APD/GBA (Belgium) - 146/24: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=146/24 |ECLI= |Original_Source_Name_1=Autorité de protection des données |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-146-2024.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2=...") |
mNo edit summary |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 79: | Line 79: | ||
}} | }} | ||
The DPA reprimanded | The DPA reprimanded a tech company for the centralised storage and disclosure of end-customers’ data to different retail companies. This practice violated the principles of data minimization, storage limitation, accountability, as well as data protection by default and by design. | ||
== English Summary == | == English Summary == | ||
Line 86: | Line 86: | ||
After a Belgian journal published an article on the data sharing from Freedelity to other brands, the Belgian DPA started an investigation. | After a Belgian journal published an article on the data sharing from Freedelity to other brands, the Belgian DPA started an investigation. | ||
Freedelity, the controller, is a company offering technological means to simplify the shopping experience of consumers, by collecting and storing the personal data present in Belgian electronic ID cards. This allows to centralise the commercial | Freedelity, the controller, is a company offering technological means to simplify the shopping experience of consumers, by collecting and storing the personal data present in Belgian electronic ID cards. This allows to centralise the commercial information and offers from different brands to consumers, such as loyalty cards and background log information of previous purchases. The data processed is stored in a central filing system, accessible to other brands other than only the controller. | ||
Three main points were raised in the investigation. First, the | Three main points were raised in the investigation. First, the collection of personal data, more specifically identification data and contact data. Second, the sharing of such personal data. Third, the transfer of personal data stored in the central filing system to third parties. | ||
=== Holding === | === Holding === | ||
The DPA started its decision by | The DPA started its decision by explaining which type of data processing happened. First, there was a collection of personal data, not only directly from the clients through the scanning of their electronic ID, but also by the controller, both through its application and website, including its cookies, and by subscriptions to the central filing system. Second, there has been sharing of personal data between the controller and other companies, where the controller shared and updated all personal data of customers subscribed to the controller´s service, in exchange for advertisement of the controller´s website. | ||
The court found that the data | The court found that the data collection and sharing are two inextricably linked practices as the purpose of data collection from electronic IDs is to allow the constant growth of the central filing system. | ||
Therefore, the DPA considered it appropriate to examine whether or not | Therefore, the DPA considered it appropriate to examine whether or not the controller and the companies providing the other brands acted as joint controllers in the context of this decision. The DPA considered the determination of, first, the purposes of processing; and, second, of the means of processing. The purpose was found to be the data collection and processing, which is shared between the controller and the other brands. Similarly, the means are shared, with the controller collecting personal data from their website and app, and the other brands advertising this service. In light of this, the controller and the other brands were considered joint controllers as per [[Article 26 GDPR|Article 26 GDPR]]. | ||
Violation of Articles 5(2) and 7 GDPR | '''Violation of Articles 5(2) and 7 GDPR''' | ||
With regards to the lawfulness of the legal basis, the DPA found that a violation of Article 5(2) and 7 GDPR existed as the consent collected by the joint controllers was not “collected for specified, explicit and legitimate purposes”. | With regards to the lawfulness of the legal basis, the DPA found that a violation of [[Article 5 GDPR|Article 5(2)]] and [[Article 7 GDPR|7 GDPR]] existed as the consent collected by the joint controllers was not “collected for specified, explicit and legitimate purposes”. | ||
Violation of Articles 5(2), 7(3), 24 and 25 GDPR | '''Violation of Articles 5(2), 7(3), 24 and 25 GDPR''' | ||
Additionally, the DPA considers that the joint controllers did not respect the documentation requirements and liability arising from Articles 24 and 5(2) GDPR in matter of withdrawal of consent, as current mechanisms do not allow for a withdrawal of consent that is both simple and direct as required by [[Article 7 GDPR#3|Article 7(3) GDPR]], in accordance with the principle of data protection by design under [[Article 25 GDPR|Article 25 GDPR]]. | Additionally, the DPA considers that the joint controllers did not respect the documentation requirements and liability arising from [[Article 24 GDPR|Articles 24]] and [[Article 5 GDPR|5(2) GDPR]] in matter of withdrawal of consent, as current mechanisms do not allow for a withdrawal of consent that is both simple and direct as required by [[Article 7 GDPR#3|Article 7(3) GDPR]], in accordance with the principle of data protection by design under [[Article 25 GDPR|Article 25 GDPR]]. | ||
Violation of Articles 5(1)(c) and 25(1) GDPR | '''Violation of Articles 5(1)(c) and 25(1) GDPR''' | ||
A violation of the principle of data minimization under Article 5(1)(c) and of data protection by default under [[Article 25 GDPR#1|Article 25(1) GDPR]] was found as data concerning the municipality of issue of the identity card, the date of validity of the identity card and the history of this data has been collected, even if the DPA finds that it has no relevance in the framework of the processing carried out by the joint controllers. | A violation of the principle of data minimization under [[Article 5 GDPR|Article 5(1)(c) GDPR]] and of data protection by default under [[Article 25 GDPR#1|Article 25(1) GDPR]] was found as data concerning the municipality of issue of the identity card, the date of validity of the identity card and the history of this data has been collected, even if the DPA finds that it has no relevance in the framework of the processing carried out by the joint controllers. | ||
Violation of Articles 5(1)(e), 5(2), 24 and 25(1) GDPR | '''Violation of Articles 5(1)(e), 5(2), 24 and 25(1) GDPR''' | ||
Finally, the DPA found that a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], namely the storage limitation principle, as it established a data storage period of 8 years, which is | Finally, the DPA found that a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], namely the storage limitation principle, as it established a data storage period of 8 years, which is too long, and also does not have in place a good storage system to keep the data subject´s data safe from third party interventions. | ||
Reprimand | '''Reprimand''' | ||
In the case at hand, as per Article 100 of the Belgian LCA, the DPA considered it sufficient to reprimand the controller, but also imposed a deadline of | In the case at hand, as per [https://etaamb.openjustice.be/fr/loi-du-03-decembre-2017_n2017031916.html Article 100 of the Belgian LCA], the DPA considered it sufficient to reprimand the controller, but also imposed a deadline of four months to correct these GDPR violations. After those 4 months, a €5,000 daily fine will be imposed. | ||
Among the available corrective measures, the DPA required Freedelity, (a) to put into place mechanisms so that the data collection is based on freely-given, specific, univocal consent, (b) implement simple, accessible and direct technical and organisational measures to permit data subjects to give their consent, (c) to properly document the data collection process and (d) to stop the collection and processing of personal data from electronic ID cards, except in the context of processing made with the objective of having access to a classic fidelity program. | |||
== Comment == | == Comment == |
Latest revision as of 12:00, 11 December 2024
APD/GBA - 146/24 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(e) GDPR Article 5(1)(c) GDPR Article 5(2) GDPR Article 7 GDPR Article 7(3) GDPR Article 24 GDPR Article 25 GDPR Article 25(1) GDPR Article 26 GDPR Article 100 of the Belgian LCA |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 28.11.2024 |
Published: | |
Fine: | n/a |
Parties: | Freedelity |
National Case Number/Name: | 146/24 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Autorité de protection des données (in FR) |
Initial Contributor: | elu |
The DPA reprimanded a tech company for the centralised storage and disclosure of end-customers’ data to different retail companies. This practice violated the principles of data minimization, storage limitation, accountability, as well as data protection by default and by design.
English Summary
Facts
After a Belgian journal published an article on the data sharing from Freedelity to other brands, the Belgian DPA started an investigation.
Freedelity, the controller, is a company offering technological means to simplify the shopping experience of consumers, by collecting and storing the personal data present in Belgian electronic ID cards. This allows to centralise the commercial information and offers from different brands to consumers, such as loyalty cards and background log information of previous purchases. The data processed is stored in a central filing system, accessible to other brands other than only the controller.
Three main points were raised in the investigation. First, the collection of personal data, more specifically identification data and contact data. Second, the sharing of such personal data. Third, the transfer of personal data stored in the central filing system to third parties.
Holding
The DPA started its decision by explaining which type of data processing happened. First, there was a collection of personal data, not only directly from the clients through the scanning of their electronic ID, but also by the controller, both through its application and website, including its cookies, and by subscriptions to the central filing system. Second, there has been sharing of personal data between the controller and other companies, where the controller shared and updated all personal data of customers subscribed to the controller´s service, in exchange for advertisement of the controller´s website.
The court found that the data collection and sharing are two inextricably linked practices as the purpose of data collection from electronic IDs is to allow the constant growth of the central filing system.
Therefore, the DPA considered it appropriate to examine whether or not the controller and the companies providing the other brands acted as joint controllers in the context of this decision. The DPA considered the determination of, first, the purposes of processing; and, second, of the means of processing. The purpose was found to be the data collection and processing, which is shared between the controller and the other brands. Similarly, the means are shared, with the controller collecting personal data from their website and app, and the other brands advertising this service. In light of this, the controller and the other brands were considered joint controllers as per Article 26 GDPR.
Violation of Articles 5(2) and 7 GDPR
With regards to the lawfulness of the legal basis, the DPA found that a violation of Article 5(2) and 7 GDPR existed as the consent collected by the joint controllers was not “collected for specified, explicit and legitimate purposes”.
Violation of Articles 5(2), 7(3), 24 and 25 GDPR
Additionally, the DPA considers that the joint controllers did not respect the documentation requirements and liability arising from Articles 24 and 5(2) GDPR in matter of withdrawal of consent, as current mechanisms do not allow for a withdrawal of consent that is both simple and direct as required by Article 7(3) GDPR, in accordance with the principle of data protection by design under Article 25 GDPR.
Violation of Articles 5(1)(c) and 25(1) GDPR
A violation of the principle of data minimization under Article 5(1)(c) GDPR and of data protection by default under Article 25(1) GDPR was found as data concerning the municipality of issue of the identity card, the date of validity of the identity card and the history of this data has been collected, even if the DPA finds that it has no relevance in the framework of the processing carried out by the joint controllers.
Violation of Articles 5(1)(e), 5(2), 24 and 25(1) GDPR
Finally, the DPA found that a violation of Article 5(1)(e) GDPR, namely the storage limitation principle, as it established a data storage period of 8 years, which is too long, and also does not have in place a good storage system to keep the data subject´s data safe from third party interventions.
Reprimand
In the case at hand, as per Article 100 of the Belgian LCA, the DPA considered it sufficient to reprimand the controller, but also imposed a deadline of four months to correct these GDPR violations. After those 4 months, a €5,000 daily fine will be imposed.
Among the available corrective measures, the DPA required Freedelity, (a) to put into place mechanisms so that the data collection is based on freely-given, specific, univocal consent, (b) implement simple, accessible and direct technical and organisational measures to permit data subjects to give their consent, (c) to properly document the data collection process and (d) to stop the collection and processing of personal data from electronic ID cards, except in the context of processing made with the objective of having access to a classic fidelity program.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/67 Contentious Chamber Decision on the merits 146/2024 of 28 November 2024 Case number: DOS-2019-04308 Subject: Investigation concerning two processing operations implemented by Freedelity The Contentious Chamber of the Data Protection Authority, consisting of Mr. Hielke Hijmans, President, and Messrs. Yves Poullet and Romain Robert, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR"; 1 Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter the "LCA"); Having regard to the internal regulations as approved by the Chamber of Representatives on 20 December 2 2018 and published in the Belgian Official Gazette on 15 January 2019; Having regard to the documents in the file; Has taken the following decision concerning: The defendant: Freedelity, whose registered office is established at Rue Altiero Spinelli7, 1401 Nivelles, registered under company number 0818.399.886, represented by Maîtres Christian Defauw, Alexandre Cassart, Etienne Wéry, Victoria Ruelle and Fanny Cotton, hereinafter: "the defendant" 1The DPA recalls that the revised organic law entered into force on 01/06/2024. It only applies to complaints, mediation files, requests, inspections and proceedings before the Litigation Chamber initiated from that date. Cases initiated before 01/06/2024, such as this case, are subject to the provisions of the old version of the LCA accessible here: https://www.autoriteprotectiondonnees.be/publications/loi-organique-de-l-apd.pdf 2 The new internal regulations of the APD, following the amendments made by the Law of 25 December 2023 amending the Law of 3 December 2017 establishing the Data Protection Authority (LCA), came into force on 01/06/2024. It only applies to complaints, mediation files, requests, inspections and proceedings before the Litigation Chamber initiated from that date. Cases initiated before 01/06/2024 are subject to the provisions of the internal regulations as they existed before that date. Decision on the merits 146/2024 – 2/67 I. Facts and procedure 1. On 8 July 2019, the newspaper l’Echo published an article entitled “Freedelity proposes to pool customer data management”. On 2 August 2019, a member of the Management Committee proposed to the Chairman of the Management Committee to examine this service. 2. This discussion was put on the agenda of the Management Committee meeting of 20 August 2019. At this meeting, the Management Committee decided to send a letter to the defendant to inquire about the operation of the service described in the article in l’Echo. 3. On 30 August 2019, the Director of the General Secretariat sent a letter containing a series of approximately 10 questions to the defendant. On 9 October 2019, the defendant forwarded its answers to the General Secretariat. 4. On the basis of these answers, the General Secretariat drafted a letter to the Management Committee entitled “DIRCO Report – Preliminary Information Letter – Freedelity”. On 6 December 2019, on the basis of the latter, the Management Committee of the Data Protection Authority (hereinafter “DPA”) decided to request an investigation from the Inspection Service, pursuant to Article 63.1° of the LCA. 5. On 20 April 2022, the Inspection Service's investigation was closed, the report was attached to the file and the latter was forwarded by the Inspector General to the President of the Litigation Chamber (Art. 91, § 1 and § 2 of the LCA). The Inspection Service notes, broadly, that: - Finding 1: Freedelity was unable to demonstrate the collection of valid consent (in accordance with Article 4.11 of the GDPR) in violation of Articles 5.1.a., 6.1.a., 7 and 5.2. of the GDPR. - Finding 2: Freedelity was unable to demonstrate that appropriate measures had been put in place to facilitate the withdrawal of consent in violation of Article 7.3. of the GDPR, read in light of the principle of accountability (Articles 5.2., 24 and 25 of the GDPR). - Finding 3: Freedelity was unable to demonstrate that it has implemented appropriate measures to ensure the validity and collection of consent (within the meaning of Article 4.11. of the GDPR) for the processing operations for which Freedelity acts as data controller, in violation of Articles 5.2., 24 and 25 of the GDPR. - Finding 4: Freedelity has violated the principle of data minimization set out in Article 5.1.c. of the GDPR and Article 25.1 of the GDPR. 3 This article is available at the following link: https://www.lecho.be/entreprises/technologie/freedelity-propose-de- mutualiser-la-gestion-des-donnees-clients/10143718.html Decision on the merits 146/2024 – 3/67 - Finding 5: Freedelity failed to justify the data retention periods determined in violation of Articles 5.1.e., 5.2., 24 and 25.1. of the GDPR. 6. On 6 July 2022, the Litigation Chamber decided, pursuant to Article 95, § 1, 1° and Article 98 of the LCA, that the case could be dealt with on the merits. 7. On the same day, the defendant is informed by registered mail of the provisions as set out in Articles 95§2 and 98 of the LCA. It is also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting its submissions. 8. The deadline for receipt of the submissions in response from the defendant was set at 31 August 2022 9. On 7 July 2022, the defendant requests a copy of the file (Art. 95, §2, 3° LCA), which is sent to it on 12 July 2022. 10. On 18 July 2022, the defendant agrees to receive all communications relating to the case by electronic means and expresses its intention to use the possibility of being heard, in accordance with Article 98 of the LCA. She also requests an extension of the deadline for submitting submissions to 30 October 2022. 11. On 2 August 2022, the Litigation Chamber accepts an extension of the deadline to 21 September 2022. 12. On 15 September 2022, the defendant requests to be able to consult the paper version of the administrative file. She also requests an extension of the deadline for submitting submissions to 21 October 2022. 13. On 21 September 2022, the Litigation Chamber agrees to extend the deadline for filing submissions by two weeks, until 5 October 2022. It reminds the defendant that, at her request, she had already obtained a complete digital copy of the administrative file on 12 July 2022. However, she adds that she can consult the file by contacting the registry. 14. On 28 September 2022, the consultation of the paper administrative file took place in the premises of the APD. 15. On 5 October 2022, the Litigation Chamber received the submissions from the defendant. When sending its submissions, the defendant also requested, before ruling on the matter, documents that it considered necessary for the exercise of the rights of the defence. It also requested to be granted a new deadline for submissions after receipt of these documents. 16. On 2 May 2023, the Litigation Chamber sent the defendant numerous documents and also authorised the defendant to conclude on these elements until 17 May 2023. Decision on the merits 146/2024 – 4/67 17. On 3 May 2023, the defendant requested that the deadline for submission of conclusions be extended to 15 June. 18. On 8 May 2023, the Litigation Chamber agreed to extend the deadline by one week, until 24 May 2023. 19. On 9 May 2023, the parties were informed that the hearing would take place on 14 June 2023. 20. On 23 May 2023, the defendant informed the Litigation Chamber that it wished to receive a full copy of the minutes of the Management Committee meeting of 6 December 2019. It requested a copy of the decision to lift the mandate of the President of the APD in 2022 and, in the event that the APD did not have it, it demanded that the latter take steps to obtain it. It considers that the deadlines for submitting the submissions granted to it are unreasonable, that the hearing is premature and that the file is not ready. 21. On 24 May 2023, the Litigation Chamber receives the additional submissions from the defendant. 22. On 2 June 2023, the Litigation Chamber responds to the defendant, stating that the extracts from the minutes of the Management Committee meeting contain all the information relating to this file. It adds that it has provided all the documents at its disposal and that it is up to the defendant to present in support of its submissions all the documents it considers useful. The Litigation Chamber concludes that the file is ready and that the hearing can take place. 23. On 12 June 2023, the defendant informed the Litigation Chamber that it had filed a request with the Commission for Access to Administrative Documents (hereinafter, “CADA”) against the Litigation Chamber. It requested a further postponement of the hearing. 24. On 12 June 2023, the Litigation Chamber reiterated the position expressed on 2 June 2023. It added that the APD did not currently consider itself subject to the law of 11 April 1994 on the publicity of the administration. 25. On 12 June 2023, the defendant informed the Litigation Chamber that one of its counsel was unavailable due to illness and that it was therefore unable to argue the case on the scheduled hearing date. 26. On 13 June 2023, the Litigation Chamber informed the defendant that the hearing had been postponed to 29 June 2023. 