR leaves the

possibility to the Belgian legislator to activate art. 80.1 GDPR separately, so

there is no reason to consider this situation as discriminatory for the Dispute Chamber. 70Unequal cases do not have to be treated equally.

97. The mere fact that these infringements would have taken place, or that damage would have occurred in that context, does not justify accepting the fictitious mandate and the artificially created procedural interest. Procedural rules are in the interest of the quality and fairness of a procedure.

98. Secondly, the Dispute Chamber emphasises that this does not mean that an employee of an organisation such as Noyb could never file a complaint with Noyb as a representative.

II.4. Delegation under Article 80.1 GDPR: form and components.

99. Firstly, various elements emerge during the procedure that indicate

possible problems with the formulation of the mandate. The representative

of the complainant states at the hearing that the provision of EU law should be interpreted autonomously

70DeBotD., The application of the General Data Protection Regulation in the Belgian context: commentary on the
AVG, the Data Protection Act and the Data Protection Authority Act, Mechelen, Wolters Kluwer, 2020, 1164-5
(§2998-9). Decision on the merits 112/2024 — 25/33

to state that a mandate does not contain any formal requirements71

, referring to the purely oral possibilities to do so. The

defendants, on the other hand, argue, like the Inspection Service, that there are certain formal

or substantive defects, which relate to the essential elements72 of the mandate agreement, as well as its sufficiency as evidence73 of the

representation. In her mandate agreement enclosed with the complaint, the

first defendant is not explicitly named.

100. In the agreement enclosed with the complaint, the complainant refers to 25 different

(Noyb) file numbers in the one document for the mandate, which further

confirms what was previously stated about the artificially created procedural interest within

the project with model cases of Noyb. The fact that 25 complaints are filed already

raises the question of the applicability of the excessive use of the right to complain - for the sake of clarity, without the Disputes Chamber deciding to do so in this case.

101. The complainant has attempted to rectify the criticism of the initial mandate by attaching to its summary conclusion another document concerning the granting of a mandate, in which the individual controllers (in particular also the first defendant) are identified – together with the identification of controllers in three other complaint files with the DPA which are not formally related to the present complaint file. This document is signed solely by the complainant in this file (unlike the document attached to the complaint). 75

102. Given that in this file the decision to discontinue the proceedings is already based on several other

grounds for discontinuance, the Dispute Resolution Chamber will not proceed hic et nunc to the further

71
As regards the form, the European legislator does not clarify whether the “order” in Article 80.1 GDPR refers to the instrumentum (the written agreement or other) or to the negotium (the agreement). As regards the instrumentum, classical national legal doctrine has held that a mandate agreement can be solo consensu (Tilleman B., “Titel V: Vorm van de Endgevingsovereenkomst” in Lastgeving, Gent, Story-Scienta, 1997, §§139 et seq.).

In the specialized legal doctrine concerning the GDPR, it is doubted whether a mandate under Article 80.1 GDPR does not require a written document:
cf. Frenzel E.M., “Art. 80 DS-GVO” in Paal B.P. and Pauly D.A., Datenschutzgrundverordnung Bundesdatenschutzgesetz, C.H.
Beck, Ed. 3, (1030)1033-4: “This requires – at least for reasons of certainty in legal transactions and the exclusion of the risk of abuse – an explicit, written statement . . .” (the Litigation Chamber is editing the drafting);

free translation: “This requires – at least for reasons of certainty in legal transactions and the exclusion of the risk of
abuse – an express, written statement . . .”
72
The legal acts that the representative must perform could be regarded as an essential element,
but arguably also the identity of the data controller targeted in a GDPR complaint. See also: Van
OevelenA.,PrinciplesofBelgianPrivateLaw.10:Agreements.2:Specialagreements.E:Contractingwork
– power of attorney, Mechelen, Wolters Kluwer, 2017, §389;
See also article 1988 of the Civil Code: “Power of attorney, expressed in general terms, only includes acts of management;”

73It is up to the person who relies on a power of attorney agreement to prove its existence, see: Tilleman B., O.c.,
§172; Van OevelenA., o.c., §417: “In addition, the power of attorney contract shows this special feature that the agent, in
executing his mandate, performs legal acts in relation to a third party in relation to whom he must be able to demonstrate his
power of representation.”; ibid, §419.

