APD/GBA (Belgium) - 04/2021: Difference between revisions
m (Ar moved page APD/GBA - 04/2021 to APD/GBA (Belgium) - 04/2021) |
|||
(11 intermediate revisions by 3 users not shown) | |||
Line 12: | Line 12: | ||
|Original_Source_Name_1=APD/GBA | |Original_Source_Name_1=APD/GBA | ||
|Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-04-2021.pdf | |Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-04-2021.pdf | ||
|Original_Source_Language_1= | |Original_Source_Language_1=French | ||
|Original_Source_Language__Code_1= | |Original_Source_Language__Code_1=Fr | ||
|Type=Complaint | |Type=Complaint | ||
Line 65: | Line 65: | ||
===Facts=== | ===Facts=== | ||
'''Background:''' | |||
The defendant | The defendant is a marketing company that distributes "pink boxes" which targets pregnant mothers that include samples, special offers and information sheets for future parents. | ||
The defendant | The offers and samples contained in the "pink boxes" where made available by the network of partners of the defendant. | ||
As to the data processed, the personal data of (future) mothers collected by the defendant included: the mother's name, mother's first name, date of birth of the baby, sex of the baby, name of the baby, e-mail address, street and house number, zip code and city. | |||
This personal data was then transferred by the defendant to third parties (so-called "structural partners") in exchange for the aforementioned offers and samples. | |||
These partners | These partners where in fact data brokers which processed the data for marketing campaigns and sold it to other third parties. | ||
''' | '''Facts:''' | ||
The complainant filled in a registration form with the defendant - when she received a pink box from - and authorized the processing | The complainant filled in a registration form with the defendant - when she received a pink box from - and authorized the processing her personal data. She was not informed clearly of the processing and possible subsequent processings (with regards to the defendant's network of partners). | ||
The complainant subsequently decided to | The complainant subsequently decided to withdraw her consent as she no longer desired to be contacted by third parties concerning promotions for childcare products. | ||
However, even after | However, even after having exercised her right, the complainant still received unwanted phone calls from partners of the defendant in connection with certain promotions. | ||
The complainant then lodged a complaint with the Belgian data protection authority alleging the defendant transferred personal data to third parties, including data brokers, without valid consent on the part of the customer, and without the provision of sufficient information. | |||
===Dispute=== | ===Dispute=== | ||
The discussion mainly | The discussion mainly mainly revolved around the (lack of) information given by the defendant about the sale and processing of personal data by its the network of partners as well as the scope and validity of the consent given by consumers to the processing(s). | ||
===Holding=== | |||
The Inspection Service and the Litigation Chamber of the Belgian DPA held that: | |||
'''1) Lack of information and transparency about the processing(s)''' | |||
The defendant had breached article 5, paragraph 1, a) of the GDPR as well as article 13 (lack of transparency) as the defendant was renting and/or selling personal data for commercial purposes via its partners without informing the consumers about these processings in a clear and comprehensible manner. | |||
The | |||
An aggravating factor is the fact that the pink boxes were distributed via gynecologists and hospitals combined with the company name of the defendant, which could have led clients to believe that the initiative came from the public sector, and not from a private company whose core business is trading data. | |||
'''2) Lack of valid consent to process the data''' | |||
Article 6 GDPR, in particular Article 6(1)(a) and (f) GDPR, as there | Article 6 GDPR, in particular Article 6(1)(a) and (f) GDPR (Free consent) was also breached by the defendant, as there could be no free, specific, informed and unambiguous consent given by the customers as consent was in this case : | ||
a) - clearly not informed (about further processings by the network of partners); | |||
b) - not specific (as consent for receiving the boxes automatically involved the transfer of data); | |||
c) - not freely given (as the lack of consent involved the loss of some benefits). | |||
'''3) Lack of appropriate technical and organizational measures and disproportionate retention period''' | |||
Article 25 GDPR, given that the defendant has not taken appropriate technical and organizational measures to ensure that only personal data is processed that is necessary for each specific purpose of the processing. The retention period of 18 years is disproportionate to the initial consent and reasonable expectations of the complainant and other parties involved. Moreover the defendant had not concluded the necessary processing agreements. | |||
'''Decision of the Belgian DPA:''' | |||
Taking into consideration the number of data subjects (the company processes data relating to 21.10% of the Belgian population), the seriousness of the breach and the nature of the data processed (in particular data relating to children), the Litigation Chamber of the BE DPA decided to impose a fine of €50,000 on the defendant, and ordered the company to comply with the GDPR within a 6 months period. | |||
==Comment== | ==Comment== |
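Review bot: The new Facts and Dispute text carries several grammar slips that should be corrected before this stands as the latest revision. "where made available" and "These partners where in fact" should read "were", "authorized the processing her personal data" is missing "of", and the Dispute paragraph has "mainly mainly" and "its the network". In the Holding, the label "(Free consent)" is attached to both Article 6(1)(a) and (f), although (f) is the legitimate-interest basis, so the parenthetical should be tied to (a) only or dropped. The sentence opening "Article 25 GDPR, given that" also has no main verb.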
Latest revision as of 16:50, 12 December 2023
APD/GBA - 04/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1) GDPR Article 6 GDPR Article 7 GDPR Article 13 GDPR Article 24 GDPR Article 25 GDPR Article 28 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 20.01.2021 |
Published: | |
Fine: | 50000 EUR |
Parties: | Anonymous (Complainant) National Service for the Promotion of Childcare products (Defendant) |
National Case Number/Name: | 04/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | APD/GBA (in Fr) |
Initial Contributor: | Mathieu Desmet |
The Belgian DPA (APD/GBA) issued a fine of €50,000 against a private company for collecting personal data from its target audience (pregnant mothers) without valid consent. Personal data collected was then transferred to this company's network of partners which processed the data for direct marketing purposes and sold it to other third parties in breach of the GDPR.
English Summary
Facts
Background:
The defendant is a marketing company that distributes "pink boxes" targeted at pregnant mothers; the boxes include samples, special offers and information sheets for future parents.
The offers and samples contained in the "pink boxes" were made available by the network of partners of the defendant.
As to the data processed, the personal data of (future) mothers collected by the defendant included: the mother's name, mother's first name, date of birth of the baby, sex of the baby, name of the baby, e-mail address, street and house number, zip code and city.
This personal data was then transferred by the defendant to third parties (so-called "structural partners") in exchange for the aforementioned offers and samples.
These partners were in fact data brokers that processed the data for marketing campaigns and sold it to other third parties.
Facts:
The complainant filled in a registration form with the defendant - when she received a pink box from - and authorized the processing of her personal data. She was not clearly informed of the processing and possible subsequent processings (with regard to the defendant's network of partners).
The complainant subsequently decided to withdraw her consent as she no longer desired to be contacted by third parties concerning promotions for childcare products.
However, even after having exercised her right, the complainant still received unwanted phone calls from partners of the defendant in connection with certain promotions.
The complainant then lodged a complaint with the Belgian data protection authority alleging the defendant transferred personal data to third parties, including data brokers, without valid consent on the part of the customer, and without the provision of sufficient information.
Dispute
The discussion mainly revolved around the (lack of) information given by the defendant about the sale and processing of personal data by its network of partners, as well as the scope and validity of the consent given by consumers to the processing(s).
Holding
The Inspection Service and the Litigation Chamber of the Belgian DPA held that:
1) Lack of information and transparency about the processing(s)
The defendant had breached article 5, paragraph 1, a) of the GDPR as well as article 13 (lack of transparency) as the defendant was renting and/or selling personal data for commercial purposes via its partners without informing the consumers about these processings in a clear and comprehensible manner.
An aggravating factor is the fact that the pink boxes were distributed via gynecologists and hospitals combined with the company name of the defendant, which could have led clients to believe that the initiative came from the public sector, and not from a private company whose core business is trading data.
2) Lack of valid consent to process the data
Article 6 GDPR, in particular Article 6(1)(a) and (f) GDPR (Free consent), was also breached by the defendant, as there could be no free, specific, informed and unambiguous consent given by the customers, since consent was in this case:
a) - clearly not informed (about further processings by the network of partners);
b) - not specific (as consent for receiving the boxes automatically involved the transfer of data);
c) - not freely given (as the lack of consent involved the loss of some benefits).
3) Lack of appropriate technical and organizational measures and disproportionate retention period
Article 25 GDPR was breached, given that the defendant has not taken appropriate technical and organizational measures to ensure that only personal data that is necessary for each specific purpose of the processing is processed. The retention period of 18 years is disproportionate to the initial consent and reasonable expectations of the complainant and other parties involved. Moreover, the defendant had not concluded the necessary processing agreements.
Decision of the Belgian DPA:
Taking into consideration the number of data subjects (the company processes data relating to 21.10% of the Belgian population), the seriousness of the breach and the nature of the data processed (in particular data relating to children), the Litigation Chamber of the BE DPA decided to impose a fine of €50,000 on the defendant, and ordered the company to comply with the GDPR within a period of 6 months.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Decision on the merits 04/2021 - 1/46
Litigation chamber
Decision on the merits 04/2021 of 20 January 2021
File number: DOS-2019-04798
Subject: Complaint as a result of the transfer of personal data by an organization that makes offers to (expectant) mothers.
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs. Jelle Stassijns and Dirk Van Der Kelen, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the rules of internal procedure, as approved by the Chamber of People's representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
has taken the following decision regarding:
- Ms X, hereinafter “the complainant”,
- Family Service / The National Service for Promotion of Children's Articles, NV (hereinafter: NV NDPK), hereinafter “the defendant”, represented by mr. Jean-François Henrotte and mr. Fanny Coton.
1. Facts and procedure
The complaint
1. The circumstances surrounding and the subject of the complaint can be summarized as follows. The defendant is a private company, more specifically an advertising agency that provides media representation. The defendant offers so-called “Pink Boxes” for (expectant) mothers, in which offers and samples of products and services can be found. These boxes are distributed by a network of partners. The defendant also offers (expectant) mothers information about the pregnancy, birth, etc. She also gives discounts that are temporarily offered to registered members.
The details of (expectant) mothers are passed on to third parties (so-called structural partners) in exchange for the aforementioned offers and samples and with a view to the trade in personal data and direct marketing by these third parties. The complaint mainly points to the fact that the defendant is a supplier of personal data.
2. The complainant at the time - upon receiving a box from the defendant - signed up with the defendant and gave permission to process certain personal data belonging to her. However, the complainant later decided to lodge an objection with the defendant because she no longer wished to be contacted by third parties / partners of the defendant. Nevertheless, after filing an objection with the defendant, the complainant received telephone calls from third partners of the defendant in connection with certain promotions.
3. On September 19, 2019, the complainant files a complaint with the Data Protection Authority against the defendant.
4. The object of the complaint concerns the renting or selling of personal data for direct marketing reasons, without the explicit consent of the data subjects and at least after withdrawal, resulting in unwanted advertising. The complainant was called by a Dutch company for advertising purposes. The Dutch company would have indicated that it obtained the complainant's details from the defendant. The complainant argues that the transmission of the data takes place in a non-transparent way. At the same time, she indicates that she received a form from the defendant at the time but that she does not remember giving her consent to pass on her data.
5. On September 23, 2019, the complaint is declared admissible on the basis of articles 58 and 60 WOG and, on the basis of art. 62, §1 WOG, the complaint is transferred to the Litigation chamber.
The report of the Inspection Service
6. On 8 October 2019, the Disputes Chamber decides on the basis of art. 63, 2° and 94, 1° GBA Act to send a request to conduct an investigation to the Inspection Service. The Litigation chamber found some points too unclear to proceed to the treatment on the merits.
7. On 28 January 2020, the report was submitted by the Inspectorate to the Disputes Chamber in accordance with Article 91, §2 WOG.
8. The report states that the following personal data are rented to third-party companies by the defendant: mother's name, mother's first name, date of birth of the baby, gender of the baby, name of the baby, email address, street and house number, zip code and city.
9. The Inspectorate states that it is not authorized to carry out useful investigative actions for the Dutch company that called the complainant on 17 September 2019 with an offer for children's books. After all, the Dutch company has no establishment in Belgium. The Inspection Service thus limited itself to an investigation of the defendant as controller.
10. According to the Inspectorate, the Dutch company would use the data of “de Roze box”. The complainant had subscribed for the first time to “the pink box” of the defendant during her pregnancy via a form “reservation card for my gift packages”. According to the complainant, the first box was delivered on April 12, 2019 through a store specializing in baby products.
11. According to the complainant, an employee of this shop invited her to complete the form if she also wished to receive the other boxes from the defendant; the complainant indicates that she did indeed complete the form and transfer it to the defendant. The complainant also received a “purple box” at her gynecologist's, which contained a QR code inviting her to register online. On admission to maternity, she obtained a third pink box without being asked to fill in a form.
12. On 21 May 2019, the complainant received an email thanking her for her registration and in which she was invited to sign up for a welcome gift. The complainant then submitted her objection to the defendant, who acknowledged receipt thereof on September 19, 2019. Despite this, the complainant afterwards still received repeated e-mails from a partner of the defendant during the period between September 26 and November 12, 2019, while, under the defendant's terms, the information received may not be used more than once by this type of partner (a 'loose partner', infra).
13. The defendant has different types of partners:
- Structural partners to whom the personal data is transferred.
- Loose partners: With one type of loose partners, the defendant itself sends out emails in their name. Another type of loose partners receive personal data for one-off use to be able to send postal items or to make contact by telephone with those involved.
14. The defendant's first activity, as set out in the report of the Inspection service, concerns the distribution of gift boxes through the partners of the defendant. According to the Inspection Service, the distribution of the pink boxes supports the conduct of an activity of trafficking in personal data of mother and child with a view to direct marketing by partners of the defendant that are not mentioned exhaustively. There are different partners depending on the type of box:
- “my pregnancy” and “my birth” boxes with maternity wards and gynecologists as partners;
- “my first months” box with a supermarket (Y1), day care centers and childminders as partners;
- “my first birthday” box with a clothing company (Y2), participating daycare centers and childminders as partners;
- “my first school memories” box with a clothing company (Y2) as a partner.
15. With regard to compliance with art. 5 (1) (a) GDPR (legality, propriety and transparency) the defendant replies that, “as far as its personal use is concerned”, it “does not collect data for direct marketing purposes”. The Inspection Service could not establish that the defendant would send direct marketing messages to the mothers and/or their minor children to promote its own services or goods. But the Inspectorate states that:
- the documents demonstrate that the intention is to rent out the personal data of mothers for direct marketing by the defendant's customers;
- the defendant in the period around 2014 associated her name with the slogan “N° 1 in young family marketing”;
- the defendant is active in profiling data subjects. Mothers are classified according to the age of their child;
- it is noticeable that the defendant, in her communication with the parties involved and the GBA, emphasizes only part of its activities (distributing the box) and does not describe the other activity (trade in personal data / rental) explicitly in normal language but only in vague terms. This method creates potential confusion and goes against the principle of fairness. It is not clearly communicated that if one subscribes to the pink box one can receive advertising from third parties who are sufficiently clearly defined (in terms of category);
- repeatedly concealing (explicit words such as profiling, advertising, marketing in external communication) or playing with words to communicate "half truths" - such as, for example, stating that one does not collect data for direct marketing oneself and emphasizing only the benefits - is evidence that the risks and consequences for those involved are knowingly concealed or undervalued by the defendant;
- the principles of transparency and fairness are not respected;
16. The second activity of the defendant as set out in the aforementioned report of the Inspection service concerns the trade in personal data (with a view to direct marketing). Pursuant to art. 12 and art. 13 GDPR, there is an obligation to provide information and a duty of accountability to meet the requirement of transparent processing.
17. The defendant as controller must take appropriate action so that the data subject obtains the information referred to in Articles 13 and 14 GDPR. The information about the rights of data subjects in connection with the processing, in accordance with articles 12 to 22 and art. 34 GDPR, must also be provided in a concise, transparent, understandable and easily accessible form and in plain and simple language.
18. According to the accountability in art. 5 (2) GDPR, the controller can demonstrate that the activity of trading in personal data is made sufficiently clear by the partners to those involved.
19. According to the Inspectorate, the defendant disguises the objective of “trade in personal data and profiling” by not communicating about her trading activities in the same (clear) way as about receiving “free” benefits through the boxes. The information about the profiling of affected mothers and the trade in personal data is provided in legal terms and lower case letters on the side of the paper reply cards and on the defendant's website.
20. The Inspectorate finds that the main commercial activities of the defendant (in particular advertising, media representation, trade in personal data) are not communicated sufficiently transparently to the (expectant) mothers as required by Articles 5 (1) (a) and 12 (1) GDPR.
21. With regard to the lawfulness of the processing (Art. 6 GDPR), the defendant relies on art. 6 (1) (a) and (f) GDPR, depending on whether the collection of personal data dates from after or before May 25, 2018, respectively.
22. Article 6 paragraph 1 a) concerns the consent of the data subject as the legal basis for the processing of personal data. The defendant uses an online registration procedure.
The online subscription to a pink box is always linked to the compulsory giving of “agreement” to at least one form of transfer with a view to direct marketing. However, the data subject is not left a choice to determine which trade in personal data and profiling can take place in which context. The person concerned cannot continue with the enrollment if a box is not checked. It is not possible to receive the benefits without permission. There can therefore be no question of “free consent” within the meaning of the GDPR, concludes the Inspection Service.
23. The right of withdrawal, which is inseparable from the giving of the consent, is only stated in the online privacy policy. In addition, the right is not facilitated by the representation in lower case. The Inspectorate accordingly states that it is clear that withdrawing consent is not as simple as giving it, which is contrary to art. 7 (3) GDPR. If the consent is withdrawn by the person concerned, the personal data is not erased or deleted by the defendant, but only set to “inactive”.
24. Furthermore, there is no granular nature of the consent. All purposes are aggregated in the communication by the defendant. This limits the control of data subjects over their personal data. Likewise, the categories of the recipients of the personal data are not sufficiently clearly defined. Data subjects cannot estimate the impact or nature of passing on their data, thus compromising their free choice.
25. The Inspection Service deduces from the combination of the aforementioned findings that there is no valid consent within the meaning of the GDPR of the data subjects for themselves (mother) or as legal representative of the child (minor).
26. Article 6 (1) (f) GDPR concerns the legitimate interest of the controller as the legal basis for processing the personal data.
In the assessment of whether the legitimate interest is sufficient as legal basis, the reasonable expectations, interests and rights of those involved (mother and child) should be taken into account. The complainant's response illustrates, according to the Inspection Service, that the legitimate interest of the defendant is inconsistent with the reasonable expectations of those involved. The defendant uses abstract terms and conditions and no explicit terms such as advertising, direct marketing and trade in personal data. It is impossible for those involved to estimate how many other companies use their personal data further.
27. The Inspectorate states that the defendant does not provide sufficient information about the type of further processing that can follow after the trading of the personal data. Hospitals and gynecologists are called in for distribution of the boxes, which, according to the Inspectorate, can generate a wrong perception among those involved that the defendant would be a non-profit organization or government initiative instead of a private company that trades personal data.
28. To prove that it took into account and thought about the relevant and effective safeguards under this legal basis, the defendant has drawn up a document that incorporates a risk-based approach. It is not entirely clear to the Inspection Service how this document should be used in practice to protect. According to the Inspectorate, the defendant cannot provide sufficient evidence of which concrete technical or organizational measures offer adequate protection. The Inspectorate concludes that the defendant does not demonstrate that this document is actually applied in practice.
29. The defendant further argues that there is a limitation on the number of times the data is used through the use of control addresses.
The Inspectorate notes, however, that the use restriction and the receipt of an objection do not (always) work in practice. The lack of evidence of effective technical and organizational measures to safeguard the interests of data subjects implies, according to the Inspection service, that the defendant is acting in violation of the principle of accountability.
30. According to the Inspectorate, the partners of the defendant follow their obligation to provide information with regard to data subjects on (Art. 14 (2) point f) GDPR). For example, nothing has been contractually agreed between the defendant and its partners in relation to the communication of the source of the personal data to data subjects on the basis of Art. 14 (2) point f) GDPR.
31. On the basis of the aforementioned findings and considerations, the Inspectorate determines that the defendant could not rely on Article 6 (1) (f) GDPR, given the lack of effective safeguards it provides to respect the interests and rights of the data subjects under the GDPR. The Inspectorate also decides that a double legal basis for the same processing cannot be regarded as fair processing. According to the Inspectorate, it cannot, more generally, be determined that the defendant has an adequate legal basis to justify the processing of personal data under Art. 6 (1), point (a) (consent) or art. 6 (1) (f) (legitimate interest), since the conditions imposed by the GDPR are not fulfilled.
32. Concerning the principles of proportionality and data protection by design according to art. 5 and art. 25 (1) GDPR, the Inspectorate determines that the purposes of the processing cannot be distinguished. Subscribing to an additional box implies an agreement to trade in personal data. According to the Inspectorate, the defendant also does not demonstrate that an objection received against direct marketing is always communicated to the defendant's partners.
33. With regard to the conclusion of the processor agreement in accordance with art. 28, paragraph 3 GDPR, the Inspection Service determines that a store specializing in baby items receives fill-in cards and acts as a so-called "letterbox" by keeping those fill-in cards only until an employee of the defendant comes to collect them. According to the Inspectorate, this activity should be regarded as a processing of personal data. A processor agreement therefore had to be concluded. The Inspectorate is of the opinion that it has been sufficiently demonstrated that the defendant art. 28 para. 3 GDPR.
34. With regard to compliance with the duty to cooperate under art. 31 GDPR, the Inspectorate noted that no exhaustive list of partners has been provided and that there was thus no effective compliance with this duty.
35. The Inspectorate then decides to transfer its report as part of the file to the Chairman of the Disputes Chamber in accordance with article 91, §2 WOG.
The proceedings before the Dispute Chamber
36. On April 20, 2020, the Disputes Chamber decides in accordance with Article 95, §1, 1° and Article 98 WOG that the file is ready for consideration on the merits.
37. The complainant and the defendant are informed of the decision of the Dispute Chamber. In the letter with the notification of that decision, the closing deadlines are also communicated to the parties in accordance with Articles 98 and 99 WOG.
38. On May 8, 2020, the Secretariat of the Disputes Chamber receives an e-mail from the defendant's attorneys with the message that certain documents accompanying the report from the Inspectorate are missing. The defendant asks to still receive these documents and also to adjust the closing periods. In addition, the defendant asks to deal with the file in French from now on, since the main contacts and responsible persons at the defendant are French-speaking.
39. On May 20, 2020, the Disputes Chamber replies to the message, confirming that it was indeed established that documents were missing when the file was transferred from the Inspection service to the Dispute Chamber and that an incomplete inventory had therefore been drawn up. This includes, but is not limited to, duplicates. For this reason the closing deadlines were then interrupted and the parties get the full file forwarded with a correct inventory.
40. With regard to the request for French-language handling of the case, the Disputes Chamber has, according to art. 57 WOG, the discretion of the Data Protection Authority (and the Dispute Chamber as its body) regarding the language of the proceedings. For that reason, the Disputes Chamber is free to use a language of the procedure that takes into account the specific circumstances of the case.
41. In this case, the investigation by the Inspectorate of the Data Protection Authority was conducted entirely in Dutch. Likewise, no objection regarding the use of Dutch has been lodged in the previous stages of the procedure. For these reasons, the Disputes Chamber does not consider it appropriate to continue the procedure in French. Given the adjustment of the closing deadlines, the Disputes Chamber considers that there is sufficient time and space for the defendant to take the necessary organizational measures to prepare its defense properly. The Disputes Chamber underlines that the complainant is Dutch-speaking, just like a large part of the data subjects whose personal data the defendant processes and with whom the defendant conducts Dutch-language communication.
The defendant's claims
42. On 8 July 2020, the defendant lodged its first claim. On August 19, 2020 the defendant lodges a reply. Following is the synthesis of the content of those conclusions.
43. The introductory remarks deal first and foremost with respect for the rights of defense.
The defendant finds that more possible infringements of the GDPR are raised against it than were examined by the Inspectorate. According to the defendant, these infringements have been insufficiently proven, for lack of further details and evidence to support them. Because of this, the defendant claims not to be able to exercise its rights of defense as prescribed in Article 6 of the European Convention on Human Rights. According to the defendant, the Disputes Chamber also insufficiently specifies, in its decision of 20 April 2020, what the violations investigated by the Inspection Service would consist of in concrete terms. Because of this, the defendant asserts that it can prepare its defense only insufficiently.

44. Second, the defendant addresses the incompleteness of the documents received. The defendant argues that certain documents were not added to the report of the Inspection Service. According to the defendant, the documents were also incorrectly numbered and incomplete. As a result, the file is unclear and patchy in the defendant's eyes. The defendant alleges that only the incriminating elements are included in the file. The defendant asks that these documents be excluded from the debates on the grounds that they are incomplete.

45. Third, the defendant examines the irrelevant nature of the earlier elements put forward by the Inspection Service. According to the defendant, these always concern earlier grievances which the Commission for the Protection of Privacy (the legal predecessor of the GBA, hereinafter also the Dutch DPA) did not follow up. According to the defendant, the documents do not show that it failed to comply with the requests of the former CPP. According to the defendant, these matters therefore cannot be considered precedents.

46. Fourth, the defendant addresses the need to split the prosecutions.
The defendant proposes to split the case into:
- a case concerning the subject matter of the complaint, in particular whether direct marketing is carried out without legally valid consent (complaint about a possible infringement of Articles 6 in conjunction with 7 GDPR); and
- a case concerning the other grounds, following the findings made by the Inspection Service outside the scope of the complaint, in particular possible violations of Articles 5, 6, 12, 13, 14, 25, 28, 31, 37 and 38 GDPR.

47. In the description of the facts, the defendant explains matters in more detail, including the operation of its service and the compliance steps taken. The defendant claims to address only (expectant) mothers and not their children. She states that its activity revolves around four major axes: “1. It offers free boxes with offers and samples of products and services for expectant mothers and mothers, boxes distributed by a network of partners; 2. She informs expectant mothers and mothers. 3. It offers the opportunity to enjoy discounts that are offered temporarily to members registered on its website, by means of printing vouchers; 4. It makes it possible to receive offers directly from partner companies, of products and services for expectant mothers and mothers.”

48. The defendant then explains how the data of (expectant) mothers is shared with third parties:

1. First type of partners: the structural (or long-term) partners. “As for the e-mail addresses, the defendant only transfers them to her long-term partners. Thanks to this long-term cooperation, the defendant can, when obtaining their consent, inform expectant mothers and mothers specifically about the communication to these recipients. It is then up to the recipients of that data to comply with the GDPR in their capacity as controller.

2. Second type of partners: the loose partners. There are two subtypes of these.
In the first subtype, the defendant makes available to other companies that offer products and services to expectant mothers and mothers the data of those who have given permission for this, on a temporary basis and for single use only. Because these are one-time requests, it is not possible for the defendant to name all potential partners by name when asking expectant mothers and mothers for permission. Only the areas of activity can be indicated. This always involves companies which may be of interest to expectant mothers and mothers who have given their consent to receive these offers, not only in order to respect the mothers' request for information, but also, from a commercial point of view for the defendant, in order to be able to retain the membership of the mother-members.”

49. The defendant further clarifies: “The second sub-type of casual partners concerns other companies that also address the defendant in a one-off manner, but where:
- the e-mail addresses are not communicated to them. It is they who determine the criteria according to which they want the e-mail to be addressed to which expectant mothers or mothers, and that e-mail is sent by the defendant under the heading of De Roze Doos. That makes it possible for the defendant to ensure the single use of the data and the fact that they are not kept after the relevant promotional campaign;
- the defendant provides a list of postal addresses and telephone numbers, indicated to the receiving company as being for single use (after checking that they are not on the "don't call me" list for phone numbers). The defendant does not have the necessary infrastructure to handle paper communications or telephone calls itself. With the recipients of the data, however, it is contractually agreed that the data may only be used once.
It is then up to the receiving companies, in addition to fulfilling their contractual obligations, to comply with the applicable legal framework, in particular the GDPR and, if applicable, the verification of the “don't call me anymore” list.”

50. Regarding the compliance steps, the defendant states that it has achieved compliance with the help of her previous counsel. The data protection policy and the general and special conditions have been revised, as has the registration process via the website. The right to rectification and the right to erasure can be exercised directly by the data subjects through the “my account” page, as set out on the “FAQs” web page. Contracts have also been concluded with processors which, according to the defendant, meet the requirements of Article 28 GDPR.

51. The defendant declares that, following the exchange of e-mails with the complainant, it spontaneously committed to re-examining its internal processes and trying to improve them. Since the end of October 2019, the registration process on the website has been changed, and the data protection policy was also updated and completed in March 2020. Furthermore, the defendant reminded the recipients of the data of the importance of complying with their own legal obligations regarding the protection of personal data.

52. Regarding the connection via postcards, the defendant states that the relevant partner has no longer been keeping the reply cards since mid-November 2019.

53. The defendant has also appointed a data protection officer, although she believes that she is not obliged to do so under the conditions set out in the GDPR.

54. With regard to the complainant's requests, the defendant puts forward some pleas.

55. As a first plea, the defendant argues that the complaint is unfounded. The complaint concerns one possible infringement of Article 6(1)(a) in conjunction with Article 7 GDPR.
The defendant alleges that she had already corrected the registration process before receiving the report from the Inspectorate, so that the complaint regarding the non-free nature of the consent is no longer current at the time the Disputes Chamber handles the file on the merits.

56. The defendant refers to the judgment of the Marktenhof.[1] In this judgment the Marktenhof states that it cannot be considered a "disadvantage" if a customer is unable to create a loyalty card because he has refused the required processing of the data on his identity card (“eID”). According to the Marktenhof, this is merely a potential additional benefit that is lost, not a legal or contractual right.

57. The defendant concludes that the consent given by the complainant is valid and constitutes the legal basis for the communication of her data to the recipients. The defendant further claims that the data subject, when giving consent, was informed about the recipients of the personal data (making it an “informed consent”). The defendant considers a single consent for the communication of data to third parties for the purpose of receiving commercial offers to be a valid consent, as it concerns one and the same objective, irrespective of whether several third companies receive the personal data.

58. With regard to the Inspectorate's comment that the right to withdraw consent is not indicated on the screen when consent is obtained, the defendant states that it has amended this process. She does mention that the GDPR does not lay down any formal requirement to mention this withdrawal separately.

59. Finally, the defendant maintains that its website does not offer a practical possibility to immediately withdraw consent.
According to the defendant, withdrawing consent is in any case as easy as granting it, since data subjects can withdraw their consent for the different types of notices in the “my account” section of the website. Consent can also be withdrawn by sending an e-mail or a letter or by telephoning the defendant.

[1] Judgment of the Brussels Court of Appeal (Chamber 19 A, Marktenhof) of 19 February 2020, 2019/AR/1600.

60. The defendant points out that the fact that the online unsubscribe page was only in English and French has meanwhile been corrected.

61. With regard to the finding of the Inspection Service that a large part of the personal data relates to minor children, which would make recital 38 GDPR applicable, the defendant states that only the data of the mothers, along with a child's date of birth, are required. There is no obligation to provide either the name or the sex of the child. For that reason, the defendant states that it does not process data of minors; only the fact that the mother has a child under the age of 18 is important. According to the defendant, recital 38 GDPR does not apply, as it relates to services that are offered directly to a child, while the defendant's boxes and notices are addressed to mothers only.

62. Next, the defendant addresses the other alleged violations of the GDPR: Art. 5.1.a, 12.1, 13, 14, 6, 7, 5.1.c in conjunction with 25, 5.2, 28.3, 31, 37 and 38 GDPR.

63. With regard to Article 5(1)(a) GDPR, the defendant states that it does not use the boxes as a “pretext” to obtain the data of (expectant) mothers. The use of that data by third parties is only part of its business. The data is also needed to invite the mothers to pick up their next box close to their residence. That way the defendant knows approximately how many boxes each distributor needs.
This purpose is clearly stated in the defendant's data protection policy and, according to the defendant, reflects reality, which does not constitute a violation of the duty of loyalty. The defendant further explains that the name “Family Service” is not used to give “an impression of family services”, as she uses this name in her B2B relationships.

64. The defendant argues that no vague wording is used regarding the activity of data sharing. She merely does not use the term “direct marketing”, yet does describe what this purpose entails, in particular: “with a view to sending products, offers and information”. The defendant is sufficiently transparent in this case, so that there is no infringement of the GDPR on this point.

65. Furthermore, it is not clear to the defendant how the terminology and an alleged difference in language level and font size between the presentation of the distribution service of the boxes and the request for permission to receive communications from partners of the defendant would be a breach of the GDPR. According to the defendant, Art. 5(1)(a) GDPR does not stipulate that a particular language level is prohibited, nor that it is prohibited to insist on the benefits of a service. Only the correctness of the information provided to the data subjects must be taken into account.

66. The defendant emphasizes that it did not collect any personal data for its own direct marketing purposes, as it does not use the data to promote its own activities. The defendant does not allege the nature of its activities the benefit of the beneficiaries. According to her, she states the marketing goal in its data protection policy and provides a list of its partners and a list of potential recipient categories.

67. Regarding Articles 12(1) and 13 GDPR, the defendant argues that it cannot be blamed for having stated categories of recipients, since this is explicitly provided for in Article 13(1)(e) GDPR.
The defendant alleges that a detailed and complete publication of the list of partners would constitute an infringement of its trade secrets. According to the defendant, there is a conflict between two equivalent rights: the right to data protection and the right to protection of business secrets, in accordance with Directive (EU) 2016/943.[2] In any case, the defendant has also (before obtaining the report from the Inspectorate) supplemented its data protection policy and completed the wording. The defendant also undertakes to further clarify the beneficiaries.

68. The defendant argues that Article 13 GDPR only requires information about the categories of data recipients, not about the legal transaction underlying the communication of the data (in particular the “renting” or “selling” of data). The defendant further states, on the basis of Article 14 GDPR, that it is for the receiving third party to indicate to the data subjects which data they hold when they have obtained the personal data from the defendant. The defendant argues that the GDPR does not require it to specify how long and in what way the business partners hold the data. Furthermore, the defendant claims that there is likewise no legal obligation to state, in the e-mail confirming the registration, which fields the data subject had completed, because this can be consulted via “my account”.

[2] Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, OJ L 157/1.

69. According to the defendant, there is thus no infringement of accountability, and its activity is communicated to data subjects in a sufficiently transparent manner, as it respects the requirements of Article 13 GDPR.

70.
The UK precedent cited by the Inspectorate, namely the Bounty UK case,[3] is, according to the defendant, based on the legislation formerly in force in the United Kingdom and not on the GDPR. According to the defendant, the infringement is not comparable. Thus no precedent can be drawn from it.

71. The defendant finds that there is no violation of Article 12(1) nor of Article 13 GDPR.

72. Regarding Article 14 GDPR, the defendant argues that, since mothers-to-be register themselves with De Roze Doos, it obtains the personal data directly from them and that Article 14 GDPR does not apply. The defendant considers that it is being accused of shortcomings that would be attributable to third parties. In any case, the defendant is in the process of adapting its contractual documents so as to remind its customers of the obligations of the GDPR, in order to address the concerns of the Inspectorate.

73. The fact that a partner of the defendant did not inform the complainant of the source from which it obtained her personal data is, according to the defendant, conduct of a controller that is not imputable to the defendant. This also applies to the erasure of the complainant's personal data by a partner. In addition, the fact that the complainant still receives messages from partners is because she has registered elsewhere.

74. Regarding Articles 6 and 7 GDPR: for the arguments regarding consent (Art. 6(1)(a) GDPR), the defendant refers to what has already been stated in relation to the Inspection Service.
With regard to the legitimate interests of the controller or of a third party (Article 6(1)(f) GDPR), the defendant states that the conduct of a third-party controller cannot be relied upon to establish a shortcoming on its part, nor to assess the balance between its legitimate interests and those of the data subjects.

[3] Reference to the administrative fine imposed by the Information Commissioner's Office on the Bounty company; for clarity, the Disputes Chamber adds a web link to the press release regarding that decision in the United Kingdom: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/04/bounty-uk-fined-400-000-for-sharing-personaldata-unlawfully/.

75. The defendant emphasizes that it does not in any way give the impression that it is a public or subsidized entity or a non-profit organization. She also claims that members join the Pink Box because of the offers, and that it therefore cannot be said that they would be surprised, given their consent, that their data is transferred in order to send them other offers.

76. With regard to reasonable expectations regarding children's data, the defendant repeats that it does not process the data of the children, but only the data of mothers, where the child's date of birth is processed to meet the needs of the mothers.

77. Regarding appropriate and effective safeguards for the correct processing of personal data, the defendant states that (as already mentioned) the recipients of the personal data must comply with the GDPR and that it is not legally necessary for the defendant to remind them of this in the contractual documents. According to the defendant, this does not exclude that the use restriction (single use) is part of its offer and that it also checks its application from a commercial point of view. The defendant cannot be blamed for having designed its offer in accordance with Articles 5 and 25 of the GDPR.

78.
The defendant reports, regarding the agreement that binds it to its processor Y3, that it ensured that the entries required by Article 28(3) GDPR were recorded therein. This agreement is supplemented by specific technical appendices that, according to the defendant, go beyond what is required by Article 28(3) GDPR.

79. Regarding the dual legal basis, the defendant denies relying on two different legal bases. She states that she relies on one legal basis per situation. She relies on Article 6(1)(a) GDPR for the mothers who have given their consent since May 25, 2018 (date of entry into force of the GDPR) and on Article 6(1)(f) GDPR for mothers who gave their consent before 25 May 2018 and whose previously expressed consent does not meet the requirements of the GDPR. Regardless, the defendant claims that even the use of two legal bases cannot justify an administrative sanction. The defendant concludes that it does not infringe Article 6 by providing two different legal grounds for the processing of data from different data subjects.

80. With regard to Articles 5(1)(c) and 25 GDPR, the defendant argues that the data is deleted before the child reaches the age of 18, if the mother so wishes. That retention period is so fixed because a large number of children, after reaching the age at which compulsory education ends, enter active life and no longer form part of the parental household. All data of the mother will be deleted when she no longer has a child under the age of 18. The defendant concludes from this that it complies with the principle of data minimization.

81. With regard to the possibility of making a (granular) choice between the processing purposes, the defendant states that it has not been demonstrated that the data is not adequate, relevant and limited to what is necessary for the purposes for which they are processed.
According to the defendant, no shortcoming has been demonstrated regarding the implementation of appropriate technical and organizational measures. The defendant claims that only the personal data necessary for each specific purpose of the processing is processed.

82. In addition, the defendant argues again that it cannot be held responsible for the behavior of third-party recipients. The defendant further concludes that there is no violation of Articles 5(1)(c) and 25 GDPR.

83. Regarding Article 5(2) GDPR: the defendant keeps no register of the number of requests for rectification, and it is not possible to prove that an effective erasure took place. The defendant maintains that no provision of the GDPR requires it to keep such records. The only obligation that exists is to handle the request for rectification itself. The defendant could prove that the complainant was no longer in its mailing list database. After further investigation, the defendant was also able to obtain evidence of the erasure.

84. The defendant states that it keeps the e-mail addresses of the mothers who have requested deletion of their data, but only to make sure that no new account can later be created with the same e-mail address. According to the defendant, neither the GDPR nor case law and legal doctrine give a clear answer on this issue. Hence, she could not be blamed for not being able to immediately prove the erasure of the complainant's data.

85. Regarding Article 28(3) GDPR, the defendant does not consider that it should have concluded a contract with Y4, because there is no relationship with a processor within the meaning of the GDPR. According to the defendant, no classification is carried out by that partner before handing over the postcards to her. The defendant argues furthermore that, before it receives the data handwritten by the (expectant) mothers, there is no file.
That phase therefore does not fall within the material scope of the GDPR. According to the defendant, this partner is thus not a processor within the meaning of Article 4(8) GDPR. Consequently, Article 28(3) GDPR does not apply.

86. With regard to Article 31 GDPR, the defendant states that it cooperated well with the Inspectorate and provided that service with detailed information about its network of box distributors. The reason why one of its partners is not listed can, according to the defendant, be traced back to the limited activity that that partner carries out for it. The defendant argues that it confirmed in good faith that the list was exhaustive, as it was not aware of having forgotten a distributor. According to the defendant, no shortcoming in the duty of cooperation could have been committed, since the cooperation with this partner is not subject to the GDPR (see above). Furthermore, the defendant does not understand the alleged shortcomings regarding the customer list (the “partners” who receive the personal data). The defendant claims to have responded correctly to the questions of the Inspectorate. The defendant concludes that no infringement of Article 31 GDPR has been demonstrated.

87. Regarding Articles 37 and 38 GDPR, the defendant considers that it is not required, on the basis of Article 37(1) GDPR, to appoint a data protection officer. After all, it is not a government body. Furthermore, according to its defense, the defendant's core activity does not consist in following (expectant) mothers on a regular, systematic and large-scale basis. The defendant alleges that there is no proof that it meets the conditions that require the appointment of a data protection officer.

88. The alleged profiling to which the Inspectorate refers has also not been proven, according to the defendant. The defendant concludes that it does not carry out any processing operations falling within one of the cases referred to in Article 37(1) GDPR.
Furthermore, according to the defendant, there is also no violation of Articles 37(5) and 37(7) GDPR, because there is no indication that it falls within the scope of Article 37(1)(b) or (c) GDPR. With regard to Article 38 GDPR, the defendant states that the Inspection Service has not identified the shortcoming with which it would be charged. In any case, the defendant has voluntarily appointed a data protection officer.

89. The defendant claims:
- In the main: violation of the rights of defense, as a result of which the defendant cannot be punished for the alleged violation of any of the articles mentioned in the decision of April 20, 2020.
- In secondary order: no offense and no penalty. According to the defendant, the Inspectorate has not demonstrated any infringement targeted in the aforementioned decision.
- In a more subordinate order: no fine should be imposed. The defendant undertakes to implement the adjustments deemed necessary by the Disputes Chamber within three months of the decision and to deliver a report on this.
- In even more subordinate order: should such an administrative fine be imposed, opportunity for the defendant to make comments about the amount thereof. The defendant wants to be able to defend itself regarding the amount of the envisaged fine.
- Finally: no need to publish the decision; if it is published, any reference to her activities should be deleted.

The complainant's conclusion

90. In accordance with Article 98 of the WOG, the complainant also submits a conclusion.

91. The complainant argues that she mainly wants the defendant to change its working method so that it is clear to everyone that it resells / rents out data and retains certain data for 18 years. According to the complainant, the communication (also via the website) of the defendant should be more transparent, so that a data subject knows all the parameters before registering.

92.
Furthermore, the complainant argues for the publication of this file, as this is “necessary” for this file “because the tactics applied on the website are an example of how it should not be done […].”

93. The complainant alleges that De Roze Doos's website is not protected against leakage of existing e-mail addresses via the registration form.

94. The complainant clarifies that the cards made available at one of the defendant's partners are fill-in cards and not postcards as the defendant argues. That no more papers / cards are currently received by this partner is logical, since an agreement must be drawn up for this because data is processed and stored. The complainant also calls for reply cards to be removed completely, as these are not formatted according to the guidelines of the GDPR.

95. The complainant points out that in the event of the death of the mother and / or child, the defendant is not informed of this and that this information will continue to be sold / rented.

96. The complainant concludes that the defendant continues to infringe several legal provisions within the GDPR.

The hearing

97. In accordance with Article 51 of the Rules of Internal Order of the Data Protection Authority, as approved by the Chamber of People's Representatives, the parties are invited to the hearing requested by the defendant (on the basis of Article 98 WOG).

98. The complainant is not present at the hearing.

99. The defendant is present at the hearing and is represented by its two counsel, as well as a representative of the executive board.

100. The hearing takes place on November 25, 2020.

101. An official report of the hearing has been drawn up for the sole purpose of providing additions and clarifications with regard to the previously submitted conclusions. As always, the parties were also given the opportunity to formulate factual comments on the minutes, without this implying a reopening of the debates.
The defendant submitted such observations, which were attached to the file as an annex to the official report.

The penalty form of December 9, 2020

102. On December 9, 2020, the Disputes Chamber submitted a penalty form to the defendant, stating that the Disputes Chamber intended to impose a fine of EUR 50,000 on the defendant following the infringements of several provisions of the GDPR in this file (the same infringements as those retained in the present decision for imposing an administrative monetary penalty pursuant to Article 83 GDPR).

103. In its response to the fine form on December 29, 2020, the defendant points out a number of elements that are taken into account by the Disputes Chamber in its deliberation, and the following elements are particularly important for the determination of the sanction in this decision:

o regarding the duration of the breach: Y4 stopped collecting fill-in cards in mid-November 2019;

o with regard to the number of data subjects: the defendant states that in reality personal data of only 1,140,725 adults are processed and that the Inspectorate incorrectly attributed the information about the children (according to the defendant a "characteristic of the mother" and not personal data) to those children as data subjects, and thus arrived at the much larger number of 2,439,492 data subjects.
In addition, the defendant indicates that there are many overlaps due to duplicate registrations, so that the actual number of data subjects would lie “well below 1,000,000”;

o the defendant states that the Disputes Chamber is only competent for the collection of personal data between May 25, 2018 and the end of October 2019;

o with regard to the company's financial strength, the defendant stresses that, as a result of the COVID-19 crisis, it is facing a shortfall in income, which means that the defendant will undoubtedly “close the year with (a large) loss.” The defendant points out that the imposition of a high fine endangers the company and its personnel;

o with regard to the amount of the fine, the defendant considers that only the proceeds from the data transfer (39% of the activities in the 2019 financial year) should be taken into account and that, in line with the previous case law of the Disputes Chamber, a percentage must be assumed such that the outcome would be a fine of EUR 2,500.

2. Justification

2.1. Procedural aspects

104. The defendant raises a number of alleged problems in its defense regarding the procedure.

The material scope of the file

105. First, the defendant argues that the rights of defense would not be respected, as it is unclear against which possible infringements it has to defend itself.

106. However, the Disputes Chamber, in its letter dated April 20, 2020, informed the parties of the legal provisions with regard to which the defendant must defend itself and where potential infringements could be identified; for the findings in this regard, it refers to the report of the Inspectorate that was drawn up in response to the complaint.

107. All legal provisions listed there by the Disputes Chamber were cited by the Inspection Service in its report.
It is true that, for example, Articles 37 and 38 GDPR are not mentioned as such in the findings of the report, but the Inspectorate did establish that no data protection officer had been reported to the Data Protection Authority by the defendant.[4] It is for that reason that the defendant is also given the opportunity to comment on this in her defense.

108. The defendant was able to inspect the entire file, and in particular the full report of the Inspectorate. The Disputes Chamber of course does not have more documents regarding this file than the defendant. When the Disputes Chamber reads in the report of the Inspection Service that there may be a lack of clarity about the registration of the data protection officer, it is also an issue on which the defendant can defend itself extensively, and more specifically on the basis of all (exception) provisions in said legal provisions, not merely those provisions that could implicitly be onerous for the defendant.

[4] Report of the Inspectorate, page 14.

109. It may be noted here that the proceedings before the Disputes Chamber of the Data Protection Authority do not provide for any kind of Public Prosecution Service or Parquet, let alone that that role was assigned to the Inspectorate. The Inspection Service has only those powers that have been assigned to it under the WOG. The procedure before the Data Protection Authority cannot therefore be compared with criminal proceedings, although there are of course safeguards that protect the rights of defense in the light of Article 6 ECHR.

110. Nor can it be that the Disputes Chamber would appear biased by specifically identifying a priori, in its decision to invite the parties to file and hear defenses in accordance with Article 98 of the WOG, an infringement that it would read in the file.
On the contrary, the Dispute Chamber precisely indicated the provisions of the law where a problem potentially arises (based on the complaint and the investigation and subsequent report from the Inspectorate), precisely with a view to safeguarding the rights of defense and not appearing biased.

Incompleteness of the documents received and the alleged irrelevant nature of those documents

111. It is true that initially the file that the parties received was inconsistent with the documents as indicated by the Inspectorate in its report. This situation was remedied, after which the parties created a new inventory and received a new file (which includes all documents known to the Disputes Chamber) and the closing deadlines were extended. The rights of defense were thus fully guaranteed.

112. Furthermore, the defendant also argues that certain documents added to the file by the Inspectorate are irrelevant and that these documents should not be taken into account on the basis of articles 104 and 105 WOG. In addition, the defendant points in this regard to the lack of jurisdiction of the Data Protection Authority with regard to infringements prior to May 25, 2018.

113. It is true that the documents to which the defendant refers in its claims are documents about which the Disputes Chamber, for one or more reasons, cannot say more. However, the Inspectorate's investigation attempts to inquire into (factual) elements that may be relevant to the file, under article 72 WOG. This does not mean that such elements are taken into account by the Disputes Chamber - as an "onerous element" in the legal sense, within the meaning of Article 104 WOG - if it were to impose sanctions. These facts may, however, be relevant to the construction of the Inspectorate's file. It cannot be that the Inspection Service is limited in its discretion in this regard.
The Disputes Chamber is responsible for deciding on the relevance of the elements put forward by the Inspection Service.

Need to split up “the prosecutions”

114. The defendant argues that a distinction should be made between the findings with regard to the complaint on the one hand, and the other findings of the Inspection Service outside the scope of the complaint.

115. Now that the file was referred by the Disputes Chamber to the Inspection Service in accordance with Article 63, 2° WOG, the latter of course has the power to further investigate the processing operations related to the subject of the complaint. The Disputes Chamber emphasizes that the powers of investigation of the Inspectorate (Articles 64 to 90 WOG) are not limited to a mere determination of the accuracy of the content of the complaint. The investigative powers must, after all, serve to examine compliance with the provisions on personal data protection. For that reason, the investigation must at least also be able to address elements that are ancillary to the subject of the complaint.

116. The Disputes Chamber also points out that when the Inspection Service, in the course of an investigation into a complaint, finds that there are serious indications of the existence of a practice that could give rise to an infringement of the principles of the protection of personal data, the Inspectorate can investigate new elements of its own accord in accordance with Article 63, 6° WOG. The Dispute Chamber points out, however, that in the present case all the findings of the Inspectorate are directly or indirectly related to the subject of the complaint. All findings form part of one file that was submitted to the Inspectorate on the basis of Article 63, 2° WOG.

117. In addition, all legal aspects of the file are relevant to the complainant and her minor child, now that their personal data has been or will be processed by the defendant.
It is these processing operations that have been the subject of extensive investigation. All findings of the Inspectorate are therefore closely linked with the subject of the complaint.

118. Nor can it be argued in this regard that the scope of the file was unclear for the defendant, now that the decision of the Dispute Chamber dated April 20, 2020, inviting both parties to submit defenses in accordance with Articles 98 and 99 WOG, clearly refers to the complaint and the findings of the Inspection Service.

119. The Dispute Chamber's request to the Inspection Service therefore in no way restricts the scope of the investigation and the investigative possibilities of the latter. This is clear from the legal text. For that reason, the defendant's request to “split the prosecutions” is not upheld. It is also worth noting that, in accordance with Article 77 (2) GDPR, the complainant has the right to follow-up of the complaint and the subsequent file, which the national legislator has also comprehensively implemented procedurally by setting out in detail the role of the complainant in the procedure, in accordance with the European provision on this.

The size of the number of people involved

120. In its response to the penalty form, the defendant argues that the Dispute Chamber is competent only for the collection of personal data between May 25, 2018 and the end of October 2019. The Disputes Chamber points out that it is without doubt competent to pronounce on all personal data processing that took place after 25 May 2018. It is therefore not limited to processing operations related to personal data collected after May 25, 2018, but is also competent for the processing of personal data collected before May 25, 2018.

2.2. Consent and the lawfulness of the processing (Article 4, point 11, Article 6 (1) in conjunction with Article 7 GDPR)

121. With regard to the lawfulness of the processing (art.
6 GDPR), the defendant relies on art. 6 (1) (a) and (f) GDPR, respectively for the processing operations based on personal data collected after and before May 25, 2018.

122. Article 6 paragraph 1 a) concerns the consent of the data subject as the legal basis for the processing of personal data. The definition of “consent” of the data subject in the GDPR is the following: 5

“Any free, specific, informed and unambiguous expression of will by which the data subject, by means of a statement or an unambiguous active action, accepts the processing of personal data concerning him”

123. Recital 42 in fine clarifies in relation to that legal provision:

“Consent should not be considered to have been freely given if the data subject has no real or free choice or cannot refuse or withdraw consent without adverse consequences.” (the Dispute Chamber underlines)

3.2.1 The free nature of consent

124. The defendant alleges that the objections in the file regarding the free nature of the consent are unfounded because only a potential additional benefit would be lost. 6 The defendant refers on this point to a judgment of 19 February 2019 of the Marktenhof. 7 The defendant cites some elements:

o According to the Marktenhof, it cannot be considered a “disadvantage” that a customer is unable to create a loyalty card because he has declined the processing of the data on his identity card, required for the loyalty card.

o According to the Court, what is lost is just a potential additional benefit, not a legal or contractual right.

o According to the Marktenhof, there is thus not so much a disadvantage - but rather the loss of a limited benefit - when someone refuses to give permission to process his personal data.

125. The case referred to cannot in fact be compared with the present file.
This case concerns a different situation, because the benefits that those involved can acquire (i.a. receiving boxes and benefits) are in effect also lost if no consent is given. After all, the defendant uses an online subscription procedure in which the subscription to the benefits is always linked to the compulsory giving of the “agreement” for at least one form of transfer with a view to direct marketing. This concerns the essence of the service provided by the defendant, not an additional benefit such as a customer card.

5 Art. 4 (11) GDPR.
6 Marktenhof judgment 2009 / AR / 1600.
7 Marktenhof judgment 2009 / AR / 1600.

126. In addition, the Disputes Chamber points out that the loss of an advantage for a data subject as a result of a breach of a provision of the GDPR by a controller - such as defective provision of information - where the data subject would have acquired the advantage without that infringement, stands without further ado in a causal relationship with the infringement. 8 This should be taken into account when assessing the "free" nature of the consent within the meaning of Article 4, point 11 GDPR.

127. The data subject is left no choice as to which trade in personal data can take place in any context. The data subject (including the complainant) cannot proceed with the registration if the box is not checked. The question is therefore whether the consent in this matter is a sufficiently “free” consent within the meaning of the GDPR.

128. According to the European Data Protection Board (hereafter in English abbreviation: EDPB), consent is only valid if the person concerned can make a genuine choice and maintain control over their own personal data. 9 In accordance with Article 70 (1) (e) GDPR, the EDPB is empowered to issue guidelines to promote consistent application of the GDPR. These guidelines bind the Data Protection Authority as a member of the EDPB.
If the EDPB issues guidelines, members of the EDPB may be expected to comply with those guidelines. 10

129. In the guidelines on consent, the EDPB underlines that consent cannot be free, on grounds of "disadvantage", if there are "significant negative consequences" for the data subject. 11 Consent must be an autonomous act of the individual, free from external manipulations. 12 According to the regulation, consent may not be considered freely given when the individual has no real choice or is unable to refuse her or his consent without adverse consequences. 13

8 For the sake of completeness, the question could be raised whether, if a data subject were to claim damages (before a judge) pursuant to Article 82 GDPR for the loss of the aforementioned benefit, this could not be regarded as damage suffered by the data subject for which the data subject - on the basis of the aforementioned European provision - can receive compensation; for an in-depth discussion of the concepts, read J. HERBOTS, “Why It Is Ill-Advised to Translate Consequential Damage by Dommage Indirect” in European Review of Private Law, 2011, Vol. 19 (6), 931-949.
9 EDPB Guidelines 5/2020 on consent under Regulation 2016/679 (v. 1.1.), 4 May 2020, available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf (hereinafter Guidelines 5/2020), marg. 13.
10 Compare AG Bobek's reasoning in case C-16/16 P, Belgium v Commission, ECLI:EU:C:2017:959, paras 89-90.
11 Guidelines 5/2020, 14-15.

130. The defendant not only offers products and discount coupons, but also provides a service by providing information to data subjects. The defendant offers (expectant) mothers information sheets about pregnancy and the subsequent period.
Neither the products and other benefits nor the information sheets can be enjoyed if the data subject does not transmit personal data and agree to dozens of further transfers and other processing operations, which clearly constitutes a disadvantage for the data subject.

131. The EDPB has also provided examples in this regard in its Guidelines 5/2020. As an example, it is discussed there that there appears to be no disadvantage where the benefits can also be obtained in another way. 14 A contrario, the benefits here are not obtainable in any other way, and not giving consent is a disadvantage for the data subjects, including the complainant.

132. Moreover, the consent is not granular in nature. All purposes for further processing are bundled when data subjects grant consent to the defendant. Likewise, the categories of the recipients of the personal data are not sufficiently clearly defined and the partners of the defendant are not fully identified for those involved. In this way, those involved cannot estimate the impact or nature of the passing on of their data. Data subjects' control over their personal data is consequently taken from them.

12 Compare KOSTA, E., Consent in European Data Protection Law, Leiden, Martinus Nijhoff Publishers, 2013, p. 169.
13 Recital 42 GDPR.
14 Guidelines 5/2020, 14-15.

133. The GDPR states in recital 43 that consent “is considered not to be freely given if separate consent cannot be given for different personal data processing operations, despite the fact that this is appropriate in the individual case, or if the performance of an agreement, including the provision of a service, depends on the consent despite the fact that such consent is not necessary for that performance.” So it is possible that a data subject merely wishes to obtain the boxes presented by the defendant and therefore wants to transfer the contact details to the defendant, but this is not possible because
the defendant also inextricably ties other purposes for the personal data to the consent (selling and renting the personal data for commercial purposes).

134. When the controller has multiple purposes (and in addition multiple processing operations) when collecting the same personal data, according to the EDPB, “those concerned should be free to choose which purposes they accept, instead of having to consent to a package of processing purposes.” 15

135. If only because of the non-free nature of the consent, the consent is not legally valid under Article 6 (1) point a) in conjunction with Article 7 GDPR.

3.2.2 The “informed” nature of a consent

136. Exercising positive pressure (such as offering discounts on products) does not invalidate the consent provided that the data subject has received all necessary information with regard to the processing of his personal data and is given a real choice to decide. In the present case, however, the person concerned did not receive all necessary information. The complaint has precisely this aspect as its object.

137. Moreover, it is clear from the file and the arguments of the defendant in the proceedings on the merits that not even all partners could be known to those involved on the basis of the information available to them at the time of consent, now that the defendant does not disclose all its partners for reasons based on Directive 2016/943 on Business Secrets. 16

138. The EDPB literally writes in its Consent Guidelines “that if several (joint) controllers rely on the requested consent or if the data will be passed on to or processed by other controllers who rely on the original consent, all these organizations should be mentioned.” 17

15 Guidelines 5/2020, marg. 42.
16 Cited in footnote 4.
17 Guidelines 5/2020, marg. 65.

139.
The complaint emphasizes the non-transparent provision of information whereby an incorrect perception is created among the complainant and other parties involved. Thus the complainant indicates that the initiative of the boxes seems to be linked to a government initiative.

140. If a company wants to rely on the legal basis of consent, data subjects must clearly know all parameters when giving this consent. After all, informed consent means that it must be based on an appreciation and understanding of the facts and implications of an action. This means that the data subject must be provided, in a clear and comprehensible manner, with accurate and complete information on all relevant issues such as the nature of the processed data, the purposes of the processing, the recipients of possible transfers and the rights of the data subject. 18 In this case, the consent is neither sufficiently informed nor sufficiently specific.

141. Two more aspects are important in giving valid consent. First and above all, the quality of the information must be sufficient. The way the information is provided by the defendant is not sufficient. The Inspectorate noted that the communication about the activity of trading in personal data is not explicit and in plain language, but only in vague terms such as “for the purpose of sending products, offers and information”. In this way the defendant camouflages the activity of trade in personal data by not communicating about it in the same clear way as about receiving the “free” benefits.

142. The information regarding the trade in personal data is additionally provided in legal terms. Explicit terms such as advertising and marketing are avoided in external communication, for example. The defendant must be clear and understandable in its communication for those involved, “for the average person, and not just for lawyers.
” 19 The defendant's working method, however, creates confusion and does not sufficiently take into account the impact on (the rights of) the data subjects.

143. Second, the accessibility and visibility of the information is important. Information must be given directly to individuals. It is not enough to make it "available" elsewhere (for example through a privacy policy on the website). 20 In the online reality, it is not uncommon for information to be given to data subjects through a privacy policy, 21 but it must be sufficiently clear so that it is understandable for data subjects in order to give informed consent. 22 The reference must be visible on the form / reply card where the consent is given, and not in small letters on the side, as is the case with the defendant.

18 Guidelines 5/2020, marg. 64.
19 Guidelines 5/2020, 18.

144. Also on the basis of the insufficiently “informed” nature of the consent, the consent is not legally valid under Article 6 (1) point a) in conjunction with Article 7 GDPR. This defect is already sufficient to establish an infringement of Article 6 (1) point a) in conjunction with Article 7 GDPR.

3.2.3 The conditions of "specificity" and "unambiguity" for legally valid consent

145. Informed consent is associated with specific consent. When data processing activities that require consent are not specific and are therefore unclear, the data subject cannot make informed decisions about these activities. 23 Here, too, the lack of granularity in itself points to the inadequacy of the specific nature of the consent.

146. It can also be pointed out that the gradual blurring of the objectives for which personal data are processed is a risk for data subjects in this specific file.
In the description of the purposes by the defendant there is the phenomenon of "function creep", which leads to the unforeseen use of the personal data of the complainant and other parties involved for purposes that were not clear or insufficiently clear to them, and by partners who were not or not sufficiently known to them. 24

147. To be specific, consent must refer very precisely to both the scope and the consequences of the data processing. 25 Because of this, the consent is moreover not unambiguous, because those involved do not know what they agree to.

20 Guidelines 5/2020, 18-19.
21 KOSTA, E., Consent in European Data Protection Law, Leiden, Martinus Nijhoff Publishers, 2013, p. 215.
22 SCHERMER, CUSTERS, VAN DER HOF, Ethics Inf Technol, 2014/16.
23 Guidelines 5/2020, 15-16.
24 Guidelines 5/2020, marg. 56.
25 Guidelines 5/2020,.

3.2.4 Additional Conditions for Obtaining Legally Valid Consent

148. The withdrawal of consent in accordance with Article 7 paragraph 3 GDPR is inseparably associated with giving the consent. The defendant argues that there are several possibilities to revoke the consent. At the time of submission of the complaint, however, it was clearly not as easy to withdraw the consent as to give it.

149. The withdrawal was not sufficiently facilitated because it was only stated in the defendant's online privacy policy and, moreover, only in small print there. The right to withdraw consent was thus not indicated on the screen when the permission was given. Furthermore, the unsubscribe page was only available in English or French at the time of the complaint. With the use of consent as a legal basis it is essential that it is clearly stated (at the time of giving consent) that the consent can always be withdrawn, and in a simple manner. The withdrawal is thus not as easy as giving consent, contrary to Article 7 (3) GDPR.

150.
An additional problematic element is the fact that when the consent is effectively withdrawn by a data subject, the personal data is not deleted or erased by the defendant but only set to “inactive”. However, a controller must - as soon as the consent has been withdrawn - ensure that the data is erased, unless there is another legal ground to process the data. 26

151. The Disputes Chamber therefore also establishes an infringement with regard to the other conditions for a legally valid consent, in particular that contained in Article 7 (3) GDPR.

3.2.5 The lawfulness of the processing of personal data of the minor child

152. The Disputes Chamber also notes that at least the date of birth of the child is collected and further processed by the defendant. Also, the defendant provides for the option of making other personal data of the child known to third parties, as also stated in the privacy statement. 27

26 Compare: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-if-somebody-withdraws-their-consent_en.

153. Recital 38 of the GDPR states:

“Children have the right to specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards involved and of their rights in connection with the processing of personal data. That specific protection must in particular apply to the use of children's personal data for marketing purposes or for creating personality or user profiles and to the collection of personal data about children when using services provided directly to children. In the context of preventive or advisory services offered directly to a child, the consent of the person holding parental responsibility is not required.”

154.
Although the child's date of birth is linked to the identity of the parent, the date of birth can also be attributed specifically to the individual child. That is also the case for the child's surname and first name. It is not because the personal data is attributed to the parent ("the date of birth of their child") that it does not (also) belong to the minor child. So personal data of the minor child, as referred to in Article 4 (7) GDPR, is indeed being processed. This child is a data subject whose personal data must be processed in accordance with the provisions of the GDPR.

155. According to the defendant, such processing takes place in order to send a specific box to the parent at a certain age of the child. For the processing of that personal data, a legal basis within the meaning of Article 6 (1) GDPR must therefore be indicated by the defendant as the controller, which it fails to do. 28

156. Although in the present case the child's mother gave her consent, it is in theory possible that she does not hold parental authority over the child, and thus cannot give consent for the processing of that child's personal data. In addition, there are other reasons why a parent might agree to the processing of their own personal data, but not that of her or his child(ren). The person who exercises parental authority must therefore also grant permission for the processing of the child's personal data.

27 https://www.derozedoos.be/privacy#3.
28 Article 5 (2) GDPR and Article 24 GDPR require the controller to organize compliance with the provisions of the GDPR and to be able to demonstrate it.

157. The Disputes Chamber concludes that in any case there is no lawful processing of the personal data of the minor child because the defendant fails to indicate a basis, which constitutes an infringement of Article 6 (1) GDPR.

2.3.
Lawfulness of processing of personal data collected before 25 May 2018 on the basis of legitimate interests (Article 6 (1) (f) GDPR)

158. Article 6 paragraph 1 f) concerns the legitimate interest of the controller as the legal basis for processing the personal data. The question is whether the further processing of personal data collected before May 25, 2018 is lawful under the aforementioned legal provision in the GDPR.

159. In accordance with the case law of the Court of Justice (EU), the controllers must demonstrate that:

1) the interests they pursue with the processing can be recognized as justified (the “target test”);

2) the intended processing is necessary for the realization of those interests (the “necessity test”); and

3) the balancing of those interests against the interests, fundamental freedoms and fundamental rights of data subjects weighs in favor of the controllers or of a third party (the “balancing test”). 29

160. First of all, it can be established that the further processing of personal data collected before May 25, 2018 can be regarded as in accordance with the legitimate interests of the defendant and therefore in itself passes the target test. The commercial interest of the defendant appears, within the present legal situation, to be a legitimate interest under the GDPR. However, it must be investigated whether the processing also passes the necessity test and the balancing test.

29 CJEU judgment of 4 May 2017, Rigas satiksme, C-13/16, EU:C:2017:336, paragraph 28.

161. First of all, the Disputes Chamber establishes that, although a commercial interest can properly be considered a legitimate interest in the spirit of the GDPR, there is on the other hand no need to process certain personal data if there are other possibilities for carrying out the processing lawfully and thus safeguarding the legitimate interests.
It is not for the Disputes Chamber to determine the defendant's litigation strategy or to provide advice in this regard. However, the Disputes Chamber concludes that the defense does not show that the defendant has sufficiently investigated whether and why no other options exist to ensure the lawfulness of the processing, such that basing the processing operations on the legitimate interest becomes necessary. For that reason, the aforementioned processing by the defendant does not pass the necessity test.

162. In accordance with the balancing test, the defendant's legitimate interest must be weighed against the reasonable expectations, interests and rights of those involved. The defendant uses conditions that are too abstract and does not mention any explicit terms such as advertising, direct marketing and trade in personal data. It is impossible for data subjects to estimate how many other companies will further use their personal data.

163. In addition, the defendant does not provide sufficient information about the types of processing operations that can follow after the trading of the personal data. Hospitals and gynecologists are used in distributing the boxes. This could generate the wrong perception among those involved, namely that the defendant is a non-profit organization or government initiative and not a private company that trades in personal data. The Disputes Chamber finds that the defendant is insufficiently transparent to those concerned about the benefits offered in relation to the transfer of personal data. There is a clear mismatch between the promised benefits and the activities that are not clearly highlighted, being the reselling / selling of the personal data to third parties.
In itself, those involved can perhaps still expect that, in a case where data subjects transfer personal data to a company and receive certain benefits for this, this company can afterwards approach the parties involved for marketing reasons. In the present case, however, the problem is that there is a retransmission of the personal data by the defendant to third parties. This does not belong to the reasonable expectations of those involved.

164. To prove that the defendant took into account and thought about the relevant and effective safeguards in the context of Article 6 paragraph 1 f), only one document was prepared, containing a risk-based approach. The defendant cannot sufficiently demonstrate which concrete technical or organizational measures provide adequate protection. It has not been shown that this document is actually applied in practice. As long as there is no additional evidence of the actual application in practice, such documents cannot be accepted as proof of effective and relevant safeguards. The defendant further argues that there is a limitation on the number of times the data is accessed, through the use of control addresses. However, the Inspectorate determined that the use restriction and the receipt of an objection do not (always) work in practice. Based on the aforementioned considerations and the lack of evidence of effective technical and organizational measures to safeguard the interests of data subjects, the Disputes Chamber finds a violation of Article 6 (1) f) GDPR.

165. The Disputes Chamber concludes that there has been a violation of article 6, paragraph 1, point f) on the ground that it cannot establish that the defendant has an adequate legal basis to justify the processing of personal data under art. 6 (1) point f) GDPR (legitimate interest). The conditions which the GDPR imposes for this purpose have not been met.
This is in line with case law that states that a processing activity can only be allowed if it complies with the rules on the lawfulness of the processing. 30

2.4. With regard to the transparency obligation (art. 5, paragraph 1, point a) in conjunction with art. 12 and art. 13 GDPR)

166. The Disputes Chamber rejects the defendant's assertion that the transparency requirements under Article 5 (1) (a) GDPR have been met.

30 ECJ, cases C-465/00, C-138/01 and C-139/01, Rechnungshof v. Österreichischer Rundfunk and others; Neukomm and Lauermann v. Österreichischer Rundfunk, para. 65; CJEU, C-524/06, Huber v. Germany, December 16, 2008, para. 48.

167. Transparency is crucial to give data subjects control over their personal data and to provide effective protection of personal data. 31 The transparency obligation in the GDPR requires that all information or communication regarding the data processing is easily accessible and understandable for data subjects. 32 The aim is to create a trusted environment for data processing for data subjects. 33 These problems are related to the judgment of the Disputes Chamber on the validity of the consent. It is not sufficiently clear to the complainant and other parties involved what exactly the defendant's activities involve. The fact that the complainant thinks the defendant is a non-profit organization or government initiative illustrates this. More transparent information needs to be offered to data subjects, for example about the fact that data subjects obtain certain benefits only if they provide their personal data.

168. The defendant argues that Article 13 GDPR only requires information about the categories of data recipients, not about the legal transaction that underlies the communication of the personal data (in particular “renting” or “selling” data).
The Disputes Chamber rejects this statement because, pursuant to Article 13 (1) c) GDPR, the purposes of the processing for which the personal data are intended must be stated. This means that the defendant should have indicated that these personal data would be rented / sold to third parties.

169. The defendant further suggests that a detailed and complete publication of the list of partners would infringe its trade secrets. According to the defendant, there are two equal rights in conflict with each other: on the one hand, the right to data protection and, on the other hand, the right to protection of trade secrets, in accordance with the aforementioned Directive 2016/943. This reasoning cannot be retained, given that the right to the protection of personal data is a fundamental right protected in the EU treaties and the GDPR, which can only be limited in cases provided for by the legislator. Neither European legislation nor the Belgian legislation implementing Article 23 GDPR provides for a restriction of the publication of the name of recipients of personal data.

31 Communication European Commission, An integrated approach to the protection of personal data in the European Union, COM (2010) 609 final, p. 6.

32 Recital 39 GDPR.

33 DE HART, PAPAKONSTANTINOU, Computer Law & Security Review 2016, p. 134.

170. In addition, the Disputes Chamber finds that the core of the activities in this file consists in the transfer of personal data, and the policy of the defendant about this. It cannot be decided, at the expense of those involved, that the commercial interests of the defendant or its partners sometimes do, and sometimes do not, weigh against the rights of those data subjects. Moreover, as more and more partners are added, the list still does not seem to be exhaustive.
In any case, it is true that, at the time of the report of the Inspectorate, the complainant brought to light that boxes and fill-in cards were distributed by a then unnamed partner.

171. The activities of the defendant touch the core of the GDPR. It is of fundamental importance that those involved know which partners can contact them.34 This would be different if the partners only supplied goods without asking for anything in return. Here, however, it is the case that the personal data is sold. In such situations it is by definition the duty under article 5 j° article 13 GDPR for the defendant to display / mention the partners.

172. The Disputes Chamber concludes from this that the commercial activities of the defendant, focused on advertising, media representation and trade in personal data, were not communicated in a sufficiently transparent manner to those involved. The Disputes Chamber considers a violation of Articles 5, paragraph 1, point a), 12 and 13 GDPR proven.

2.5. Regarding the retention period under art. 5, par. 1, point c) j° art. 25 GDPR

173. The defendant has not taken the appropriate technical and organizational measures to ensure that only personal data necessary for each specific purpose of the processing are processed. However, this practice belongs to the core of the responsibility of the processor, which has become all the more important with the introduction of the GDPR.35

34 This view was also taken by the Information Commissioner's Office in the Bounty UK case (https://ico.org.uk/media/action-weve-taken/mpns/2614757/bounty-mpn-20190412.pdf). This case also involved very parallel information. Here too, data was collected from the mother as a parent and their newborn child. In addition, this similar case shows that the aforementioned practice is not unique in Europe. There is a real need to enforce the GDPR to protect a vulnerable population.

35 QUELLE C., Privacy, Proceduralism and Self-Regulation in Data Protection Law 2017, p. 6.
174. The defendant does not clearly distinguish the purposes of the processing. If a person concerned subscribes to an additional box, for the defendant this implies agreement with the trade in personal data. Furthermore, the defendant has not demonstrated that a received objection to direct marketing is always communicated to the defendant's partners. The retention period of 18 years is also disproportionate to the initial consent and the reasonable expectations of the complainant and other parties involved. After all, the originally offered products (benefits) mainly concern baby items. Finally, the defendant that its website does not offer a practical possibility to immediately withdraw the consent granted. All these aforementioned elements go against the principles of proportionality and data protection by design.

175. At the hearing, the defendant compares the situation with that of a subscription to a newspaper, which must also be explicitly canceled. However, these situations are not comparable. When subscribing to a newspaper, the person concerned knows, through obtaining and systematically paying for that newspaper, that their relationship with the newspaper is continued. This is not the case in the present situation. At the least, the respondent should explicitly state that the personal data will be kept for 18 years and regularly remind the person concerned of this, as well as of the possibility to end the relationship.

176. The Disputes Chamber concludes from the above considerations that Article 5 paragraph 1 c) j° 25 GDPR.

2.6. Regarding accountability under Art. 5.2. j° art. 24 GDPR

177.
The defendant has not, taking into account the nature, scope, context and purpose of the processing, as well as the different risks in terms of likelihood and severity for the rights and freedoms of natural persons, taken the appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is in accordance with the GDPR. There was no clear evidence of effective technical and organizational measures to protect the interests of those involved within the framework of article 6 paragraph 1 f).

178. Accountability in accordance with Articles 5 (2) and 24 GDPR requires that the controller take measures to comply with data protection principles and obligations and, upon request, show that they have been complied with.36 However, the defendant has not shown that the activity of the trade in personal data by the partners is made clear to those involved in an adequate manner. Furthermore, no records were kept of the requests for rectification either, and the defendant could not (immediately) prove that an effective erasure of the personal data had taken place. In fact, the respondent claims that it retains the email addresses of the data subjects who have requested the erasure of their personal data anyway, to ensure that no new account can later be created from the same email address. However, this completely ignores the letter and spirit of the right to erasure.

179. The Disputes Chamber concludes from the above considerations that Article 5 paragraph 2 j° 24 GDPR.

2.7. Regarding art. 14 GDPR

180. The Disputes Chamber does not find an infringement of Article 14 of the GDPR, as the defendant obtains the personal data directly from the data subjects and Article 14 GDPR thus does not apply. It is the defendant's partners who must meet the requirements of Article 14 GDPR, as they obtain the personal data from the defendant and not directly from those involved.

2.8.
Regarding art. 28 para. 3 GDPR

181. The defendant failed to enter into a processor agreement between itself and one of its partners, who kept fill-in cards for the defendant at the time of the complaint. This is a processing of personal data as referred to in Article 4 1) and 2) GDPR.

182. According to the defendant, this retention by Y4 did not fall under the material scope of the GDPR, since the mere storage of the fill-in cards would not constitute processing of personal data within the meaning of Article 2 GDPR.

183. Article 2 (1) GDPR states that the GDPR applies “to the wholly or partly automated processing, as well as the processing of personal data that are included in a file, or are intended to be included therein.” (underlining by the Disputes Chamber)

36 Article 29 Working Party, "Opinion 3/2010 on the principle of accountability", p. 3.

184. Since the fill-in cards are ab initio intended to be included in a file (by the defendant), Y4's keeping of the fill-in cards is indeed a processing within the meaning of the GDPR.

185. The Disputes Chamber thus establishes a violation of Article 28 paragraph 3 GDPR on the part of the defendant, since the latter should have concluded a processing agreement with Y4, which the defendant failed to do.

2.9. Regarding art. 37 and 38 GDPR

186. The defendant states that it is not obliged on the basis of Article 37.1 GDPR to appoint a data protection officer because it is not a government body. Furthermore, according to the defendant, its core activity is not the follow-up of (expectant) mothers on a regular, systematic and large-scale basis. The defendant alleges that there is no evidence that it would meet these conditions. In any case, the defendant has appointed an officer in the meantime.

187.
The Disputes Chamber does not address the question to what extent the defendant was obliged to appoint a data protection officer, also in view of the fact that a data protection officer has since been appointed and that the gist of the infringements in the present case is independent of the position of the data protection officer. In general, the Disputes Chamber points out that it attaches great importance to compliance with the obligations surrounding the data protection officer.

3. Breaches of the GDPR and the complainant's requests

188. The Disputes Chamber considers it proven that the defendant has infringed the following provisions:

a. Article 5 (1) (a) GDPR, given the lack of transparent information provision, whereby an incorrect perception is created among the data subjects, including the complainant. In the perception of those involved, the initiative of the boxes is more often linked to a non-profit organization or a government initiative, so that it is not clear to the complainant that it concerns a private company which, moreover, trades in personal data as an activity. There is a clear mismatch between the promised benefits and that not clearly explained activity;

b. Article 5, paragraph 1, c) j° Article 25 GDPR, given that the defendant has not taken the appropriate technical and organizational measures to ensure that only personal data are processed that are necessary for each specific purpose of processing. The retention period of 18 years is disproportionate to the initial consent and reasonable expectations of the complainant and other stakeholders. After all, the originally offered products (benefits) mainly concern baby stuff.

c. Article 6 GDPR, in particular Article 6 (1) (a) and (f) GDPR, given that there cannot be free, specific, informed and unambiguous consent of the complainant (see Article 4, point 11) GDPR).
After all, the complainant did not know all parameters when giving the consent, which prevents the consent from being informed. In addition, the further processing of personal data collected before May 25, 2018 is not necessary to promote the legitimate interests of the defendant - nor do those legitimate interests outweigh the interests, fundamental rights and fundamental freedoms of those involved;

d. Article 7 (3) GDPR, given that, at the time of the complaint, the consent could not be withdrawn as easily as it could be given;

e. Article 13 GDPR, in view of the inadequate, non-transparent provision of information.

f. Article 24 GDPR, given that the defendant, taking into account the nature, scope, context and purpose of the processing, as well as the various risks in terms of likelihood and severity to the rights and freedoms of data subjects, has not taken appropriate technical and organizational measures.

g. Article 28 (3) GDPR, given the lack of a processor agreement between the defendant and one of its partners who kept fill-in cards for the defendant at the time of the complaint, which constitutes a processing of personal data as intended in Article 4 (2) GDPR.

189. The Disputes Chamber considers it appropriate to recommend that the processing be brought into accordance with the provisions of the GDPR, in particular Article 5 (1) GDPR, article 24 and article 28 GDPR, all this based on article 58.2, d) GDPR and article 100, §1, 9° WOG, within six months after the notification of this decision, and to inform the Disputes Chamber about this within the same period. This relatively long time limit is set, knowing that this decision may require a significant adjustment of business operations on the defendant's part.

190. Furthermore, the Disputes Chamber considers it appropriate, in addition to this corrective measure, to impose an administrative fine (Article 83 (2) GDPR; Article 100, §1, 13° WOG and article 101 WOG).
The Disputes Chamber points out that in many cases - including the present case - an administrative fine is the appropriate measure that is sufficiently effective, proportionate and dissuasive. The enforcement of Union law by Member States must meet these requirements, in order to implement the obligation to cooperate in good faith (Article 4, paragraph 3, of the EU Treaty). These requirements therefore do not only apply to the imposition of a fine in accordance with Article 83 (1) GDPR, but also when choosing between the different types of sanctions provided in Article 58, paragraph 2 GDPR and Article 100 WOG. Where the Disputes Chamber considers it appropriate to sanction an action that has already taken place, the GDPR and the WOG have only very limited alternatives, which in many cases are even more insufficiently effective, proportionate and dissuasive.

191. Taking into account article 83 GDPR and the case law37 of the Marktenhof, the Disputes Chamber motivates the imposition of an administrative fine in concrete terms:

a. The seriousness of the breach: Violations of Articles 5, 6 and 7 GDPR give rise to the highest fines under Article 83 (5) GDPR. The combined infringements of Articles 13, 24, 25 and 28 GDPR show that the controller has failed to bring its processing into accordance with data protection legislation, although the processing of those personal data forms the core of its business activities. All elements of the file show that insufficient account was taken of the expectations of the citizen and the implications for the personal data protection.

37 Brussels Court of Appeal (section Marktenhof), X t. GBA, Judgment 2020/1471 of 19 February 2020.

b. Duration of the infringement: The defendant has been operating for a very large number of years and during all these years has not been able to adapt its business model to the legislation on personal data protection, which nevertheless gets to the core of its activities.

c.
The scope of the infringement: The number of data subjects affected is considerable. After all, according to the findings of the Inspectorate at the time of its investigation, it concerns personal data from 21.10% of the Belgian population, and in any case a significant number of those involved. The Disputes Chamber has taken note of the objections the defendant has made to this in its response to the fine form (supra, paragraphs 101 and 102). First of all, the Disputes Chamber has already established that the data of minor children, which the defendant considers solely as personal data of the parent ("characteristic of the mother"), should also be attributed to the children as those involved. It is indeed about personal data processing of those children. Subsequently, the Disputes Chamber determines that the defendant itself cannot indicate the correct number of data subjects whose personal data it processes (“well below 1,000,000”), which is striking in itself, in the light of the technical and organizational measures that the defendant must take to ensure that the personal data comply with the processing principles of personal data, including the accuracy of personal data, the obligation on storage limitation and the minimum data processing obligation. The Disputes Chamber considers the Inspectorate's estimate to be the most reliable and establishes that the defendant does not provide additional elements which may contradict this figure as an estimate.

d. The necessary deterrent to prevent further infringements: This file shows that insufficient account is taken of the personal data protection of data subjects, which should actually be central given the defendant's business model. After all, the processing of personal data is a core activity of the defendant. In fact, the defendant trades this personal data with third partners.
It is therefore crucial that such data brokers / companies function in compliance with the provisions of the GDPR. The facts, circumstances and established infringements therefore require a fine that meets the need to have a sufficiently deterrent effect ("effet dissuasif"), sanctioning the defendant sufficiently, lest practices involving such violations be repeated, and so that the respondent would from now on pay more attention to personal data protection.

192. The Disputes Chamber points out that the other criteria of art. 83.2. GDPR are in this case not of such a nature that they lead to an administrative fine other than that which the Disputes Chamber has established within the framework of this decision.

193. The Disputes Chamber takes note of the defendant's response to the penalty form, and takes into account in particular the economically precarious conditions for the company, and the potential impact of a high administrative pecuniary sanction on the company and its employees. The Disputes Chamber emphasizes, however, that economically sound entrepreneurship can never come at the expense of fundamental rights of citizens, as enshrined in Article 8 of the Charter of the European Union and as specified in the GDPR. It is also up to the defendant, as controller, to take its responsibility to ensure that it takes sufficient technical and organizational measures so that its processing takes place in accordance with the GDPR, which is not the case here, evidencing the defendant's negligence.

194. The Disputes Chamber is of the opinion that in some sectors of the economy there is reason, given the exceptional circumstances of the COVID-19 health crisis, to reduce administrative fines to a certain extent, without this being detrimental to the necessary deterrent effect of the fine.
For the activities of the defendant, where the proceeds are mainly related to the trading of personal data, however, there is no specific reason for this. Considering the above, the Disputes Chamber will lower the amount of the fine proposed in the fine form and sets the fine at EUR 50,000.

4. Publication of the present decision

195. It is in the public interest to notify the public, given the nature of the infringements and the large number of people involved in Belgian society.

196. Given the importance of transparency with regard to the decision-making process of the Disputes Chamber, this decision is published, in accordance with Article 100, §1, 16° WOG, on the website of the Data Protection Authority with reference to the identification data of the defendant, because of the specificity of the activities of the defendant and their public awareness, which preclude a meaningful omission of the identification data, as well as the general importance of the present decision, but with the omission of the identification data of the complainant, given that these identification data are not necessary and relevant to the publication of the decision. The identification data of the defendant's partners are also omitted.

FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after consultation, with respect to the defendant:

- pursuant to Article 58.2, d) GDPR and Article 100, §1, 9° WOG, to order the defendant to bring the processing into accordance with the provisions of the GDPR, in particular Article 5 (1) GDPR, Article 24 and Article 28 GDPR, within six months after notification of this decision, and to inform the Disputes Chamber about this within the same term.

- on the basis of Article 83 GDPR and Articles 100, 13° and 101 WOG, to impose on the defendant an administrative fine of EUR 50,000 for violation of Articles 5, 6, 7, 13, 24, 25 and 28 GDPR.

Against this decision on the basis of art.
108, §1 WOG, an appeal may be lodged within a term of thirty days from the notification, at the Marktenhof, with the Data Protection Authority as defendant.

(signed) Hielke Hijmans
Chairman of the Disputes Chamber