27. On 15 June 2023, the defendant sent the Litigation Chamber a request for 4 disqualification of its president on the basis of Article 828, 1° of the Judicial Code. 4 Art. 828 of the Judicial Code: "Any judge may be challenged for the following reasons: 1° if there is legitimate suspicion (…)" Decision on the merits 146/2024 – 5/67 28. On June 19, 2023, the President of the Litigation Chamber dismissed the challenge request recalling in particular that the Judicial Code is not applicable to him, and that the defendant's arguments concerning the lack of impartiality of the President of the Litigation Chamber are unfounded. 29. On 20 June 2023, the defendant filed a challenge application with the Market Court, which informed the Litigation Division on 22 June 2023. 30. On 26 June 2023, the registry of the Litigation Division informed the defendant that the hearing scheduled for 29 June 2023 was postponed to a date to be determined. 31. On 27 June 2023, the defendant sent an email to the President of the Data Protection Authority. In this email, the defendant recalled its various requests concerning the documents and indicated that it considered that this issue should be dealt with by the President of the DPA or the DPA Management Committee and not by the President of the Litigation Division. 32. On 4 July 2023, the APD received Opinion No. 2023-95 from the CADA. The latter considered itself competent to give an opinion on a request for access to a document made to the APD. It also considered that the defendant's request was admissible. 33. In its opinion, the CADA indicated that the APD was not required to guarantee access to a document that it did not possess, but that it must designate, if it was aware of it, the authority that held the requested document. Following this opinion, the defendant again requested access to documents that it considered necessary for the exercise of the rights of the defense. 34. On 11 July 2023, the Litigation Division responded to the defendant, informing it that it was forwarding its request to the APD's Management Committee. 35. On 18 July 2023, the Management Committee, through the Chair of the APD, responded to the defendant. She first stated that the CADA’s position constituted a reversal of its previous position. She added that she was not taking a position at this stage on the applicability of the law of 11 April 1994 to the APD, but she saw no objection to the fact that, in this case, the agenda and minutes of the Management Committee meeting of 6 December 2019 were provided to the defendant, with the removal of information concerning other data controllers. 36. On 31 October 2023, the Market Court issued a judgment 2023/7566 concerning the application for disqualification filed by the defendant against the President of the Contentious Chamber. In this judgment, the Market Court declared itself without jurisdiction and without competence to hear the application for disqualification filed by the defendant against the President of the Contentious Chamber. 5Judgment of the Market Court of 31 October 2023, No. 2023/AR/821 (judgment not registrable) Decision on the merits 146/2024 – 6/67 37. On 28 November 2023, the defendant was informed that the hearing would take place on 15 January 2024. 38. On 22 December 2023, the defendant filed a summons for interim relief with the Interim Relief Chamber of the Brussels Court of First Instance requesting the production of all documents relating to Freedelity under penalty of a penalty payment. 39. The Chamber of Interim Relief issued a first order on 12 February 2024 in which it declared Freedelity’s application unfounded with regard to the production of the decision to lift the mandate of the former president of the APD and the documents that are not linked to the decision of the Management Committee of 6 December 2019. It ordered the APD to produce several of the documents requested by the defendant. 40. On 20 March 2024, the Chamber of Interim Relief issued an order in which it found Freedelity’s application to be partially founded and ordered the APD to produce several additional documents, including internal emails between APD employees that were included in the inventory of exhibits. 41. On 22 March 2024, the APD provided the additional exhibits to Freedelity. In accordance with the second order of the Chamber of Interim Relief, it grants a period of 15 days to Freedelity to conclude on all the documents provided by the APD and invites it to the hearing which will take place on April 11. 42. On April 9, Freedelity files its additional submissions. 43. On April 11, 2024, the defendant is heard by the Litigation Chamber. 44. On April 29, 2024, the minutes of the hearing are submitted to the defendant. 45. On May 3, 2024, the defendant informs the Litigation Chamber that it does not wish to comment on the minutes of the hearing and that it sticks to its procedural writings and pleadings. II. Reasons II.1. Background 46. Since its creation in 2010, Freedelity has offered technology aimed at simplifying the collection and updating of personal data, in particular by using data contained in the chip of the Belgian electronic identity card (hereinafter, "eID"). 47. Freedelity's services make it possible to centralise commercial advantages offered by different brands to consumers, as well as the latter's loyalty cards or proofs of purchase. These services are offered both (i) by Freedelity to its customers of the "brand" type (according to a B2B model, as part of the CustoCentrix service), and (ii) by Freedelity to consumers (according to a B2C model). Decision on the merits 146/2024 – 7/67 48. While the article in the aforementioned Echo focused on the presentation of CustoCentrix, from the inspection phase, the investigation focused on the “Freedelity file”, maintained by Freedelity as data controller, this file remaining largely supplied by data collected by the brands. 49. As Freedelity explains in its responses to the inspection service (Exhibit 5 of the file), “the Freedelity file allows the personal identification of each consumer, access to the Myfreedelity portal as well as the management of the process of pooling the maintenance of consumer data between Freedelity customers”. 50. The Inspection Service has only analysed the conformity of the processing operations relating to the Freedelity file, and consequently (1) the collection of personal identification and contact data, (2) the pooling of these personal data, and (3) the transfer of identity data contained in the Freedelity file to third parties such as Z1 and Z2. 51. The Litigation Chamber will successively analyse the legality of the processing operations (1) and (2) referred to above in section II.5. However, it notes that the Inspection Service’s investigation report does not contain sufficient elements to allow an in-depth examination of the processing operation (3), in particular concerning the possible legal bases and the roles of the actors involved. Consequently, this decision will not concern this processing operation (3). II.2. Preliminary question: Deportation of the President of the Litigation Division 52. As a preliminary point, the defendant requests the President of the Litigation Division to withdraw due to the legitimate doubt that exists as to his impartiality. For the purposes of readability and clarity of this decision, the response of the Litigation Division to this argument will be examined later in the decision, in the section devoted to respect for the rights of the defence, and more particularly to the impartiality of the members of the Management Committee, including the President of the Litigation Division (section II.4.1.1). II.3. Procedure: Stages of the procedure 53. The Litigation Division notes that the defendant has raised a significant number of arguments relating to all stages of the procedure. However, without prejudging its jurisdiction and the extent of its duty to provide reasons with regard to the arguments raised - questions which have not been decided by the Markets Court -, the Litigation Chamber wishes to respond to them below for the proper understanding of the decision. 6Freedelity’s role as the data controller of this file is not contested. Decision on the merits 146/2024 – 8/67 II.3.1. The questioning of the Director of the General Secretariat (at the time also Chairman of the Management Committee) by the Director of the Knowledge Centre 54. The defendant considers that the Director of the Knowledge Centre at the time had no authority to question the Director of the General Secretariat, either in her capacity as a member of the Management Committee or as Director of the Knowledge Centre. 55. For all practical purposes, the Litigation Chamber recalls that the Management Committee is composed of the five directors of the APD (Article 12 of the LCA). In this capacity, the Director of the Knowledge Centre was, along with this function, a member of the Steering Committee at the time of the questioning of the Director of the General Secretariat. Furthermore, the Director of the General Secretariat at the time was also the President of the Data Protection Authority, and therefore, in this capacity, chaired the Steering Committee in accordance with Article 13§1 of the LCA. 56. Article 10§1 of the LCA provides that “The Steering Committee shall monitor developments in the technological, commercial and other fields that have an impact on the protection of personal data” (emphasis added). 57. It is clear from the documents in the case that the Director of the Knowledge Center (member of the Management Committee) proposed to the Chairman of the Management Committee to examine a Freedelity service whose operation was described as innovative in an article in L’Echo published on 8 July 2019, entitled “Freedelity proposes to pool the management of customer data”. 58. The APD, through its predecessor the Commission for the Protection of Privacy (hereinafter “CPVP”), was aware of the existence of the service offered by Freedelity, consisting of an innovative technology allowing access from one’s identity card to economic advantages (e.g. points accumulated on a loyalty card). However, the L’Echo article presented an evolution of the technological service in question: “Today, the Nivelles company is going a step further. With Custocentrix, it is launching a cloud platform enabling retailers to better organise and keep up to date all of their customers' personal and behavioural data". 59. It should be noted that an evolution of a technological service offered by a private company requiring the use of the Belgian identity card, which contains a unique identifier of a highly sensitive and regulated nature (the national register number), has an impact on the protection of personal data in Belgium. If the members of the APD Management Committee were not able to understand the extent of 7As of 1 June 2024, this service is called the "Authorisation and Advice Service". 8The Echo article is available at the following link: https://www.lecho.be/entreprises/technologie/freedelity-propose-de- mutualiser-la-gestion-des-donnees-clients/10143718.html 9Without however being considered as a special category of personal data within the meaning of Article 9 of the GDPR. Decision on the merits 146/2024 – 9/67 the impact of this development on the basis of a simple newspaper article, nor whether the processing of the national register number was involved in this development, the latter have fully assumed their responsibility by deciding to analyse said development on the basis of Article 10 of the LCA. Any contrary interpretation of this article would amount to limiting this monitoring power conferred specifically on the members of the Management Committee 10 and to emptying it of its meaning. The Director of the Knowledge Center was therefore entitled to formally request the Chairman of the Management Committee that this discussion be placed on the agenda of the Management Committee meeting of 20 August 2019. 60. Under the conditions mentioned in the two preceding paragraphs, any member of the Management Committee is authorized to formally request the Chairman of the Management Committee to place a discussion concerning such monitoring on the agenda of Management Committee meetings. For the Litigation Chamber, this interpellation comes within the framework of this obligation to monitor developments in technological fields, falling to the APD and therefore, first and foremost, to the members of the Management Committee. Such monitoring requires the possibility of an internal interpellation between members of the Management Committee and is therefore perfectly justified. 61. A member of the Management Committee wished to put on the agenda a discussion concerning the new service proposed by Freedelity, in order to allow the Management Committee to monitor this development in the technological field. This legitimate questioning occurs within the framework of Article 10§1 of the LCA and is therefore in accordance with the law. II.3.2. Sending of a letter requesting information to the defendant by the Chairman of the General Secretariat (at the time, also Chairman of the Management Committee) 62. First, the defendant considers that following the decision of the Management Committee to monitor the Freedelity service, the General Secretariat exceeded its powers by sending a letter requesting information to the defendant (Exhibit 2 of the file). It relies in particular on a report from the Court of Auditors which, according to it, criticises the fact that the General Secretariat grants itself a "role of filtering files". Secondly, the defendant argues that sending this letter requesting information in Dutch to the defendant is contrary to the law on the use of languages in administrative matters and that by application of Article 58 of the Law of 18 July 1966, the nullity of this act must be established and, by extension, that of the entire procedure. 10It should be noted that the members of the Management Committee make particularly moderate use of this monitoring power conferred by Article 10 of the LCA. This power is included in the new version of the LCA, as applicable to files initiated after 01/06/2024. Decision on the merits 146/2024 – 10/67 63. First, the Litigation Chamber points out that during the meeting of the Management Committee, its members decided that a letter could be sent on the basis of Article 20§1,1° of the LCA, after consulting the files that had previously been opened concerning the defendant with the Front Line Service (“FLS”). The first letter was drafted by the General Secretariat and sent to the defendant on 30 August 2019. 64. The President of the APD (and therefore of the Management Committee) was assisted in the performance of his tasks by the General Secretariat (Article 13§3 of the LCA). In addition, the General Secretariat has its own mission of “monitoring” technological developments, which have an impact on the protection of personal data (Article 20§1,1° of the LCA). This mission presents a certain redundancy with that of the Management Committee, consisting of “monitoring” developments in the technological field having an impact on the protection of personal data (Article 10 of the LCA). However, the “monitoring” mission11 of the General Secretariat implies a priori an active control of a higher degree than that implied by the notion of “monitoring” incumbent on the Management Committee. Furthermore, the Management Committee does not have its own department and cannot ensure its monitoring without going through another body of the APD to assist it, which was in this case the General Secretariat, whose director chaired the Management Committee. 65. The Litigation Chamber does not share the defendant’s reading according to which the General Secretariat arrogated to itself in this case “investigative” powers (a mission incumbent solely on the Inspection Service) or “filtering of files”. In the present case, the General Secretariat sent about ten neutral questions concerning the operation of the new Freedelity service, in order to understand how it works. The General Secretariat is in fact authorized to exercise such surveillance under Article 20§1,1° of the LCA), which is distinct in all respects from the power of investigation reserved for the Inspection Service (Article 28 of the LCA). 66. Thus, the criticisms of the Court of Auditors concerning the fact that the General Secretariat would play a role of filtering files are not relevant to the present case, since in this case, the file was opened at the request of a member of the Management Committee and the Management Committee decided to send a letter on 20 August 2019. The General Secretariat merely assisted the Chairman of the Management Committee while remaining within the limits of its legal powers, and, in this way, enabled the Management Committee to monitor developments in the technological field in question. 1According to the Larousse dictionary, the primary meaning of the term "surveillance" is defined as: "Action of monitoring, of controlling something, someone". See in this sense the online version available on the following link: https://www.larousse.fr/dictionnaires/francais/surveillance/75897 12 According to the Larousse dictionary, the primary meaning of the term "monitoring" is defined as: "Set of operations consisting of monitoring and controlling a process to achieve the desired result in the best conditions". See in this sense the online version available at the following link: https://www.larousse.fr/dictionnaires/francais/suivi/75313 Decision on the merits 146/2024 – 11/67 67. Prohibiting the General Secretariat from contacting the stakeholders concerned regarding technological developments in order to fully assume its “monitoring” mission, would amount for the APD to requesting the intervention of another body (for example the Inspection Service) to ensure this monitoring. This mode of operation would be completely contrary to the spirit of the LCA, and to the logic of the distribution of internal powers between the bodies of the APD, as explained above: it is not only provided in the text that the General Secretariat follows technological developments, but it is also logical that the General Secretariat assists the Management Committee in the performance of its tasks, particularly when Article 13§3 of the LCA provides that the President of the APD – therefore the President of the Management Committee – is assisted in the performance of his tasks by the General Secretariat. Furthermore, the Inspection Service could not be contacted at this stage, since its referral cannot come from a request from the General Secretariat (Article 63 of the LCA) and no procedure justifies the sharing of an investigation by the Inspection Service with the General Secretariat, which must remain secret as a matter of principle (Article 28 of the LCA). 68. For these reasons, the General Secretariat remained within the limits of its powers by contacting Freedelity, as part of its monitoring mission, in order to measure itself the impact of a technological development on data protection, as provided for by Article 20§1,1° of the LCA, to inquire about the technological development that constitutes the new service offered by Freedelity, a service whose impact was certain due to the sensitive nature of the processing in question requiring the use of the identity card. Sending a letter requesting information concerning the processing of personal data in the context of the new Freedelity service therefore constitutes a proportionate measure in the context of the monitoring mission of the General Secretary and of monitoring technological developments within the remit of the Management Committee. 69. Secondly, regarding the use of language, as the Market Court has already decided, "Despite its public policy nature, an illegality relating to the language of a decision cannot give rise to annulment if it is not such as to affect the meaning of the decision, if it has not deprived the interested parties of any guarantee or if it has not had the effect of influencing the competence of the author of the decision" (free translation). In this case, Exhibit 2 of the file was processed by the defendant without difficulty, and it was sent at a stage prior to the investigation by the Inspection Service. 70. In this case, the Litigation Chamber recalls the chronology of the facts: - Sending of a letter requesting information in Dutch (Exhibit 2) - 30.08.2019; 13Judgment of the Market Court, of September 4, 2019, 2018/AR/1446 and others, original version: “Ondanks zijn karakter van de open order, kan een eventuale onwettigheid in verband met de taal van een beslissing, een aanleiding geven tot vernietiging indian deze onwettigheid niet van aard is om, te dezen, een invloed hebben op de richting van de beslissing, zij de belanghebbende partijen geen waarborg heeft ontzegd de zij niet het effect heeft gehad om van invloed te zijn op de bevoegdheid van de auteur van het besluit”. Decision on the merits 146/2024 – 12/67 - Freedelity requests to be able to respond in French – 10.09.2019; - APD agrees that the file be handled in French – 20.09.2019; - Freedelity sends its responses in French – 09.10.2019 - The rest of the file is handled in its entirety in French. 71. The responses provided by the defendant to the letter requesting information in Dutch were written in French by the defendant, who was therefore perfectly able to understand the questions addressed to it. 72. In accordance with the defendant’s request, the rest of the procedure was conducted in its entirety in French. The defendant was therefore in no way deprived of procedural guarantees that could affect the present procedure. 73. Consequently, the Disputes Chamber considers that the sending of a letter requesting information to the defendant by the President of the General Secretariat (at the time, also President of the Management Committee) complies with Articles 10 and 20§1,1° of the LCA. The fact that this letter was written in Dutch is not such as to taint the proceedings with nullity since the rights of the defence were not affected. II.3.3. Sending of a note to the Management Committee by the General Secretariat (“DIRCO Report – Preliminary Information Letter – Freedelity”) 74. First, the defendant criticises the fact that the General Secretariat drafted a note (“Preliminary Information Letter”) for the Management Committee on the basis of the responses provided by the defendant (document 6 of the file). It also criticises that this note uses elements from the contacts between the CPVP and the responses provided by Freedelity to the questions of the General Secretariat. Secondly, the defendant claims that the document entitled “probe letter” which is attached to the decision of the Management Committee of 6 December 2019 is not produced in the file. It adds that the use of the terminology “probe” demonstrates the implementation of exploratory, abusive, unfair and arbitrary procedures. It concludes that in this case, the APD had no serious evidence at the time it contacted Freedelity. 75. Firstly, the Litigation Chamber notes that following the defendant’s response to the letter requesting information, an opinion was drawn up by the General Secretariat for the Management Committee on the basis of the responses provided (document 6 of the file). On this basis, the Management Committee decided on 6 December 2019 to ask the Inspection Service to open an investigation. 