74Cf. art. 57.4 GDPR.
75
In civil law, the representative's expression of intent can also be demonstrated by his or her actions, cf. Van Oevelen A., o.c.,
§416 in fine: "The signature of the proxy is not necessary . . . but does have the advantage that it proves the proxy's express acceptance of his or her mandate and therefore also the existence of the mandate." Decision on the merits 112/2024 — 26/33

examining the legality of the correction of the allegedly inadequate

aspects of the mandate in the document attached to the complaint by

the document filed with the reply of the complaining party. These concern only

considerations in the context of transparency regarding the pleas and

arguments raised. 103. Secondly, both defendants allege a shortcoming on the part of the complaining party under Belgian law. This concerns article 220 § 2 GBW, whereby the defendants note that the representative has not been active in the field of personal data protection for "at least three years" or that she has at least not provided the correct evidence to that effect (submission of evidence required under article 220, §3 GBW), as well as under the same legal provision that she is not an association established "in accordance with Belgian law".

104. With regard to this point, the complainant states at the hearing that it was established more than

three years before the complaint was filed; its objectives are aimed at

promoting and enforcing the rights of data subjects and natural persons in the digital sphere.

105. In addition, the Dispute Resolution Chamber points out that the requirement that an association within the meaning of

Article 80 GDPR must be established under “Belgian legislation” in accordance with

Article 220 GBW is not in line with European Union law, and in particular the exhaustive

nature of Article 80.1 GDPR and the wording of the accompanying recital 142 of the preamble.

In this sense, the primacy of EU law obliges the Dispute Resolution Chamber to disregard

national legislation that is clearly in conflict with EU law. Art. 80.1

GDPR is directly applicable in the Belgian legal order. The complainant rightly raises this, referring to the relevant case law in this regard. 76

106. In any event, the Dispute Chamber cannot submit preliminary questions, neither to the Court of Justice nor to the Constitutional Court.7

107. Given the multiple reasons on which this decision to discontinue the case is already based, the

Dispute Chamber will not proceed to further investigation of these aspects and these only concern

considerations in the context of transparency regarding the pleas and

arguments raised. 108. Thirdly, the defendants argue that the person who signed the agreement 78with the complainant

on behalf of Noyb would not be authorised under the articles of association to do so –

76The complainant refers to the ECJ judgments of 9 March 1978, C-106/77 (Simmenthal), of 19 June 1990, C-213/89
(Factortame), para. 13, and of 22 June 2010, C-188/10 and C-189/10 (Melki).
77The Litigation Chamber is an administrative body, albeit with quasi-jurisdictional powers; cf. also the wording

“semi-judicial” in the judgment of the Brussels Court of Appeal (Chamber 19A, Market Court section) of 28 October 2020, 2020/AR/582, § 7.4.
78This concerns the document that was attached to the complaint (document 1 administrative file). Decision on the merits 112/2024 — 27/33

and for that reason the representative in this case could not be validly bound in law.

In this regard, the Dispute Chamber merely notes that there is no written evidence in the

administrative file that shows that the person in question could validly bind the

representative. Given the multiple motives on which this

decision to discontinue the proceedings is already based, the Dispute Chamber will not proceed to further

examine this aspect and this is merely a consideration in the context of transparency

regarding the resources and arguments raised.

III. The substantive findings of the Inspectorate

109. This decision deals solely with aspects relating to the correct

representation and the (procedural) interest of the complaining party, which can be

traced back to procedural issues concerning the complaint. It does not

make binding decisions with regard to the two defendants, other than to the extent that the

file, which was initiated with regard to them on the basis of a complaint, is

closed.

110. Nevertheless, the Dispute Chamber considers it appropriate to

include the findings of the Inspectorate in this decision, as part of the

statement of facts, since the extensive investigation by the Inspectorate (the final report

of which alone contains 191 pages) must also demonstrate that the complaint

has been thoroughly investigated in its entirety. 111. The findings are presented below by the Dispute Chamber as a

concise summary of what was established by the Inspection Service to

present the general lines of the report, without wishing to present a complete overview of all

incriminating or mitigating elements from the report.

- Finding 1: the personal data of the data subject are exported to the

processor (second defendant) by using the functionality "Google Analytics" on the website

https://www.flair.be/:

o The Inspection Service has framed these findings in a comparison based on

technical findings (in the period after the aforementioned decision 21/2021 of the

Dispute Chamber) for the cookie settings between 9 August 2022 and 15 September 2022; it was noted that

several adjustments were made to the cookie banner (such as the

addition of a “reject all cookies” button) and that use is made of

the Didomi “consent management platform”.

79
cfr. reference supra, part I decision. Decision on the merits 112/2024 — 28/33

o Furthermore, the Inspection Service has established that also in the most recent situation

the cookies “Google Advertising Products” and “Google Analytics” are listed

with the partners, and reference is made to the fact that these partners

are supplied via the “Transparency and Consent Framework” of
vzw IAB Europe.

o The processing register of the first defendant shows, among other things, that

“Google Analytics” is described as “reporting and analysis of digital

visiting and reading behaviour (only aggregated anonymous statistics)” and that the
controller bases himself on the legitimate interest for

the processing.

o With regard to the Google Analytics tool, the first defendant states

to the Inspection Service that, in accordance with the terms of use

of that tool, the first defendant “has no other choice than to

transfer personal data, if and to the extent that the data can be qualified as

personal data, to the US.”

o The Inspection Service refers to various decisions of foreign

supervisory authorities that raised a similar issue, and this in connection with

transfers to the second defendant in the US, with the latter as “data importer”.