76. As stated above, the Litigation Chamber recalls that the General Secretariat has a monitoring mission (Article 20§1, 1° of the LCA). When this Decision on the merits 146/2024 – 13/67 monitoring mission follows a request for monitoring from the Management Committee (Article 10 of the LCA), it is logical that a document be drawn up on the basis of the answers provided to the questions asked, to enable the Management Committee to ensure the continuity of its monitoring (Article 10 of the LCA). 77. Indeed, in order to pursue “developments in the technological field” (emphasis added) within the meaning of Article 10 of the LCA, it is necessary for the Management Committee to take into account all information relevant to understanding such developments. The Management Committee has therefore legitimately cross-checked and used the information made available by Freedelity during its contacts with the CPVP, of which the APD is the continuation. 78. The provision of information necessary for monitoring cannot be carried out by the Management Committee itself since it does not have a department - as already indicated previously - and must therefore necessarily be carried out by a body of the APD. In this case, the General Secretariat was the natural APD department to do this: the request for information already came from the General Secretariat, which logically followed up on its letter, not to mention that this body is entrusted by Article 10 of the LCA with a mission to monitor technological development. 79. The Litigation Chamber concludes that the General Secretariat was perfectly justified in drafting an opinion for the Management Committee by gathering the information made available to it so that the Management Committee could decide to open an investigation at a later stage. Moreover, it was only on the basis of the information reported by the General Secretariat that the Management Committee was able to assess the follow-up to be given to the procedure. No opinion or recommendation is binding on the Management Committee, which is sovereign in its assessment. In this case, the Management Committee decided that the next step in the procedure would be the implementation of Article 63.1° of the LCA. 80. Secondly, the document entitled “probe letter” whose legality the defendant is contesting is indeed document 6 of the inventory which has been part of the file since the beginning of the case and which was provided to the defendant when it requested a copy of the file. 81. Furthermore, the term "probe" on which Freedelity's complaint is based is used only once by a legal adviser who wrote the opinion to the Management Committee on which the latter ruled on 6 December 2019. The term is never used again subsequently and the letter is officially entitled ("DIRCO Report - Preliminary Information Letter - Freedelity"). 82. In its internal communications, the APD alternately uses the terms "monitoring" or "system surveillance procedure" in relation to this letter. The unfair nature of the APD cannot be deduced from the simple use of these terms. Indeed, these terms are taken from the very letter of the LCA, at most they are translated into English. The Litigation Chamber recognises at most the use of different terms in the internal communications to identify the procedure in question, which has no legal consequences on the procedure. 83. The actions taken by the General Secretariat constitute a necessary step in order to be able to provide a complete file to the Management Committee so that it can make an informed decision. The defendant wrongly confuses on the one hand (i) the preparatory actions for the follow-up of a file as well as the decision of the Management Committee, and on the other hand (ii) the investigation itself. 84. The Litigation Chamber firmly reaffirms that an investigation can only be carried out by the Inspection Service (Article 28 of the LCA). Unlike the latter, neither the General Secretariat nor the Management Committee have the power to note infringements or violations of the GDPR before submitting their findings to the Litigation Chamber. 85. The sending by the General Secretariat to the Management Committee of the contested note (the “DIRCO Report – Preliminary Information Letter – Freedelity”) was done legally, on the basis of Articles 10 and 20§1, 1° of the LCA. II.3.4. Finding of serious evidence by the Management Committee 86. First, the defendant maintains that it was the General Secretariat that referred the Management Committee, with reference to Article 63.1 of the LCA, when it did not have serious evidence to do so and that it therefore illegally decided to ask questions of the defendant. It considers that the article in L’Echo was not sufficient in itself to trigger the opening of a file. Secondly, it adds that the Management Committee did not find serious evidence in its decision of 6 December 2019 since it merely repeated the report made by the General Secretariat. It refers in particular 14 to the judgment of the Court of Markets of 22 February 2023 to argue that the Management Committee’s reasoning is deficient. Third, the defendant considers that the DPA has undermined the defendant’s legitimate expectations by using information present in files from 2014 to 2016, while the DPA’s predecessor, the CPVP had closed these files. 87. First, with regard to the question of the General Secretariat’s jurisdiction, the Litigation Chamber refers to section II.3.3 above, in which no illegality is established. Furthermore, the Litigation Chamber notes a reading error on the part of the defendant. The General Secretariat did not assist the Management Committee on the basis of 14 Judgment of the Court of Markets, dated 22 February 2023, No. 2022/AR/253, available at the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-22-fevrier-2023-de-la-cour-des-marches-ar-953.pdf Decision on the merits 146/2024 – 15/67 Article 63.1° of the LCA, but rather on the basis of Article 20§1,1° of the LCA, as it clearly emerges from the documents in the file. 88. The Litigation Chamber recalls that, by virtue of the powers conferred on the Management Committee, it is up to it to ask the Inspection Service to open an investigation if serious evidence reveals the existence of practices that could give rise to a violation of the fundamental principles of data protection (Article 63.1° of the LCA). As recalled by the Markets Court, this is a discretionary power of the APD.15 89. The elements covered by the report comply with the letter of the LCA, insofar as the object of the monitoring or surveillance is precisely the impact or incidence on the protection of personal data as required by Articles 10 and 20§1, 1° of the LCA). The elements retained by the General Secretariat were indeed focused on such an object: a) Article 10 of the LCA concerns technological areas that have an “impact on the protection of personal data” b) Article 20§1, 1° of the LCA requires the monitoring of technological developments having an “impact on the protection of personal data” 90. A report on a technology having an impact or an impact on the protection of personal data, may reveal serious indications of the existence of a practice likely to give rise to an infringement of the fundamental principles of the protection of personal data (Article 63.1 of the LCA). 91. Secondly, concerning the reference by reference, the Litigation Chamber recalls that the Council of State accepts the motivation by reference, provided that the document to which reference is made is part of the file. This is the case here since document number 6, which constitutes the opinion of the General Secretariat (“DIRCO Report – Preliminary Information Letter – Freedelity”), is annexed to the decision of the Management Committee and has always been part of the file. The decision of the Management Committee is formulated as follows: “The conclusions of the attached annex contain indications of non-compliance with the following principles: obtaining consent, profiling and sharing of data, minimisation of data, retention period and recipients of data” (free translation). 15 Judgment of the Market Court of 22 February 2023, No. 2023/1527, p. 40., available at the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-22-fevrier-2023-de-la-cour-des-marches-ar-953.pdf. 16Decision of the Council of State of 7 May 2013, No. 223.440 17 Extract from the minutes of the Management Committee of 6 December 2019. Exhibit 7 of the file. Original version: "The extensive statements in bijlage gevoegd bevatten aanwijzingen betreffende do not comply with the following principles: as per Décision sur le fond 146/2024 – 16/67 92. The decision of the Management Committee therefore justifies its decision by referring to the note provided to it, and relies on it to identify serious indications of breaches of the following principles: - obtaining consent, - profiling and sharing of data, - minimisation of data, - retention period, - and recipients of the data. 93. Thirdly, with regard to the defendant’s argument that the consultation and use of the information in the files opened within the CPVP, the predecessor of the APD, violated the principle of legitimate expectations, the Litigation Chamber recalls that, like any public authority, it is subject to the duty of thoroughness which requires it to “conduct a meticulous research into the facts, to gather the information necessary for decision-making and to take into account all the elements of the file in order to make its decision in full knowledge of the facts and after having reasonably assessed all the elements useful for resolving the specific case”. 18 94. This duty requires the APD, when it wishes to make a decision concerning an individual, to check whether and to what extent files have already been opened against that individual. This research is also essential in order to be able to ensure compliance with the principle of non bis in idem. The Litigation Chamber therefore considers that the General Secretariat was perfectly entitled to consult all the files concerning the defendant, including the closed files, to enable the Management Committee to make an informed decision. 95. The Litigation Chamber recalls that, according to the Council of State, the principle of legitimate trust, "means that the person administered must be able to count on a clear and well-defined line of conduct from the authority or, in principle, on promises made to him by the authority in a specific case. The violation of the general principle of legitimate trust requires three conditions, namely an error by the administration, a legitimate expectation raised following this error and the absence of a reason to go back on this recognition. This principle cannot be invoked on the basis of acts emanating from an authority distinct from that which adopted the contested act. » of toestemming, profiling in delen van gegevens, gegevensminimalisatie, bewaartermijn en ontvangers van de gegevens. » 18Judgment of the Council of State, of December 6, 2021, No. 252.324, p. 13. 19Judgment of the Council of State of 8 May 2024, No. 259.704. Decision on the merits 146/2024 – 17/67 96. The Litigation Chamber notes that in its analysis, the General Secretariat found five indications of non-compliance. Two of these indications (indications 3 and 5) are based solely on the responses provided by the defendant in its letter of 9 October 2019. These indicators are not based on elements of older files. The three other indicators of non-compliance are based on a comparison between the elements contained in a letter from the defendant to the CPVP dated 26 November 2015 and the response of 9 October 2019. The General Secretariat noted in its three instances a change in the defendant's practice which, according to it, could constitute a breach of the principles of personal data protection. The General Secretariat had to carry out this verification to allow the Management Committee to "monitor developments", as explained previously, and decide to refer the matter to the Inspection Service. 97. Thus, in its analysis, the General Secretariat claims that between 2015 and 2019, the duration of data retention by the defendant increased from 5 to 8 years. It also writes that the defendant would now carry out profiling based on the data collected, which it had indicated that it did not do before. 98. For the Litigation Chamber, the General Secretariat's analysis does not reveal any change in the position of the APD or an erroneous interpretation on its part. It therefore has no impact on the procedure. Indeed, it emerges from the Chamber's analysis that when the General Secretariat uses information from past cases, it is to compare them with the current practices that the defendant has informed it of. This comparison allowed the Management Committee to ensure its follow-up (Article 10 of the LCA). 99. For the Litigation Chamber, even if the CPVP had authorised the processing in question by the defendant, quod non, the principle of legitimate expectation does not mean that in the face of new facts and changes in practices, the public authority must maintain a line of conduct that it would have expressed in the past on facts that were significantly different. The defendant is therefore wrong to invoke a violation of the principle of legitimate expectation. 100. In view of the foregoing, the Litigation Chamber concludes that the decision of the Management Committee complies with the requirements of Article 63.1 of the LCA. II.3.5. Referral to the Inspection Service by the Management Committee (validity of the minutes) 101. First, the defendant explains that the versions of the minutes sent to it do not allow it to be established whether the President of the Litigation Division, who abstained during the Management Committee’s vote on this point, participated in the discussion. In addition, it considers that it has not been demonstrated that the majority of the members of the Management Committee were present, nor that a majority of the members voted in favour under Article 3 of the ROI. Finally, the defendant considers that there are doubts that a record of the Management Committee’s decision was drawn up and signed by the President of the Management Committee, which would constitute a violation of Article 16 of the LCA. 102. Secondly, the defendant also argues that since this decision was taken in Dutch, it would be contrary to the law on the use of languages in administrative matters, since the defendant is based in a French-speaking region. 103. Firstly, the Litigation Chamber recalls that the minutes of the Management Committee cover many topics, including strategic decisions of the APD and that they contain personal data. In accordance with the principle of data minimisation (Article 5.1.c of the GDPR), and compliance with the principle of confidentiality applying to the members of the Management Committee (Art. 48 LCA), the Litigation Chamber does not transmit the minutes of the Management Committee in their entirety to the parties concerned by a procedure, but only an extract of said minutes in order to enable the parties to a procedure to assess their existence for the part that concerns them. 104. The defendant had at the outset of the proceedings on the merits an extract from the minutes of the Management Committee concerning the activation of Article 63.1° against it. At its request, a broader extract was provided to it on 2 May 2023. A full version of the minutes was provided to it on 18 July 2023 by the President of the APD. 105. The defendant was able to note from the minutes, firstly, that all the members of the Management Committee were present at the meeting of the Management Committee, but that the President of the Litigation Chamber recused himself for this item on the agenda, secondly, that no objection from any of the members of the Management Committee was noted, thirdly, that the minutes were indeed signed by the President of the Management Committee, and fourthly, that the Management Committee decided to refer the Inspection Service on the basis of Article 63.1° of the LCA. The conditions of Articles 15 and 16 of the LCA are therefore met. The defendant’s argument contesting the existence of a report and compliance with its formalism is therefore unfounded. 106. With regard to the complaint concerning the bias of the members, the Disputes Chamber refers to its examination in section II.4.1 below. 107. Therefore, neither the validity of the minutes of the Management Committee nor the participation of the directors can be called into question. The procedure complied with the legal requirements, and no evidence of bias has been provided. Decision on the merits 146/2024 – 19/67 21 108. Secondly, in a judgment of 7 July 2021, the Procurement Court recalled that the APD must be considered a central service within the meaning of the Act on the use of languages in administrative matters and that as such, it must comply with Articles 40 et seq. of that Act. 109. However, the decision to refer the matter to the Inspection Service by the Management Committee does not constitute communication with individuals, within the meaning of Article 41 of the Act on the Use of Languages in Administrative Matters, but rather internal communication; the use of French by the Management Committee was therefore not required. 110. The referral to the Inspection Service by the minutes of the Management Committee is therefore valid and complies with the requirements of Articles 15 and 16 of the LCA, as well as Article 3 of the ROI. II.3.6. Procedure before the Inspection Service 111. The defendant argues that the file reference used by the APD has been the same since the first letter sent by the General Secretariat, which tends to prove that there was a well-established “pre-inspection” procedure within the APD. It adds that the Inspection Service has taken up the exchanges between the General Secretariat and Freedelity under the name “Surveillance of the General Secretariat”. The defendant also considers that there is no evidence of the taking of an oath by an inspector who worked on the case (“inspector concerned”), even though the latter contributed to the investigation. 112. The Litigation Chamber notes that the defendant draws no conclusions from the first two arguments mentioned and linked to the reference and title of the case. Insofar as necessary, it refers in this regard to the previous developments on this point (see paragraph 8282). 113. With regard to the taking of an oath, at the defendant’s request, the Litigation Chamber provided it with a document on 2 May 2023, the subject of which is “designation of inspectors of the inspection service”. This document signed by the Inspector General and the Director of the General Secretariat is dated June 25, 2019. It states that "Only the names of the agents of the Data Protection Authority below who took the oath on November 19, 2018 retain the status of inspector of the inspection service." This is followed by a list of agents whose names have been redacted by the Litigation Chamber for reasons of privacy, with the exception of the name of the inspector concerned which appears in the list. 114. For the Litigation Chamber, this document demonstrates that the inspector concerned took the oath on 19 November 2018 and that on 25 June 2019, the APD considered that he retained 21 Judgment of the Market Court of 7 July 2021, No. 2021/AR/320 available at the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-juillet-2021-de-la-cour-des-marches-ar-320- disponible-en-neerlandais.pdf Decision on the merits 146/2024 – 20/67 the quality of inspector of the inspection service. At the date of the referral to the Inspection Service by the Management Committee on 6 December 2019, the inspector concerned had indeed taken the oath and was still an inspector. 115. The Litigation Chamber also recalls that this type of request is not based on any legal basis. Indeed, the law provides that inspectors take an oath (Article 30 §1 of the LCA), which must be considered as an established fact, except in cases of serious doubt which must be proven by the defendant. The defendant cannot therefore rely on any legal basis to demand the transmission of these documents. 116. The Litigation Division concludes that the procedure before the Inspection Service is not flawed. II.3.7. Referral to the Litigation Division by the Inspection Service 117. The defendant argues that the Litigation Division could not have been validly referred to given that the Inspection Service itself was not validly referred to. 118. The Litigation Division did not find any irregularity in the referral to the Inspection Service. Consequently, it considers itself legally referred to on the basis of Article 92.3° of the LCA. 119. The referral to the Litigation Division was made legally on the basis of Article 92.3° of the LCA. II.4. Procedure: respect for the rights of the defence II.4.1. Impartiality of the members of the Management Committee and of the Committee itself 120. The grievances raised by the defendant must be distinguished according to whether they concern the members of the Management Committee or the Management Committee itself. II.4.1.1. The President of the Litigation Chamber Position of the defendant 121. As a preliminary matter, and as stated in Section II.2, the defendant requests the President of the Litigation Chamber to withdraw on the grounds of the legitimate doubts that exist regarding his impartiality. In the absence of a specific procedure established by the LCA, the defendant argues that Article 828, 1° of the Judicial Code should apply by analogy. 122. According to the defendant, the possibility of requesting the recusal of a judge is an integral part of Article 6 of the European Convention on Human Rights and Article 47 of the Charter of Fundamental Rights of the European Union. These same guarantees of independence and impartiality are contained in Article 52 of the GDPR, which has been transposed into Belgian law by Article 36 of the LCA. Decision on the merits 146/2024 – 21/67 123. In the event that the Contentious Chamber considers that the absence of an explicit provision in the law would mean that recusal is not possible, the defendant requests that a prejudicial question be submitted to the Constitutional Court. 124. It considers that this bias or appearance of bias arises from the following elements: a) First, the President of the Litigation Chamber was aware of several documents concerning Freedelity that led to the decision of the Management Committee of 6 December 2019 and that despite his disqualification during the examination of this point, it is impossible to know what his role was at this meeting. b) Second, the President of the General Secretariat was allegedly dismissed from his mandate, in particular due to “pre-inspection” procedures such as those carried out in this case. However, the President of the Litigation Chamber testified before the Justice Commission on the occasion of the lifting of the mandate of the President of the APD before the House of Representatives and also constituted himself an intervener in the appeal for extremely urgent suspension brought by the President of the APD before the Council of State against the decision to lift the mandate. He himself filed an appeal for suspension of the decision to lift the mandate before the Council of State. For the defendant, the president of the Litigation Chamber would defend the conduct of the president of the APD which was allegedly the cause of his lifting of his mandate. c) Thirdly, the president of the Litigation Chamber could not refuse access to the request made by the defendant to access the decision to lift the mandate of the president of the APD on the grounds that he did not have this document, since he intervened in various proceedings before the Council of State on the subject of this decision and therefore necessarily had access to it. d) Fourthly, the fact that the president of the Litigation Chamber refused to provide certain documents requested by the defendant and that he took a position on the competence of the CADA with regard to requests for access concerning documents held by the APD. (e) Fifth, the defendant also considers that being a creditor is a ground for challenge, which would be the case for the President of the Litigation Chamber in this case since in the context of the challenge proceedings brought by Freedelity before the Market Court, the President requested and obtained a procedural indemnity, the payment of which he has not yet demanded. Review by the Litigation Chamber Decision on the merits 146/2024 – 22/67 125. As a preliminary point, the Litigation Chamber does not dispute that the principle of impartiality applies to administrative authorities. It should be stressed, however, that the principle 22 of impartiality “must be reconciled with the structure of the active administration”, as described below, in paragraph 127. 126. The Litigation Chamber of the APD is chaired by Mr Hijmans. The proper functioning of the Litigation Chamber and the APD requires that the president be available, and be able to sit during decisions on the merits (Articles 33§1 and 92 to 107 of the LCA), as well as within the Management Committee, as is apparent from the dual competence of the directors of the organs of the APD established by Article 12 of the LCA. 127. According to consistent case law of the Council of State: “the general principle of impartiality must be applied to all organs of the active administration. It is sufficient that an appearance of bias could have raised legitimate doubts in the applicant as to the ability to approach his case with complete impartiality. However, this principle only applies to the extent that it is compatible with the specific nature, and in particular with the structure of the active administration. Furthermore, the impartiality of a collegiate body can only be called into question if, on the one hand, specific facts which raise suspicions of bias on one or more members of that college can be legally established and on the other hand, it is clear from the circumstances that the bias of that member or members could have influenced the entire college. It is up to the person alleging that the authority did not act with independence, impartiality and thoroughness to provide proof of this. 23 128. It is therefore up to the party invoking the breach of the principle of impartiality to demonstrate the existence of specific facts from which it should be concluded that the principle of impartiality has been breached. If the facts concern a member of a collegiate body, it is appropriate for the party invoking the breach of the principle of impartiality to demonstrate that the facts it identifies are likely to have affected the impartiality not only of their author, but also of at least a majority of the members of the collegiate body in question.24 - The bias of the president of the Litigation Division as a member either of the management committee or of the Litigation Division sitting with three members. 129. First, the criticism concerns the fact that the President of the Litigation Chamber had received documents concerning the defendant prior to the meeting of the Management Committee of 6 December 2019. The defendant has not demonstrated why the fact of receiving 22 C.E., 25 April 2023, 256.341, Di Livio. 23 C.E., 30 November 2022, 255.145, Lemaire and Loslever; see also C.E., 19 January 2022, 252.684, XXX. 24 See in particular Cour des marchés, 7 December 2022, 2022/AR/556, available from the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-.r-556.pdf Decision on the merits 146/2024 – 23/67 these documents would demonstrate indications of bias on the part of the President of the Chamber Contentious, especially since the latter did not, at any time, react to these documents and that he recused himself during the discussion on this point as proven by the minutes of the meeting. It is also not demonstrated how this bias, if it were demonstrated, could have influenced the other members of the Management Committee. 130. Secondly, the Disputes Chamber considers that the impartiality of the President of the Disputes Chamber cannot be called into question by the fact that he filed in his own name an appeal to suspend the decision to lift the request of the President of the APD, since this appeal was filed because he considered that this decision posed a risk to his personal independence as President of the 25 Disputes Chamber. Furthermore, the President of the APD did not conduct any “pre-inspections” in the present case (see section II.3.2 of the decision) and the defendant presents evidence without proof of what it claims, nor an explanation allowing the Disputes Chamber to follow its reasoning. - The bias of the President of the Litigation Chamber sitting alone 131. Third, the fact that the President of the Litigation Chamber responded to the defendant that the APD does not have the decision to lift the mandate of the President of the APD is a factual observation that does not reveal any bias. This assertion was further corroborated by the President of the APD in her letter dated 18 July 2023. 132. The fact that the President of the Litigation Chamber could have had knowledge of this document is irrelevant since this took place in the context of his private activities, since he was appearing before the Council of State "on his own initiative, without being authorised to do so by the data protection authority" (free translation). It cannot be reasonably argued that the request for access to documents that the defendant made to the APD would also extend to documents that could be held by the directors outside their function within the APD. 133. The Litigation Chamber also emphasises that access to this document was also refused by the Chamber of Representatives when the defendant requested access. In its order of 12 February 2024, the Interim Relief Chamber of the Court of First Instance also dismissed the defendant’s request for production of this document. 134. Fourthly, the fact that the President of the Litigation Chamber granted access to certain documents and not to others requested by the applicant does not mean 25 C.E. No. 256,827 of 19 June 2023, § 8. 26 C.E. of 17 August 2022, No. 254,326. Original version: “on its own title, without prejudice to the Gegevensbeschesmingsauthority”. Decision on the merits 146/2024 – 24/67 that he thereby lacked impartiality. The President of the Litigation Chamber is required to take a number of actions in the context of the organisation of the procedure, actions that he considers legitimate and these do not prejudge his personal assessment of the merits of the case. 135. Moreover, the bias of the President of the Litigation Chamber is not demonstrated by the response to the request for production of documents made by the defendant on the basis of the law of 11 April 1994 relating to the publicity of the administration. Indeed, in its response, the Litigation Chamber states that the APD does not consider itself currently subject to the law of 11 April 1994 relating to the publicity of the administration. This position does not demonstrate the bias of the President of the Contentious Division since it concerns the position of the Management Committee as a whole and that the CADA itself shared this position in the past. 136. In this regard, the case-law of the European Court of Human Rights teaches that a problem linked to a lack of judicial impartiality does not arise when the judge has already rendered formal and procedural decisions at other stages of the proceedings. On the other hand, this problem may arise if, at other stages of the proceedings, the judge has already ruled on the guilt of the accused. 137. However, in the present case, what is being criticised against the President of the Contentious Division does not imply any position whatsoever on the part of the latter as to the merits of the case and, in particular, as to the conduct or responsibility of the applicant. 138. This teaching of the European Court of Human Rights concerns judges; it applies even more so with regard to members of an administrative college. 139. Fifth, the President of the Litigation Chamber is not acting in his personal capacity in this case. The procedural compensation in question was requested in the context of the exercise of his functions within the APD, that is to say, as President of the Litigation Chamber; he has no personal or financial interest in this claim. 140. The lack of impartiality of the President of the Litigation Chamber has therefore not been demonstrated. No valid reason can justify his removal from the present case. II.4.1.2. The Director of the Knowledge Centre 27 See in particular CADA, opinion 2018-14, available at: https://www.ibz.rrn.fgov.be/fileadmin/user upload/fr/com/publicite/avis/2018/ADVIES-2018-14.pdf 28European Court of Human Rights (ECHR), George-Laviniu Ghiurău v. Romania, 16/06/2020, Application no. 15549/16, § 67 29Gómez de Liaño y Botella v. Spain, 22/07/2008, Application no. 21369/04, § 67-72. See also ECHR, Guide on Article 6 of the European Convention on Human Rights, Right to a fair trial – criminal aspect, https://www.echr.coe.int/documents/guide art 6 criminal eng.pdf. Decision on the merits 146/2024 – 25/67 141. The defendant claims that the then Director of the Knowledge Centre, in the context of her previous employment, had worked with Freedelity and validated their legal model. The defendant considers that these agreements were covered by professional secrecy, business secrecy and confidentiality agreements and that this information was shared with the DPA, which allegedly was complicit in the violation of this confidentiality. 142. The Disputes Chamber recalls that the members of the Management Committee are bound by the principle of impartiality (Article 43 of the LCA), which prohibits them from being present during a deliberation or decision on cases in which they have a personal and direct interest. According to the doctrine, "The personal and direct interest may be of a moral nature, in particular when one or more members of the decision-making authority have already expressed a clear point of view or have formed a personal opinion and could not go back on it without losing face." (free translation). 143. This principle means that no member of the Management Committee may have a personal interest in the decision taking a certain direction (nemo iudex in causa sua). In particular, being morally unable to revise a previous point of view carries the risk that members of the administration, having already expressed (publicly) their opinion, can no longer assess the case objectively. Furthermore, the Litigation Chamber notes that the defendant does not justify how the situation meets the definition of a conflict of interest provided for in Article 58 of the ROI. 144. In this case, the Director of the Knowledge Center has never worked within Freedelity, and therefore was not in a situation where the demonstration of a personal and direct interest in Freedelity, or a conflict of interest, could be inferred from her previous position. The fact that the Director of the Knowledge Center was aware of the Freedelity legal model and had “validated” it in the past does not demonstrate that she had a personal and direct interest in the decisions of the Management Committee based on Articles 10 and 63.1° of the LCA. The Director of the Knowledge Center has never expressed any public negative opinion regarding Freedelity. At most, the Director of the Knowledge Center has expressed a positive opinion in the context of her former functions on Freedelity in the past. If the director of the Knowledge Center had actually used information collected in the course of their duties 30Wolters Kluwer – Tijdschrift voor Bestuurswetenschappen en Publiekrecht, “Partijdigheid en belangenconflicten bij het actief bestuur: de sluipweg van het gelijkheidsbeginsel”, Lise Van den Eynde, 2024, paragraph 4. Original version: “De This class in the well-known category is the person of subject matter. Het komt erop neer dat Iemand met een personlijk en rechtstreeks belang zich moet onthouden van deelname aan het besluitvormingsproces » and “Het personlijk en rechtstreeks belang kan van morele aard zijn, onder andere wanneer een de meer leden van de be overheid eerder al een duidelijk standpunt hebben ingenomen de een eigen mening hebben gevormd en niet zonder gezichtsverlies daarop zouden kunnen terugkomen”. 31See above Decision on the merits 146/2024 – 26/67 previous, this should have led to the only conclusion that the Freedelity service was valid. 145. Furthermore, contrary to what Freedelity claims, there is no evidence in the case file that the Knowledge Centre Director used confidential information or shared it with the APD. The only statement on which Freedelity relies is the following: “When I analysed the Freedelity offer a year ago, it constituted a clear violation of the Privacy Regulation in several respects.” 32 146. No other sentence or information from the Knowledge Centre Director can be found in the subsequent exchanges, opinions and documents in the case file. The Litigation Chamber cannot therefore conclude that this was confidential information cited by the defendant and the entire procedure is based only on information legitimately collected by the APD. 147. The Litigation Chamber concludes that the Director of the Knowledge Centre did not breach the principle of impartiality applicable to members of the Management Committee (Article 43 of the LCA). II.4.1.3. The Director of the General Secretariat (Chairman of the Management Committee) 148. First, the defendant also criticises the APD for not having forwarded to it the decision relating to the lifting of the mandate of the President of the APD. Second, the defendant maintains that the Director of the General Secretariat was biased because he was the initiator of the request for information to the defendant. Third, the defendant claims that the type of procedure followed by the Management Committee in this case was the cause of the lifting of his mandate. It justifies itself by supporting press articles and judgments handed down by the Council of State in cases concerning the decision to lift the mandate. 149. First, the Litigation Chamber maintains that the APD does not have the decision to lift the mandate of its former president. 150. Second, the Litigation Chamber recalls that situations of bias cannot arise 33 from the normal application of the law. However, the law provides that the director of the General Secretariat may be in a position to chair the Management Committee (Article 13§2 of the LCA), and that the Chairman of the Management Committee is assisted in the performance of his 32 Email from the President of the Knowledge Center of August 2, 2019 33See the decision of the Council of State of May 11, 2021, No. 250.571 Decision on the merits 146/2024 – 27/67 tasks by the General Secretariat (Article 13§3 of the LCA). For the remainder, the Litigation Chamber refers to the previous developments on this point (see section II.3.2). 151. Third, of the nine press articles provided by the defendant, only one (exhibit 28 of the defendant’s file) makes a brief reference (one sentence in a four-page article) to a possible excess of authority by the president of the APD. The file in question concerned questions put to a school in Ghent on a possible use of biometric data. No other file is mentioned. 152. The defendant does not provide evidence that this element was actually, alone or among others, the reason for the lifting of the mandate of the president of the APD. It also does not explain how the finding of an excess of competence that was allegedly noted by the House of Representatives in the case identified by the press could be transposed to the present case or even relevant for its processing. 153. Nor does it appear from the extracts of the decisions of the Council of State that the president of the APD had his mandate lifted for facts related to the present case, or to the procedures put in place for the activation of Article 63.1 of the LCA. The elements emerging from the extracts cited are in fact very general and report serious failings and incapacities that are not specified. Furthermore, as demonstrated above, this case was proposed to the Management Committee by a director other than the President of the APD. The sending of the first letter to the defendant, as well as the request to open an investigation, were decided by the Management Committee. These elements seem difficult to reconcile with allegations of exceeding the powers of the President of the APD. 154. The Litigation Chamber concludes that none of the elements put forward by the defendant allows it to conclude that the General Secretariat or its director was in a situation of bias or exceeding the powers of the defendant. II.4.1.4. The Director of the Inspection Service (the Inspector General) 155. First, the defendant claims that the Inspector General (also a member of the Steering Committee) had met with Freedelity in the past when he was working for the CPVP and, secondly, had participated in the preparation of the file and decided on his own referral. It maintains that the involvement of the Inspector General at the stage of preparing the file for examination by the Steering Committee impacts his own referral and the admissibility of his work. 156. Second, it also maintains that the Inspector General cannot take a position on the activation of Article 63.1 of the LCA by the Steering Committee without affecting his impartiality. Decision on the merits 146/2024 – 28/67 157. First, regarding the arguments on the partiality of the Inspector General, the Litigation Chamber refers to its previous developments regarding the analysis of situations of partiality (see paragraphs 142-143) and recalls that a situation of partiality cannot arise from the normal application of the law. The fact that the Inspector General sits on the Management Committee during the decision-making phase of monitoring developments in the technological field (Article 10 of the LCA) or the phase of establishing serious indications (Article 63.1° of the LCA), is legally provided to be compatible with his function as Inspector General (Article 12 of the LCA). 158. Furthermore, the activation of Article 63.1 of the LCA (or Article 63.6) cannot in any case be equated with an indictment or investigation procedure as the defendant maintains. This is a preliminary step to the opening of an investigation, which does not entail any definitive finding and which in no way prevents the Inspection Service from conducting its investigation impartially thereafter. As it has proven in the past, the Inspection Service is perfectly capable of conducting an investigation concluding that there were no violations despite the findings of serious indications by the Management Committee. 159. The fact that a member of the Management Committee has “met” one or more members of a company’s staff does not put him in a position of bias towards that company on that sole basis. Bias must be concretely demonstrated, which requires highlighting specific facts or behaviors. 35 This obviously does not depend on the fact that he has worked on a case in the past or met a person on this occasion. 160. For the Litigation Chamber, the exchange of information within the APD is a sine qua non condition for the proper execution of its mission to ensure compliance with data protection. A partitioning of information between services only takes place when it is provided for by law. This is the case of Article 64.3 of the LCA, which provides that the investigation is secret. 161. The LCA does not provide for any other restriction on the exchange of information within the APD when this exchange is necessary for its operation. Informal exchanges between directors when carrying out preparatory acts for the adoption of a decision are normal and essential steps in the decision-making process. The files opened with the SPL concerning the defendant and the information available to the Inspector General who was involved in these files as a lawyer at the time are entirely relevant to assess whether an investigation should be requested against the defendant. The APD 34See in particular the decision of the Litigation Chamber 77/2020, in which the Management Committee had requested the opening of an investigation by the Inspection Service. The latter found that the incriminated activity did not involve the processing of personal data. The case was therefore closed by a filing without further action. 35See in this sense the judgment of the Court of Markets, 7 December 2022, 2022/AR/556, available from the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-ar-556.pdf, p.21. What applies to collegiate bodies also applies to a member of an administrative body. Decision on the merits 146/2024 – 29/67 allegedly acted negligently by not using the information it had on the defendant to inform its decision. 162. Indeed, if the latter could not handle cases in which he had been involved as a lawyer before his appointment as Inspector General, this would de facto prevent the Inspection Service from exercising its powers with regard to a large number of data controllers. This is certainly not the intention of the House of Representatives, which appointed the Inspector General while being fully informed of the fact that he had been a lawyer within the CPVP. According to the Litigation Chamber, this situation does not allow his impartiality to be called into question. 163. Secondly, the argument that the Inspector General cannot take a position on the activation of Article 63.1 of the LCA by the Management Committee without affecting his impartiality is no more convincing to the Litigation Chamber. Indeed, the Management Committee is not the only one that can request an investigation on the basis of serious evidence, since Article 63.6° of the LCA provides that the Inspection Service may, on its own initiative, open an investigation if there are serious indications of an offence. If the law provides that the Inspection Service, and therefore the Inspector General, can decide alone that there are serious indications of an offence, it can logically decide this collegially within the framework of the Management Committee, without this affecting its impartiality in conducting the investigation. 164. The LCA also provides for a clear distinction between the investigative power, which is devoted to the Inspection Service, and the sanctioning power, which is the prerogative of the Litigation Chamber. 165. In this case, the Litigation Chamber concludes that no evidence of bias has been demonstrated on the part of the Inspector General, who merely carried out the tasks assigned to him under the LCA. II.4.1.5. The Management Committee 166. The defendant argues that since the majority of the members of the Management Committee were in a position of bias, the Management Committee was itself biased. 