- Finding 2: regarding the first defendant - infringements of Articles 5.1.a, 12.1,

13.1.b), 13.1.c), 13.1.d), 13.1.e), 13.1.f), 13.2.a, 13.2.c), 13.3, 14.1.a), 14.1.b), 14.1.c), 14.2.a) and

14.2.b) and an infringement of Article 10/2 1° GBW: the right to transparent information.

o In preparation for this finding, the Inspection Service examined various
historical versions with – at that time – the most current version (version 7 of 23 August 2022) of the first defendant's

privacy policy. In this context, the Inspection Service notes that new facts have emerged compared to a previous investigation into the first defendant.

o The Inspection Service has established that there was no transparency about new versions and version management of the cookie policy and the privacy policy for 23

August 2022. In the version of 23 June 2021, the first defendant made

"substantial additions", according to the Inspection Service, with regard to the information provided in the "cookie tables".

o In accordance with the new version of 23 August 2022 of the privacy policy in

combination with a cookie policy, the Inspection Service notes that the information

offered in the Didomi "consent management platform" corresponds to Decision on the merits 112/2024 — 29/33

that in the aforementioned policy overviews. The Inspection Service states that it "welcomes" the

adjustments. Nevertheless, the Inspection Service still found several

"imperfections" after the changes of 23 August 2022,

including the use of the English language on the Didomi CMP (while the

website pages are in Dutch and French), and the inaccessible nature of the

policy when no choice has yet been made via the cookie banner.

o In general, the Inspection Service indicates that vague wording is sometimes used in

the privacy policy, such as the use of the wording "some", "etc" and "among others" without further

specification: according to the Inspection Service, this information is less vague in the cookie policy.

Specific information about the data protection officer is also missing, as is

information about processing based on art. 6.1.c) and 6.1.f) GDPR,

information on the (categories of) recipients of personal data and

information on the transfer of persons to a third country cf. articles

46, 47 or 49.1 GDPR. In addition, according to the Inspectorate, the

retention periods for certain personal data (per type) are missing, as is

specific information on the withdrawal of consent and the

resale or commercialisation of certain personal data. Finally,

information on received personal data that were not collected

directly from the data subject, within the meaning of article 14 GDPR, is missing.

- Finding 3: regarding the first defendant - infringement of articles 13.1.b), 37.7 and

38.4 GDPR: the contact details of the data protection officer.

- Finding 4: regarding the first defendant - infringements of Articles 30.1.a), 30.1.b),

30.1.c), 30.1.d), 30.1.e) GDPR regarding the register of processing activities.

o The Inspection Service points out in this regard that the processing activities of the

first defendant are incompletely presented, referring to

findings regarding processing concerning personnel activities,

processing via camera surveillance aimed at visitors to its buildings and

the presentation of processors in the register.

o In addition, the Inspection Service refers to missing elements in the

processing register, including the list of all possible processing purposes of personal

data cf. Article 30.1.b) GDPR, a

description of the categories of recipients to whom the personal data

have been or will be provided cf. Article 30.1.d) GDPR. Decision on the merits 112/2024 — 30/33

- Finding 5: infringement for invoking art. 6.1.f) GDPR for invoking the

legitimate interest for placing non-strictly necessary analytical

cookies – use of Google Analytics from 25 May 2018 to 20 August 2020.

o In this context, the Inspection Service points out that the legislation on placing

cookies has been in place for quite some time, and that the first defendant also

sat idle for two years after 25 May 2018, i.e.

blocking non-strictly necessary cookies from the website

pages without permission. Here, the Inspection Service notes as an additional fact that no

documented assessment was made when starting (or continuing) the processing

activity after the GDPR came into force.

- Finding 6: infringements of Articles 5, 6 and 4.11 in conjunction with Article 7 GDPR and Article 10/2

GBW: the principles of processing personal data and the lawfulness of processing for the DIDOMI CMP since 20 August 2020

o Since 20 August 2020, the first defendant has relied on the consent

for (the personal data processing following) the placement of non-essential analytical cookies; in this respect, the Inspection Service considers the

transparency insufficient and the consent ambiguous, referring to the "misleading colours" used - the Inspection Service refers in this

case to the difference in colours and contrast ratio based on the "rgb code or

hex code".

o Furthermore, the Inspection Service states that the "withdrawal of consent" is not

valid due to the placement of the "reject all" button on the second

information level.