167. As already recalled by the Litigation Chamber on numerous occasions in this decision, in accordance with the consistent case law of the Council of State, criticism of 36 bias cannot be based on a situation arising from the normal application of the law. 168. Furthermore, "the impartiality of a collegiate body can only be called into question if, on the one hand, specific facts which raise suspicions of bias on the part of one or more members of that college can be legally established and, on the other hand, it is clear from the circumstances that the bias of that or those members could have influenced the entire 36 Decision of the Council of State of 11 May 2021, No. 250.571 Decision on the merits 146/2024 – 30/67 college. It is up to the person alleging that the authority did not act with independence, impartiality and thoroughness to provide proof of this." 169. The Markets Court specifies that the alleged bias of a collegiate body must be concretely demonstrated, which requires highlighting specific facts or 38 behaviors that concern this body, therefore committed by its members. 170. The Management Committee is composed of the directors of the APD (Article 12 LCA). Each director ensures the management of a body, as is apparent from the powers established by the LCA. The Management Committee is competent to refer the matter to the Inspection Service in the event of finding serious evidence of the existence of a practice likely to violate the fundamental principles of the protection of personal data (Article 63.1° of the LCA). 171. For the Litigation Chamber, the defendant must therefore demonstrate for each of the members of the Management Committee against whom it makes this reproach, that on the one hand, he showed bias, and that on the other hand, he was able to influence the other members of the college. The Litigation Chamber adds, moreover, that the fact that a member of the Management Committee allegedly showed a lack of bias – quod non in the present case – is not sufficient in itself to invalidate a decision of the Management Committee. 39 172. However, as explained in sections II.4.1.1, II.4.1.2, II.4.1.3 and II.4.1.4, the bias of the members has not been demonstrated. Furthermore, even if the bias of a member of the Management Committee were demonstrated, this is not such as to taint the decisions taken by the Management Committee, which are valid on condition that the “majority” of the members were present (Article 15 of the LCA). 173. Therefore, neither the bias of the members of the Management Committee nor that of the Management Committee itself has been demonstrated. The Litigation Chamber concludes that the arguments of the defence on the issue of bias are not valid. II.4.2. Processing within a reasonable time and adequate time to prepare its defence 174. The defendant argues that the proceedings lasted almost five years after the first disputed letter, which exceeds the reasonable time and that it did not have the opportunity to properly defend itself. She accuses the APD of deliberately soliciting written contributions from the defendant during periods of leave. She cites 37 C.E., 30 November 2022, 255.145, Lemaire and Loslever; see also C.E., 19 January 2022, 252.684. 38 Judgment of the Market Court of 7 December 2022, 2022/AR/556, available from the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-ar-556.pdf . 39 Judgment of the Market Court of 7 December 2022, 2022/AR/556, , available from the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-ar-556.pdf. Decision on the merits 146/2024 – 31/67 including a judgment of the Brussels Court of Appeal which provides that a file which had experienced a period of inertia of two years exceeded the reasonable time limit. 175. The defendant invokes unreferenced case law to argue that the rights of the defence from the perspective of the useful time limit and the right to a reasonable time limit apply to the APD. 176. The Litigation Chamber confirms that it is indeed subject to respect for the rights of the defence, including the right to a reasonable time, protected by Article 48 of the Charter of Fundamental Rights of the European Union and Article 6 of the European Convention on Human Rights. 177. Concerning the reasonable time, the defendant mentions a judgment of the Brussels Court of Appeal in which it allegedly found that the reasonable time had been exceeded in a case that had experienced a period of inertia of two years. This judgment is not provided to the Litigation Chamber. It cannot therefore take it into account. 178. The Litigation Chamber recalls that, according to the case law of the Council of State, "the principle of a reasonable time, which is derived from the general principles of good administration and legal certainty, is capable of being applied to all administrative decisions. The reasonable period within which any administrative authority must ensure that it takes a decision only begins to run from the moment it is able to do so. The assessment of whether or not the duration of a procedure is reasonable is a question of the individual case which depends, in particular, on the circumstances of the case, and more particularly on the respective conduct of the authority and the person concerned. » 40 179. The Inspection Service sent letters containing questions to the defendant in June and October 2020. It subsequently carried out technical findings and asked Freedelity new questions in October 2021. It carried out new technical findings between December 2021 and February 2022. In April 2022, it sent its report to the Litigation Chamber. 180. The Litigation Chamber considers that an investigation that lasted approximately two years does not exceed the reasonable period since numerous investigative acts were carried out during these two years, which is the case here. Furthermore, in the present case, the Litigation Chamber does not note any period of inertia that would be close to two years. 181. For its part, the Litigation Chamber notified the defendant of its intention to deal with the case on the merits in July 2022, three months after it was referred to it. The period between this decision to deal with the case on the merits and the adoption of the present decision was marked successively by requests for the production of documents, by a 41 40Judgment of the Council of State, 13 September 2022, no. 254.469, p. 16. 41See exhibit 94 of the file Decision on the merits 146/2024 – 32/67 request to the CADA, by an application for recusal followed by proceedings before the Court of Procurement and a summons for interim relief, by requests for postponement of the hearing, and by multiple requests for a stay of proceedings, in particular pending the publication of a judgment of the Court of Justice of the European Union, requests which were all made by the defendant. In view of these very numerous procedures which led to several postponements of the hearing, it cannot be reasonably argued that the case was the subject of an abnormally long period of inertia or that the Litigation Division was able to adopt a decision more quickly. 182. As regards the right to a time limit for the defence, the Market Court ruled in a judgment of 12 June 2019 that "The establishment of a timetable for submissions where each party has approximately one month and where the defendant is granted the final deadline is consistent with the rules on the rights of the defence." (free translation) 44 183. The Litigation Chamber notes that during the investigation by the Inspection Service, the defendant always had a response period of at least 30 calendar days and a maximum of 45 days, which is consistent with the case law of the Market Court. The Litigation Chamber cannot therefore conclude that there was a violation of the right to a time limit for the defence at the investigation stage. 184. As regards the time limits granted to the defendant during the proceedings on the merits, the Litigation Chamber recalls that these are identical in all the cases it deals with on the merits and that they are extended by two weeks during the months of July and August. The defendant therefore had a period of 8 weeks, which is identical to that which would have been granted to any other defendant in proceedings based on an investigation report. This period was subsequently extended by three weeks at the request of the defendant. It was again extended by two weeks at its request, bringing the total to 13 weeks. 185. When additional documents were provided to the defendant following its requests, it was given a period of two weeks 45 to adapt its conclusions (period extended by one week at its request). The defendant cannot therefore reasonably maintain that the time limits granted to it by the Litigation Chamber, and which were 42 See Exhibit 94 of the case file 43 See in particular Exhibits 87 and 136 of the case file, and the following pages of the defendant's additional submissions: (i) page 163, "The Litigation Chamber must stay its decision on this point pending the outcome of case C154/21 pending before the Court of Justice",. 44 Judgment of the Market Court, of June 12, 2019, No. 2019/AR/741, available at the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-12-juin-2019-de-la-cour-des-marches-available-en- Dutch.pdfP.11.Original version:“Hetopstellenvaneenconclusiekalenderwaarbijelkepartijoverongeveeréénmaand beschiktenwaarbijdeverwerendepartijdelaatstetermijnverkrijgtisconformaanderegelsvanderechtenvanverdediging”. 45The Litigation Chamber notes in this regard that when the Interim Relief Chamber of the Court of First Instance of Brussels ordered the APD to provide additional documents to the defendant, it also considered that a period of 15 days was sufficient for the defendant to be able to conclude on the documents (a period which was granted to the defendant by the APD). Decision on the merits 146/2024 – 33/67 extended by his act on multiple occasions, did not allow him to have a useful period to prepare his defense. 186. The Contentious Chamber in concludes that there has been no exceeding of the reasonable time limit in this case, nor any failure concerning the right to a useful time limit. II.4.3. The principle of adversarial proceedings 187. The defendant considers that by repeatedly and constantly refusing to provide certain documents that it requested, the APD has violated the principle of adversarial proceedings and the rights of the defence. The defendant considers that the APD has repeatedly refused to provide decisive elements in the file and in its defence. 188. The The Contentious Chamber reminds that the LCA does not define the composition of the administrative file. This is composed of all the official decisions and documents related to a case (decisions of the SPL, investigation report of the SI, decisions of the CC, etc.). The Litigation Chamber forwarded the entire administrative file to Freedelity when the latter requested it to do so. 189. The defendant subsequently demanded the production of internal documents from the APD that are not traditionally present in an administrative file.The defendant's requests have varied on numerous occasions and have been made on varying grounds. 190. On 2 May 2023, the Litigation Chamber transmitted to Freedelity all the additional documents that it requested, to the extent that the APD had these. 191. On 18 July 2023, APD again sent Freedelity certain documents following the CADA's opinion, namely the agenda of the meeting of the Management Committee of the APD of 6 December 2019 as well as a more complete version of the minutes of the same meeting. 192. It was only on 22 December 2023, by a first summary summons, that Freedelity requested (from the Court) access wider than that previously requested and obtained. 193. The APD responded to this new request by sending Freedelity the most recent documents in the administrative file – these documents were all already known to Freedelity – since they were correspondence between Freedelity and the APD. 194. The APD again sent additional documents to Freedelity on its own initiative dated 12 January 2024, which it considered could be relevant in the 46The Litigation Chamber recalls in this regard that the opinions of the CADA are not not binding at all. See C.E., 15 November 2002, 111.522, Poncin. Decision on the merits 146/2024 – 34/67 framework of the criticism that Freedelity intended to formulate concerning the way in which the APD was seized of the case concerning it . 195. Then, in the context of the interim relief proceedings, Freedelity and the APD agreed that the APD would provide certain additional documents. 196. Finally, following the order of the Interim Relief Chamber, the APD provided additional documents, including preparatory documents, such as internal communications between APD employees. 197. It is clear from the chronological description above that the APD has, on several occasions and voluntarily, provided additional documents to the defendant. It also complied with the order of the Chamber of Interim Relief when it required it to provide certain additional documents. 198. The fact that a party to a case requests the production of additional documents to the case file administrative does not mean that the Litigation Chamber is obliged to follow it up without being able to contest the need for such production. 199. The fact that the APD contested, for certain documents, the need to produce them cannot result in a violation of the principle of adversarial proceedings and the right of defence. It is moreover right that the APD opposed the production of certain documents and since both the CADA and the Chamber of Interim Relief refused Freedelity access to certain documents .In addition, all the exhibits could have been the subject of an adversarial debate, in particular during the hearing. 200. As regards more specifically the decision to lift the request of the former president of the APD, the Litigation Chamber refers to the developments above (see paragraphs 130-133 and section II.4.1.3).201. Furthermore, the Litigation Chamber notes that the defendant was ultimately able to obtain all the documents necessary for its defence, since it was able to exhaustively formulate the grievances it wished to make concerning the legality of the procedure. 202 . The Litigation Chamber cannot find a violation of the principles of adversarial proceedings and the right of defense in this case. II.4.4. Violations of the principles of good administration 203. The defendant considers that the duty of "fair play", the duty of " solicitude" and the duty of motivation were not respected by the APD, without further details concerning these complaints. 204. The Litigation Chamber notes that the defendant does not explain what it means by "duty to do- play" and "solicitude", does not cite its sources, and does not justify in why the duty of motivation was not respected by the APD. Decision on the merits 146/2024 – 35/67 205. With regard to the duties of “fair play” and “care”, the defendant’s complaints are formulated as follows: “The Authority is seriously failing in its duty of fair play and care, which constitute principles of good administration in their own right." The Litigation Chamber can only note the absence of factual arguments which should corroborate the lack of respect for such duties. 206. The Litigation Chamber cannot therefore respond to these arguments, and refers, as far as necessary, to its considerations concerning the principle of adversarial proceedings and access to files above (see section II.4.3). 207. The Litigation Chamber considers that the principles of good administration have been respected. II. 5. On the merits II.5.1. On the processing operations in question, the responsibility for the processing operations and the legal bases 1. On the processing operations in question 208. Article 4, 2) of the GDPR defines processing as “any operation or set of operations whether or not performed using automated processes and applied to personal data or sets of data, such as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, 'use, communication by transmission, diffusion or any other form of making available, the approximation or interconnection, limitation, erasure or destruction'. 209. In this case, the Litigation Chamber notes, on the basis of the information provided by Freedelity to the Inspection Service, that the following data processing operations are implemented: 47 210. Firstly, the collection of personal data: a) directly provided by customers through the reading of the eID card. The reading of the eID card can be carried out, in particular via eID readers, via a terminal installed at Freedelity customers' premises, or via any other type of terminal. For people who do not have a Belgian eID card or who do not want to make use of, the same data may be entered manually into the screen of a terminal or via the partner's website by the person concerned or the staff of Freedelity's customers, based on the information provided by the person concerned. 47See page 24 of the additional submissions Decision on the merits 146/2024 – 36/67 b) by Freedelity: - via its MyFreedelity platform or application, including cookies embedded in emails and other digital interfaces, or - by recording the data communicated by the person concerned as part of their voluntary registration in the Freedelity file. 48 211. In its responses to the questions from the Inspection Service, Freedelity indicates that the 49 data collected is largely collected through Freedelity terminals , in a less significant portion, the data is collected through a seller authorized by the Freedelity customer, and very rarely, the data is collected through the filling of an online form. 50 212. Secondly, the pooling of personal data consists of sharing and automatically updating the information of a common consumer between several brands that have subscribed to the Custocentrix service, with which he has a relationship, while guaranteeing that those who already have his data can access these updates if the consumer's personal data has changed. To understand this processing, it is essential to remember that most of the electronic data contained in the identity card are updated in the event of a change. Thus, as the defendant recalls in its submissions, if a brand A has more recent information on a consumer in common with a brand B, then pooling allows for the transfer of this up-to-date data to brand B. Only companies that already have a commercial relationship with the consumer (i.e. they have, prior to granting the card, this consumer in their database) can access the updated data via this pooling. 213. The Litigation Chamber considers that the collection and pooling processes are inextricably linked, insofar as the purpose of collecting data from the electronic identity card is to allow the Freedelity file to be populated, which is presented as a precise and constantly updated database. Indeed, 52 as Freedelity points out, "Saving in the Freedelity file does not entail any particular purposes other than those related to the management of the Freedelity file. It is one and the same processing. These data flows reach us through 48See page 11 of the responses provided by Freedelity to the Inspection Service on 29 October 2020. 49 Freedelity only collects information contained in the eID card through the terminals and readers distributed through it (see page 14 of the responses provided by Freedelity to the Inspection Service on 29 October 2020) 50See page 14 of the defendant’s additional submissions 51For example, Belgian citizens have eight days to declare their new address to the population service of the municipality into which they are moving. This new address is recorded by the municipality in their electronic identity card, even if this data does not appear on the official (physical) document. 52 See page 3 of the responses provided by Freedelity to the Inspection Service on 29 October 2020. Decision on the merits 146/2024 – 37/67 different methods of data collection and consents as described above”. These will be examined jointly in the following sections. 214. The Litigation Chamber notes that the defendant does not contest implementing the processing described in the preceding paragraphs. 2. On the responsibility for processing 215. A controller is defined as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing" (Article 4.7 of the GDPR) (emphasis added). This is an autonomous concept specific to data protection regulation, which must be assessed according to the criteria it establishes: determining the "purposes" and "means" of processing involves deciding the "why" (the reason or objective of the processing) and the "how" (the way in which this objective will be achieved). 216. In some cases, responsibility is considered joint. For there to be joint responsibility for data processing, it is necessary that two or more entities participate together in determining the purposes and means of processing. This participation may be manifested by a joint decision or by convergent decisions that complement each other and are essential to the performance of the processing. A key criterion is that the processing could not be carried out without the contribution of each party, which means that the processing operations are inseparable and inextricably linked. 217. The Litigation Chamber recalls that in the event of joint responsibility, Article 26 of the GDPR requires joint controllers to ensure, by means of a contract, that they mutually comply with the GDPR. 218. According to the EDPB Guidelines on the concepts of controller and processor, “Joint participation may take the form of a joint decision taken by two or more entities or result from converging decisions adopted by two or more entities, where the decisions complement each other and are necessary for the processing to be carried out in such a way that they have a concrete effect on determining the purposes and means of the processing. An important criterion is that the processing would not be possible without the participation of both parties in the sense that the processing by each party is inseparable from that of the other, i.e. inextricably linked. 53EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR (v. 2), adopted on 7 July 2021, (hereinafter “Guidelines 07/2020”), section 35. 54 EDPB, Guidelines 07/2020, page 3. 55EDPB, Guidelines 07/2020, page 3. Decision on the merits 146/2024 – 38/67 Joint participation must encompass, on the one hand, the determination of the purposes and, on the other, the determination of the means” (emphasis added). 219. The Litigation Chamber will successively analyse situations of joint participation in the context of the determination of the purposes (a) and the determination of the means (b). a) Determination of the purposes 220. First, the Litigation Chamber notes that the purpose of the collection and pooling of personal data is to feed the pooled Freedelity file to enable unique and up-to-date identification of consumers. 221. Freedelity considers that it exclusively controls this purpose, with the brands only intervening in the collection methods and without making a decision regarding the final objectives of the processing. In this sense, Freedelity considers that joint liability does not apply. 222. Contrary to what the defendant maintains, the Litigation Chamber considers that this purpose is common to Freedelity and the brands. Indeed, this purpose is necessary to enable Freedelity to enrich its database to attract brands interested in reliable and up-to-date identification of their consumers. It is also essential for brands wishing to avoid any confusion between their consumers and thus prevent the accumulation of obsolete data. 223. The fact that these treatments occur one after the other has no impact on the qualification of joint controller. According to the CJEU, "the existence of joint responsibility does not necessarily translate into equivalent responsibility of the different operators concerned by the processing of personal data. On the contrary, these operators may be involved at different stages of this processing and to different degrees, such that the level of responsibility of each of them must be assessed taking into account all the relevant circumstances of the individual case." 6 224. In order to remove any ambiguity, the Litigation Chamber specifies that this decision does not concern the processing purposes specific to the brands (such as registration for consumer loyalty programs, sending digital invoices, etc.), for which Freedelity does not have joint responsibility. It is important not to confuse these purposes specific to the brands with the common purpose in question, which is the collection and pooling of data to update the Freedelity file. Confusing these different purposes, as the defendant does, 56Judgment of the CJEU of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C 210/16, EU:C:2018:388, paragraph 43. Decision on the merits 146/2024 – 39/67 leads to an incorrect characterisation of the roles of the parties. Furthermore, the Contentious Chamber also does not dispute that when a brand ceases its collaboration with Freedelity, Freedelity remains the sole data controller for future processing, even if the data was initially collected by the brand that terminated its contract with Freedelity. (b) Determination of the means 225. Secondly, as regards the means, the Litigation Chamber recalls that according to the EDPB guidelines, “It may also be the case that one of the entities concerned provides the means of processing and makes them available for the personal data processing activities carried out by other entities. The entity that decides to use these means so that personal data can be processed for a particular purpose also participates in determining the means of processing. This scenario may occur in particular in the case of platforms, standardised tools or other infrastructures that allow the parties to process the same personal data and that have been created in a certain way by one of the parties for use by other parties, who may also decide how to create them”. 226. In this case, the means of processing are also defined jointly: the collection is carried out mainly by customers via devices provided by Freedelity and offered by the brands (particularly via the terminals). In terms of means, Freedelity centralises the data in a technical infrastructure that it has developed, but the pooling is itself made possible by the continuous contributions of customers, who regularly transfer identity data to make it possible to update the information. 227. In addition, Freedelity explains that the content of the terminal varies between the brands in order to take into account the multiple customer journeys and actions related to the collection of personal data as well as the expectations of its customers regarding the consideration of elements specific to them, in particular their identity and their graphic charters. Regarding manual forms, Freedelity explains that forms can vary from one client to another (i.e. the visual and text content). For some, it is even Freedelity that does the formatting work on behalf of the client. 228. Regarding this last point, the Inspection Service requested further clarification. Freedelity responded that: “The process is similar to that of the 57EDPB, Guidelines 07/2020, sections 64 and 65. 58 See page 8 of Freedelity’s responses to the questions posed by the Inspection Service on 29 October 2020. 59 See page 9 of Freedelity’s responses to the questions posed by the Inspection Service on 29 October 2020. Decision on the merits 146/2024 – 40/67 design of the forms used in the Kiosks when the implementation of the form is entrusted to us. We do not reinvent the wheel for each customer, which explains why the underlying logic remains similar.”60 229. In a document intended for retailers, although after excluding joint liability, Freedelity reveals a non-exhaustive list of cases where collaboration is evident must take place between Freedelity and the brands, which reinforces the analysis of the 61 Litigation Chamber that this is a case of joint liability. This non-exhaustive list refers, among other things, to: - the validation of forms and processes for collecting personal data via terminals, cash register systems or other digital interfaces, - the production and delivery of leaflets intended to inform consumers, - informing consumers when collecting their consent to the processing of their data by providing oral explanations supported by the delivery of the explanatory information leaflet, - the provision of alternative solutions to reading the identity card in order to benefit from the advantages or the loyalty program. - explicit mention of the use of Freedelity's services in the terms and privacy policy, - validation of the robustness of the processing of data flows between customers' applications and CustoCentrix, - mandatory and immediate coordination in the event of a personal data leak, - coordination in response to requests for deletion of their data by certain consumers, - the implementation of IT systems ensuring the required IT security. 230. In conclusion, if the collection is mainly the responsibility of the brands, while the pooling is carried out by Freedelity, these operations are inseparable and inextricably linked, since the second could not happen without the first. In other words, pooling by Freedelity is only possible through the collaboration of the brands in the process of collecting identity data. 60See page 15 of the responses provided by Freedelity to the additional questions posed by the Inspection Service on 29 October 2021 61“White Paper” by Freedelity, 2020 edition. Decision on the merits 146/2024 – 41/67 231. This technical infrastructure, configured by Freedelity but integrated mainly in the customers’ environment, shows a convergence of the means of processing and the purposes implemented to carry it out. The Litigation Chamber considers, like the Inspection Service, that this is a case of joint liability. 232. Freedelity is joint data controller with its customers for the collection and pooling of identity data. 3. On the legal bases of processing 233. Article 5.1.a of the GDPR requires that data be processed lawfully, fairly and transparently, which requires in particular securing a legal basis to implement the data processing. 234. Under Article 6.1 of the GDPR, several legal bases may be invoked by the data controller, including consent: "processing is lawful only if, and to the extent that, at least one of the following conditions is met: 235. a) the data subject has consented to the processing of his or her personal data for one or more specific purposes; 236. […]". 237. The collection and sharing of personal data must take place in accordance with applicable law, in particular Article 6, §4 of the 1991 law 62 and the GDPR. This article of the 1991 law requires the prior obtaining of "free, specific and informed" consent for the electronic reading of data appearing on the identity card. The CPVP (predecessor of the APD) issued a recommendation on 25 May 2011 63 in which it recommended: "The prior obtaining of the free, specific and informed consent of the customer to proceed with the electronic reading of his identity card as part of a loyalty system. An alternative to the use of his identity card must also be offered to him" (emphasis added). 238. These criteria directly echo the criteria for valid consent within the meaning of the GDPR 64 and must meet the conditions for consent of Article 6.1.a) of the GDPR, provided for in Article 4.11) of the GDPR, and explained in the EDPB Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679. 62 Law of 19 July 1991 on population registers, identity cards, foreigners' cards and residence documents, available at the following link: https://www.ejustice.just.fgov.be/img l/pdf/1991/07/19/1991000380 F.pdf 63 CPVP, recommendation No. 03/2011 of 25 May 2011, on taking copies of identity cards, as well as their use and electronic reading, the link to which is available opposite: https://www.dataprotectionauthority.be/publications/recommandation-n-03-2011.pdf (page 7) 64 Under Article 4.11) of the GDPR, consent is defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she accepts, by a declaration or by a clear affirmative act, that personal data concerning him/her are processed" (emphasis added). Decision on the merits 146/2024 – 42/67 239. These criteria ensure that each individual retains full control over the use of his/her personal data, particularly when it comes to reading his/her electronic identity card, for which the Belgian legislator has provided a specific regime. In France, the National Commission for Information Technology and Civil Liberties has even considered that an electronic identity card contains information that can be considered as "highly personal data". 65 240. Consent ensures that this control is exercised with full knowledge of the facts, thus allowing the person concerned to decide freely whether or not he/she accepts that his/her data is used in this specific context. This choice must be made freely and specifically, i.e. relate to a clearly defined purpose. In addition, the obligation to offer an alternative to the use of the eID card is essential to ensure that the use of this card remains an option, and not an obligation. 241. In this sense, Article 6§4 of the 1991 law protects citizens by ensuring that the processing of their identity data takes place in a transparent framework, respectful of their privacy, and in accordance with the fundamental principles set out by the GDPR. The use of consent, as provided for in Article 6.1.a of the GDPR, is therefore the appropriate legal basis for the processing of personal data collection and pooling. 242. In conclusion, the collection and sharing of personal data must be based on the consent of the persons concerned, namely the consumers of the brands, in accordance with Article 6.1.a of the GDPR. II.5.2. Finding 1: On the validity of consent (5.1.a., 6.1.a, 7 and 5.2. of the GDPR): 243. As a preliminary, some consent mechanisms implemented by Freedelity and certain brands will be recalled. The brands whose processing has been examined offer an alternative to data collection by identity card, i.e. by 66 filling out a manual form. This obligation is provided for by the 1991 law and is applied – for example – as follows: a) On the Freedelity website, to create a profile, the person concerned must enter their identity card number and activate the toggle “I consent to registering with Freedelity and agree to its privacy policy” (associated with a link). b) At Enseigne A, a terminal associated with a home screen offers the consumer to enter their identity card to give their consent, 65See the doctrine of the French data protection authority (the Commission Nationale de l’Informatique et des Libertés), which considers that the NIR [personal registration number] is “highly personal data”: https://www.cnil.fr/fr/tout-savoir-sur-le-decret-cadre-nir-dans-le-champ-de-la-sante 66Article 6§4 of the Law of 19 July 1991 relating to population registers, identity cards, foreigners’ cards and residence documents, available at the following link: https://www.ejustice.just.fgov.be/img l/pdf/1991/07/19/1991000380 F.pdf Decision on the merits 146/2024 – 43/67 which must be deemed to have been obtained, according to the defendant, when the person inserts his card into the card reader and continues to browse the pages of the terminal: “By using your identity card, you agree that Enseigne A and Freedelity use the identity data to inform you of actions that correspond to your profile and interests and to update the databases of Freedelity’s commercial partners. Find out more”. By clicking on "Learn more", a page opens on which EnseigneA presents three distinct purposes for which this consent is obtained: (i) To update the information of the persons concerned in the databases of Enseigne A and other Freedelity partners, (ii) To allow Enseigne A to carry out its marketing actions based on the registration of the telephone number and email address, (iii) To allow Enseigne A to send a digital proof of guarantee (proof of purchase) in replacement of the receipt. c) At Enseigne B, two consent mechanisms are offered through the terminals: 1) “I agree that Enseigne B uses my data to inform me of future actions based on my interests”, and 2) “I agree that Freedelity, Enseigne B’s partner designated to manage my loyalty card, manages my data in this context, informs me of actions based on my interests and updates the databases of Freedelity’s partners”. However, on the Enseigne B website, three consent mechanisms are present: 1) “I consent to registering with Enseigne B and agreeing to its privacy policy [link]”, 2) “I consent to registering with Freedelity and agreeing to its privacy policy [link]”, 3) “I consent to receiving offers by SMS and email from Enseigne B”. d) On the Enseigne C website, three consent mechanisms are offered during manual registration: 1) “I accept the registration, the general terms and conditions [link] and privacy policy [link] of Freedelity”, 2) “I accept the registration and the general terms and conditions of Enseigne C [link]”, 3) “I agree to receive offers by SMS and email from Enseigne C”. 244. The defendant maintains that the various consent-obtaining mechanisms set up by the brands for the collection and sharing of personal data are all compliant with the GDPR. With regard to its three aforementioned partners, it successively analyses the characteristics of consent in an attempt to demonstrate that they meet the requirements of Article 4.11 of the GDPR. While it is not possible to present the defendant’s arguments in detail in this section, which extends over Decision on the merits 146/2024 – 44/67 50 pages of conclusions, the Litigation Chamber will respond to the defendant’s arguments in its analysis below. 245. The Litigation Chamber refers to its previous paragraphs concerning the need to obtain a legal basis for processing within the meaning of Article 5.1.a of the GDPR (see paragraph 233), and consent as a possible legal basis within the meaning of Article 6.1.a of the GDPR (see paragraph 234234). 246. It recalls that under Article 4.11) of the GDPR, consent is defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject signifies agreement, by a statement or by a clear affirmative action, to the processing of personal data relating to him or her". 247. Article 7.1 of the GDPR relating to the conditions applicable to consent provides that: "where processing is based on consent, the controller shall be able to demonstrate that the data subject has given his or her consent to the processing of personal data relating to him or her". In addition, the controller shall be able to demonstrate that valid consent has been given (Article 5.2 of the GDPR). 248. It emerges from the Inspection Service's investigation and the observations sent by Freedelity that the brands are contractually designated as separate data controllers. The clauses of the contract subject them to general obligations of cooperation with Freedelity, to collect valid consent and provide information to the persons concerned. The Litigation Chamber recalls that it is not bound by a qualification of the role of the parties as it results from the agreements concluded between them. 249. The Litigation Chamber notes that the different mechanisms presented in paragraph 243243 are significantly different, and each fails in its own way, to meet the essential criteria of consent. The defendant uses as a general argument that the EDPB guidelines on consent, used to support the analysis made by the Inspection Service, are not enforceable against Freedelity because they were adopted after the investigation. This argument is irrelevant, since these guidelines essentially take up the achievements of the guidelines on consent adopted in 2017 by the Article 29 Working Party ("WP29") 68: A) Free nature of consent: For consent to be considered free within the meaning of Article 4.11 of the GDPR, the data subject must be able to consent 67 EDPB, Guidelines 07/2020, section 191 68G29, Guidelines on Consent under Regulation 2016/679, adopted on 28 November 2017, and available on the following link: https://ec.europa.eu/newsroom/article29/items/623051/en. Decision on the merits 146/2024 – 45/67 freely, i.e. without being subject to pressure or negative consequences if they refuse the processing of their personal data. Consent must be given without the obligation to adhere to other conditions, and the data subject must be able to withdraw their consent without suffering any harm. In addition, the eID cardholder may refuse to have their data read and/or recorded in the context of loyalty, which means that they must be able to benefit from the possibility of subscribing to a loyalty program outside of any eID card reading. In the situations presented, several elements show that consent is not free: - At Enseigne C, the services offered require acceptance of the Freedelity general conditions as consent within the meaning of Article 6.1.a of the GDPR. The fact that the data subject must accept the general terms and conditions of Freedelity in order to benefit from the commercial advantages offered by Enseigne C demonstrates a lack of freedom offered to the data subjects. Such consent, which combines both (i) the acceptance of the general terms and conditions of Freedelity and (ii) the obtaining of consent (Article 6.1.a of the GDPR) necessary for the processing of the collection and sharing of personal data, is to the detriment of the data subject and is not free by nature. 71 - It is incorrect for the defendant to assert that when consent is requested separately for the processing of data by (i) a brand and (ii) by Freedelity, this circumstance makes the consent free. Indeed, assuming that all the other conditions of consent are met, it is up to the defendant to demonstrate that consent to processing operations by Freedelity is completely optional, such that, by setting up separate consent mechanisms, the data subject does not need to consent to the pooling service offered by Freedelity and its partners in order to benefit from the commercial advantages offered by the brand. - Thus, in all cases where the persons concerned are forced to consent to the processing of their personal data by Freedelity (in particular the pooling), in order to obtain the desired commercial advantages, this consent is vitiated because it is not free (see in particular the example of Enseigne A). Indeed, consent can only be free if the person has the choice to accept or refuse 69EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 (v1.1), adopted on 4 May 2020, (hereinafter, "Guidelines 5/2020"), section 13 et seq., and available at the following link: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent fr.pdf 70Article 6§4 of the Law of 19 July 1991 on population registers, identity cards, foreigners' cards and residence documents, available at the following link : https://www.ejustice.just.fgov.be/img_l/pdf/1991/07/19/1991000380_F.pdf 71EDPB, Guidelines 5/2020, section 13 et seq. Decision on the merits 146/2024 – 46/67 the pooling of his personal data, envisaged as a service that would benefit him distinctly from the commercial advantages offered by the brand in question. B) Specific nature of consent: To be considered specific within the meaning of Article 4.11 of the GDPR, consent must relate to precise and distinct purposes. Each purpose must be clearly separated from the others in order to avoid any use of the data collected that has not been previously and clearly announced to the person concerned. In all the cases presented, the consent is not specific: - On the Freedelity website, the request for consent related to the creation of a profile includes the obligation to provide one's identity card number and to accept the privacy charter. Contrary to the defendant's allegations, the presence of a link to the privacy charter containing more information on the processing does not make the consent specific. Indeed, the Litigation Chamber notes that the request is global, not distinguishing between consents (i) to the creation of an account, and (ii) to the subsequent use of the data in order to feed the shared Freedelity file using data collected by other partners. The absence of specification of each purpose prevents the data subject from understanding and consenting separately to the different uses of their personal data. - At Enseigne A, the terminal does not allow specific consent: by inserting their identity card, the person concerned generally accepts the use of their data for three separate purposes (updating Freedelity’s databases, marketing actions, and sending proof of digital guarantee). However, each purpose should be presented as requiring a separate request for consent to ensure control of the user’s data, which is not the case in this instance. The Litigation Chamber disputes the defendant’s claims that the EDPB’s guidelines on consent do not prohibit several purposes from being linked. The Litigation Chamber refers to the version of these guidelines adopted in 2017 by the G29.73 - Retailer B and Retailer C offer different consent mechanisms through a system of terminals (Retailer B only) and their websites, but the structure of these options creates confusion. In Retailer B, consent to Freedelity's processing operations groups together several distinct purposes. On 72 EDPB, Guidelines 5/2020, section 55 et seq. 73 See Guidelines 5/2020, section 58: "Without prejudice to the provisions relating to the compatibility of purposes, consent must be specific to the purpose". "If a data controller processes data based on consent and wishes to process the data for another purpose, it must seek additional consent for that other purpose unless another legal basis better reflects the situation", which on this point echoes a well-established position since the publication of the 2017 G29 guidelines on consent also cited above (see page 12). Decision on the merits 146/2024 – 47/67 the websites of these brands, the consents are not specifically linked to clear and distinct purposes. For example, it is not specified whether the data collected are used only by Brand B or whether they will be shared in the Freedelity file, accessible by other partners. Specific consent would have required separating the purposes related to Enseigne B and those common to Enseigne B and Freedelity, to obtain the explicit consent of the data subject for their personal data to be shared and updated in the Freedelity file, using the contributions of Freedelity’s partners. 