- Finding 7: Infringement of Articles 5 and 6 GDPR: the principles for the processing of

personal data and the lawfulness of the processing for the cookie _gat_UA-#

of the second defendant

o The Inspection Service points out that the aforementioned cookie is listed as a

necessary cookie, where the Inspection Service states that Google Analytics is not

strictly necessary for the website to function.

- Finding 8: Infringement of Articles 5.1.e) and 25 GDPR: principles for the processing of

personal data: storage limitation and data protection by design and by

default settings.

o The Inspection Service points out that relatively long retention periods are still used for several cookies that "can be seen as disproportionate": during the consultation on 15 September 2022, the Inspection Service specifically questions whether the retention period is proportionate to the purpose of the processing, particularly for 21 of the 298 cookies examined.

- Finding 9: infringement of Article 32.1 GDPR: Security of processing - no

pseudonymisation from 25 May 2018 to 30 September 2022.

o In this context, the Inspection Service also indicates that the defendants cannot

strongly demonstrate that certain processing in the context of the cookies at issue is

anonymous. - Finding 10: infringement of Articles 5.2, 13.1.f), 24.1, 28.1, 32.2 GDPR on the points where

there is cooperation with a processor.

o The second defendant has confirmed to the

Inspection Service in the context of the investigation that it is the processor in light of the

processing at issue (in connection with analytical cookies).

o The Inspection Service further states with regard to the first defendant that it has

taken the appropriate organizational and technical measures that specifically relate to the processing

agreement and the conclusion of "Standard Contractual Clauses" ("SCC") or Model Contractual Clauses

regarding Data Protection ("MCB"). On the other hand, the Inspection Service states that the

first defendant nevertheless failed to be appropriately transparent with regard to the

data subjects in this regard. - Finding11: InfringementsofArticle32.2,44and46.1GDPR: assessmentoftheadequatelevelofsecurityandprovidingappropriatesafeguardsensuringdata subjectshaveenforceablerightsandeffectivelegalremediespriortothetransferofpersonaldatatoathirdcountryoraninternationalorganisation

byacontroller.

o Inthiscontext,theInspectoratepoints–inthelightofthecaselawoftheCourtof JusticeoftheEUonthismatter–tothefirstdefendant’sdutytoinvestigate.

o AfterreferringtoseveralindependentinvestigationsontheissuesconcerningdatatransferstotheUSA,theInspectoratefindsthatatransferofpersonaldataistakingplacetotheUSA(totheseconddefendantas“dataimporter”)outsidetheEEAthroughtheuseofGoogleAnalytics. When in this context reliance is placed on

Article 46 GDPR (appropriate safeguards) and so-called "model contractual

clauses", the Inspection Service considers this insufficient to meet the legal requirements

in light of the interpretation of the Court of Justice. The Inspection Service also refers in this context to the lack of evidence regarding

Decision on the merits 112/2024 — 32/33

the implementation of organizational measures for the assessment of the

legislation of the third country.

o Furthermore, the Inspection Service points out that the second defendant did publish new

SCC on 21 March 2022, but that the last examined privacy statement

does not contain any information about those (alleged) adjustments.

112. Furthermore, the Inspection Service submits a number of “additional considerations”,

including the interaction of the findings with the earlier decision of

the Dispute Chamber concerning the first defendant. In addition, the Inspection Service also points

to the presence of several elements in the file that belong to the strategic priorities

of the GBA, and the listed nature of the first defendant in particular.

113. In any case, the defendants have been made aware of the findings by the Inspection Service, and

they are advised – in accordance with their obligations in this regard under Articles 5.2 and 24 GDPR –

to take proper educational note of the findings by the Inspection Service. The defendants are also in possession of the integral investigation report and

the administrative file with all the substantive and technical elements that precede and underlie

that report.

IV. Publication of the decision

114. Given the importance of transparency with regard to the decision-making of the

Dispute Resolution Chamber, this decision is published on the website of the

Data Protection Authority.

115. Given that the representative of the complainant has already proceeded to

publish the entirety of the 80

data of the defendants in this dispute, and given the size of the

defendants and the unaddressed findings of the Inspectorate regarding

their activities pursuant to procedural issues, the Dispute Resolution Chamber decides to

publish the data of all parties.

116. However, it is not at all necessary for

social or any other reason that the identity of the complainant be made

known. 80Synthesis of conclusion of the first defendant, document 5: “Overview of NOYB cases, 101 complaints”; synthesis of conclusion of the second defendant,
document 7: “Overview drawn up by the defendant of all 101 complaints submitted by NOYB in the context of transfers of
personal data.”