250. C) Informed nature of consent: The GDPR requires that consent be informed, i.e. allowing data subjects to understand precisely what 74 they are consenting to. In addition, the minimum requirements for informed consent are 75 included in the guidelines on consent and include in particular (i) the identity of the data controller, (ii) the purpose of each of the processing operations for which consent is requested, (iii) the (types of) data collected and used, (iv) the existence of the right to withdraw consent (etc.). Regarding points (i) and (iii), the EDPB points out that if the consent requested must serve as a basis for several (joint) controllers or if the data must be transferred to, or processed by, other controllers who wish to rely on the original consent, these organisations should all be named. 251. The 1991 law also requires that “informed” consent be provided in the event of electronic reading of the information on the identity card. In the situations described, the consent cannot be described as informed: - On the websites of Freedelity, Enseigne B, and Enseigne C, the concept of mutualisation, requiring the sharing of data with Freedelity’s partners, is not explained at all to the data subject when obtaining their consent. This information is nevertheless essential for the persons concerned to understand the processing that will be done of their personal data, making the consent uninformed. The fact that the categories of recipients are included in Freedelity's privacy policy is not sufficient to make the consent informed, as the defendant maintains, since this separate obligation is governed by the transparency obligations of Articles 13 and 14 of the GDPR. - On the terminals of Enseigne A and Enseigne B, if the concept of mutualisation is referred to in a more or less direct manner, the recipients of the personal data are not mentioned. 74 EDPB, Guidelines 5/2020, section 62 et seq. 75 EDPB, Guidelines 5/2020 , sections 64 and 65 76 Article 6§4 of the Law of 19 July 1991 on population registers, identity cards, foreigners' cards and residence documents, available at the following link: https://www.ejustice.just.fgov.be/img l/pdf/1991/07/19/1991000380 F.pdf Decision on the merits 146/2024 – 48/67 However, since each recipient of the data acts as a (joint) data controller with Freedelity, and therefore as a potential recipient of the data collected by the other joint controllers of Freedelity, it is essential to inform the person by announcing the identity of the recipients of this data. It was therefore appropriate to name them individually, without which the consent could not be considered informed, and therefore valid. The Guidelines on consent, both in their previous version 77 and in their current version, specifically mention this point. This omission, in violation of the GDPR, is aggravated by the circumstances of the processing, which require the electronic collection of particularly sensitive identity data, and their subsequent automated exchange between data controllers in the event of an update of the latter. D) Unambiguous nature of consent: For consent to be considered unambiguous, it must result from a clear positive act by the data subject. This requirement excludes any ambiguity: the action by which the person concerned consents must be clearly distinguished from other possible actions, in particular the simple continuation of navigation.The Litigation Chamber notes that the consent cannot be described as unambiguous for the following reasons: - In the case of Enseigne A, the defendant considers that the person who inserts his identity card into a reader and clicks on a green button to continue browsing, gives unambiguous consent. Contrary to what the defendant maintains, the simple fact of navigating from page to page on a terminal by pressing a green button to continue does not amount to a clear expression of consent. For the Litigation Chamber, the simple click on the green button to navigate from page to page does not meet the requirements of valid consent, in accordance with Article 4.11) of the GDPR. 80 - Indeed, successive navigation from one page to another can just as well indicate an exploration of options or an acknowledgement of information, rather than an approval of a specific data processing. The fact of moving from page to page, even with a return option (via a red button), remains ambiguous and can mean several things: exploration, search for more information, or simple navigation, without it being possible to unequivocally deduce the intention to consent. Thus, for consent to be unequivocal, the terminal should include a mechanism 77G29, Guidelines on Consent under Regulation 2016/679, adopted on 28 November 2017: “With regard to item (i) and (iii), WP29 notes that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named” (page 13). 78 EDPB, Guidelines 5/2020, section 65 79EDPB, Guidelines 5/2020, section 75 et seq. 80See also, EDPB, Guidelines 5/2020. Decision on the merits 146/2024 – 49/67 explicit request for consent, such as a specific and dedicated button, formulated in such a way that the data subject understands unequivocally that by clicking, he or she is giving his or her consent to the processing of his or her personal data. 252. The Litigation Chamber wishes to clarify that the examples mentioned above are limited to three specific cases detailed by Freedelity, in which consent, although not valid, was actually obtained. It notes, however, that Freedelity does not provide proof of the very existence of any collection of consent by Freedelity's other partner brands. 253. In conclusion, the Litigation Chamber argues that the mechanisms put in place by the brands to ensure compliance with Articles 5.1.a and 6.1.a of the GDPR do not allow valid consent to be considered to have been obtained, in violation of Articles 5.2 and 7 of the GDPR. II.5.3. Finding 2: Measures put in place to facilitate the right to withdraw consent at any time (Arts. 7.3, 5.2, 24 and 25 of the GDPR) 254. According to the defendant, data subjects who wish to withdraw their consent to the processing of their data by Freedelity can do so by going to the “My profile” tab of the MyFreedelity portal and disabling the “Validation and updating of my data with Freedelity customers” toggle. Concerning Brand A, Freedelity indicates that the possibility for the person concerned to return to the previous page by clicking on a red button associated with a cross constitutes a right to withdraw consent. It considers that for certain brands: "The fact that the person concerned has the possibility of simply not confirming their account is an additional way made available to them by Freedelity to withdraw their consent to the processing of their data". 255. It also explains that the person concerned can always send their withdrawal request by email or by post, or make their request to the seller of the brand. In this sense, Freedelity considers that it allows the persons concerned to withdraw their consent at any time. Furthermore, and notwithstanding these measures which it considers satisfactory, Freedelity admits that it is in the process of changing the terminal screens in order to provide the possibility for the person concerned to delete their accounts directly via the terminal. 256. The Litigation Chamber recalls that Article 7.3 of the GDPR provides that: "The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not compromise the lawfulness of processing based on consent 81As of 12 November 2020, there were 5 customers who used terminals (page 8 of the responses provided by the defendant to the questions from the inspection service asked on 29 October 2020). Decision on the merits 146/2024 – 50/67 made before this withdrawal. The data subject is informed of this before giving his/her consent. It is as easy to withdraw as it is to give your consent. Articles 24.1 and 5.2 of the GDPR impose accountability obligations on the data controller, requiring it to be able to demonstrate that the processing is carried out in accordance with the GDPR. 257. Article 25.1 of the GDPR requires the data controller to apply data protection measures by design and by default, depending in particular on the nature, scope and risks of the processing for the rights and freedoms of the data subjects. It requires the implementation of technical and organisational measures to ensure compliance with the GDPR. 258. In this case, Freedelity is criticised for not having implemented sufficiently simple and direct means to allow the withdrawal of consent. Although options exist via the MyFreedelity portal and in-store terminals, these methods do not meet the simplicity requirement of Article 7.3 of the GDPR, according to which withdrawing consent must be as simple as giving it. Indeed, the need for data subjects to navigate through various tabs or interfaces, as well as the absence of an explicit and immediate withdrawal option, may discourage consumers from withdrawing their consent. 259. The principle of data protection by design and by default, as set out in Article 25 of the GDPR, requires the data controller to implement adequate technical and organizational measures to ensure the protection of personal data, in particular with regard to the rights of data subjects. This principle of protection by default should have led Freedelity to provide withdrawal mechanisms directly at the terminals themselves, even before the processing is set up. Having to revise the interfaces of the terminals to facilitate the withdrawal of consent demonstrates a lack of anticipation regarding the requirements of data protection by default, which should have guided the initial design of the device. 260. Freedelity has implemented a system where the right of withdrawal, as currently proposed, does not fully meet the requirements of simplicity and accessibility established by the GDPR. In accordance with the Guidelines on Consent, a consent mechanism cannot be considered compliant with the GDPR if the conditions of the right of withdrawal are not effectively respected. The fact that data subjects must go through separate steps or interfaces to withdraw their consent, instead of a withdrawal functionality directly integrated into the terminals, does not meet the conditions for withdrawal of consent provided for in Article 7.3 of the GDPR. 82EDPB, Guidelines 5/2020, section 116 Decision on the merits 146/2024 – 51/67 261. In conclusion, the Litigation Chamber considers that Freedelity has not complied with the documentation and accountability requirements arising from Articles 24 and 5.2 of the GDPR regarding withdrawal of consent, as the current mechanisms do not allow for a simple and direct withdrawal of consent (Art. 7.3 of the GDPR), in accordance with the principle of data protection by design (Art. 25 of the GDPR). II.5.4. Finding 3: Measures put in place to demonstrate that the consent collected complies with the GDPR (Arts. 5.2, 24 and 25 of the GDPR) 262. The defendant maintains that its standard contract requires brands to collect quality consent, combined with a clause providing that the brand will indemnify Freedelity in the event of a failure to obtain consent or the quality of the consent. It also states that its consent register includes important information, such as the date of consent or the consent log and the source of the consent. 263. The Litigation Chamber recalls that Article 5.2 enshrines the principle of accountability and requires that the data controller be able to demonstrate compliance with the principles of the GDPR in its data processing. Article 24 supplements this obligation by requiring data controllers to implement technical and organizational measures adapted to the nature, scope, context, purposes of the processing as well as the risks to the rights of the data subjects, with an obligation of continuous review to ensure compliance. Article 25.1, finally, enshrines the obligation of data protection by design and by default, implying the implementation of concrete measures that must be applied from the definition of the processing means. This finding is limited to examining the measures put in place to ensure the validity of the consent collected. 264. In this case, Freedelity, whose role as data controller is not contested, must respect these principles of accountability, by demonstrating that the consents collected comply with the requirements of the GDPR. Indeed, when processing is based on consent, the data controller must be able to demonstrate that the data subject has given consent to the processing of personal data concerning him or her (Article 7.1 of the GDPR). Recital 42 provides that: “Where processing is based on the data subject’s consent, the controller should be able to prove that the data subject has consented to the processing operation.” 265. Freedelity explains in its answers to the questions of the Inspection Service 83 that “The management of consent and its collection is tailored to each client. The IT aspect 83See page 12 of the responses provided by Freedelity to the questions asked by the inspection service on 29 October 2020. Decision on the merits 146/2024 – 52/67 of the management of this consent within the software is complex and is not documented in itself”. To the extent that this consent can be adapted to each customer, at least at the level of the Freedelity terminals, the Litigation Chamber questions the reasons why Freedelity has not secured quality consent for the collection and sharing of data at the terminals themselves. 266. In addition, the Litigation Chamber notes that the agreements concluded by Freedelity with the brands do not allow Freedelity to demonstrate the collection of valid and systematically GDPR-compliant consent for each person concerned. By limiting itself to requiring the implementation of "quality consent" on a case-by-case basis, Freedelity takes the risk that certain consent forms are non- compliant. 267. Without prejudging the compliance procedures that could have been considered to enable compliance, the Litigation Chamber notes that the following procedures seemed entirely feasible in this case to guarantee Freedelity's compliance with the requirements of the GDPR in view of the risks presented by the processing in question: - Freedelity could have established a precise model for collecting valid consent, relating to the collection and pooling of identification and contact data, integrated directly into the Freedelity terminals. - For brands wishing to implement the consent mechanisms themselves (for example via their websites), Freedelity could have established a precise model for collecting consent, described in its contracts with the brands. - As far as necessary, ask brands to provide proof that they have put in place valid consent once the implementation is complete and add to this obligation an audit clause allowing Freedelity to verify the compliance of the consent mechanism in a timely manner. 268. The Litigation Chamber insists on the fact that a data controller, even in a context of joint responsibility, cannot be exempted from this obligation to demonstrate the collection of valid consent. 269. The sole obligation to compensate Freedelity in the event of collection of invalid consent is not sufficient in itself to demonstrate the sufficiency of the measures implemented 84See in this sense the IAB decision of the Litigation Chamber of 2 February 2022, No. 21/2022, available from the following link: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-21-2022-en.pdf And the deliberation of the restricted formation of the CNIL, the French data protection authority, No. SAN-2023-009 of 15 June 2023 concerning the company CRITEO, available from the following link: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000047707063. This decision is currently the subject of an appeal before the French Council of State. Decision on the merits 146/2024 – 53/67 to ensure the collection of valid consent. Indeed, appropriate technical and organizational measures should have supplemented such contractual measures. In addition, the presence of a register that simply contains information on the presence of a consent mechanism is also insufficient, as it only allows one to note that consent has been obtained. Neither the quality of the consent nor its specific nature to Freedelity can be deduced from such a register. 270. In these circumstances, the Litigation Chamber considers that Freedelity has not implemented the necessary measures to enable it to demonstrate that the consent collected for the collection and pooling of data complies with the GDPR within the meaning of Articles 5.2, 24 and 25 of the GDPR. II.5.5. Finding 4: Principle of minimisation of personal data (Art. 5.1.c of the GDPR), and principle of data protection by default (Art. 25.1 of the GDPR) 271. The defendant maintains that given the large amount of personal data processed by Freedelity, a balance must be struck between the principle of minimisation (Art. 5.1.c of the GDPR) and the principle of accuracy (Art. 5.1.d of the GDPR). It points out that in order to carry out its missions, it must quickly limit the risk of confusion between individuals, avoid duplication, and identify potential fraud, hence the large volume of information collected. Finally, it maintains that the recording of changes of postal or electronic address in order to allow consumers to receive promotional offers, advertisements or any other information and new tenants or purchasers not to receive unwanted advertising. 272. The Litigation Chamber recalls that the principle of data minimisation, set out in Article 5.1.c of the GDPR, requires that the personal data collected be adequate, relevant and limited to what is strictly necessary in relation to the purposes for which they are processed. In other words, only data that is essential to achieve the objectives of the processing must be collected, thus avoiding any excessive collection of information that would not be directly useful or justified by the intended purposes. As stated above, Article 25.1 of the GDPR, enshrines the obligation of data protection by design and by default, implying the implementation of concrete measures that must be applied as soon as the processing means are defined. 273. The Inspection Service indicated that with regard to the processing carried out for the purposes of registration in the "Freedelity file" as well as for the pooling of data with Freedelity customers and partners, the following personal data would be processed in particular: Decision on the merits 146/2024 - 54/67 - Identification data, namely: "surname, first name(s), gender, place and date of birth, nationality, home address, identity card number, municipality of issue of the identity card, validity date of the identity card and history of this data"; and - Contact data: "your email address, telephone/mobile number and history of this data". 274. In addition, the 2011 recommendation of the CPVP states: "Certain commercial practices also lead the Commission to look into the use of the identity card as a loyalty card. (…) This choice must be offered to customers in a transparent and explicit manner as soon as a loyalty system is offered to them. In addition, the principle of proportionality of the privacy law requires that only the necessary data of the identity card can be read in this context. There can be no question of processing and storing for this purpose either the photo of the cardholder, nor the number of his identity card, his identification number in the National Register, his nationality, his place of birth" (emphasis added). The underlined data are nevertheless collected by Freedelity. ". Therefore, contrary to what the defendant claims, the CPVP has not only never approved this practice but has also limited in its opinion the modalities of lawful processing of identity card data. 275. A fortiori, data such as the municipality where the identity card was issued, the validity date of the identity card and the history of this data are of no relevance in the context of the processing carried out by Freedelity and the brands. This data is generally not included in the manual collection form set up by certain brands, which shows that it is not useful, and therefore a fortiori not necessary for the implementation of the processing. 276. As the Inspection Service rightly points out, only a few data items would have been necessary for Freedelity to fully comply with the GDPR’s principles of minimisation and accuracy when feeding the Freedelity file. The Litigation Chamber considers that the surname, first name and contact details (postal address, email or telephone) are sufficient to provide a sufficiently precise indication of the data subject in view of the purpose in question, which does not require irrefutable identification of the data subject’s identity. These data items could have been the only ones collected from the start of the processing, without the operation of the Freedelity file being affected. 85The identity card number is an identifier distinct from the national register registration number (NIR), which Freedelity assures that it does not collect. 86CPVP, recommendation No. 03/2011 of 25 May 2011, relating to the taking of copies of identity cards, as well as their use and electronic reading, the link to which is available opposite: https://www.dataprotectionauthority.be/publications/recommandation-n-03-2011.pdf. Decision on the merits 146/2024 – 55/67 277. The risk of having obsolete data in the Freedelity file does not justify the collection of around ten additional and optional information. Furthermore, the greater the number of personal data collected, the more difficult it is to comply with both the principle of accuracy and the principle of minimisation. The defendant’s arguments on this point cannot therefore convince. The Litigation Chamber is particularly concerned about the impact on the persons concerned in the event of a data breach, due to their quantity and precision. Indeed, the massive centralisation of data of a large part of the population and their data collected directly on their identity card poses a high risk to the privacy of millions of consumers. 278. For these reasons, the Litigation Chamber considers that Freedelity has failed to comply with the principle of minimisation of personal data (art. 5.1.c of the GDPR), and with the principle of data protection by default (art. 25.1 of the GDPR). II.5.6. Finding 5: Principle of limitation of the retention of personal data (art. 5.1.e, 5.2, 24 and 25.1 of the GDPR) 279. The defendant claims that the retention of data for a period of 8 years in the context of the management of the Freedelity file is appropriate. The starting point of this retention period is calculated, according to the defendant, from the last "activity" of the person concerned (e.g.: checkout). 280. It maintains that the data retention period of 8 years is justified first of all by the specific purpose of the Freedelity file, which requires regular updating and immediate accessibility of the data. Then, it underlines the legitimate economic interest of retaining the data for a sufficient period to allow optimal operation of its service. This retention period is also justified by accounting and tax considerations, both for customers and for the company itself. It highlights the fact that the legal guarantee of consumer goods of 2 years, 87 which can be extended by traders, requires a longer data retention period than the strict 2-year period proposed by the Inspection Service. 281. The Litigation Chamber recalls that within the meaning of Article 5.1.e of the GDPR, data must be retained in a manner that guarantees that they are not kept in a form that allows the identification of individuals for longer than is necessary for the purposes for which they are processed. The data controller is responsible for compliance with this principle and must be able to demonstrate that it is 87Article 1649quater of the Civil Code Decision on the merits 146/2024 – 56/67 complied with (Arts. 5.2 and 24 of the GDPR). The Litigation Chamber refers to its previous findings concerning Art. 25 of the GDPR (see paragraph 263). 282. The Litigation Chamber notes that the defendant's arguments are not sufficient to justify such a long retention period. Indeed, while regular updating of the file and immediate accessibility of the data are necessary to ensure quality customer service, it should be noted that these objectives can be achieved with a retention period significantly shorter than 8 years. 283. Concerning the retention periods invoked by the defendant, the Chamber notes that these apply mainly to purposes distinct from the management of the Freedelity file, and for which Freedelity does not act as data controller. Indeed, the legal requirements relating to guarantees essentially concern the relations between the consumer and the seller. Thus, the legal obligations weighing on Freedelity in terms of data retention cannot be based on these requirements alone. 284. Furthermore, the Freedelity file is not the appropriate medium for storing data based on such requirements, specific to customers. Indeed, the CustoCentrix database is the one that hosts, in the form of Silos, the data strictly specific to each brand and the processing of which is subcontracted to Freedelity by each of the brands. To this extent, and based on the responses provided by 89 Freedelity to the Inspection Service, the Silo specific to each customer could serve 90 as an intermediate archive of data whose retention in an active database, on the Freedelity file, is no longer justified. 285. In this case, the Chamber considers that a retention period of maximum 3 years from the last activity would be sufficient to meet the needs of the defendant, while respecting the rights of the persons concerned. This period is aligned with the current practices recommended by the National Commission for Information Technology and 91 Liberties. The Chamber considers that a consumer who has not shown any activity for a period of two to three years within the partner brands of Freedelity can be presumed to no longer wish to benefit from the services associated with this file. 88As explained by Freedelity in its 2020 WhitePaper, (page 5): "the database specific to each client within CustoCentrix containing consumer data that cannot be shared with other clients and for which Freedelity acts as a subcontractor within the meaning of data protection regulations". 89See page 22 of the responses provided by Freedelity to the additional questions from the Inspection Service asked on 29 October 2021. 90 The concepts of “intermediate archiving” and “active base” are used by the CNIL in its reference documents on data retention. See for example this article from the CNIL on the determination of retention periods: https://www.cnil.fr/fr/passer-laction/les-durees-de-conservation-des-donnees 91 CNIL reference document on the processing of personal data – management of commercial activities. https://www.cnil.fr/sites/cnil/files/atoms/files/referentiel traitement-donnees-caractere-personnel gestion-activites- commerciales.pdf (page 5) Decision on the merits 146/2024 – 57/67 It is indeed reasonable to consider that such a consumer has lost all interest in this type of loyalty program. 286. In this perspective, the defendant is free to set up a mechanism for regular verification of the activity of the persons concerned to ensure that their data - and their account - should not be deleted. For example, an email could be sent to consumers who have not shown any activity for 3 years, in order to ask them to confirm their wish to maintain their registration in the Freedelity file. In the absence of a response from them within a reasonable time, the defendant could consider that these persons have waived the benefit of this service and proceed to the deletion of their data or their archiving, if applicable. 287. In view of all these elements, the Chamber considers that the retention period of 8 years set by the defendant is disproportionate to the purpose pursued. The principle of data minimization, enshrined in Article 5.1.e of the GDPR, requires the data controller to limit the retention of data to a strictly necessary period. 288. In conclusion, the Litigation Chamber finds a violation of the principle of limitation of the retention of personal data (Art. 5.1.e, 5.2, 24 and 25.1 of the GDPR) due to the excessive retention period of 8 years for the management of the Freedelity file. III. Corrective measures and sanctions 289. Under Article 100§1 of the LCA, the Litigation Chamber has the power to: 1° dismiss the complaint; 2° order that there be no further action; 3° order a suspension of the decision; 4° propose a transaction; 5° issue warnings or reprimands; 6° order compliance with the requests of the person concerned to exercise these rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of the processing; 9° order that the processing be brought into compliance; 10° order the rectification, restriction or erasure of the data and the notification of these to the recipients of the data; 11° order the withdrawal of the accreditation of the certification bodies; Decision on the merits 146/2024 – 58/67 12° impose periodic penalty payments; 13° impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the Public Prosecutor's Office of the Brussels King's Prosecutor, who shall inform him of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. III.1. Choice of the appropriate corrective measure or sanction 290. In light of the above and on the basis of the powers assigned to it by the legislator, the Litigation Chamber decides to order measures to bring processing into compliance, pursuant to Article 100, §1, 9° of the LCA, as well as the deletion of certain data, in accordance with Article 100, §1, 10° of the LCA. In order to guarantee the effective execution of these measures, the Litigation Chamber considers it necessary to combine them with periodic penalty payments, considering that this approach constitutes the most appropriate response to the circumstances of the case. 291. The Litigation Chamber considers that a combination of such measures is appropriate to achieve the effective, proportionate and dissuasive nature of the sanction. Indeed, it is imperative that Freedelity implements this decision by bringing its processing into compliance and deleting certain data. In this case, the planned penalty payment is able to put sufficient pressure on Freedelity to achieve this end. 292. The Litigation Chamber could decide to impose an administrative fine under its powers on the basis of Article 83 of the GDPR and Article 100, § 1, 13° of the LCA, with regard to the violations found of Articles 4, 5, 6, 7, 24 and 25 of the GDPR. 293. Nevertheless, the Litigation Chamber considers that compliance orders accompanied by a penalty payment do not require the imposition of a fine since the injunctions issued require the company to significantly transform its business model in order to comply with the requirements of the GDPR. This complex and demanding process will require significant financial resources from the defendant. 294. The penalty payment, through its incentive mechanism, guarantees that the corrective measures will be effectively implemented without unduly weakening the financial stability of the company. This approach, combined with the other sanctions adopted, ensures a response that respects the principles of effectiveness, proportionality and dissuasion of the GDPR. 295. Therefore, pursuant to Article 100§ 1 of the LCA, the Litigation Chamber decides to: a) in accordance with Article 100§ 1, 9° of the LCA, order compliance of the processing operations within a period of 4 months, in accordance with injunctions 1 to 5; b) in accordance with Article 100§ 1, 10° of the LCA, order the erasure of the data in accordance with injunctions 4 and 5 within a period of 4 months; c) in accordance with Article 100§ 1, 12° of the LCA, impose periodic penalty payments of EUR 5,000 per day of delay from the day on which the Litigation Chamber notifies it that it has partially or not at all complied with the injunctions issued in this decision, on the basis of the responses provided by the defendant to the Litigation Chamber, which must have been received by the end of the period allowed for compliance; d) in accordance with Article 100§ 1, 16° of the LCA decide to publish the decision on the website of the Data Protection Authority, with direct identification of the defendant. III.2. Order for compliance and erasure of data 296. The Litigation Chamber considers that it is appropriate to impose several injunctions for compliance and erasure of data on the defendant, by virtue of the breaches noted. 297. Injunction 1: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders Freedelity to put in place consent collection mechanisms guaranteeing that consent is free, specific, informed and unequivocal, in accordance with Article 4.11 of the GDPR, and this for each processing of personal data that it carries out, including the pooling of data with its commercial partners. 298. Freedelity must in particular: - Ensure that access to the commercial advantages offered by a brand is not conditioned on the acceptance of other non-essential processing or conditions, including the pooling of data. - Clearly and comprehensibly inform the persons concerned, at the time of the collection of their data, on the specific purposes of each processing, the categories of data concerned, and allow consumers to know the identity of the recipients with whom the data will be shared. Decision on the merits 146/2024 – 60/67 - Implement explicit mechanisms to obtain unambiguous consent, such as a button that is not checked by default allowing data subjects to expressly confirm their agreement for each processing purpose envisaged. - Verify the existence of free, informed, unequivocal and specific consent for all data subjects whose data is processed in the Freedelity file, in light of the above requirements and in the event of a negative finding, either delete the data currently present in the Freedelity file without valid consent, or renew the consent of the data subjects before the end of the period allowed for compliance with this Injunction 1. - Transmit to the Litigation Chamber evidence of compliance with this Injunction 1, including a copy of the Freedelity-specific consent form template (or consent forms) modified or implemented pursuant to Injunction 1 issued by the Litigation Chamber. 299. Injunction 2: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders Freedelity to put in place simple, accessible and direct mechanisms to allow data subjects to withdraw their consent, in accordance with Article 7.3 of the GDPR. 300. Freedelity must in particular: - Integrate on all physical terminals used by its partners an explicit and immediate option allowing the withdrawal of consent, without the need to navigate through complex menus or interfaces. - Update the MyFreedelity portal to include a clearly visible and directly accessible feature allowing data subjects to withdraw their consent in as many steps as it takes them to give their consent. - Inform the persons concerned, at the time of collecting consent, of the means available to withdraw this consent, ensuring that this information is clear, understandable and easily accessible. - Adopt and document technical and organizational measures in accordance with the principle of data protection by design and by default (Article 25 of the GDPR), ensuring that withdrawal mechanisms are integrated from the design of any new interface or terminal. - Transmit to the Litigation Chamber evidence of compliance with this Injunction 2, including screenshots of the new consent withdrawal mechanisms as implemented or modified by Freedelity and the brands. Decision on the merits 146/2024 – 61/67 301. Injunction 3: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders Freedelity to document precisely the consent collection process, in such a way as to be able to demonstrate, at any time, that it was obtained in accordance with the requirements of the GDPR, and this in order to ensure in particular compliance with Articles 5.2, 24 and 25 of the GDPR. Freedelity shall provide the Litigation Chamber with evidence of compliance with this Injunction 3. 302. Injunction 4: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders Freedelity to immediately cease the collection and processing of personal data from consumers’ identity cards, with the exception of data strictly necessary for the stated purpose, namely, to take the example of a classic loyalty program: the surname, first name and contact details (postal address, email or telephone). Pursuant to Article 100§ 1, 10° of the LCA, the Litigation Chamber also requires the deletion of any data that has been collected beyond this information within a period of four months. 303. Freedelity shall in particular: - Update, or order the updating of all collection interfaces and tools used by Freedelity and its partners (in-store terminals, digital portals, manual forms, etc.) in order to guarantee that only authorized data is collected. - Prohibit, with respect to third parties, any resale or transfer of unnecessary data collected before the definitive deletion of this data, unless valid consent from the persons concerned is obtained. This prohibition includes data previously collected that does not comply with the principle of minimization. - Notify the persons concerned of the deletion of unnecessary data already collected, reminding them of their rights regarding the data that continues to be processed by Freedelity, in particular the right to access, rectify, delete their data, as well as their right to withdraw their consent. - Freedelity must provide the Litigation Chamber with evidence of compliance with this Injunction 4, in particular a copy of the template for the notification to the persons concerned and proof of the effective deletion of the unnecessary personal data identified in Finding 4 of this decision. 304. Injunction 5: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders Freedelity to reduce the retention period of personal data processed in the context of the Freedelity file to a maximum of three years from the last activity of the persons concerned. Pursuant to Article 100§ 1, 10° of the LCA, the Litigation Chamber requires Freedelity to erase data that has been retained for a period of more than three years, unless a separate legal basis justifies their retention in an intermediate archive such as Customer Silos (for example, specific legal obligations for brands). 305. Freedelity must in particular: - Delete all personal data retained beyond this period of three years for persons who have not demonstrated any activity, unless a separate legal basis justifies their retention (for example, specific legal obligations or ongoing disputes). Apply this erasure to all data currently contained in the Freedelity file and purge the Freedelity file of obsolete data. - Ensure that when a separate legal basis justifies the retention of data for more than 3 years, the data is archived on a medium separate from the Freedelity file and that it is processed for no purpose other than that of storage justified by the legal basis in question. - Send a reminder by email or any other appropriate means to consumers who have not shown any activity for three years or more, in order to ask them to confirm their wish to maintain their registration. In the absence of a response within a reasonable period (for example, one month), archive the data under the conditions listed above, or delete them if applicable. - Freedelity must provide the Litigation Chamber with evidence of compliance with this Injunction 5, in particular documents demonstrating the effective erasure of personal data beyond the authorized periods, in accordance with Finding 5 of this decision. III.3. Conditional sanction: the penalty payment III.3.1. Preliminary considerations 306. The penalty payment is unique in that it is fully conditional. The amount to be paid is indeed uncertain. The defendant first has a period of time to comply or to appeal the decision. It is only in the event of non-compliance on its part after a period of 4 months from notification of this decision that the penalty payment will be implemented. Therefore, the amount of the penalty payment is variable, and it may even be zero, where applicable. 92See on this point the recommendations of the CNIL (French data protection authority) regarding intermediate data archiving: https://www.cnil.fr/fr/passer-laction/les-durees-de-conservation-des-donnees Decision on the merits 146/2024 – 63/67 307. The penalty payment is distinguished from the administrative fine in that it constitutes an indirect means of enforcement of the main penalty(s) in order to comply with the law in force, whereas the administrative fine is punitive in nature. 308. The penalty payment therefore also has an ancillary nature. The penalty payment and the administrative fine are thus different both in nature and in the objectives they pursue. 309. In light of the reasons set out above, the Litigation Chamber decides to impose periodic penalty payments on the defendant in this case, and does not consider that it must inform the defendant in advance by means of a penalty form. III.3.2. Practical arrangements for the periodic penalty payment 310. In order to give the defendant the time necessary to comply with the injunctions issued in this decision, the periodic penalty payment will not be implemented directly following the notification of this decision to the defendant. In this case, the Litigation Chamber considers that a period of 4 months from the notification of this decision is sufficient to allow the defendant to comply with the said injunctions. 311. The time limit shall run from the day on which the defendant receives the registered letter notifying it of this decision or from the day of expiry of the time limit during which the defendant is, where applicable, required to collect said registered letter from the post office. 312. From the expiry of the 4-month period from the notification of this decision, and provided that it has received the evidence requested in the various injunctions within the time limits, the Litigation Division shall notify the defendant, after examining the documents: 1) That the latter has fully complied with the injunctions issued in this decision; or 2) That the defendant has partially complied with the injunctions issued in this decision; or 3) That the defendant has not complied with the injunctions issued in this decision. 313. The Litigation Chamber shall initiate the enforcement of the penalty payment on the same day as the notification in the second and third cases. In case of doubt, the APD may use its powers derived from the LCA or the ROI in order to continue the procedure or open a new file, if necessary. 93Decision on the merits of the Contentious Chamber, No. 131/2024 of 11 October 2024, paragraphs 113 to 116. Decision on the merits 146/2024 – 64/67 314. The amount of the periodic penalty payments is defined as follows: a) Injunction 1: the defendant must pay EUR 1,000 per day of delay from the day on which the Contentious Chamber notifies it that it has partially or not at all complied with the injunctions issued in this decision; b) Injunction 2: the defendant must pay EUR 1,000 per day of delay from the day on which the Contentious Chamber notifies it that it has partially or not at all complied with the injunctions issued in this decision. (c) Injunction 3: The defendant shall pay EUR 1,000 for each day of delay from the day on which the Litigation Chamber notifies it that it has complied partially or not at all with the injunctions issued in this decision. (d) Injunction 4: The defendant shall pay EUR 1,000 for each day of delay from the day on which the Litigation Chamber notifies it that it has complied partially or not at all with the injunctions issued in this decision. (e) Injunction 5: The defendant shall pay EUR 1,000 for each day of delay from the day on which the Litigation Chamber notifies it that it has complied partially or not at all with the injunctions issued in this decision. 315. If the defendant fails to comply with the six injunctions, it must then pay EUR 5,000 for each day of delay from the day on which the Litigation Chamber notifies it that it has partially or not at all complied with the injunctions issued in this decision. 316. The Litigation Chamber recalls that the penalty payment is not punitive in nature. The injunctions are each accompanied by a penalty payment to ensure their proper execution. The amount of the penalty payments is reasonable in view of the infringement that the defendant has caused to the rights of the plaintiff, and of users more generally, but also in view of the financial capacity of the defendant, whose turnover is less than [amount], and the profit that it can derive from the non-execution of the injunctions in question. 317. If the defendant considers that full execution of the injunctions is impossible within the prescribed period despite all reasonable efforts, it may submit a reasoned request for an extension of time to the Litigation Chamber within 45 days of notification of this decision to it. 318. The penalty payment is daily. The Litigation Chamber decides that the maximum cumulative amount of the penalty payment may not exceed EUR 100,000. Decision on the merits 146/2024 – 67/67 In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Market Court (Brussels Court of Appeal), with the Data Protection Authority as the defendant. Such an appeal may be filed by means of an interlocutory application which must contain the information listed in Article 1034ter of the Judicial Code. The interlocutory application must be filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or 95 via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code) (sé). Hielke H IJMANS President of the Litigation Chamber 94 The application contains, under penalty of nullity: 1° the indication of the day, month and year; 2° the surname, first name, address of the applicant, as well as, where applicable, his/her qualities and his/her national register number or company number; 3° the surname, first name, address and, where applicable, the quality of the person to be summoned; 4° the subject and summary statement of the grounds of the application; 5° the indication of the judge who is seized of the application; the signature of the applicant or his lawyer. 95The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.