APD/GBA (Belgium) - 57/2021

From GDPRhub


To summarise, the complainant claimed that his health data was used by an insurance company for a purpose to which he had not explicitly agreed. The defendant now claims legitimate interest as the legal basis.
=== Holding ===
Legal basis of legitimate interest
The defendant states that non-sensitive personal data can be processed based on legitimate interest for different purposes:
- conducting computer tests;
- monitoring the quality of service;
- training of personnel;
- monitoring and reporting;
- storing recordings of video surveillance for the statutory period; and
- compiling statistics from coded data, including big data.
For each of these purposes, a balancing test was done.
The DPA recites the requirements for relying on [[Article 6 GDPR#1f|Article 6(1)(f)]], namely a purpose test, the necessity of the processing and a balancing test.
As regards the first condition (the so-called "purpose test"), the DPA considers that the processing purpose as described by the defendant must be considered as carried out in view of a legitimate interest. The interest pursued by the defendant as the data controller can in itself be regarded as legitimate, in accordance with recital 47 of the GDPR.
In order to satisfy the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking whether the same result can be achieved by other means, without processing personal data or without an unnecessarily intrusive processing for the data subjects.
In order to verify whether the third condition of [[Article 6 GDPR#1f|Article 6(1)(f)]] - the so-called "balancing test" between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing may take place for that purpose."
<u>Conducting computer tests</u>
The DPA holds that this purpose satisfies the first, second and third criteria. It does state that the data subject could be better informed about the tests.
<u>Monitoring the quality of service and compiling statistics from coded data, including big data</u>
This topic has three parts: "statistics and quality tests", "satisfaction questionnaires" and "quality tests operations". The legitimate interest basis for each of them was assessed by the DPA:
'''Statistics and quality tests'''
All criteria have been fulfilled.
'''Satisfaction questionnaires'''
All criteria have been fulfilled.
'''Quality tests operations'''
All criteria have been fulfilled.
<u>Training of personnel</u>
The first criterion has been fulfilled. The necessity test has not been fulfilled, as it is not necessary to use client data in order to provide training cases for personnel; this is a breach of the data minimisation principle of [[Article 5 GDPR#1c|Article 5(1)(c)]]. The balancing test is also not fulfilled, as it is not within the reasonable expectations of a person taking out insurance that their information will be used as a training example.
<u>Monitoring and reporting</u>
The first criterion has been fulfilled. The second criterion has been fulfilled, as a minimum of data is necessary to fulfil legal obligations. Said legal obligations, however, did not provide an explicit legal basis for the processing. The third criterion has also been fulfilled, as it is a reasonable expectation of a data subject that the insurance company must fulfil its legal obligations.
<u>Storing recordings of video surveillance for the statutory period</u>
The first and second criteria have been fulfilled. The third criterion has not been fulfilled, as a data subject signing an insurance contract cannot reasonably expect that their data will be used for video surveillance. This falls under the Camera Law of 21 March 2007, including the obligation to put up pictograms to inform the data subjects.
<u>Model of balancing test</u>
The defendant states that all these balancing tests scored less than 30 on the model it used, which according to the defendant means that legitimate interest can be used as a legal basis. The DPA holds that such a model is purely instrumental and that no legal value can be given to it.
<u>Legal basis for transfer to third parties</u>
The defendant claims that transfers to third parties are not a processing purpose, but a form of processing within the meaning of [[Article 4 GDPR#2|Article 4(2)]].


As the defendant is not able to state a specific and separate purpose for the transfer to a third party, and in light of the transparency principle within the meaning of [[Article 13 GDPR#1c|Article 13(1)(c)]], there is a breach of the GDPR.
<u>Transparency principle</u>


Notwithstanding [[Article 13 GDPR#1d|Article 13(1)(d)]] regarding transparency of its legitimate interests, the defendant claims that it fulfilled the requirements by merely stating in the privacy notice that the personal data will be processed based on its legitimate interest, without indicating what those interests are.


As the defendant is not able to state a specific and separate purpose for the transfer to a third party, and in light of the transparency principle within the meaning of [[Article 13 GDPR#1d|Article 13(1)(d)]], there is a breach of the GDPR. Even if the defendant does not want to share sensitive information, it must at least provide more information to its data subjects in a clear and transparent way. Sharing company-sensitive or 'heavy' documents themselves is not required for this.
===Decision===


Based on the above, the first decision, and the appeal, the fine for the insurance company is reduced to €30.000 (from €50.000).
== Comment ==
''Share your comments here!''
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


<pre>
Dispute Chamber

Decision on the merits 57/2021 of 06 May 2021

File number: DOS-2019-02902

Subject: Lack of transparency in a privacy statement of an insurance company (reconsideration of decision 24-2020)

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the rules of internal procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

has taken the following decision regarding:

    - Mr X, hereinafter "the complainant";
    - Y, represented by Masters Benoit Van Asbroeck and Simon Mortier, hereinafter "the defendant".

1. Facts and procedure
 
 
 
 
1. This decision is a reconsideration of decision 24/2020 of the Disputes Chamber of 14 May 2020, and implements the judgment of the Marktenhof of 18 November 2020, with roll number 2020/AR/813.

2. This decision must be read in conjunction with decision 24/2020 and contains a review to give the defendant the opportunity to defend himself regarding all breaches of the GDPR for which a sanction was imposed in the initial decision, insofar as these infringements are contested by Y. With this review, the Disputes Chamber thus remains within the framework of the initial decision, also with regard to the administrative fine, which cannot exceed the amount of the initially determined fine. With regard to the allegations for which the Disputes Chamber ruled in the initial decision that there was no breach of the GDPR, that judgment is preserved. The infringements identified in the initial decision and not contested by Y remain equally preserved.

3. On June 14, 2019, the complainant lodged a complaint with the Data Protection Authority against the defendant.
    The object of the complaint concerns the use of health data, which the insurance company of the person concerned obtained under a hospitalization insurance, for other purposes without the express consent of the insured person concerned. The complainant states that he has no problem with his health data being processed for the performance of obligations under the hospitalization insurance taken out with the defendant, but a problem when those same health data are processed for the purposes listed in point 4.3 of the privacy statement and for the transfer to third parties as mentioned in point 9 of the same privacy statement (it concerns point 6, but the reference to point 9 is a material mistake) as stated in the defendant's privacy statement. He asks that, specifically for those purposes as well as for the transfer, the defendant gives the data subject the choice to consent or not to the processing of his health data.
    Finally, the complainant indicates that he wishes to receive the data protection impact assessment of the defendant, as a high-risk data processing is involved.

4. On 26 June 2019, the complaint is declared admissible on the basis of Articles 58 and 60 of the WOG, the complainant is informed of this on the basis of art. 61 WOG and the complaint is submitted to the Disputes Chamber on the basis of art. 62, §1 WOG.

5. On 23 July 2019, the Disputes Chamber decides on the basis of art. 95, §1, 1° and art. 98 WOG that the file is ready for treatment on the merits.

6. On July 24, 2019, the parties concerned are notified of the provisions as stated in article 95, §2 and in art. 98 WOG. The parties concerned are also informed, on the basis of art. 99 WOG, of the time limits for submitting their defenses. The deadline for receiving the complainant's reply was set at 7 October 2019, and at 7 November 2019 for the defendant.

7. On July 29, 2019, the defendant reports to the Disputes Chamber that it has taken note of the complaint; it requests a copy of the file (art. 95, §2, 3° WOG) and accepts all communication regarding the case electronically (art. 98, 1° WOG).

8. A copy of the file is sent to the defendant on 30 July 2019.

9. On August 2, 2019, the Disputes Chamber receives a letter in which the defendant indicates that he wishes to be heard by the Disputes Chamber (art. 98, 2° WOG).

10. On September 6, 2019, the Disputes Chamber receives the statement of defense from the defendant. The respondent argues, first, that the processing of special categories of personal data, in this case health data, by health insurer Y happens in a lawful manner. The processing of these special categories of personal data (Art. 9 GDPR) is prohibited in principle. The respondent invokes the exception of Article 9(2)(a) GDPR, the express consent of the data subject. Second, the respondent argues that no separate consent is required for each transfer of personal data. Thirdly, according to the respondent, there is no question of asking consent for the processing of data other than health data. Finally, according to the respondent, a data protection impact assessment is not necessary in this case, since it concerns existing processing operations and not new processing operations commenced after May 25, 2018.

11. The complainant has not exercised the right to submit a reply.

12. The defendant does not submit a new claim and only submits exhibits on 7 November 2019 in support of the statement of defense submitted on 6 September 2019.

13. On January 9, 2020, the parties are notified that the hearing will take place on January 28, 2020.

14. On January 28, 2020, the defendant is heard by the Disputes Chamber. The complainant, though duly summoned, did not appear. Among other things, the defendant answers questions from the Disputes Chamber on the legal basis for the processing of personal data other than health data. After this, the debates are closed.

15. On January 29, 2019, the official report of the hearing is presented to the parties.

16. On January 31, 2020, the defendant provides the annual turnover of the last three financial years, as requested during the hearing. For the years 2016-2018, these always amount to a turnover between 500 and 600 million Euros.

17. On 6 February 2020, the Disputes Chamber receives a number of comments from the defendant with regard to the official report, which it decides to include in its deliberations.

18. On March 25, 2020, the Disputes Chamber notifies the defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend himself before the sanction is imposed.

19. On May 8, 2020, the Disputes Chamber receives the respondent's response to the intention to impose an administrative fine, as well as the amount thereof. The defendant alleges that the alleged infringements as contained in the intention of the Disputes Chamber would be completely new and that he was unable to defend himself against them. However, the Disputes Chamber must establish from the documents in the file that it is indisputable that the defendant can exercise full rights of defense.
    The defendant also claims to disagree with the imposition of a fine, or with the intended amount of the fine. However, he does not put forward any (new) arguments in substantiation of this thesis. The response of the defendant therefore gives the Disputes Chamber no reason to adjust the intention to impose an administrative fine, nor to change the amount of the fine as intended.

20. On May 14, 2020, the Disputes Chamber ruled as follows in its Decision on the merits 24/2020:
    - on the basis of art. 100, §1, 9° WOG, to order the defendant that the processing is brought into line with article 5.1 a), article 5.2, article 6.1, article 12.1, article 13.1 c) and d) and 13.2 b) GDPR.
    - on the basis of art. 100, §1, 13° WOG and art. 101 WOG, to impose an administrative fine of EUR 50,000 as a result of the violations of article 5.1 a), article 5.2, article 6.1, article 12.1, article 13.1 c) and d) and article 13.2 b) GDPR.

21. On 17 June 2020, the Disputes Chamber receives the notification of an application against the GBA, lodged at the Registry of the Court.

22. The introductory session before the Marktenhof takes place on 24 June 2020, at which the conclusion deadlines for the parties are set and the case is set for pleadings at the session on October 21, 2020.
    The Marktenhof passes judgment on 18 November 2020.
    The judgment contains the following points for attention with regard to the assessment of the subject of the petition:
    • Annulment of decision on the merits no. 24/2020 of 14 May 2020 of the Disputes Chamber.
    • The Marktenhof argues that the defendant should be given the opportunity - after the complaint is ready and clearly formulated in writing - to take a written position on it. The fact that the defendant was asked on the occasion of the hearing (which was stated in the minutes of the hearing) to take a position on the general question of the legitimate interest on which the defendant relies for processing other than health data, and that the defendant only formulated a brief answer to this without any reservations or objections, does not adequately justify decision no. 24/2020 of 14 May 2020.
 
 
  23. Following up on the judgment, the Disputes Chamber will decide on November 27, 2020 to proceed
 
      to retake the file with a view to taking a new decision. The
 
      The underlying consideration is that the Disputes Chamber notwithstanding the
 
 
 
 
 
1
  The judgment is available on the website of the Data Protection Authority via the following link:
https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-markthof.pdf Decision on the merits 57/2021 - 6/36
 
 
 
 
    annulment of the aforementioned decision by the judgment of the Marktenhof, is still contained
 
    by the initial complaint filed on June 14, 2019 as declared admissible by the
 
    First-line service on June 26, 2019. Therefore, the debates will be reopened
 
    and new closing deadlines are set, so that parties can take a stand
 
    regarding the legitimate interest on which the defendant relies on other than
 
    process health data.
 
 
 
  The parties are notified of the following settlement deadlines:
 
  • the deadline for the complainant's reply is set at 8
 
      January 2021;
 
  • the deadline for the defendant's reply is set at 19
 
      February 2021;
 
 
  The date of the hearing will also be determined, which will take place on March 22, 2021.
 
 
 
24. On 27 November 2020, the Disputes Chamber will receive the notification from the complainant that the
 
    because of the clear arguments it seems unnecessary to add additional arguments to him.
 
    On the same day, the Disputes Chamber will inform the defendant that it informs the complainant
 
    has stated that it will not submit a conclusion. At the request of the defendant, the
 
    The Disputes Chamber also states that the initially determined date for the statement of reply of the
 
    defendant, as well as the date of the hearing.
 
 
 
25. On February 19, 2021, the Disputes Chamber will receive the conclusion with accompanying documents from
 
    the defendant. In it, the defendant puts forward the following pleas:
 
          • The respondent can rely on its legitimate interests for the processing
 
              of personal data for purposes in accordance with Article 4.3 of its old
 
              privacy statement (no violation of article 5.1 a); 5.2, 6.1 f) and 13.1 c) and d)
 
              GDPR.
 
          • Respondent can rely on an applicable legal basis for transfers to
 
              third parties in accordance with Article 6 of the old privacy statement (no
 
              violation of articles 5.1 a), 5.2, 6.1 and 13.1 c) and d) GDPR.
 
          • If defendant cannot invoke all legal grounds under Article
 
              6.1 GDPR for the processing purposes in accordance with Article 4.3 of the old
 
              privacy statement and transfers to third parties in accordance with Article 6 of the old
 
              privacy statement, this constitutes an infringement of the freedom to conduct a business of the
 
              defendant.
 
          • Respondent argues that a reprimand is sufficient and that the administrative fine of
 
              € 50,000.00 is disproportionate. Decision on the merits 57/2021 - 7/36
 
 
 
26. On March 22, 2020, the parties will be heard by the Disputes Chamber. The complainant, though
 
    duly summoned, did not appear. The defendant will explain his defense during the hearing
 
    to. No elements other than those that already form part of this are applied
 
    File. After this, the debates are closed.
 
 
 
 
27. The minutes of the hearing will be presented to the parties on 25 March 2021
 
    in accordance with Article 54 of the Rules of Procedure. The defendant delivers on April 5
 
    2021 the Disputes Chamber some comments with regard to the official report, which
 
    she decides to include it in her deliberation.
 
 
 
28. On April 6, 2021, the Disputes Chamber announced its intention to the defendant
 
    to proceed to impose an administrative fine, as well as the amount
 
    in order to give the defendant the opportunity to defend himself before the sanction
 
    is effectively enforced.
 
 
 
29. On April 27, 2021, the Disputes Chamber will receive the respondent's response to the intention
 
    to impose an administrative fine, as well as the amount thereof.
 
    In summary, the defendant states in his response to the intention to impose a
 
    administrative fine the following:
 
 
 
  - With regard to the lack of a demonstrated legitimate interest as a legal basis for the
 
      purposes “training personnel” and “storage of video surveillance recordings
 
      during the legal period, ”the defendant argues that there was no
 
      questions were asked regarding legality, necessity or the
 
      proportionality of these processing purposes.
 
 
 
      In this regard, the Disputes Chamber notes that the defendant in the claims already
 
      The legality, necessity and proportionality of all have been discussed extensively
 
 
      processing purposes, including those for “staff training” and “storage
 
      of video surveillance recordings during the legal period ”, so that no
 
      additional clarification was requested during the hearing. Be at a hearing
 
      only punctual questions were asked about any remaining uncertainties in order to clarify them
 
      and to allow the Disputes Chamber to form an opinion.
 
      At present, the Disputes Chamber can only establish that the respondent's response to the
 
      intention to impose an administrative fine as a result of the infringement of
 
      Article 6.1 GDPR with regard to the purposes “training personnel” and “storage
 
      of video surveillance recordings during the legal period ”in the absence of a Decision on the merits 57/2021 - 8/36
 
 
 
    demonstrated legitimate interest as legal basis, does not contain any new elements that of
 
    nature to change the judgment of the Disputes Chamber.
 
 
 
- With regard to the amount of the fine, the defendant is of the opinion that no fine is possible
 
 
    be charged for charging that personal data would have been processed without it
 
    to have a legitimate interest. At the very least, the defendant believes that a
 
    amount of EUR 30,000 is disproportionately high. The defendant argues that from the
 
    written conclusions and the hearing revealed that general training material
 
    in principle, it is always anonymized and there is virtually no personal data of customers
 
    are processed via CCTV. The documents in the file do not show that either
 
    any personal data of the complainant would have been processed for this
 
    processing purposes. For that reason, the complainant (and by extension the other customers of
 
    defendant), have in principle not been personally harmed by any lack of
 
    legitimate interests for the processing activities “staff training” and
 
    “The storage of video surveillance recordings during the legal period”.
 
 
 
    The Disputes Chamber emphasizes whether or not experiencing any personal harm
 
    does not constitute a criterion for imposing an administrative fine, as this is not
 
    included in Article 83.2 GDPR. It will therefore motivate this sanction in its decision below
 
    without taking into account whether or not the complainant has any personal disadvantage
 
    ago. The criteria for imposing an administrative fine are clearly defined
 
    in article 83.2 GDPR, on which the Disputes Chamber will make its decision regarding the administrative
 
    fine.
 
 
 
    To the extent necessary, the Disputes Chamber adds that the complainant is
 
    has provided personal data to the defendant for processing under a
 
    hospitalization insurance and the defendant then on the basis of the then
 
    privacy statement indicated that the personal data of the complainant was also processed for all
 
    purposes stated in the privacy statement. Based on the then privacy statement
 
    the defendant processed the complainant's data for each of the purposes included
 
    in the privacy statement. This is also evident from the conclusion that underlies the current one
 
    decision, in which the defendant himself defines the allegations arising from the complaint
 
    (see marginal 33) and the allegations under points f), g) and h) are the subject of
 
    his defense. The allegations arising from the complaint and as made by the defendant himself
 
    described in his conclusion, concern defects in the privacy statement issued by the complainant
 
    concern, as well as ipso facto any other customer of the defendant who has a
 
    take out hospitalization insurance. After all, the privacy statement is not exclusively for the complainant
 
    drawn up, but for each client of the defendant who takes out hospitalization insurance. Decision on the merits 57/2021 - 9/36
 
 
 
    This also explains why the defendant in his claim the legality, necessity
 
    and proportionality of all processing purposes, without distinction of whether or not
 
    concerns a processing purpose for which personal data of the complainant will be made
 
    processed, tries to demonstrate. The defendant verifies whether it is for all processing purposes
 
 
    has a legitimate interest, because for each of those processing purposes the
 
    personal data of the complainant were processed in accordance with the then
 
    privacy declaration.
 
 
 
- In addition, the defendant is of the opinion that an amount of EUR 30,000 is disproportionate to the infringement.

More specifically, as regards the seriousness of the infringement, the defendant does not agree with the statement of the Disputes Chamber that, solely because an infringement of Articles 5 and 6 GDPR is involved, the infringements would automatically be "serious" and "weighty". The defendant argues that, on the one hand, these articles underlie almost the entire GDPR, so that virtually any violation of the other GDPR articles can be reduced to an infringement of Articles 5 and 6 GDPR. On the other hand, classifying these infringements as "serious" and "weighty" prevents a distinction from being drawn with infringements that are actually weighty and serious, such as, for example, the complete absence of a privacy statement. However, this is not at all relevant here. The defendant argues that it has indeed stated these processing purposes in its privacy statement and has carried out an extensive weighing of interests with due diligence to determine whether it can rely on its legitimate interests.
 
 
 
Regarding the defendant's contention that a breach of the basic principles of the GDPR laid down in Articles 5 and 6 GDPR cannot automatically be considered serious and weighty, the Disputes Chamber notes that Article 83.5 GDPR itself provides for a more severe penalty for this infringement, for which the highest maximum fine has been set precisely because these are basic principles that lie at the heart of any data processing. The defendant's claim that any breach of the GDPR can be traced back to a breach of the basic principles does not stand: the Disputes Chamber is seized of the complaint and carries out the assessment against the GDPR within those limits, so that, contrary to what the defendant maintains, by no means every infringement could be "reduced" to a violation of the basic principles. Since the complaint concerns precisely the basic principles, the Disputes Chamber will rule on the application of those principles. Where the defendant cites as an example that the complete absence of a privacy statement would be serious and weighty, the Disputes Chamber states that the total lack of a privacy statement would not only be a serious and weighty infringement, but a total disregard of the GDPR. However, this does not mean that a defective privacy statement, such as in the present case, which does not respect the basic principles of the GDPR, should not be classified as serious and weighty.
 
 
 
 
Regarding the duration of the breach, the defendant points out that it already amended its privacy statement during the initial procedure at the beginning of 2020, and amended it again following the initial decision of the Disputes Chamber at the beginning of 2021, and that this should be taken into account as an attenuating circumstance. As to the deterrent effect, the defendant again points to its willingness to constantly adjust its privacy statement, which it has done twice in a very far-reaching manner, so that, according to the defendant, the purpose of these proceedings has been achieved.
 
 
 
The Disputes Chamber has already stated, when announcing its intention to impose an administrative fine and the amount thereof, that the efforts already made by the defendant to bring the new privacy statement into line with the GDPR are evidence of its willingness. It must however be noted that, although the changes made to the new privacy statement are a favorable element in the assessment of the administrative fine, they do not mean that the infringements established are thereby rectified (see marginal 120). The Disputes Chamber gives more detailed reasons for the imposition of the administrative fine in section 3 of this decision.
 
 
 
It follows from the foregoing that the defendant's response to the Disputes Chamber gives no cause to adjust the intention to impose an administrative fine, nor to change the intended amount of the fine.

2. Justification

1. Legitimate interest

a) Preliminary remark
 
 
 
30. It follows from the judgment of the Marktenhof that the Disputes Chamber, in its decision 24/2020 of 14 May 2020, would have ruled without the defendant being able to defend itself fully, because the decision of the Disputes Chamber would not have been limited to the allegations that are the subject of the complaint.
 
 
 
 
 
31. However, the complainant explicitly states in the complaint that the customer should be given the choice whether or not to agree to the processing operations listed in points 4.3 and 6. After all, once he has given his consent to the processing of his personal data in the context of hospitalization insurance, the data processing should, according to the complainant, be limited to the performance of the obligations arising from that insurance. The complainant argues that the defendant may not use his data for any other purpose, more specifically the purposes stated in points 4.3 and 6 of the old privacy statement, without consent. The complaint thus concerns the legal basis of the processing for the purposes listed in point 4.3. The complainant believes that consent is required for the purposes mentioned in point 4.3, and that the defendant therefore cannot automatically also use the data obtained on the basis of consent in the context of hospitalization insurance for other purposes, for which the defendant relies on its legitimate interest.

32. The complaint thus essentially relates to the legal basis on which the defendant can rely to process the personal data obtained from the complainant for the purposes listed in points 4.3 and 6 of the defendant's old privacy statement.
 
 
 
33. In the present submission of the defendant, the allegations are listed in paragraphs a) to h):

“a) Y would obtain consent to the processing of medical data for the purpose of concluding and executing insurance contracts under duress, whereby this consent would be invalid (violation of Articles 5(1)(a) (legality principle), 6(1)(a) and 9(2)(a) GDPR);

b) Y must grant the Complainant access to the DPIA (“GBEB”) that it allegedly carried out for the processing of medical data in connection with the performance of insurance contracts with its customers (violation of Articles 35 and 36 GDPR);

c) Y should, in Articles 4.3 and 6 of the old Privacy Statement, make a better distinction between the processing of medical data on the one hand and the processing of other "ordinary" personal data on the other hand (violation of Article 13(1)(c) GDPR);

d) Y should take additional steps to inform data subjects of their right to object pursuant to Article 21(2) GDPR (violation of Articles 12(1) and 13(2)(b) GDPR);

e) Y should further clarify the legal grounds referred to in Article 6 of the old Y Privacy Statement for the transfer of personal data to third parties (violation of Article 13(1)(c) GDPR);

f) Y would process personal data without a proven legal basis (including its legitimate interest within the meaning of Article 6(1) GDPR) for a number of the purposes stated in Article 4.3 of the old Y Privacy Statement and for the transfers to third parties referred to in Article 6 of the old Y Privacy Statement (violation of Articles 5(1)(a) (principle of legality) and 6(1) GDPR);

g) Y would have provided insufficient information in its old Privacy Statement about its legitimate interests, where Y invokes this legal basis (violation of Articles 5(1)(a) (principle of transparency) and 13(1)(c) and (d) GDPR);

h) Y, where it relies on this legal basis, would not have sufficiently demonstrated why its legitimate interests would exist and would have failed to demonstrate to what extent its interests would outweigh the interests and fundamental rights of the Complainant (violation of Article 5(2) GDPR).”
 
 
 
34. The defendant also confirms that the allegations set out in points a) to h) arise from the complaint by stating the following in its submission: “Should the Disputes Chamber consider that the above allegations and alleged violations of the GDPR by Y (points a to h) do not arise from the complaint […], the Disputes Chamber is invited to inform Y of this […].”
 
 
 
35. The Disputes Chamber notes in this regard that the allegations, as now described by the defendant in points a) to h) and which the defendant now acknowledges do indeed arise from the complaint, were already contained in the complaint, but that the defendant nevertheless put forward no defense in respect of f), g) and h) in the procedure prior to decision 24/2020 of 14 May 2020. As to the allegations under a) to e) of its submission, the defendant indicates that it has either been able to defend itself and has been upheld by the Disputes Chamber (this concerns allegations a) and b)), or has not disputed the allegations and has corrected them in the new privacy statement (this concerns the allegations under c), d) and e)). Regarding the established infringement of Article 13.1 c) GDPR relating to the allegation under c), the breach of Articles 12.1 and 13.2 b) GDPR relating to the allegation under d), and the infringement of Article 13.1 c) GDPR relating to the allegation under e), the Disputes Chamber refers to its reasoning on these points in decision 24/2020 of 14 May 2020. The defense in the present submission focuses only on the allegations under points f), g) and h).
 
 
 
36. To the extent that there was some uncertainty on the part of the defendant about the subject of the complaint prior to decision 24/2020, the Disputes Chamber has nevertheless offered the defendant the opportunity to submit a defense, and the Disputes Chamber will now examine whether, and if so to what extent, the defendant has infringed the GDPR with regard to the allegations described in points f), g) and h) of its submission, and whether the administrative fine should be maintained.

b) Legal basis for the purposes stated under 4.3 of the privacy statement
 
 
 
37. The defendant argues that it can rely on its legitimate interests for the processing of non-sensitive personal data for the following purposes under point 4.3 of the old privacy statement:

• performing computer tests;
• monitoring the quality of the service;
• training of personnel;
• monitoring and reporting;
• the storage of video surveillance recordings during the legal period; and
• compiling statistics on coded data, including big data.
 
 
 
 
 
 
 
38. For each of these purposes, the defendant has carried out a balancing of interests. The Disputes Chamber assesses below the weighing of interests for each of these purposes in accordance with its established decision-making practice for assessing legitimate interest.[2]

[2] See inter alia: Decision on the merits 03/2021 of 13 January 2021; Decision on the merits 71/2020 of 30 October 2020; Decision on the merits 36/2020 of 9 July 2020; Decision on the merits 35/2020 of 30 June 2020.

39. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European Union, three cumulative conditions must be met for a controller to be able validly to invoke this ground of lawfulness, “namely, first, the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed; second, the necessity of processing the personal data for the purposes of the legitimate interest; and third, the condition that the fundamental rights and freedoms of the person concerned by the data protection do not prevail” (“Rīgas” judgment).[3]
 
 
 
40. In other words, in order to be able to rely on the lawfulness ground of “legitimate interest”, it is for the controller to show that:

1) the interests pursued by this processing can be recognized as legitimate (the “purpose test”);
2) the intended processing is necessary for the realization of these interests (the “necessity test”); and
3) the balancing of these interests against the interests, fundamental freedoms and fundamental rights of the data subjects weighs in favor of the controller (the “balancing test”).
 
 
 
41. With regard to the purpose of “performing computer tests”, the defendant argues the following:

“Context of the processing purpose
This processing purpose includes the tests performed by IT testers and developers:
• related to "changes", which are minor changes or relate to purely functional aspects; and
• in the context of any automation projects.
These tests are carried out as part of:
• IT and network security;
• the maintenance, improvement and development of (the quality of) Y products and services; or
• improving the customer experience (e.g. to make internal processes and systems for back-office activities more efficient, to improve the user experience in Y's digital channels, etc.).
This process does not include the acceptance and emulation phase, which can only be carried out by specialized teams before the changes can actually be implemented and put into production.”

[3] CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme', recital 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, recital 40.
 
 
 
 
42. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered as carried out in pursuit of a legitimate interest. The interest pursued by the defendant as controller can in itself be regarded as legitimate, in accordance with recital 47 GDPR. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.
 
 
 
43. In order to fulfill the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking whether the same result can be achieved by other means, without processing personal data or without an unnecessarily intrusive processing for the data subjects.
 
 
 
44. With regard to the purpose of performing computer tests, the Disputes Chamber must note that the defendant asserts that, where possible, dummy data or anonymous data are used (e.g. in the case of changes where different systems or applications are involved and that require a unique reference, such as the policy number). Only when there is no other option are personal data used in order to be able to realize the intended change or development. Possibilities for (further) limiting the data processing are constantly being investigated and progressively introduced as part of the project 'data anonymization in non-production environments'. Furthermore, strict access controls have been introduced on the IT environments where the IT tests are carried out. Procedures have also been established for how these IT tests must be carried out, which must be observed by all concerned.
 
 
 
 
45. The Disputes Chamber notes that the defendant states that it only uses personal data when there is no other option. During the hearing, Y stated that the tests are always carried out on the basis of dummy data, but that the test phase determines the extent to which such data can be used for testing. After all, in some cases the limits of what data masking can achieve are reached. This has to do with the life cycle of the tests: dummy data can gradually be used in IT testing, but sometimes the processing of personal data is required in order to be able to ensure the interaction between applications. The Disputes Chamber is of the opinion that the defendant has thus made it reasonably plausible that the computer systems cannot always be tested on the basis of anonymized or pseudonymized data. The second condition is thus fulfilled, by showing that the principle of data minimization (Article 5.1 c) GDPR) has been complied with. Nevertheless, the Disputes Chamber notes that, for the purpose of clarification towards the customers concerned, the defendant might consider providing a brief explanation in the privacy statement of the cases in which the defendant has no choice but to perform computer tests with personal data.
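The measures the defendant describes in marginals 44 and 45 (dummy or anonymized data where possible, real personal data only where a cross-system reference such as the policy number makes it unavoidable) can be made concrete. The following Python is an added illustration and is not code from the decision or from the defendant; the sample records, the field names and the key are constructed for the example. It shows one way to keep a unique reference joinable across two exported datasets while removing health data and direct identifiers: the policy number is replaced by a keyed HMAC token, so the same policy maps to the same token in every export, but a tester who only sees the test environment cannot recompute or reverse the mapping without the key, which stays outside that environment.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample data (not from the decision): two systems that share the
# policy number as their only cross-system reference. This is the situation
# in which the defendant says dummy data alone does not suffice.
POLICIES = [
    {"policy_no": "HOSP-2019-000123", "name": "Anna Janssens",
     "birth_date": "1984-03-17", "email": "anna@example.invalid"},
    {"policy_no": "HOSP-2020-004711", "name": "Bram Peeters",
     "birth_date": "1971-11-02", "email": "bram@example.invalid"},
]
CLAIMS = [
    {"claim_id": "C-1", "policy_no": "HOSP-2019-000123",
     "diagnosis": "appendicitis", "amount": 1250.0},
    {"claim_id": "C-2", "policy_no": "HOSP-2020-004711",
     "diagnosis": "fracture", "amount": 830.5},
    {"claim_id": "C-3", "policy_no": "HOSP-2019-000123",
     "diagnosis": "pneumonia", "amount": 2100.0},
]

# Health data (Article 9 GDPR) is dropped outright; direct identifiers are
# replaced by synthetic values that are not derived from the originals.
HEALTH_FIELDS = {"diagnosis"}
DIRECT_IDENTIFIERS = {"name", "email"}


def pseudonymize_reference(value: str, key: bytes, prefix: str = "TST") -> str:
    """Keyed, deterministic pseudonym for a cross-system reference.

    HMAC-SHA256 under a secret key: equal inputs give equal tokens (joins keep
    working), while without the key the token cannot be reversed or
    recomputed from a guessed policy number.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:16]}"


def synthetic_identifier(field: str, index: int) -> str:
    """Replacement for a direct identifier; carries no information about the original."""
    return f"Test Person {index}" if field == "name" else f"person{index}@test.invalid"


def mask_record(record: Dict, key: bytes, index: int) -> Dict:
    """Return a copy of one record fit for a non-production environment."""
    out: Dict = {}
    for field, value in record.items():
        if field in HEALTH_FIELDS:
            continue                                   # drop, do not merely hide
        if field == "policy_no":
            out[field] = pseudonymize_reference(value, key)
        elif field in DIRECT_IDENTIFIERS:
            out[field] = synthetic_identifier(field, index)
        elif field == "birth_date":
            out[field] = value[:4]                     # generalize to birth year
        else:
            out[field] = value
    return out


def export_for_test(policies: List[Dict], claims: List[Dict], key: bytes) -> Tuple[List[Dict], List[Dict]]:
    masked_policies = [mask_record(p, key, i) for i, p in enumerate(policies, 1)]
    masked_claims = [mask_record(c, key, i) for i, c in enumerate(claims, 1)]
    return masked_policies, masked_claims


def join_still_works(masked_policies: List[Dict], masked_claims: List[Dict]) -> bool:
    """Referential integrity check: every claim must still find its policy."""
    known = {p["policy_no"] for p in masked_policies}
    return all(c["policy_no"] in known for c in masked_claims)


def leaks_original_values(masked: List[Dict], originals: List[Dict], fields: List[str]) -> bool:
    """True if any original value of the given fields survived in the export."""
    original_values = {str(r[f]) for r in originals for f in fields if f in r}
    dump = json.dumps(masked)
    return any(v in dump for v in original_values)


if __name__ == "__main__":
    # The key is a constructed placeholder; in practice it is held by the
    # export job and never deployed into the test environment.
    key = b"constructed-demo-key-keep-outside-test-env"
    policies, claims = export_for_test(POLICIES, CLAIMS, key)
    print(json.dumps({"policies": policies, "claims": claims}, indent=2))
    print("join intact:", join_still_works(policies, claims))
```

The export keeps exactly the property the defendant needs (the claims still join to their policies) while the test environment never receives names, e-mail addresses, full birth dates or the diagnosis field; `leaks_original_values` is the kind of check a release pipeline can run over every export before it reaches testers.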
 
 
 
46. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether “the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.[4]

[4] Recital 47 GDPR.

47. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used to perform computer tests. After all, customers expect the correct execution of their insurance contracts, which goes hand in hand with safe and correct management of IT systems. The interest of the customers thus requires that the functionalities of the IT environment be tested for this purpose.

48. Accordingly, the Disputes Chamber decides that the defendant may rely on the legal basis contained in Article 6.1 f) GDPR for the processing for the purpose “performing computer tests”.

49. Regarding the purposes “monitoring the quality of the service” and “compiling statistics on coded data, including big data”, the defendant states that this comprises three parts and sets out the following:

- For the section “Statistics and quality tests”

“Context of the processing purpose
Y, as an insurer, is subject to prudential supervision. This means, among other things, that it is bound to overall control of its company and its performance, including, but not limited to, the audit of sales performance, the performance and fees of certain hospital networks and the coverages/reimbursements. This relates to the general control of the quality of the services and the performance of the insurance company in order to ensure its continuity. This processing purpose includes both one-off and recurring reports, with or without the use of big data methodologies. These are mainly aggregated or anonymised reports, unless specific statistics are required (by category, e.g. per age group).”
 
 
 
 
50. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the context of the processing purpose as described by the defendant must be considered as carried out in pursuit of a legitimate interest. The interest pursued by the defendant as controller can in itself be regarded as legitimate, in accordance with recital 47 GDPR. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.
 
 
 
51. In order to fulfill the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking whether the same result can be achieved by other means, without processing personal data or without an unnecessarily intrusive processing for the data subjects.
 
 
 
52. The Disputes Chamber notes that the defendant justifies the necessity of compiling statistics and performing quality tests only by stating that financial viability, quality of service, premium setting and performance cannot be determined without actively measuring them. The Disputes Chamber by no means misunderstands the defendant's need for statistics and quality tests, but the defendant mainly limits itself to asserting that aggregated or anonymized reports are prepared, unless specific statistics are required (per category, such as e.g. per age group). Moreover, the defendant states that those reports may or may not be produced using big data methodologies.
 
 
 
53. The extent to which the statistics still contain personal data or allow the re-identification of a data subject was further explained during the hearing. The defendant states that there are still very few statistics containing personal data. The statistics do not contain names and certainly no health data. The statistics do contain codes, but they are mass aggregated, segmented data. Directive (EU) 2016/97 on insurance distribution[5] and the Belgian legislation implementing this Directive also require that personal data be processed for specific reporting. Sometimes policy data are processed in the reporting, but no further processing of them takes place in the statistics. Each report has one purpose and the processing may not go beyond that. A register is kept of those reports and their purpose; they are strictly regulated through the data warehouse, and "approvals" are required in order to deviate from it.
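The controls described in marginal 53 (statistics built on codes rather than names, aggregated per segment, one registered purpose per report, and approval needed to deviate) correspond to two well-known privacy-engineering measures: a report register that gates which dimensions a report may use, and small-cell suppression so that a segment such as an age group with very few policyholders is not published. The Python below is an added example and not code from the decision or from the defendant; the coded records, the report name, the reference year and the suppression threshold are constructed for the example.

```python
from typing import Dict, Iterable, List

# Constructed sample of coded policy data (no names, no health data), in the
# spirit of the "coded, segmented" statistics the defendant describes.
CODED_POLICIES = [
    {"code": "TST-a1", "birth_year": 1984, "region": "BRU", "premium": 420.0},
    {"code": "TST-b2", "birth_year": 1971, "region": "VLG", "premium": 510.0},
    {"code": "TST-c3", "birth_year": 1990, "region": "VLG", "premium": 390.0},
    {"code": "TST-d4", "birth_year": 1988, "region": "WAL", "premium": 405.0},
    {"code": "TST-e5", "birth_year": 1955, "region": "WAL", "premium": 610.0},
    {"code": "TST-f6", "birth_year": 1986, "region": "BRU", "premium": 415.0},
    {"code": "TST-g7", "birth_year": 1983, "region": "VLG", "premium": 430.0},
]

REFERENCE_YEAR = 2021   # constructed: year against which age bands are computed
MIN_CELL = 3            # constructed threshold: smaller cells are suppressed

# Register of reports. Each report has exactly one purpose and a fixed set of
# approved segment columns; anything else needs a new registered entry (the
# "approval" step), so an ad hoc drill-down cannot silently add a column that
# narrows a cell down to one person.
REPORT_REGISTER = {
    "premium-by-age-band": {
        "purpose": "quality and performance monitoring",
        "allowed_dimensions": {"age_band"},
    },
}


def is_approved(report_name: str, dimension: str) -> bool:
    """True only if the report is registered and the dimension is approved for it."""
    spec = REPORT_REGISTER.get(report_name)
    return spec is not None and dimension in spec["allowed_dimensions"]


def age_band(birth_year: int, reference_year: int = REFERENCE_YEAR) -> str:
    """Generalize a birth year to a ten-year age band such as '30-39'."""
    age = reference_year - birth_year
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def build_report(report_name: str, records: Iterable[Dict], dimension: str) -> Dict[str, Dict]:
    """Aggregate coded records for a registered report, suppressing small cells.

    Output cells carry only a count and an average premium; the codes never
    appear in the result, and a cell with fewer than MIN_CELL policyholders is
    replaced by a suppression marker instead of a value.
    """
    if not is_approved(report_name, dimension):
        raise PermissionError(f"{dimension!r} is not an approved dimension of {report_name!r}")

    cells: Dict[str, List[float]] = {}
    for r in records:
        key = age_band(r["birth_year"]) if dimension == "age_band" else str(r[dimension])
        cells.setdefault(key, []).append(r["premium"])

    report: Dict[str, Dict] = {}
    for key, premiums in sorted(cells.items()):
        n = len(premiums)
        if n < MIN_CELL:
            report[key] = {"count": None, "avg_premium": None, "suppressed": True}
        else:
            report[key] = {"count": n, "avg_premium": round(sum(premiums) / n, 2), "suppressed": False}
    return report


if __name__ == "__main__":
    for band, cell in build_report("premium-by-age-band", CODED_POLICIES, "age_band").items():
        print(band, cell)
```

With the constructed data only the 30-39 band has enough policyholders to be published; the 50-59 and 60-69 bands each contain a single person and are suppressed rather than reported, and a request for the unregistered "region" dimension is refused before any aggregation runs.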
 
 
 
54. The Disputes Chamber decides that the defendant has made the necessary efforts to limit the data processing for this purpose to what is strictly necessary. The second condition is thus fulfilled by showing that the principle of data minimization (Article 5.1 c) GDPR) has been complied with.

55. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether “the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.

56. The Disputes Chamber follows the defendant's position that if a person enters into an insurance agreement with Y, he can reasonably expect that Y will perform internal checks and compile statistics in order to ensure that Y fulfills its contractual obligations.

57. Accordingly, the Disputes Chamber decides that the defendant can invoke the legal basis included in Article 6.1 f) GDPR for the processing for the purpose “Statistics and Quality Requirements”.

[5] Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast), OJ L 26/19.

- For the section “Satisfaction surveys”
 
 
 
“Context of the processing purpose
This processing purpose includes determining the NPS ("Net Promoter Score"), the satisfaction factor of the customers, on the basis of an external survey by a third party in order to safeguard the anonymity of the survey. This factor is calculated with regard to the follow-up by the Y Contact Center and the claims department (claims handling).”
 
 
 
58. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered as carried out in pursuit of a legitimate interest. The interest pursued by the defendant as controller can in itself be regarded as legitimate, in accordance with recital 47 GDPR. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.
 
 
 
59. In order to meet the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking whether the same result can be achieved by other means, without processing personal data or without an unnecessarily intrusive processing for the data subjects.
 
 
 
60. With regard to the purpose of conducting satisfaction surveys, the Disputes Chamber must note that the defendant asserts that the customer can give an opinion anonymously through this survey and thus assert his interests. The results are aggregated and processed by an outside company so that the anonymity of the data subjects can be safeguarded. During the hearing it was added that customers always have the choice whether or not to participate in the survey, as they always have the right to object. The Disputes Chamber finds that the customers thus have the necessary freedom of choice and that the results of those who participate in the survey are made available to the defendant in anonymous form. The second condition is thus fulfilled by showing that the principle of data minimization (Article 5.1 c) GDPR) has been complied with.
 
 
 
61. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether “the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.[6]
 
 
 
62. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used by the defendant to gauge his satisfaction with the service provided by the defendant.
 
 
 
 
 
63. Accordingly, the Disputes Chamber decides that the defendant can rely on the legal basis included in Article 6.1 f) GDPR for the processing operations for the purpose “conducting satisfaction surveys”.
 
 
 
- For the part “Quality tests operations”

“Context of the processing purpose
This processing purpose relates to the general control of the quality of the operational services and performance of Y. This concerns quality checks in which every employee involved must perform 2 random checks per week on the correct underwriting or performance of the insurance contract and on the applicable instructions and procedures for this purpose.”
 
 
 
 
64. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered as carried out in pursuit of a legitimate interest. The interest pursued by the defendant as controller can in itself be regarded as legitimate, in accordance with recital 47 GDPR. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.
 
 
 
65. In order to fulfill the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking whether the same result can be achieved by other means, without processing personal data or without an unnecessarily intrusive processing for the data subjects.

[6] Recital 47 GDPR.
 
 
 
 
66. With regard to the purpose, being the general control of the quality of the operational services and performance of Y, the Disputes Chamber must note that the defendant argues that Y is subject to the Insurance Distribution Directive (EU) 2016/97 and the Belgian implementing legislation, which oblige insurance companies to tailor their services to the wishes and needs of their customers. As indicated during the hearing, the defendant does not invoke its legal obligation (Article 6.1 c) GDPR) as the legal basis for the processing, given that the nature and scope of the reporting are not explicitly imposed as such by law. Hence, for that processing the defendant relies on its 'legitimate interest under that legislation' as the legal basis.

The second condition is thus fulfilled by showing that the principle of data minimization (Article 5.1 c) GDPR) has been complied with. The processing of personal data is necessary in order to actively measure the quality of the service.
 
 
 
67. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether “the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.[7]
 
 
 
 
68. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used to carry out internal quality control to ensure that Y complies with its legal and contractual obligations.
 
 
 
  69. Accordingly, the Disputes Chamber decides that the defendant applies for processing operations for the
 
      purpose “quality testing operations” can rely on the legal basis included in Article
 
      6.1 f) GDPR.
 
 
 
  70. With regard to the purpose of “training personnel”, the defendant states the following:
 
 
 
 
    “Context of the processing purpose
 
 
 
 
 
 
 
 
7 Recital 47 GDPR. Decision on the merits 57/2021 - 22/36
 
 
 
  This includes the organization and follow-up of training courses, awareness-raising sessions ("awareness") and
 
  training for Y employees who come into contact with (personal data of) customers.
 
  Training courses include:
 
  • insurance technical aspects (eg with regard to Y products);
 
 
  • technical aspects (eg the use of Office 365 applications, training on
 
  information security, etc.);
 
  • "on the job" training courses (training for new employees as well as training with the aim of increasing the
 
  to continuously improve service quality); and
 
  • more general aspects such as compliance topics (eg the GDPR, IDD, etc.). ”
 
 
 
71. With regard to the first condition (the so-called “target test”), the Disputes Chamber of
 
    judgment that the processing purpose should be as described by the defendant
 
    considered performed for a legitimate interest. The importance that the
 
    defendant as controller may in accordance with recital 47
 
    GDPR can be considered justified in itself. The first is therefore satisfied
 
    condition contained in Article 6.1, f) GDPR.
 
 
 
72. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking whether the same result can be achieved by other means without processing personal data, or without processing that is unnecessarily intrusive for the data subjects.

73. On the basis of the purpose, namely the training of personnel, the Disputes Chamber must find that the defendant argues that only in exceptional cases do the cases used for the training contain personal data of customers, or are personal data of customers used for the preparation of the training material. The defendant argues that the underlying material (cases) is, however, generally fully anonymised.

74. The Disputes Chamber notes that the defendant states that, in the context of training courses, the cases contain personal data of customers, or personal data of customers are used for the preparation of the training material, only in exceptional cases. However, the defendant fails to clarify in which cases it would be required to provide training to staff on the basis of customers' personal data. The defendant does not reasonably demonstrate that staff training could not always be provided on the basis of anonymised data. The second condition is therefore not fulfilled, since it has not been demonstrated that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.
 
 
 
75. In order to verify whether the third condition of Article 6.1 f) GDPR, the so-called “balancing test” between the interests of the controller on the one hand and the fundamental rights and freedoms of the data subject on the other, can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with Recital 47 GDPR. More specifically, it must be assessed whether “the data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.[8]

[8] Recital 47 GDPR.

76. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for staff training. A policyholder can only expect the normal management of his customer file, which requires access to the information contained therein only by the staff who have to perform tasks in that file for the benefit of the customer concerned. When information from concrete files is shared in the context of a training course, the processing of that information is no longer limited to those who have to perform tasks in the relevant file.

77. Accordingly, the Disputes Chamber decides that the defendant cannot rely on the legal basis “legitimate interest” for the processing operations for the purpose “training of personnel”, and that there is therefore a violation of Article 6.1 f) GDPR. The Disputes Chamber observes in addition that, if the defendant nevertheless wishes to use personal data of customers for staff training, it can rely on another legal basis, namely consent (Article 6.1 a) GDPR).

78. With regard to the purpose “monitoring and reporting”, the defendant states the following:

“Context of the processing purpose
This processing purpose includes the preparation of reports in order to be able to perform checks in the context of:
• the IFRS 17 accounting standards for insurance contracts and the Belgian generally accepted accounting rules (“Belgian GAAP”);
• the calculation of reserves (in the context of, for example, the Law of 13 March 2016 on the status and supervision of insurance or reinsurance companies (Solvency II Law), etc.); or
• profitability monitoring or reporting in the context of major damage claims.
These reports are created both for internal audit purposes and for reporting to the Y1 Re group (of which Y is a part). This includes recurring reports as well as one-off ad hoc reports. Only fully aggregated, anonymised or, if not otherwise possible, pseudonymised reports are prepared in the context of major claims or ad hoc reports regarding specific cases or outliers.”

79. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose, in the context described by the defendant, must be regarded as pursued for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with Recital 47 GDPR, be regarded as legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore fulfilled.
 
 
 
80. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking whether the same result can be achieved by other means without processing personal data, or without processing that is unnecessarily intrusive for the data subjects.

81. On the basis of the purpose, namely monitoring and reporting, the Disputes Chamber must find that the defendant argues that the various general financial and insurance law regulations (in the context of, for example, the Law of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II Law)) cannot be complied with without compiling the necessary reports or carrying out monitoring. As indicated at the hearing, here too the defendant does not rely on its legal obligation (Article 6.1 c) GDPR) as the legal basis for the processing, since the nature and scope of the reporting are not explicitly imposed as such by law. The defendant therefore uses its “legitimate interest under that legislation” as the legal basis for those processing operations. The second condition is thus fulfilled, it having been shown that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with. The processing of personal data is necessary, since the legislation cannot be complied with unless the necessary reports are drawn up or monitoring is carried out.

82. The defendant adds that only fully aggregated, anonymised or, if not otherwise possible, pseudonymised reports are prepared in the context of major claims or ad hoc reports relating to specific cases or outliers. The second condition is thus fulfilled, it having been shown that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.

83. In order to verify whether the third condition of Article 6.1 f) GDPR, the so-called “balancing test” between the interests of the controller on the one hand and the fundamental rights and freedoms of the data subject on the other, can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with Recital 47 GDPR. More specifically, it must be assessed whether “the data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.[9]

[9] Recital 47 GDPR.

84. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used for the fulfilment of the legal and contractual obligations of the defendant.

85. Accordingly, the Disputes Chamber decides that the defendant can rely on the legal basis contained in Article 6.1 f) GDPR for the processing operations for the purpose “monitoring and reporting”.

86. With regard to the purpose “the storage of video surveillance recordings during the statutory period”, the defendant states the following:

“Context of the processing purpose
It concerns the processing of personal data by means of the cameras located within Y's premises, with the aim of customer security, data security and the protection of the company's assets.”

87. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be regarded as pursued for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with Recital 47 GDPR, be regarded as legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore fulfilled.

88. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking whether the same result can be achieved by other means without processing personal data, or without processing that is unnecessarily intrusive for the data subjects.

89. On the basis of the purpose, namely video surveillance, the Disputes Chamber must find that the defendant asserts that the images are stored in a secure environment. Both the room and the IT servers concerned are subject to strict access protection. The images are accessed according to strict procedures. The storage of the images is also limited to the legal retention period (in principle 30 days).

90. The second condition is thus fulfilled, since it was established that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.


Decision on the merits 57/2021 of 06 May 2021

File reference: DOS-2019-02902

Subject: Lack of transparency in the privacy statement of an insurance company (reconsideration of decision 24/2020)

The Dispute Resolution Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the AVG;

Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as the WOG;

Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;

Having regard to the documents on file;

...

...

has taken the following decision concerning:

- Mr X, hereinafter “the complainant”;

- Y, represented by Mr Benoit Van Asbroeck and Mr Simon Mortier, hereinafter “the defendant”.

1. Facts and procedure

1. This decision is a reconsideration of decision 24/2020 of the Dispute Resolution Chamber of 14 May 2020, and implements the judgment of the Market Court of 18 November 2020, with roll number 2020/AR/813.

2. This decision should be read in conjunction with decision 24/2020 and contains a reconsideration aimed at giving the Respondent the opportunity to defend itself with regard to all breaches of the AVG for which a penalty was imposed in the initial decision, to the extent that these breaches are contested by Y. In this reconsideration, the Dispute Resolution Chamber thus stays within the framework of the initial decision, including with respect to the administrative fine, which cannot exceed the amount of the fine initially determined. As regards the allegations in respect of which the Dispute Resolution Chamber ruled in the initial decision that there was no infringement of the AVG, that opinion remains valid. The infringements established in the initial decision and not contested by Y are also maintained.

3. On 14 June 2019, the complainant filed a complaint with the Data Protection Authority against the Respondent.

The subject of the complaint concerns the use of health data, obtained by the insurance company from the data subject in the context of a hospitalisation insurance policy, for other purposes without the express consent of the insured data subject. The complainant states that he has no problem with his health data being processed for the fulfilment of obligations under the hospitalisation insurance policy taken out with the defendant, but does have a problem when the same health data are processed for the purposes listed in point 4.3 of the privacy notice and for the transfer to third parties as mentioned in point 9 of the same privacy notice (it concerns point 6; the reference to point 9 is a material error). He requests that, specifically for those purposes as well as for the transfer, the Respondent give the data subject the choice whether or not to consent to the processing of his health data.

Finally, the complainant expresses the wish to receive a data protection impact assessment from the defendant, as it involves processing of data presenting a high risk for the data subjects.

4. On 26 June 2019, the complaint was declared admissible pursuant to Articles 58 and 60 WOG, the complainant was notified thereof pursuant to Article 61 WOG, and the complaint was transferred to the Dispute Resolution Chamber pursuant to Article 62(1) WOG.

5. On 23 July 2019, the Dispute Resolution Chamber decided, pursuant to Article 95, §1, 1° and Article 98 WOG, that the file was ready for consideration on the merits.

6. On 24 July 2019, the parties concerned were notified by registered mail of the provisions mentioned in Article 95, §2 and Article 98 WOG. Pursuant to Article 99 WOG, the parties concerned were also informed of the time limits for submitting their conclusions. The deadline for receipt of the complainant's conclusions was set at 7 October 2019 and that for the defendant at 7 November 2019.

7. On 29 July 2019, the Respondent notified the Dispute Resolution Chamber that it had taken cognisance of the complaint, requested a copy of the file (Article 95, §2, 3° WOG) and agreed to receive all communications concerning the case electronically (Article 98, 1° WOG).

8. On 30 July 2019, a copy of the case file was transmitted to the defendant.

9. On 2 August 2019, the Dispute Resolution Chamber received a letter in which the Respondent indicated that it wished to be heard by the Dispute Resolution Chamber (Article 98, 2° WOG).

10. On 6 September 2019, the Dispute Resolution Chamber received the Respondent's conclusions. Firstly, the Respondent argues that the processing of special categories of personal data, in this case health data, by health insurer Y is carried out lawfully. The processing of these special categories of personal data (Article 9 AVG) is in principle prohibited. For the processing, the defendant relies on the exception in Article 9(2)(a) AVG, the explicit consent of the data subject. Secondly, the defendant argues that separate consent is not necessary for each transfer of personal data. Thirdly, according to the defendant, there is no question of asking consent for the processing of data other than health data. Finally, according to the defendant, a data protection impact assessment was not necessary in this case, as it concerned already existing processing operations and not new processing operations started after 25 May 2018.

11. The complainant did not exercise the right to submit a reply.

12. The Respondent did not submit new conclusions and on 7 November 2019 merely provided exhibits in support of the conclusions submitted on 6 September 2019.

13. On 9 January 2020, the parties were informed that the hearing would take place on 28 January 2020.

14. On 28 January 2020, the Respondent was heard by the Dispute Resolution Chamber. The Complainant, although duly summoned, did not appear. Among other things, the Respondent answered questions put by the Dispute Resolution Chamber as to the legal basis for the processing of personal data other than health data. The debates were then closed.

15. On 29 January 2020, the record of the hearing was submitted to the parties.

16. On 31 January 2020, the Respondent provided, as requested at the hearing, its annual turnover for the last three financial years. This amounted to a turnover of between EUR 500 million and EUR 600 million for the years 2016-2018.

17. On 6 February 2020, the Dispute Resolution Chamber received some comments from the Respondent on the record of the hearing, which it decided to include in its deliberations.

18. On 25 March 2020, the Dispute Resolution Chamber informed the defendant of its intention to impose an administrative fine and of the amount thereof, in order to give the defendant the opportunity to defend itself before the sanction was actually imposed.

19. On 8 May 2020, the Dispute Resolution Chamber received the Respondent's response to the intention to impose an administrative fine and to the amount thereof.

The Respondent argues that the alleged infringements, as set out in the Dispute Resolution Chamber's intention, are entirely new and that it has not been able to defend itself in this respect. However, the Dispute Resolution Chamber finds that the documents on file irrefutably demonstrate that the Respondent was able to fully exercise its rights of defence.

The defendant also states that it disagrees with the imposition of a fine, or with the intended amount of the fine. However, it does not present any (new) arguments in support of this position. The response of the Respondent therefore does not give rise to an adjustment of the intention to impose an administrative fine, nor to an adjustment of the amount of the fine as intended.

20. On 14 May 2020, the Dispute Resolution Chamber in its decision on the merits 24/2020 ruled as follows:

- pursuant to Article 100, §1, 9° WOG, to order the Respondent to bring the processing into compliance with Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) AVG;

- on the basis of Article 100, §1, 13° WOG and Article 101 WOG, to impose an administrative fine of EUR 50,000 for the infringements of Article 5.1 a), Article 5.2, Article 6.1, Article 12.1, Article 13.1 c) and d) and Article 13.2 b) AVG.

21. On 17 June 2020, the Dispute Resolution Chamber received notification from the Brussels Court of Appeal of an application against the GBA lodged with the Court Registry.

22. On 24 June 2020, the introductory hearing before the Market Court took place, at which the time limits for the parties to submit their conclusions were determined and the case was set for oral argument at the hearing of 21 October 2020.

On 18 November 2020, the Market Court delivered its judgment.

The judgment[1] contains the following main points concerning the assessment of the object of the application:

[1] The judgment is available on the website of the Data Protection Authority via the following link: https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-marktenhof.pdf

- Annulment of decision on the merits no. 24/2020 of 14 May 2020 of the Dispute Resolution Chamber.

- The Market Court stated that the Respondent should have been given the opportunity, after the grievance had been clearly formulated in writing, to make a written statement on the matter. The fact that the Respondent was asked at the hearing (as recorded in the transcript of the hearing) to make submissions on the general question of the legitimate interest invoked by the Respondent to process data other than health data, and that the Respondent only made a summary reply to this without any objections, does not adequately justify decision no. 24/2020 of 14 May 2020.

23. Following the judgment, the Dispute Resolution Chamber decided on 27 November 2020 to take up the file again in order to make a new decision. The underlying consideration is that, notwithstanding the annulment of the aforementioned decision by the Market Court judgment, the Dispute Resolution Chamber is still seized of the initial complaint lodged on 14 June 2019, as declared admissible by the First Line Service on 26 June 2019. Accordingly, the debates were reopened and new deadlines for conclusions were set so that the parties could take a position on the legitimate interest invoked by the Respondent to process data other than health data.

The parties were informed of the following time limits for the submission of conclusions:

- the latest date for the complainant's reply was set at 8 January 2021;

- the date for the reply by the defendant was set at 19 February 2021.

The date of the hearing was also fixed, for 22 March 2021.

24. On 27 November 2020, the Dispute Resolution Chamber received a communication from the Complainant stating that, in view of the clear arguments, he did not consider it necessary to provide additional argumentation. On the same day, the Dispute Resolution Chamber informed the Respondent that the Complainant had indicated that he would not be submitting conclusions. At the request of the Respondent, the Dispute Resolution Chamber also confirmed that the date initially set for the Respondent's reply, as well as the date of the hearing, would be maintained.

25. On 19 February 2021, the conclusions and accompanying documents of the Respondent were received by the Dispute Resolution Chamber. In them, the Respondent puts forward the following pleas in law:

- The Respondent may rely on its legitimate interests to process personal data for the purposes under Article 4.3 of its former privacy notice (no violation of Articles 5.1(a), 5.2, 6.1(f) and 13.1(c) and (d) AVG).

- The Respondent may rely on an applicable legal ground for transfers to third parties pursuant to Article 6 of the former privacy notice (no violation of Articles 5.1(a), 5.2, 6.1 and 13.1(c) and (d) AVG).

- If the defendant cannot rely on all legal grounds under Article 6.1 AVG for the processing purposes under Article 4.3 of the old privacy notice and for onward transfers to third parties under Article 6 of the old privacy notice, this constitutes an infringement of the defendant's freedom to conduct a business.

- The Respondent submits that a reprimand is sufficient and that the administrative fine of EUR 50,000 is disproportionate.

26. On 22 March 2021, the parties were heard by the Dispute Resolution Chamber. The Complainant, although duly summoned, did not appear. During the hearing, the Respondent explained its defence. No elements other than those already on file were introduced. The debates were then closed.

27. On 25 March 2021, the record of the hearing was submitted to the parties in accordance with Article 54 of the Rules of Internal Procedure. On 5 April 2021, the Respondent submitted to the Dispute Resolution Chamber some comments on the record, which the Dispute Resolution Chamber decided to include in its deliberations.

28. On 6 April 2021, the Dispute Resolution Chamber notified the Respondent of its intention to proceed with the imposition of an administrative fine, and of the amount thereof, in order to give the Respondent the opportunity to defend itself before the sanction was actually imposed.

29. On 27 April 2021, the Dispute Resolution Chamber received the Respondent's response to the intention to impose an administrative fine and to the amount thereof.

In summary, the Respondent states the following in its response to the intention to impose an administrative fine:

- As regards the lack of a demonstrated legitimate interest as a legal basis for the purposes “staff training” and “storage of video surveillance recordings during the statutory period”, the Respondent argues that no questions were raised during the hearing as to the lawfulness, necessity or proportionality of these processing purposes.

In this regard, the Dispute Resolution Chamber notes that the Respondent had already extensively addressed in its conclusions the lawfulness, necessity and proportionality of all processing purposes, including those for “staff training” and “storage of video surveillance recordings during the statutory period”, so that no additional clarification on this was requested at the hearing. During a hearing, only specific questions are asked about remaining ambiguities, in order to clarify them and to allow the Dispute Resolution Chamber to form an opinion.

The Dispute Resolution Chamber can therefore only conclude that the Respondent's response to the intention to impose an administrative fine for the infringement of Article 6.1 AVG, for the purposes “staff training” and “storage of video surveillance recordings during the statutory period”, for lack of a demonstrated legitimate interest as a legal basis, does not contain any new elements of a nature to change the opinion of the Dispute Resolution Chamber.

- As regards the amount of the fine, the Respondent considers that no fine can be imposed for the allegation of processing personal data without a legitimate interest. At the very least, the defendant considers that an amount of EUR 30,000 is disproportionately high. The defendant submits that it appeared from the written conclusions and during the hearing that general training material was in principle always anonymised and that personal data of customers were processed by means of camera surveillance. The documents on file would also not show that any personal data of the complainant were processed for these purposes. Therefore, the complainant (and, by extension, the Respondent's other customers) would in principle not have suffered any personal detriment as a result of any lack of legitimate interest for the processing activities “training of staff” and “storage of video surveillance recordings during the statutory period”.

The Dispute Resolution Chamber emphasises that whether or not the data subject suffers any personal disadvantage is not a criterion for the imposition of an administrative fine, as it is not included in Article 83.2 AVG. Therefore, in its decision below, it justifies this sanction without taking into account whether or not the complainant has suffered any personal disadvantage. The criteria for the imposition of an administrative fine are clearly laid down in Article 83.2 AVG, on which the Dispute Resolution Chamber bases its decision regarding the administrative fine.

In so far as necessary, the Dispute Resolution Chamber adds that the Complainant provided his personal data to the Respondent for processing in connection with a hospitalisation insurance policy, and the Respondent subsequently indicated, on the basis of the privacy notice in force at the time, that it also processed the Complainant's personal data for all the purposes stated in that privacy notice. On the basis of the privacy notice given at the time, the Respondent thus processed the Complainant's data for each of the purposes set out in the privacy notice. This is also apparent from the conclusions underlying the present decision, in which the Respondent itself delineates the allegations arising from the complaint (see margin number 33), and the allegations under points (f), (g) and (h) are the subject of its defence. The allegations arising from the complaint, as described by the defendant itself in its conclusions, concern defects in the privacy notice that affect the complainant, as well as, ipso facto, any other customer of the defendant who takes out hospitalisation insurance. Indeed, the privacy notice was not drawn up exclusively for the complainant, but for every customer of the defendant who takes out hospitalisation insurance.

This also explains why, in its conclusions, the Respondent seeks to demonstrate the lawfulness, necessity and proportionality of all processing purposes, without any distinction as to whether or not a given purpose is one for which personal data of the Complainant are processed. The Respondent verifies that it has a legitimate interest for all processing purposes, because for each of those processing purposes the personal data of the Complainant were processed in accordance with the privacy notice in force at the time.

- In addition, the Respondent considers that an amount of EUR 30,000 is disproportionate to the infringement.

More specifically, with regard to the seriousness of the infringement, the Respondent disagrees with the Dispute Resolution Chamber's assertion that, merely because a breach of Articles 5 and 6 AVG has been established, the infringements are automatically “serious” and “grave”. The defendant submits that, on the one hand, those articles form the basis of virtually the whole of the AVG and, consequently, virtually any infringement of the other articles of the AVG can be reduced to an infringement of Articles 5 and 6 AVG.

On the other hand, classifying these infringements as “serious” and “grave” prevents any differentiation from infringements that are truly serious and grave, such as, for example, the complete absence of a privacy notice. However, that is not at all the case here.

The defendant argues that it did mention these processing purposes in its privacy notice and that it carried out, with the necessary rigour, an extensive weighing of interests to ascertain whether it could invoke its legitimate interests.

With regard to the Respondent's assertion that a breach of the fundamental principles of the AVG contained in Articles 5 and 6 AVG cannot automatically be regarded as serious and grave, the Dispute Resolution Chamber notes that Article 83.5 AVG itself provides for a more severe penalty for such a breach, for which the highest maximum fine is set, precisely because it concerns fundamental principles that go to the heart of data processing. The Respondent's assertion that every breach of the AVG can be traced back to a breach of the core principles does not stand up, since the Dispute Resolution Chamber is bound by the complaint and performs its assessment against the AVG within those boundaries; therefore, contrary to what the Respondent suggests, not every breach can be “traced back” to breaches of the core principles. Since the object of the complaint is precisely the basic principles, the Dispute Resolution Chamber will rule in this case on the application of those principles. Where the Respondent cites as an example that the total absence of a privacy statement would be a serious and grave breach, the Dispute Resolution Chamber states that the total absence of a privacy statement would not merely be a serious and grave breach, but a total disregard of the AVG. However, this does not alter the fact that a defective privacy statement, such as the one at issue here, which does not respect the basic principles of the AVG, must be regarded as serious and grave.

As regards the duration of the infringement, the Respondent points out that it already amended its privacy statement during the initial proceedings at the beginning of 2020, and amended it again following the initial decision of the Dispute Resolution Chamber at the beginning of 2021, and that this should be taken into account as an attenuating circumstance. As regards the deterrent effect, the Respondent again points to its willingness to amend its privacy statement at all times, which it has done twice in a very far-reaching manner, thereby, according to the Respondent, achieving the purpose of these proceedings.


The Dispute Resolution Chamber already indicated in the intention to impose an administrative fine, as well as the amount thereof, that it takes into account the efforts already made by the Respondent to bring its new privacy notice into line with the AVG, which demonstrates its willingness. On the other hand, it must be noted that, although the amendments made to the new privacy notice are a favourable element in the assessment of the administrative fine, they are not intended to undo the infringements found (see paragraph 120 above).


The Dispute Resolution Chamber gives more detailed reasons for imposing the administrative fine in section 3 of this decision.  
  91. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called


It follows from the foregoing that the Respondent's response does not lead the Dispute Resolution Chamber to modify the intention to impose an administrative fine or the amount of the fine as intended.
      “Balancing test” between the interests of the controller, on the one hand, and the


2. Reasons
      fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should


1. Legitimate interest
      reasonable, in accordance with Recital 47 GDPR


(a) Preliminary remark
      expectations of the data subject. More specifically, it should be evaluated whether “data subject


30. It follows from the judgment of the Market Court that the Dispute Resolution Chamber in its decision 24/2020 of 14 May 2020 would have ruled without the Respondent being able to defend himself fully because the decision of the Dispute Resolution Chamber would not have been limited to the allegations that are the subject of the complaint.
      at the time and in the context of the collection of the personal data is reasonably permitted


31. However, the complainant expressly states in the complaint that the customer must be given the choice of whether to consent to the processing operations listed in points 4.3 and 6, and he is not given it. Indeed, once he has given his consent to the processing of his personal data in the framework of a hospitalisation insurance policy, the data processing should, according to the complainant, be limited to the fulfilment of the obligations arising from that insurance policy. The complainant maintains that the defendant cannot process his data for any other purpose, more specifically the purposes mentioned in point 4.3 and 6 of the former privacy notice, without his consent. The complaint thus challenges the legal basis of the processing for the purposes listed in point 4.3. The Complainant considers that the purposes set out in point 4.3 require his consent and that the Respondent cannot therefore simply use the data obtained on the basis of consent in the context of hospitalisation insurance for other purposes, for which the Respondent relies on its legitimate interest.  
      expect that processing can take place for that purpose . 10


32. The complaint thus essentially concerns the legal basis on which the Respondent may process personal data obtained from the Complainant for the purposes listed in paragraphs 4.3 and 6 of the Respondent's former privacy notice.


33. In the Respondent's submission before us, the allegations are listed in paragraphs (a) to (h):


"(a) Y would obtain the consent for the processing of medical data in the context of the conclusion and performance of insurance contracts under coercion, which would render such consent invalid (violation of Articles 5(1)(a) (principle of lawfulness); 6(1)(a) and 9(2)(a) AVG)
  92. The Disputes Chamber is of the opinion that with the collection of personal data in the framework


(b) Y should give the Complainant access to the data protection impact assessment ('DIA') which it allegedly carried out for the processing of medical data in connection with the execution of insurance contracts with its customers (breach of Articles 35 and 36 AVG)
      it cannot be assumed that the policyholder takes out insurance


(c) Y should, in Articles 4.3 and 6 of the old Privacy Notice, make a better distinction between the processing of medical data on the one hand and the processing of other 'ordinary' personal data on the other (breach of Article 13(1)(c) AVG); 


d) Y should take additional measures to inform the data subjects of their right to object under Article 21(2) of the AVG (breach of Articles 12(1) and 13(2)(b) of the AVG)
      at that time can reasonably expect that his data will be


e) Y should further clarify the legal grounds for the transfer of personal data to third parties, as mentioned in Article 6 of the Privacy Statement of Y (violation of Article 13 (1) (c) AVG)
      used for video surveillance. The purpose of video surveillance is unrelated to the


f) Y would process personal data without a demonstrated legal basis (including its legitimate interest within the meaning of Article 6(1) AVG) for a number of purposes referred to in Article 4.3 of the ex-Y Privacy Statement and transfers to third parties referred to in Article 6 of the ex-Y Privacy Statement (breach of Articles 5(1)(a) (legality principle) and 6(1) AVG)
      conclusion of an insurance contract, so that the policyholder does not adhere to it


g) Y is alleged not to have provided sufficient information about its legitimate interests in its previous Privacy Statement where Y invokes this legal ground (violation of Articles 5(1)(a) (transparency principle) and 13(1)(c) and (d) of the AVG)
      can expect that his personal data is provided in response to a


(h) Y is alleged, where Y invokes this legal ground, not to have sufficiently demonstrated what its legitimate interests would be and not to have demonstrated to what extent its interests would outweigh the interests and fundamental rights of the Complainant (violation of Article 5(2) AVG).  
      insurance contract will be used in the context of video surveillance. Only at


34. The Respondent also confirms that the allegations described in paragraphs (a) to (h) arise from the Complaint by stating in the Conclusion the following:
      there is video surveillance when physically entering the defendant's premises and then it suffices


"Should the Dispute Resolution Chamber find that the above allegations and alleged violations of the AVG by Y (points a to h) do not arise from the complaint [...], the Dispute Resolution Chamber is invited to inform Y thereof [...]."


35. In this respect, the Dispute Resolution Chamber notes that the allegations as currently described by the Respondent in points (a) to (h) were already raised in the complaint, and in respect of which the Respondent now indicates that they do indeed result from the complaint, but in respect of which he nevertheless did not put forward a defence in the proceedings prior to decision 24/2020 of 14 May 2020 as regards (f), (g) and (h). 


With regard to the allegations in points (a) to (e) of his conclusion, the Respondent indicates that he either had the opportunity to defend himself and was found in favour by the Dispute Resolution Chamber (this concerns allegations (a) and (b)), or did not contest the allegations and rectified them in the new privacy notice (this concerns allegations (c), (d) and (e)). As regards the established breach of Article 13.1(c) of the AVG regarding allegation (c), the breach of Article 12.1 and Article 13.2(b) of the AVG regarding allegation (d) and the


Article 13.1(c) AVG regarding allegation under (e), the Dispute Resolution Chamber refers to the reasons for this in decision 24/2020 of 14 May 2020.


The defence in the present conclusion only focuses on the allegations under points (f), (g) and (h).


36. To the extent that there may have been some lack of clarity regarding the subject matter of the complaint on the part of the Respondent prior to decision 24/2020, the Dispute Resolution Chamber nevertheless gave the Respondent the opportunity to defend itself, and will consider below whether and, if so, to what extent the Respondent breached the AVG with regard to the allegations set out in points (f), (g) and (h) of its conclusion, and whether the administrative fine should be upheld.
10
  Recital 47 GDPR. Decision on the merits 57/2021 - 27/36


b) Legal basis for purposes mentioned under 4.3 of the Privacy Statement 


37. The Respondent claims to be able to rely on its legitimate interests for the processing of non-sensitive personal data for the following purposes listed under Section 4.3 of the former Privacy Notice:


- Performing computer tests;
    that the camera law is complied with, including the obligation to affix a


- Monitoring the quality of service provision;
    icon with information to notify the data subject.


- training of personnel;


- monitoring and reporting;


- the storage of video surveillance recordings for the statutory period; and  
93. Accordingly, the Disputes Chamber decides that the defendant applies for processing operations for the
 
 
    purpose “the storage of video surveillance recordings during the legal period” does not
 
    can rely on the legal basis "legitimate interest" and thus there is an infringement
 
    to Article 6.1 f) GDPR.
 
 
 
94. For the sake of completeness, the Disputes Chamber adds that if a controller
 
    wishes to use surveillance cameras, these are legal obligations
 
    ensuing from the law of 21 March 2007 regulating the placement and use of
 
    security cameras must comply. As soon as a controller uses
 
    of surveillance cameras, arise from the aforementioned law obligations regarding
 
    data processing, so that the controller can rely on article 6.1 c)
 
    GDPR. In that regard, the defendant stated at the hearing that in
 
    the necessary pictograms have been affixed in accordance with this law.
 
 
 
 
 
      c) Model of balancing of interests
 
 
 
95. For each of the foregoing purposes, the defendant argues that the
 
    processing purpose is permissible because of the quantitative score calculated by the model
 
    balance of interests that Y uses is lower than 30. The defendant argues that on the basis of that
 
    model the processing purposes can be based on the legitimate interests
 
    of the controller as long as this score does not exceed 30.
 
 
 
96. In this regard, the Disputes Chamber should note that the model used by Y is a
 
    is a purely internal instrument that can at most act as a guideline within the company,
 
    but from which no legal arguments can be drawn to support the assessment against the
 
    legal basis of Article 6.1 f) GDPR. To the scores calculated on the basis of that model
 
    therefore no legal value can be attached.
 
 
 
 
 
      d) All legal grounds included in Article 6.1 GDPR
 
 
 
97. The defendant is of the opinion that the Disputes Chamber in its decision 24/2020 would have stated that
 
    he can only rely on consent as a legal basis (Article 6.1 a) GDPR) for the Decision on the merits 57/2021 - 28/36
 
 
 
          processing purposes included in point 4.3. of the old privacy statement and not on
 
          the other legal grounds of Article 6.1 GDPR.
 
 
 
      98. The Disputes Chamber explains that the following was made in this regard in the decision 24/2020
 
 
          mention:
 
          The Disputes Chamber is therefore of the opinion that the violation of art. 6.1. AVG is proven,
 
          since the data processing is for the purposes stated in sections 1, 2, 3, 4, 6 and
 
          7 of point 4.3. of the privacy statement, without any demonstrated legitimate interest,
 
          should be based on the consent of the complainant in the absence of any other possible
 
          applicable legal basis in art. 6.1. AVG. ”
 
 
 
      99. From this the defendant deduces, albeit incorrectly, that the Dispute Chamber is the only one
 
          legal basis for the purposes specified therein precedes the consent. The defendant
 
          however, ignores the fact that the Disputes Chamber reaches that decision, precisely because the
 
          defendant fails to demonstrate any legitimate interest and thus in
 
          fails to demonstrate that the applicable conditions have been fulfilled to comply with this
 
          legal basis in Article 6.1 f) GDPR. The Disputes Chamber stated in its decision
 
          after all expressly that the defendant has in no way demonstrated from what
 
          legitimate interest or would exist and also failed to demonstrate to what extent his interest
 
          would outweigh the interests and fundamental rights of the complainant, although the defendant
 
          is obliged to do so on the basis of its accountability obligation (Article 5.2 GDPR). The
 
          Accordingly, the Disputes Chamber could not withhold article 6.1 f) GDPR as a valid legal basis. On base
 
          of the factual elements leading to the decision 24/2020 was the only remaining
 
          legal basis the consent.
 
 
 
      100. The Disputes Chamber emphasizes that every controller, including the
 
          defendant, can invoke any possible legal basis of Article 6.1 GDPR, but that the
 
          applicable conditions for the legal basis invoked must be fulfilled.
 
 
 
 
 
2. Legal basis for transfers to third parties
 
 
 
 
      101. First, the defendant claims that a transfer to third parties does not have a processing purpose
 
          is itself, but is merely a form of processing of personal data within the meaning of Article
 
          4.2 GDPR. The defendant states that he only draws up balances of interests per
 
          processing purpose, but not per processing. Decision on the merits 57/2021 - 29/36
 
 
 
      102. The Disputes Chamber states that it follows from article 5.1 a) GDPR that personal data must be
 
          processed for a specific purpose and that such processing must be lawful in the sense
 
          of Article 6.1 GDPR. So it is clear that any processing must be done within the framework
 
          of a specific, explicit and justified purpose and that
 
 
          processing must be based on a legal ground for it to be lawful
 
          considered. It is of course possible to perform multiple processing operations within the meaning of Article 4.2 GDPR
 
          for the same purpose, but this does not alter the fact that the
 
          data processing for a specific purpose can only be considered lawful
 
          labeled if there is a legal basis for doing so.
 
 
 
      103. The Disputes Chamber notes that any transfer to third parties must be determined with the
 
          in view of the purpose for which the transfer takes place. To be able to verify whether the transfer is to
 
          third parties can be regarded as lawful, it must thus be determined for what purpose
 
          which is passed on to third parties.
 
 
 
 
      104. As the defendant rightly points out, the legal basis for the transfer to processors (which
 
          however, no third parties within the meaning of Article 4, 10) GDPR) are the same as for the
 
          data processing by the defendant himself. After all, the processing purpose remains
 
          unchanged, as the processor only processes the personal data for the benefit of the
 
          defendant as controller.
 
 
 
 
      105. If the personal data are transferred to a third party within the meaning of Article 4. 10)
 
          GDPR with a view to the purpose of enabling that third party to provide the relevant personal data
 
          to process it for your own purposes, then that transfer must cease for that specific purpose
 
          considered themselves and requires a separate legal basis. With a view to
 
          transparency should become the processing basis for all transfers in the privacy statement
 
          stated that the defendant fulfills his obligation under art. 13.1 c) would comply with GDPR. This is
 
          However, this is not the case, so that the Disputes Chamber is of the opinion that there is a
 
          infringement of art. 13.1. c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR.
 
 
 
 
 
3. Transparency principle
 
 
 
 
      106. Notwithstanding the fact that Article 13.1 d) GDPR requires the controller to send the
 
          provides the data subject with information about his legitimate interests, if the processing
 
          is based on Article 6 (1) (f), the defendant maintains that it suffices
 
          for the purposes of the privacy statement referred to in point 4.3, as well as for the purposes of 6 of the Decision on the merits 57/2021 - 30/36
 
 
 
    data transfers based on Article 6 (1) (f) GDPR only
 
    state that personal data is processed on the basis of the legitimate interest of
 
    the defendant without indicating exactly what that legitimate interest would consist of.
 
 
 
 
107. The defendant argues that the balancing of interests concerns internal documents that have not been handled by Y
 
    made public or included in its Privacy Statement, in view of the
 
    business sensitive information they contain. Moreover, this involves bulky, rather privacy-
 
    technical documents that are typically not included in a privacy statement.
 
 
 
108. For transmission to “the companies of the group Y1 Re to which Y belongs, for monitoring
 
    and reporting ”, the defendant confirms that this is a transfer to another
 
    controller, indicates the defendant demonstrating his legitimate interest
 
    consists in its conclusion under the processing purpose “monitoring and reporting”, but late
 
    after clarifying his legitimate interest in the privacy statement.
 
 
 
109. Furthermore, the defendant also refers to recital 48 of the GDPR which states that
 
    controllers that are part of a concern or group of institutions
 
    associated with a central body may have a legitimate interest in the
 
    forwarding of personal data within the group for internal administrative purposes,
 
    including the processing of personal data of customers or employees.
 
 
 
110. The Disputes Chamber acknowledges that consideration 48 applies to the defendant, but this
 
    does not prevent the defendant from being transparent about this in his privacy statement and
 
    also in such a case must indicate the legal basis and must make it clear where it is
 
    legitimate interest exists, which is not the case in the old privacy statement.
 
 
 
 
111. Responsible for transfers to “subcontractors in the European Union or abroad
 
    for processing activities defined by Y ”, the defendant argues that it concerns
 
    processors of Y.
 
 
 
112. The Disputes Chamber therefore restates the reasoning in this regard from its decision
 
    24/2020 to decide on an infringement of Article 13.1 d) GDPR in conjunction with Article 5.1 a) GDPR
 
    and Article 5.2 GDPR. The privacy statement only mentions that for those referred to in 4.3. listed
 
    purposes personal data are processed on the basis of the legitimate interest of the
 
    defendant without indicating exactly what that legitimate interest would consist of,
 
    while art. 13.1. d) GDPR does require the controller to comply
 
    obliged to provide the data subject with information about his legitimate interests,
 
    if the processing is based on Article 6 (1) (f). Decision on the merits 57/2021 - 31/36
 
 
 
 
 
 
 
  113. The Disputes Chamber also refers to the Guidelines of the European Committee for the
 
      data protection (EDPB) on transparency according to Regulation (EU)
 
      2016/679, who stress the need to identify the specific interest in question
 
      for the benefit of the data subject.
 
 
 
 
 
  114. Also with regard to point 6. of the privacy statement, the defendant does not indicate why
 
      legitimate interest, on which he relies, would exist to obtain personal data from the
 
      to process the complainant for the purpose of transferring it to “The companies of the Y1 RE group
 
      to which Y belongs, for monitoring and reporting ”and“ Subcontractors in the European Union
 
      or beyond, responsible for processing activities defined by Y ”. However
 
      requires art. 13.1. d) GDPR in fact that the controller is the data subject
 
      must provide information about his legitimate interests, if the processing
 
      is based on Article 6 (1) (f). The Disputes Chamber refers again to the
 
      Guidelines on transparency in accordance with Regulation (EU) 2016/679 and the
 
      stated above in this regard.
 
 
 
 
 
  115. The Disputes Chamber stated in its decision 24/2020 that as best practice the
 
      controller also, before becoming personal data of the data subject
 
      collected, can provide the data subject with information about the assessment to be made
 
      created in order to be able to use Article 6 (1) (f) as a legal basis for the processing.
 
      To avoid information fatigue, this information can be included in a layered
 
      privacy statement / notice. 12 The information provided to data subjects should make clear
 
      that these data subjects can receive information about the assessment upon request. This is
 
      essential for effective transparency when data subjects have doubts about the
 
      fairness of the consideration made as to whether to submit a complaint to a supervisory authority
 
      authority.
 
 
 
 
  116. As the defendant points out, he is unwilling to apply the aforementioned best practice,
 
      because, according to him, it concerns internal privacy-technical documents with company-sensitive
 
      information.
 
 
 
 
 
 
 
 
11
  EDPB, Guidelines of the Article 29 Working Party on Data Protection on Transparency under Regulation (EU)
2016/679, approved November 29, 2017, last revised and approved April 11, 2018, p. 42.
12See paragraph 35 of the guidelines referred to in footnote 6. Decision on the substance 57/2021 - 32/36
 
 
 
 
      117. The Disputes Chamber argues that even if the defendant refuses to follow this best practice,
 
          he is at least obliged to notify the data subject on a
 
          concise, transparent, intelligible and easily accessible form and in clear and
 
          provide simple language information about his legitimate interest for each of the
 
 
          purposes for which he relies on that legal basis. It is by no means to comply with this
 
          requires privacy-technical documents to be made public, but it is
 
          requires that information about the legitimate interest is provided in clear
 
          wording that can be easily understood by a customer or potential customer of the defendant
 
 
 
      118. The Disputes Chamber finds that the information required by Article 13.1 d) GDPR is in no way whatsoever
 
          is made available by the defendant, so that the infringement of Article 13.1 d)
 
          GDPR in conjunction with article 5.1 a) GDPR and article 5.2 GDPR.
 
 
 
 
 
 
 
 
4. Administrative fine
 
 
 
 
      119. The fact that the defendant does indeed commit the infringements of Articles 5.1 a), 5.2, 6.1, 12.1, 13.1
 
          c) and d) and 13.2 b) GDPR, brings the Dispute Chamber to the administrative
 
          fine. This sanction does not extend to an offense committed
 
          but with a view to vigorous enforcement of the rules of the GDPR. As
 
 
          is clear from recital 148 of the GDPR, the GDPR states that in the event of any serious infringement
 
          - including when an infringement is first established - penalties, including administrative ones
                                                                                              13
          fines are imposed in addition to or instead of appropriate measures. After this, the
 
          Disputes Chamber states that the breaches committed by the defendant against Articles 5.1 a),
 
          5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR in no way concern minor infringements, nor that the
 
          a fine would cause a disproportionate burden on a natural person as referred to in
 
          Recital 148 GDPR, whereby a fine can be waived in either case.
 
          The fact that it is a first finding of an infringement committed by the defendant in the
 
 
 
 
 
 
    13
      Recital 148 states: “With a view to more vigorous enforcement of the rules of this Regulation, penalties,
    including administrative fines, to be imposed for any breach of the Regulation, in addition to or instead of
    appropriate measures imposed by the supervisory authorities under this Regulation. If it comes
    for a minor infringement or if the foreseeable fine would cause a disproportionate burden on a natural person,
    instead of a fine, a reprimand can be chosen. However, the
    nature, gravity and duration of the infringement, including the intentional nature of the infringement, with measures to mitigate damage,
 
    with the degree of responsibility, or with previous relevant breaches, with the manner in which the breach became known to the
    supervisory authority has come up with compliance with the measures taken against the
    controller or processor, with affiliation to a code of conduct and any other aggravating or
    mitigating factors. Imposing penalties, including administrative fines, should be subject to
    appropriate procedural safeguards in accordance with general principles of Union law and the Charter, including a
    effective remedy and due process. [own underlining] Decision on the merits 57/2021 - 33/36
 


- compiling statistics from encrypted data, including big data.


38. For each of these purposes, the Respondent has carried out a balancing of interests. The Dispute Resolution Chamber below assesses the balancing of interests undertaken for each of these purposes in accordance with the established decision-making2 approach it uses in assessing the legitimate interest.


2 See, inter alia: Decision on the merits 03/2021 of 13 January 2021; Decision on the merits 71/2020 of 30 October 2020; Decision on the merits 36/2020 of 9 July 2020; Decision on the merits 35/2020 of 30 June 2020.
      GDPR, does not in any way affect the possibility for the Disputes Chamber


39. Pursuant to Article 6.1(f) of the AVG and the case law of the Court of Justice of the European Union, three cumulative conditions must be met in order for a
      to impose an administrative fine. The Disputes Chamber explains the administrative


controller may lawfully rely on that ground of law, 'namely, first, the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, second, the necessity of processing the personal data for the purposes of the legitimate interest pursued and, third, the condition that the fundamental rights and freedoms of the data subject are not prejudiced' (Rigas judgment)3.
      fine in accordance with article 58.2 i) GDPR.


3 CJEU, 4 May 2017, C-13/16, Valsts policijas Rigas regiona parvaldes Kartibas policijas parvalde v Rigas pašvaldibas SIA "Rigas satiksme", paragraph 28. See also CJEU, 11 December 2019, C-708/18, TK t/ Asociatia de Proprietari bloc M5A-ScaraA, paragraph 40.


40. In order to rely on the lawfulness ground of "legitimate interest" under Article 6.1(f) of the AVG, the controller must demonstrate, in other words, that: 


1) the interests it pursues with the processing can be recognised as legitimate (the "purpose test"); 
  120. The Disputes Chamber emphasizes once again that the instrument of administrative fine


2) the intended processing is necessary for the purposes of achieving those interests (the "necessity test"); and
      is in no way intended to end infringements. To this end, the AVG and the WOG provide for a


(3) the balance of these interests in relation to the interests, fundamental freedoms and rights of data subjects weighs in favour of the controller (the "balancing test").
      number of corrective measures, including the orders referred to in Article 100, §1, 8 ° and 9 °


41. With regard to the purpose of "conducting computer tests", the Respondent states the following:
      WOG. She also emphasizes that the administrative fine is one of the sanctions foreseen


"Context of the processing purpose
      in article 58.2 GDPR and article 100 WOG. Neither EU law nor national Belgian law


This processing purpose includes the tests performed by IT testers and developers:
      has a hierarchy with regard to the sanctions to be imposed. It stands as the Dispute Chamber


- in connection with "modifications", which are minor adjustments or in connection with purely functional aspects; and
      body of an independent data protection authority as referred to in Article 51


- in the context of any automation projects.
      AVG is free to choose the most appropriate sanction. The Disputes Chamber is of the opinion that, in view of the


These tests are carried out in the context of:
      accountability of the controller, the imposition of a


- IT and network security;
      administrative fine for violation of the GDPR could be expected. 14


- the maintenance, improvement and development of (the quality of) Y products and services; or


- the improvement of the customer experience (e.g. to make internal processes and systems more efficient for back-office activities, to improve the user experience in Y's digital channels, etc.).


This process does not include the acceptance and emulation phase, which can only be performed by the "specialised activities" team before the changes can actually be implemented and put into production." 
                                                                  15
  121. Taking into account article 83 GDPR and the case law of the Marktenhof, the


42. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) of the AVG is fulfilled.
      Disputes Chamber imposing an administrative sanction in concrete terms:


43. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.  
        - The seriousness of the infringement: the reasoning below shows the seriousness of the infringement.


44. Considering the purpose of computer testing, the Dispute Resolution Chamber should note that the Respondent ensures that, where possible, dummy data or anonymised data are used (e.g. in the case of changes involving different systems or applications and requiring a unique reference, such as the policy number). Only when there is no other option, will personal data be used to realise the intended change or development. Possible possibilities for (further) restriction of data processing are constantly investigated and progressively introduced as part of the project 'data anonymisation in non-production environments'. Furthermore, strict access controls are introduced on the IT environments where the IT tests are performed. Procedures are also established for how these IT tests are to be conducted, which all stakeholders must take into account.
        - The duration of the infringement: the infringements are assessed for this aspect in


45. The Dispute Resolution Chamber notes that the Respondent cites using personal data only when there is no other option. During the hearing, Y states that the tests are always performed using dummy data, but that the testing phase determines the extent to which such data can be tested. In some cases, the limits of the possibilities to do data masking have been reached. This has to do with the life cycle of the tests, namely gradually dummy data can be used in IT tests, but sometimes the processing of personal data is required in order to ensure the interaction between applications.  The Dispute Resolution Chamber considers that the Respondent has thus made it reasonably plausible that the computer systems are not always based on
            in light of the date on which the GDPR became applicable, namely May 25


anonymised or pseudonymised data. The second condition is thus fulfilled, as it has been demonstrated that the principle of minimum data processing (Article 5.1(c) of the AVG) has been complied with. Nevertheless, the Dispute Resolution Chamber notes that for the sake of clarity vis-à-vis the customers concerned, the Respondent might consider providing in the privacy notice some succinct explanation of the case where the Respondent has no choice but to conduct computer tests with personal data.
            2018. The defendant's privacy statement appears to have remained unchanged since


46. In order to assess whether the third condition of Article 6.1(f) AVG - the so-called 'balancing test' between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other hand - can be met, the reasonable expectations of the data subject should be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "4.
            the GDPR becoming applicable until such time as, following the


4 Recital 47 AVG.  
            complaint, a new privacy statement has been drawn up. The new privacy statement constitutes


47. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that moment that his data will be used for computer testing. After all, the customers expect a correct execution of their insurance contracts, which goes hand in hand with secure and correct management of the IT systems. The interest of the customers thus requires that the functionalities of the IT environment be tested for this purpose.
            however, not the object of assessment by the Dispute Chamber, so that they themselves


48. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) of the AVG for processing for the purpose of "computer testing".
            also does not comment on the extent to which the new privacy statement is consistent


49. With regard to the purpose of "monitoring the quality of service" and "compiling statistics from coded data, including big data", the Respondent states that this comprises three elements and provides as follows:
            is with the GDPR.


- For the part "Statistics and quality testing"
        - The necessary deterrent effect to prevent further infringements.


"Context of the processing purpose


Y, as an insurer, is subject to prudential supervision. This includes the duty to exercise overall control over its business and its performance, including, but not limited to, the monitoring of sales performance, the performance and remuneration of certain hospital networks and cover/refunds. This relates to the overall control of the quality of the services and the performance of the insurance undertaking to ensure its continuity. This processing purpose includes both one-off and recurring reports, which may or may not involve the use of big data methodologies. These reports are mainly aggregated or anonymised, unless specific statistics are required (by category, such as by age group)."


50. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the context of the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) of the AVG is fulfilled.


51. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.


52. The Dispute Resolution Chamber notes that the Respondent only justifies that it is necessary for it to compile statistics and conduct quality tests, as financial viability, quality of service, premium setting and performance cannot be determined without actively measuring them. The Dispute Resolution Chamber does not in any way disregard the need for the Respondent to have statistics and quality tests, but the Respondent limits itself to stating that mainly aggregated or anonymised reports are prepared unless specific statistics are required (by category such as e.g. by age group). Moreover, the Respondent states that big data methodologies may or may not be used to produce such reports. 
  122. With regard to the nature and seriousness of the infringement (art. 83.2 a) GDPR), the Disputes Chamber emphasizes


53. To what extent the statistics still contain personal data or allow for the re-identification of a data subject, is further explained during the hearing. The respondent states that there are still very few statistics that contain personal data. The
      that compliance with the principles set out in art. 5 GDPR - in the present case in particular the


In any event, the statistics do not contain names and certainly not health data. The statistics do contain codes, but these are aggregated, segmented data in the mass.
      transparency principle including accountability, as well as the


Also, the Directive (EU) 2016/97 on insurance distribution5 and the Belgian implementing legislation of this directive require the processing of certain personal data for specific reporting. Sometimes policy data is processed in the reporting, but this does not result in further processing in the statistics. Each report has a purpose and the processing may not exceed this purpose. A register is kept of those reports and their purpose, which are strictly regulated via the data warehouse and require approvals to deviate from it. 
      principle of legality - essential, because it is fundamental principles of


5 Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast), OJ L 26/19.
      data protection. The Disputes Chamber considers the defendant's infringement


54. The Dispute Resolution Chamber concludes that the Respondent has made the necessary efforts to limit the data processing for this purpose to what is strictly necessary. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5(1)(c) of the AVG).


55. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. In particular, it should be evaluated whether 'the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose'.


56. The Dispute Resolution Chamber follows the Respondent's view that if an individual enters into an insurance contract with Y, that individual can reasonably expect Y to implement internal controls and compile statistics to ensure that Y can meet its contractual obligations.


57. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "Statistics and Quality Requirements".


- For the section on "Satisfaction Surveys"


"Context of the processing purpose


This processing purpose includes determining the NPS ("Net Promoter Score"), the customer satisfaction factor, by means of an external survey carried out by a third party in order to safeguard the anonymity of the survey. This factor is calculated with regard to the follow-up by the Y Contact Centre and the claims department (claims handling).
14 With regard to the jurisdiction of the Disputes Chamber regarding the imposition of an administrative fine, see also decision no
55/2021 of April 26, 2021, available in French on the GBA website.
15
  Court of Appeal Brussels (section Marktenhof), Judgment 2020/1471 of 19 February 2020. Decision on the merits 57/2021 - 34/36


58. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber is of the opinion that the processing purpose as described by the Respondent must be considered to be carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled.


59. In order to fulfil the second condition, it should be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.


60. Starting from the purpose of conducting satisfaction surveys, the Dispute Resolution Chamber should establish that the Respondent allows customers to express an opinion anonymously through this survey and thus to assert their interests. The results are aggregated and processed by an external company so that the anonymity of those involved can be preserved. During the hearing, it was added that customers always have the choice of whether or not to participate in the survey, since they always have the right to object. The Panel finds that customers thus have the necessary freedom of choice, and that the results of those who participate in the survey are made available to the respondent in anonymous form.
    the principle of legality specified in art. 6 GDPR and the transparency principle


The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5(1)(c) of the AVG).  
    which is specifically laid down in Articles 12 and 13 GDPR, therefore as a serious violation.


61. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. In particular, it must be evaluated whether the "data subject


at the time and in the context of the collection of the personal data, the data subject may reasonably expect that processing can take place for that purpose "6.


6 Recital 47 AVG.  
123. An important element in determining the amount of the fine is the fact that the defendant


62. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used by the defendant to gauge his satisfaction with the defendant's service.


63. Consequently, the Dispute Resolution Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "conducting satisfaction surveys".
    subsequent infringements as motivated in decision 24/2020 not disputed and as a result thereof


- For the section on 'Quality assurance tests on operations
    has already made efforts to address the new privacy statement on those points


"Context of the processing purpose
    to comply with the GDPR:


This processing purpose relates to the general monitoring of the quality of the operational services and the performance of Y . This concerns quality checks whereby each employee concerned must carry out 2 random checks per week on the correct underwriting or execution of the insurance contract and applicable instructions and procedures for this purpose."
      - Infringement of Article 13.1 c) GDPR due to lack of clear distinction between the


64. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber is of the opinion that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled.
          processing health data on the one hand, and processing the other 'normal'


65. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question must be asked whether the same result can be achieved by other means without processing personal data or without processing that is unnecessarily intrusive for the data subjects.
          personal data on the other hand and this for each of the purposes of 4.3. of the


66. In view of the purpose, being the general monitoring of the quality of Y's operational services and performance, the Litigation Chamber should note that the Respondent asserts that Y is subject to the Insurance Distribution Directive (EU) 2016/97 and the Belgian implementing legislation which require insurance companies to tailor their services to the desires and needs of their customers. As indicated during the hearing, the Respondent does not rely on its legal obligation (Article 6.1(c) of the AVG) as a legal basis for the processing, as the nature and scope of the reporting is not explicitly required as such by law. Hence, for those processing operations, the defendant claims its 'legitimate interest under that law' as the legal basis. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1. c) of the AVG). The processing of personal data is necessary in order to actively measure the quality of the service.  
          privacy statement, as for each of the 6. transmissions of the privacy statement.


67. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "7.
      - Violation of Articles 12.1 and 13.2 b) GDPR in the absence of mention in the privacy statement


7 Recital 47 AVG.  
          of the possibility for the data subject to exercise his right of retention.


68. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used for carrying out internal quality controls in order to ensure that Y can comply with its legal and contractual obligations.
      - Infringement of Article 13.1 c) GDPR due to lack of indication of the legal basis for the


69. Accordingly, the Dispute Resolution Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of 'quality checks operations'.
          transfer to each of the distinct categories of third parties in point 6. of the


70. With regard to the purpose of "training of personnel", the Respondent states the following:
          privacy declaration.


"Context of the processing purpose


This includes the organisation and follow-up of training, awareness sessions and courses for Y employees who come into contact with (personal data of) customers. Trainings include


- technical aspects (e.g. with regard to Y products);


- technical aspects (e.g. the use of Office 365 applications, information security training, etc.)
124. Although the changes made to the new privacy statement are a positive element


- On the job training (training for new employees as well as training with the aim to continuously improve the quality of service); and
    when assessing the administrative fine, the Disputes Chamber emphasizes that it is there


- More general aspects such as compliance topics (e.g. AVG, IDD, etc.).  
    do not seek to rectify the infringements established. The


71. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled.
    infringements have been identified and cannot be reversed retroactively by the


72. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.
    controller who still processes his data - albeit too late


73. Starting from the purpose of training staff, the Dispute Resolution Chamber should note that the Respondent submits that in exceptional cases the cases used for training contain personal data of customers, or personal data of customers are used for the preparation of the training material. However, the Respondent states that the underlying material (case studies) is generally fully anonymised.  
    complies with the requirements of the GDPR.


74. The Dispute Resolution Chamber notes that the Respondent cites that, in the context of training, cases contain personal data of customers only in exceptional cases or personal data of customers are used for the preparation of the training material. However, the Respondent fails to clarify in which cases it would be required to provide training to staff using customers' personal data. The defendant does not make it reasonably plausible that staff training could not always be provided on the basis of anonymised data. The second


condition is thus not met, as it has not been demonstrated that the principle of minimum data processing (Article 5(1)(c) of the AVG) is complied with.


75. In order to verify whether the third condition of Article 6.1(f) of the AVG - the so-called 'balancing test' between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 of the AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "8.


8 Recital 47 AVG.


76. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for staff training. A policy holder can only expect normal management of his customer file, which only requires access to the information contained therein by the personnel who have to carry out tasks for the benefit of the customer concerned. When, in the context of training, information from actual files is shared, the processing of that information is not limited to those who have to perform tasks in the file concerned.


77. Consequently, the Litigation Chamber concludes that the Respondent cannot rely on the legal ground of 'legitimate interest' for processing for the purpose of 'staff training' and therefore there is an infringement of Article 6.1(f) of the AVG. The Dispute Resolution Chamber additionally notes that if the Respondent nevertheless wishes to use customers' personal data for the purpose of training staff, it may rely on another legal ground, namely consent (Article 6.1(a) AVG).


78. With regard to the purpose of "monitoring and reporting", the Respondent states the following:  
125. In addition, the current decision also identifies infringements:


"Context of the processing purpose
      - Violation of article 6.1 GDPR with regard to the purposes of “training personnel” and


This processing purpose includes, inter alia, the production of reports for auditing purposes in the context of:
          “The storage of video surveillance recordings during the legal period”.


- IFRS 17 accounting standards for insurance contracts and Belgian generally accepted accounting principles ("Belgian GAAP")
      - Violation of art. 13.1. c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR.


- calculating reserves (within the framework of, for example, the Act of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II Act), etc.); or
      - Violation of article 13.1 d) GDPR in conjunction with article 5.1 a) GDPR and article 5.2 GDPR.


- profitability monitoring or reports in the context of large claims.


These reports are made both for internal control purposes and for reporting to the Y1 Re group (of which Y is part). This includes both recurring reports and one-off ad hoc reports. Only fully aggregated, anonymised, or if not otherwise possible pseudonymised reports are made in the context of large claims or ad hoc reports relating to specific cases or outliers.


79. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the context of the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) AVG is fulfilled.


80. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.  
    Furthermore, the Disputes Chamber also takes into account the finding that the violation of Article 6.1


81. Based on the purpose of monitoring and reporting, the Litigation Chamber finds that the Respondent asserts that the various general financial and insurance law regulations (in the context of, for example, the Act of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II Act)) cannot be complied with without drawing up the necessary reports or carrying out monitoring. As indicated during the hearing, the Respondent also does not rely on its legal obligation (Article 6.1(c) of the AVG) as a legal basis for the processing, as the nature and extent of the reporting is not explicitly required as such by law. Hence, for those processing operations, the defendant claims its 'legitimate interest under that law' as the legal basis. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1. c) of the AVG). Indeed, the processing of personal data is necessary since compliance with the legislation cannot be achieved without the necessary reports or monitoring.
    AVG is limited to two processing purposes “staff training” and “the storage of


82. The Respondent adds that only fully aggregated, anonymised, or if not otherwise possible pseudonymised reports are prepared in the context of large claims or ad hoc reports relating to specific cases or outliers. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1(c) of the AVG).
    recordings of video surveillance during the legal period ”and is therefore of a nature to be a


83. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "9.
    justify a reduction in the amount of the fine. In addition, the established


9 Recital 47 AVG.
    breaches of the principle of transparency and accountability are so serious Decision on the substance 57/2021 - 35/36


84. The Dispute Resolution Chamber considers that in the case of collection of personal data in the context of taking out insurance, it can be assumed that the policyholder can reasonably expect at that time that his data will be used for the fulfilment of the legal and contractual obligations of the defendant.


85. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "monitoring and reporting".


86. With regard to the purpose "storage of video surveillance recordings for the statutory period", the Respondent states the following:


"Context of the processing purpose
          that a substantial fine is required. This applies all the more in view of the large scale


It concerns the processing of personal data by means of the cameras located within the premises of Y for the purpose of safeguarding customer security, data security and the protection of the company's assets."
          of the processing of non-health data by the defendant with


87. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest that the
          decisive impact on all insured persons who have taken out hospitalization insurance


Respondent pursued as a data controller can in itself be considered justified pursuant to recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) AVG is fulfilled.  
          affiliated with Y, which concerns a significant number of stakeholders. A decisive element


88. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.
          this is also due to the fact that Y is a major player in the insurance market that may become


89. Starting from the purpose of providing video surveillance, the Dispute Resolution Chamber should note that the Respondent asserts that the images are stored in a secure environment. Both the room and the IT servers involved are subject to strict access security measures. Access to the images is subject to strict procedures. Storage of the images is also limited to the legal retention period (in principle 30 days).
          expects the latter to duly and with the necessary conscientiousness align its privacy policy with the


90. The second condition is thus fulfilled as it was demonstrated that the principle of minimum data processing (Article 5(1)(c) of the AVG) was complied with.  


91. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other hand - can be met, the data subject's reasonable expectations must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose".10


10 Recital 47 AVG.


92. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for video surveillance. The purpose of video surveillance is not related to the conclusion of an insurance contract, so that the policyholder cannot expect that his personal data provided in connection with an insurance contract will be used for video surveillance purposes. Video surveillance only takes place when the defendant's premises are physically entered, and then compliance with the camera law, including the obligation to display a pictogram with information to inform the person concerned, is sufficient.


93. Consequently, the Dispute Resolution Chamber concludes that the Respondent cannot rely on the legal basis 'legitimate interest' for processing for the purpose of 'storage of video surveillance recordings during the statutory period' and thus there is an infringement of Article 6.1(f) of the AVG. 


94. For the sake of completeness, the Litigation Chamber adds that if a controller wishes to use surveillance cameras, it must then comply with its legal obligations under the Act of 21 March 2007 regulating the installation and use of surveillance cameras. As soon as a controller makes use of surveillance cameras, data processing obligations flow from that law, so that the controller can rely on Article 6(1)(c) AVG. In this regard, the Respondent stated during the hearing that the necessary pictograms have been affixed in accordance with this law.


c) Model balancing of interests


95. For each of the aforementioned purposes, the Respondent argues that the processing purpose is permissible because the quantitative score calculated by the balancing of interests model used by Y is below 30. The Respondent submits that on the basis of that model, the processing purposes may be supported by the legitimate interests of the controller to the extent that this score does not exceed 30.


96. In this respect the Litigation Chamber notes that the model used by Y is a purely internal instrument which, at most, can serve as a guideline within the company, but from which no legal arguments can be drawn in order to pass the test against the legal basis of Article 6.1(f) of the AVG. Thus, no legal value can be attached to the scores calculated on the basis of that model.


d) All legal grounds contained in Article 6.1 AVG


97. The Respondent believes that the Dispute Resolution Chamber would have stated in its Decision 24/2020 that it can only rely on consent as a legal ground (Article 6.1(a) AVG) for the processing purposes listed in section 4.3. of the old Privacy Notice and not on the other legal grounds of Article 6.1 AVG.


98. The Litigation Chamber explains that in this regard the following was stated in the decision 24/2020:


"The Litigation Chamber therefore considers that the breach of Art. 6.1. AVG has been proven, as the data processing for the purposes set out in sections 1, 2, 3, 4, 6 and 7 of point 4.3. of the Privacy Statement, without any demonstrated legitimate interest, must be based on the consent of the complainant in the absence of any other possibly applicable legal ground in Art. 6.1. AVG."


99. From this the defendant infers, albeit incorrectly, that the Dispute Resolution Chamber has given consent as the sole legal basis for the purposes set out therein. However, the Respondent ignores the fact that the Dispute Resolution Chamber reaches that decision precisely because the Respondent fails to demonstrate any legitimate interest and thus fails to demonstrate that the applicable conditions are met to rely on this legal basis in Article 6.1(f) AVG. Indeed, the Litigation Chamber expressly stated in its decision that the Respondent did not demonstrate in any way what its legitimate interest would be and also failed to demonstrate to what extent its interest would outweigh the interests and fundamental rights of the Complainant, although the Respondent is obliged to do so on the basis of its accountability obligation (Article 5.2 AVG). Thus, the Dispute Resolution Chamber could not retain Article 6.1(f) AVG as a valid legal basis. Based on the factual elements that led to decision 24/2020, the only remaining legal ground was consent. 


The Litigation Chamber emphasises that any controller, including thus also the Respondent, may rely on any possible legal ground under Article 6.1 AVG, but that the applicable conditions for the legal ground relied upon must be met.


2. Legal ground for transfers to third parties


101. First, the defendant claims that a transfer to third parties is not a processing purpose in itself, but is a mere form of processing personal data within the meaning of Article 4.2 AVG. The Respondent argues that it only makes considerations of interests per processing purpose, but not per processing.  


102. The Dispute Resolution Chamber states that it follows from Article 5.1(a) AVG that personal data must be processed for a specified purpose and that such processing must be lawful within the meaning of Article 6.1 AVG. It is therefore clear that any processing must take place within the framework of a well-defined, explicit and legitimate purpose and that this processing must be based on a legal basis in order to be considered lawful. It is, of course, possible to carry out several processing operations for the same purpose within the meaning of Article 4.2 of the AVG, but this does not alter the fact that data processing for a certain purpose can only be regarded as lawful if there is a legal basis for doing so.


103. The Litigation Chamber notes that, for each transfer to a third party, the purpose for which the transfer is made must be determined. In order to verify whether the transfer to a third party can be considered lawful, the purpose of the transfer to a third party must be determined.


104. As the Respondent rightly points out, the legal basis for the transfer to processors (which are, however, not third parties within the meaning of Article 4(10) of the AVG) is the same as for the data processing by the Respondent itself. Indeed, the purpose of processing remains unchanged, as the processor processes the personal data only for the benefit of the defendant as controller.  


105. If the personal data are transferred to a third party within the meaning of Article 4(10) AVG for the purpose of enabling that third party to process the personal data in question for its own purposes, then that transfer should be considered in isolation for that specific purpose and requires a separate legal basis. For the sake of transparency, the processing basis for all transfers should be stated in the privacy notice in order for the defendant to comply with its obligation under Article 13(1)(c) of the AVG. However, this is not the case, which is why the Dispute Resolution Chamber is of the opinion that there has been a violation of Article 13.1(c) AVG in conjunction with Article 5.1(a) AVG and Article 5.2 AVG.


3. Principle of Transparency


106. Notwithstanding the fact that Article 13.1(d) AVG requires the controller to provide the data subject with information regarding his or her legitimate interests if the processing is based on Article 6(1)(f), the Respondent maintains that, for the purposes of the Privacy Notice referred to in 4.3 above, as well as for the transfers referred to in 6 of the privacy statement which are based on Article 6(1)(f) of the AVG, it is sufficient to state that personal data are processed based on the legitimate interest of the defendant, without explaining what exactly this legitimate interest would consist of.


107. The Respondent submits that the balancing of interests concerns internal documents which have not been made public by Y or included in its Privacy Statement, given the business-sensitive information they contain. Moreover, these are voluminous, rather privacy-related documents that are typically not included in a Privacy Statement.  


108. For transfers to "the companies of the group Y1 Re to which Y belongs, for monitoring and reporting purposes", the Respondent confirms that it is a transfer to another controller, mentions its legitimate interest in its conclusion under the processing purpose "monitoring and reporting", but fails to clarify its legitimate interest in the Privacy Statement.


109. Furthermore, the Respondent also refers to recital 48 of the AVG which provides that controllers which are part of a group of companies or a group of institutions affiliated to a central body may have a legitimate interest in the transmission of personal data within the group for internal administrative purposes, including the processing of personal data of customers or employees.


110. The Dispute Resolution Chamber acknowledges that recital 48 applies to the Respondent, but this does not prevent the Respondent from being transparent on this issue in its privacy notice and also in such a case from indicating the legal basis and making clear what its legitimate interest consists in, which is not the case in the old privacy notice.  


111. As regards the transfer to "subcontractors in the European Union or outside, responsible for processing activities defined by Y", the Respondent argues that they are processors of Y.


112. The Litigation Chamber therefore repeats the reasoning in this regard from its decision 24/2020 to conclude a breach of Article 13.1 d) AVG in conjunction with Article 5.1 a) AVG and Article 5.2 AVG. The privacy declaration merely states that personal data are processed for the purposes set out in 4.3 on the basis of the legitimate interest of the defendant, without indicating what exactly this legitimate interest would be, whereas Art. 13.1(d) AVG does require the controller to provide the data subject with information regarding his legitimate interests if the processing is based on Article 6(1)(f).


113. The Dispute Resolution Chamber also refers to the European Data Protection Board (EDPB) Guidelines on transparency under Regulation (EU) 2016/679,11 which emphasise that the specific interest in question must be identified for the benefit of the data subject.


11 EDPB, Guidelines of the Article 29 Data Protection Working Party on Transparency under Regulation (EU) 2016/679, adopted on 29 November 2017, last revised and adopted on 11 April 2018, p. 42.
114. Also with regard to point 6. of the Privacy Notice, the Respondent does not indicate what would be its legitimate interest, invoked by it, to process personal data of the Complainant for the purpose of transfer to "The companies of the Y1 RE group to which Y belongs, for monitoring and reporting purposes" and "Subcontractors in the European Union or beyond, responsible for processing activities defined by Y". However, Art. 13.1. d) AVG does require the controller to provide the data subject with information regarding his or her legitimate interests if the processing is based on Article 6(1)(f). In this regard, the Litigation Chamber refers again to the Guidelines on Transparency pursuant to Regulation (EU) 2016/679 and the above.


115. The Dispute Resolution Chamber stated in its decision 24/2020 that as a best practice, the controller may also, before collecting personal data from the data subject, provide the data subject with information on the consideration to be given to Article 6(1)(f) as the legal basis for the processing. To avoid information fatigue, this information could be included in a layered privacy notice.12 The information provided to data subjects should make clear that these data subjects may receive information on the balancing exercise upon request. This is essential for effective transparency when data subjects have doubts about the fairness of the assessment made or wish to lodge a complaint with a supervisory authority.


12 See paragraph 35 of the Guidelines referred to in footnote 6.


116. As the Respondent points out, it is not prepared to apply the aforementioned best practice because, in its view, the documents in question are internal privacy documents containing business-sensitive information.


117. The Dispute Resolution Chamber states that even if the Respondent refuses to follow this best practice, it is at least obliged under Article 12.1 AVG to provide the data subject with information on its legitimate interest for each of the purposes for which it invokes that legal basis in a concise, transparent, intelligible and easily accessible form and in clear and simple language. In order to comply with this, it is by no means required that privacy technical documents would be disclosed, but it is required that information regarding the legitimate interest is provided in clear language that can be easily understood by a (potential) customer of the defendant.


118. The Litigation Chamber finds that the information required by Article 13.1(d) AVG has not been made available by the Respondent in any way, so that the breach of Article 13.1(d) AVG in conjunction with Article 5.1(a) AVG and Article 5.2 AVG has been established.


4. Administrative fine


119. The fact that the Respondent did commit the infringements of Articles 5.1(a), 5.2, 6.1, 12.1, 13.1(c) and (d) and 13.2(b) AVG leads the Dispute Resolution Chamber to uphold the administrative fine. This sanction is not intended to put an end to a violation that has been committed, but to ensure vigorous enforcement of the rules of the AVG. After all, as is clear from recital 148 of the AVG, the AVG stipulates that in the event of any serious breach - i.e. even if the breach is detected for the first time - sanctions, including administrative fines, shall be imposed in addition to or as an alternative to appropriate measures.13 In the following, the Dispute Resolution Chamber demonstrates that the infringements committed by the Respondent of Articles 5.1(a), 5.2, 6.1, 12.1, 13.1(c) and (d) and 13.2(b) AVG are by no means minor infringements, nor that the fine would cause a disproportionate burden to a natural person as referred to in recital 148 AVG, whereby a fine may be waived in either case. The fact that it is a first finding of an infringement committed by the defendant is not sufficient to justify the imposition of a fine.


13 Recital 148 states: "In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any infringement of the Regulation, in addition to or as an alternative to any appropriate measures imposed by the supervisory authorities under this Regulation. Where the infringement is minor or where the likely fine would impose a disproportionate burden on a natural person, a reprimand may be substituted for a fine. However, account should be taken of the nature, seriousness and duration of the breach, of the intentionality of the breach, of measures to mitigate damages, of the degree of responsibility or of previous relevant breaches, of how the breach came to the attention of the supervisory authority, of compliance with measures taken against the controller or processor, of adherence to a code of conduct and of any other aggravating or mitigating factors. The imposition of sanctions, including administrative pecuniary sanctions, should be subject to appropriate procedural safeguards in line with general principles of Union law and the Charter, including effective remedy and fair trial." [own emphasis]


As regards the AVG, this does not in any way affect the ability of the Dispute Resolution Chamber to impose an administrative fine. The Dispute Resolution Chamber shall impose the administrative fine in application of Article 58.2(i) AVG.


120. The Litigation Chamber again emphasises that the instrument of an administrative fine is in no way intended to terminate infringements. To this end, the AVG and the WOG provide for a number of corrective measures, including the orders mentioned in Article 100, §1, 8° and 9° WOG. It further emphasises that the administrative fine is one of the sanctions provided for in Article 58.2 AVG and Article 100 WOG. Neither EU law nor national Belgian law establish a hierarchy with regard to the sanctions to be imposed. As an organ of an independent data protection authority as provided for in Section 51 of the AVG, the Litigation Chamber is free to choose the most appropriate sanction. The Litigation Chamber considers that, in view of the controller's duty of accountability, the imposition of an administrative fine for a breach of the AVG could be expected.14


14 On the competence of the Dispute Chamber to impose an administrative fine, see also decision no. 55/2021 of 26 April 2021, available in French on the website of the GBA. 


15 Brussels Court of Appeal (Market Court section), Judgment 2020/1471 of 19 February 2020.


121. Taking into account Article 83 AVG and the jurisprudence15 of the Markets Court, the Dispute Resolution Chamber motivates the imposition of an administrative sanction in concrete terms:


- The seriousness of the breach: the reasoning below shows the seriousness of the breach.


- The duration of the breach: the breaches are assessed with regard to this aspect in the light of the date on which the AVG became applicable, namely 25 May 2018. The Respondent's privacy notice appears to have remained unchanged since the AVG became applicable until a new privacy notice was drafted in response to the complaint. However, the new privacy statement is not the subject of the Dispute Resolution Chamber's assessment, so it does not express an opinion on the extent to which the new privacy statement complies with the AVG.


- The necessary deterrent effect to prevent further breaches
    does not require that the identification data of the parties be directly


122. As regards the nature and seriousness of the breach (Article 83.2(a) AVG), the Litigation Chamber emphasises that compliance with the principles laid down in Article 5 AVG - in this case, in particular, the principle of transparency including accountability, as well as the principle of legality - is essential, as these are fundamental principles of data protection. The Litigation Chamber therefore considers that the Respondent's breach of the principle of lawfulness set out in Article 6 of the AVG and of the principle of transparency set out in specific terms in Articles 12 and 13 of the AVG constitutes a serious breach.


123. An important element in determining the amount of the fine is the fact that the Defendant does not contest the following infringements as substantiated in Decision 24/2020 and, as a result, has already made efforts to bring the new privacy notice into line with the AVG in these respects:


- Infringement of Article 12.1 and 13.2 b) of the Privacy Act by not mentioning in the privacy declaration the possibility for the person concerned to exercise his/her right of retention.


- Infringement of Article 13(1)(c) AVG for failure to state the legal basis for the transfer to each of the different categories of third parties in point 6. of the privacy statement.


124. Although the amendments made to the new Privacy Notice are a favourable element in the assessment of the administrative fine, the Litigation Chamber emphasises that they are not intended to undo the breaches found. The infringements were found and cannot be retroactively reversed by the controller bringing its data processing into compliance with the requirements of the AVG, albeit too late.


125. In addition, infringements are also identified in the present decision:


- Infringement of Article 6.1 AVG as regards the purposes of 'training of staff' and 'storage of video surveillance recordings during the statutory period'.


- Infringement of Article 13(1)(c) of the AVG in conjunction with Article 5(1)(a) of the AVG and Article 5(2) of the AVG.


- Infringement of Article 13.1 d) AVG in conjunction with Article 5.1 a) AVG and Article 5.2 AVG.


Furthermore, the Dispute Resolution Chamber also takes into account the finding that the violation of Article 6.1 AVG is limited to two processing purposes "the training of staff" and "the storage of video surveillance recordings during the statutory period" and is therefore of a nature to justify a reduction in the amount of the fine. In addition, the breaches of the principle of transparency and accountability that have been established are of such gravity that a substantial fine is appropriate. This is all the more true in view of the large scale of the defendant's processing of data other than health data with a decisive impact on all insured persons who have taken out hospital insurance with Y, which is a considerable number of persons concerned. A decisive element in this respect is also the fact that Y is a major player in the insurance market which may be expected to align its privacy policy with the AVG with due diligence.


126. As regards the lack of transparency, the Litigation Chamber also points out that the AVG precisely provided for a transitional period of 2 years16 in order to give every controller the necessary time to prepare for and adapt to the requirements set by the AVG. Therefore, the Respondent's argument during the hearing that the changes made by the AVG to the previous Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data are at the root of the lack of transparency cannot be accepted. The defendant argues that Articles 13 and 14 AVG, in conjunction with Article 12 AVG, and the precise manner in which they are interpreted caused the difficulty. The transparency guidelines of the Group 29 (now EDPB) were an aid. Again, the Dispute Resolution Chamber should note that those Guidelines already date from 29 November 2017, were revised and adopted on 11 April 2018 and have remained unchanged since then. The Respondent thus had sufficient time, as required by its accountability obligation (Article 5.2 AVG), to align its privacy statement with the AVG.


16 Article 99 AVG


127. This leads the Dispute Resolution Chamber to reconsider the fine and reduce it to €30,000.


128. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in Section 83 AVG, taking into account the assessment criteria set out therein. The Litigation Chamber points out that the other criteria of art. 83.2. AVG in this case are not such as to result in an administrative fine other than that determined by the Dispute Resolution Chamber for the purposes of this decision.


5. Publication of the decision


129. In view of the importance of transparency regarding the Dispute Resolution Chamber's decision, this decision is published on the GBA's website. However, it is not necessary for the identification details of the parties to be published directly for this purpose.


FOR THESE REASONS,


the Data Protection Authority's Dispute Resolution Chamber, after deliberation, decides to reverse its decision 24/2020 of 14 May 2020 and to impose an administrative fine of €30,000 on the Respondent, pursuant to art. 100, §1, 13° WOG and art. 101 WOG, for violations of articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) AVG.


This decision may be appealed pursuant to Article 108 § 1 WOG within a period of thirty days from the notification to the Market Court, with the Data Protection Authority as defendant.


(Get).Hielke Hijmans  
(Get) Hielke Hijmans


President of the Litigation Chamber </pre>
Chairman of the Disputes Chamber
</pre>

Latest revision as of 14:05, 2 June 2021

APD/GBA (Belgium) - 57/2021
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
Article 13(1)(c) GDPR
Article 13(1)(d) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 06.05.2021
Published: 06.05.2021
Fine: 30.000 EUR
Parties: n/a
National Case Number/Name: 57/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: Beslissing ten gronde 57/2021 van 06 mei 2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA states that a separate and clearly defined purpose is necessary for transfer to a third party. Multiple, different processing can take place for the same purpose, but each requires a legal basis.

English Summary

Facts

This decision is a reconsideration of decision 24/2020 and gives effect to the judgment of the Market Court of 18 November 2020 (2020/AR/813); it gives the defendant the possibility to defend itself against all GDPR infringements on which the initial sanction was based.

To summarise, the complainant claimed that his health data was used by an insurance company for a purpose to which he did not explicitly agree. The defendant now claims to use legitimate interest as the legal basis.

Holding

Legal basis of legitimate interest

The defendant states that non-sensitive personal data can be processed based on legitimate interest for different purposes:

- conducting computer tests;
- monitoring the quality of service;
- training of personnel;
- monitoring and reporting;
- storing recordings of video surveillance for the statutory period; and
- compiling statistics from coded data, including big data.

For each of these purposes, a balancing test was done.

The DPA recites the requirements for relying on Article 6(1)(f), namely purpose test, necessity of the processing and a balancing test.

As regards the first condition (the so-called "purpose test"), the DPA considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as the data controller can in itself be regarded as legitimate, in accordance with recital 47 of the GDPR.

In order to satisfy the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking the question whether the same result can be achieved by other means without processing personal data or without an unnecessarily intrusive processing for the data subjects.

In order to verify whether the third condition of Article 6(1)(f) - the so-called "balancing test" between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing may take place for that purpose."

Conducting computer tests

The DPA holds that this satisfies the first, second and third criteria. It does state that the data subject could be better informed about the tests.

Monitoring the quality of service and compiling statistics from coded data, including big data

This topic has three parts: "statistics and quality tests", "satisfaction questionnaires" and "quality tests operations", each legitimate interest basis was assessed by the DPA:

Statistics and quality tests

All criteria have been fulfilled.

Satisfaction questionnaires

All criteria have been fulfilled.

Quality tests operations

All criteria have been fulfilled.

Training of personnel

The first criterion has been fulfilled. The necessity test has not been fulfilled, since it is not necessary to use client data in order to provide training cases for personnel; this is a breach of the data minimisation principle of Article 5(1)(c). The balancing test is also not fulfilled, as it is not within the reasonable expectations of a person taking out insurance that their information will be used as a training example.

Monitoring and reporting

The first criterion has been fulfilled. The second criterion has been fulfilled, as a minimum of data is necessary to fulfil legal obligations. Those legal obligations, however, did not provide an explicit legal basis for the processing. The third criterion has also been fulfilled, as a data subject can reasonably expect that the insurance company must fulfil its legal obligations.

Storing recordings of video surveillance for the statutory period

The first and second criteria have been fulfilled. The third criterion has not been fulfilled, as a data subject signing an insurance contract cannot reasonably expect that their data will be used for video surveillance. This falls under the Camera Law of 21 March 2007, including the obligation to put up pictograms to inform data subjects.

Model of balancing test

The defendant states that all of these balancing tests scored less than 30 on the model it used, which according to that model means legitimate interest can be used as a legal basis. The DPA holds that such a model is purely instrumental and that no legal value can be given to it.

Legal basis for transfer to third parties

The defendant claims that transfers to third parties are not a processing purpose, but a form of processing within the meaning of Article 4(2).

The DPA states that, according to Article 5(1)(a), personal data must be processed for a specific purpose and the processing must be legitimate within the meaning of Article 6(1). It is possible to carry out multiple processing operations for the same purpose, but this must be done in compliance with the above.

As the defendant is not able to state a specific and separate purpose for the transfer to a third party, and in light of the transparency principle within the meaning of Article 13(1)(c), there is a breach of the GDPR.

Transparency principle

Notwithstanding Article 13(1)(d) regarding transparency about its legitimate interests, the defendant claims that it fulfilled the requirements by merely stating in the privacy notice that the personal data will be processed based on its legitimate interest, without indicating what those interests are.

Those legitimate interests are, according to the defendant, not public as they contain company-sensitive information, and the documents are very 'heavy' and not suited to a privacy notice.

As the defendant is not able to state a specific and separate purpose for the transfer to a third party, and in light of the transparency principle within the meaning of Article 13(1)(d), there is a breach of the GDPR. Even if the defendant does not want to share sensitive information, it must at least provide more information to its data subjects in a clear and transparent way. Sharing the company-sensitive or 'heavy' documents themselves is not required for this.

Based on the above, the first decision and the appeal, the fine for the insurance company is reduced to €30.000 (from €50.000).

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dispute Chamber

Decision on the merits 57/2021 of 06 May 2021

File number: DOS-2019-02902

Subject: Lack of transparency in a privacy statement of an insurance company (reconsideration of decision 24-2020)

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the rules of internal procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

has taken the following decision regarding:

    - Mr X, hereinafter “the complainant”;
    - Y, represented by Masters Benoit Van Asbroeck and Simon Mortier, hereinafter “the defendant”.




    1. Facts and procedure




  1. This decision is a reconsideration of decision 24/2020 of the Disputes Chamber of 14 May 2020, and implements the judgment of the Marktenhof of 18 November 2020, with roll number 2020/AR/813.

  2. This decision must be read in conjunction with decision 24/2020 and contains a review to give the defendant the opportunity to defend itself regarding all breaches of the GDPR for which a sanction was imposed in the initial decision, insofar as these infringements are contested by Y. With this review, the Disputes Chamber thus remains within the framework of the initial decision, also with regard to the administrative fine, which cannot exceed the amount of the initially determined fine. With regard to the allegations for which the Disputes Chamber ruled in the initial decision that there was no breach of the GDPR, that judgment is preserved. The infringements identified in the initial decision and not contested by Y are equally preserved.

  3. On June 14, 2019, the complainant lodged a complaint with the Data Protection Authority against the defendant.

      The object of the complaint concerns the use of health data, which the insurance company of the data subject obtained under a hospitalization insurance, for other purposes without the express consent of the insured person concerned. The complainant states that he has no problem with his health data being processed for the performance of obligations under the hospitalization insurance taken out with the defendant, but that he does have a problem when those same health data are processed for the purposes listed in point 4.3 of the privacy statement and for the transfer to third parties as mentioned in point 9 of the same privacy statement (it concerns point 6, but the reference to point 9 is a material mistake), as stated in the defendant's privacy statement. He asks that, specifically for those purposes as well as for the transfer, the defendant give the data subject the choice to consent or not to the processing of his health data.

      Finally, the complainant indicates that he wishes to receive the defendant's data protection impact assessment, as high-risk data processing is involved.




4. On 26 June 2019, the complaint was declared admissible on the basis of Articles 58 and 60 of the WOG; the complainant was informed of this on the basis of art. 61 WOG and the complaint was submitted to the Disputes Chamber on the basis of art. 62, §1 WOG.

5. On 23 July 2019, the Disputes Chamber decided on the basis of art. 95, §1, 1° and art. 98 WOG that the file was ready for treatment on the merits.

6. On July 24, 2019, the parties concerned were notified of the provisions as stated in article 95, §2 and in art. 98 WOG. The parties concerned were also informed, on the basis of art. 99 WOG, of the time limits for submitting their defenses. The deadline for receiving the complainant's reply was set at 7 October 2019, and at 7 November 2019 for the defendant.

7. On July 29, 2019, the defendant reported to the Disputes Chamber that it had taken note of the complaint; it requested a copy of the file (art. 95, §2, 3° WOG) and accepted that all communication regarding the case be done electronically (art. 98, 1° WOG).

8. A copy of the file was sent to the defendant on 30 July 2019.

9. On August 2, 2019, the Disputes Chamber received a letter in which the defendant indicated that it wished to be heard by the Disputes Chamber (art. 98, 2° WOG).

10. On September 6, 2019, the Disputes Chamber received the statement of defense from the defendant. The respondent argues, first, that the processing of special categories of personal data, in this case health data, by health insurer Y takes place in a lawful manner. The processing of these special categories of personal data (Art. 9 GDPR) is prohibited in principle. The respondent invokes the exception of Article 9(2)(a) GDPR, the express consent of the data subject. Second, the respondent argues that no separate consent is required for each transfer of personal data. Thirdly, according to the respondent, there is no question of asking consent for the processing of data other than health data. Finally, according to the respondent, a data protection impact assessment is not necessary in this case, since it concerns existing processing operations and not new processing operations commenced after May 25, 2018.





11. The complainant has not exercised the right to submit a reply.

12. The defendant does not submit a new claim and only submits exhibits on 7 November 2019 in support of the statement of defense submitted on 6 September 2019.

13. On January 9, 2020, the parties were notified that the hearing would take place on January 28, 2020.

14. On January 28, 2020, the defendant was heard by the Disputes Chamber. The complainant, though duly summoned, did not appear. Among other things, the defendant answered questions from the Disputes Chamber on the legal basis for the processing of personal data other than health data. After this, the debates were closed.

15. On January 29, 2019, the official report of the hearing was presented to the parties.

16. On January 31, 2020, the defendant provided the annual turnover of the last three financial years, as requested during the hearing. For the years 2016-2018, this always amounts to a turnover between 500 and 600 million euros.

17. On 6 February 2020, the Disputes Chamber received a number of comments from the defendant with regard to the official report, which it decided to include in its deliberations.



18. On March 25, 2020, the Disputes Chamber notified the defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend itself before the sanction is imposed.

19. On May 8, 2020, the Disputes Chamber received the respondent's response to the intention to impose an administrative fine, as well as the amount thereof. The defendant alleges that the alleged infringements as contained in the intention of the Disputes Chamber would be completely new and that it was unable to defend itself against them. However, the Disputes Chamber must establish from the documents in the file that it is indisputable that the defendant was able to exercise its full rights of defense. The defendant also claims to disagree with the imposition of a fine, or with the intended amount of the fine. However, it does not put forward any (new) arguments in substantiation of this thesis. The response of the defendant therefore gives the Disputes Chamber no reason to adjust the intention to impose an administrative fine, nor to change the amount of the fine as intended.



  20. On May 14, 2020, the Disputes Chamber ruled as follows in its Decision on the merits 24/2020:
       - on the basis of art. 100, §1, 9° WOG, to order the defendant that the processing is brought into line with article 5.1 a), article 5.2, article 6.1, article 12.1, article 13.1 c) and d) and 13.2 b) GDPR;
       - on the basis of art. 100, §1, 13° WOG and art. 101 WOG, to impose an administrative fine of EUR 50,000 as a result of the violations of article 5.1 a), article 5.2, article 6.1, article 12.1, article 13.1 c) and d) and article 13.2 b) GDPR.



  21. On 17 June 2020, the Disputes Chamber received the notification of an application against the GBA, lodged at the Registry of the Court.

  22. The introductory session before the Marktenhof took place on 24 June 2020, at which the conclusion deadlines for the parties were set and the case was set for pleadings at the session on October 21, 2020. The Marktenhof passed judgment on 18 November 2020. The judgment contains the following points for attention with regard to the assessment of the subject of the petition:

      • Annulment of decision on the merits no. 24/2020 of 14 May 2020 of the Disputes Chamber.
      • The Marktenhof argues that the defendant should be given the opportunity, after the complaint is ready and clearly formulated in writing, to take a written position on it. The fact that the defendant was asked at the hearing (as stated in the minutes of the hearing) to take a position on the general question of the legitimate interest on which the defendant relies for processing other than health data, and that the defendant only formulated a brief answer to this without any reservations or objections, does not adequately justify decision no. 24/2020 of 14 May 2020.


  23. Following up on the judgment, the Disputes Chamber decided on November 27, 2020 to retake the file with a view to taking a new decision. The underlying consideration is that the Disputes Chamber, notwithstanding the annulment of the aforementioned decision by the judgment of the Marktenhof, is still seized of the initial complaint filed on June 14, 2019, as declared admissible by the First-line service on June 26, 2019. Therefore, the debates were reopened and new closing deadlines set, so that the parties could take a stand regarding the legitimate interest on which the defendant relies for processing other than health data.

  The parties were notified of the following settlement deadlines:
  • the deadline for the complainant's reply is set at 8 January 2021;
  • the deadline for the defendant's reply is set at 19 February 2021.

  The date of the hearing was also determined, which would take place on March 22, 2021.

  1 The judgment is available on the website of the Data Protection Authority via the following link: https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-markthof.pdf



24. On 27 November 2020, the Disputes Chamber received the notification from the complainant that, because of the clear arguments, it seemed unnecessary to him to add additional arguments. On the same day, the Disputes Chamber informed the defendant that the complainant had stated that he would not submit a conclusion. At the request of the defendant, the Disputes Chamber also states the initially determined date for the defendant's statement of reply, as well as the date of the hearing.



25. On February 19, 2021, the Disputes Chamber received the conclusion with accompanying documents from the defendant. In it, the defendant puts forward the following pleas:
           • The respondent can rely on its legitimate interests for the processing of personal data for the purposes in accordance with Article 4.3 of its old privacy statement (no violation of articles 5.1 a), 5.2, 6.1 f) and 13.1 c) and d) GDPR).
           • The respondent can rely on an applicable legal basis for transfers to third parties in accordance with Article 6 of the old privacy statement (no violation of articles 5.1 a), 5.2, 6.1 and 13.1 c) and d) GDPR).
           • If the defendant cannot invoke all legal grounds under Article 6.1 GDPR for the processing purposes in accordance with Article 4.3 of the old privacy statement and for the transfers to third parties in accordance with Article 6 of the old privacy statement, this constitutes an infringement of the defendant's freedom to conduct a business.
           • The respondent argues that a reprimand is sufficient and that the administrative fine of € 50,000.00 is disproportionate.



26. On March 22, 2020, the parties were heard by the Disputes Chamber. The complainant, though duly summoned, did not appear. The defendant explained its defense during the hearing. No elements other than those that already form part of the file were put forward. After this, the debates were closed.

27. The minutes of the hearing were presented to the parties on 25 March 2021 in accordance with Article 54 of the Rules of Procedure. On April 5, 2021, the defendant delivered to the Disputes Chamber some comments with regard to the official report, which it decided to include in its deliberation.

28. On April 6, 2021, the Disputes Chamber announced to the defendant its intention to proceed to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend itself before the sanction is effectively enforced.

29. On April 27, 2021, the Disputes Chamber received the respondent's response to the intention to impose an administrative fine, as well as the amount thereof. In summary, the defendant states the following in its response to the intention to impose an administrative fine:



  - With regard to the lack of a demonstrated legitimate interest as a legal basis for the purposes “training personnel” and “storage of video surveillance recordings during the legal period”, the defendant argues that no questions were asked regarding the legality, necessity or proportionality of these processing purposes.

       In this regard, the Disputes Chamber notes that the defendant had already discussed extensively in its claims the legality, necessity and proportionality of all processing purposes, including those for “staff training” and “storage of video surveillance recordings during the legal period”, so that no additional clarification was requested during the hearing. At a hearing, only punctual questions are asked about any remaining uncertainties in order to clarify them and to allow the Disputes Chamber to form an opinion. At present, the Disputes Chamber can only establish that the respondent's response to the intention to impose an administrative fine as a result of the infringement of Article 6.1 GDPR with regard to the purposes “training personnel” and “storage of video surveillance recordings during the legal period”, in the absence of a demonstrated legitimate interest as legal basis, does not contain any new elements of a nature to change the judgment of the Disputes Chamber.



- With regard to the amount of the fine, the defendant is of the opinion that no fine can be imposed for the charge that personal data would have been processed without having a legitimate interest. At the very least, the defendant believes that an amount of EUR 30,000 is disproportionately high. The defendant argues that it emerged from the written conclusions and the hearing that general training material is in principle always anonymized and that virtually no personal data of customers are processed via CCTV. Nor do the documents in the file show that any personal data of the complainant would have been processed for these processing purposes. For that reason, the complainant (and by extension the other customers of the defendant) have in principle not been personally harmed by any lack of legitimate interests for the processing activities “staff training” and “the storage of video surveillance recordings during the legal period”.

    The Disputes Chamber emphasizes that whether or not any personal harm is experienced does not constitute a criterion for imposing an administrative fine, as this is not included in Article 83.2 GDPR. It will therefore motivate this sanction in its decision below without taking into account whether or not the complainant has suffered any personal disadvantage. The criteria for imposing an administrative fine are clearly defined in article 83.2 GDPR, on which the Disputes Chamber will base its decision regarding the administrative fine.

    To the extent necessary, the Disputes Chamber adds that the complainant provided personal data to the defendant for processing under a hospitalization insurance, and that the defendant then indicated, on the basis of the then privacy statement, that the personal data of the complainant were also processed for all purposes stated in the privacy statement. Based on the then privacy statement, the defendant processed the complainant's data for each of the purposes included in the privacy statement. This is also evident from the conclusion that underlies the current decision, in which the defendant itself defines the allegations arising from the complaint (see marginal 33), and the allegations under points f), g) and h) are the subject of its defense. The allegations arising from the complaint, as described by the defendant itself in its conclusion, concern defects in the privacy statement that concern the complainant, as well as ipso facto any other customer of the defendant who takes out hospitalization insurance. After all, the privacy statement was not drawn up exclusively for the complainant, but for each client of the defendant who takes out hospitalization insurance. This also explains why the defendant, in its claim, tries to demonstrate the legality, necessity and proportionality of all processing purposes, without distinguishing whether or not a processing purpose is one for which personal data of the complainant are processed. The defendant verifies whether it has a legitimate interest for all processing purposes, because for each of those processing purposes the personal data of the complainant were processed in accordance with the then privacy declaration.



- In addition, the defendant is of the opinion that an amount of EUR 30,000 is disproportionate to the infringement. More specifically, as regards the seriousness of the infringement, the defendant does not agree with the statement of the Disputes Chamber that, solely because of the fact that there is an infringement of Articles 5 and 6 of the GDPR, the infringements are therefore automatically “serious” and “weighty”. The defendant argues that, on the one hand, these articles underlie almost the entire GDPR and therefore virtually any violation of the other GDPR articles can be reduced to an infringement of articles 5 and 6 GDPR. On the other hand, classifying these infringements as “serious” and “weighty” prevents a differentiation from being made with infringements that are actually weighty and serious, such as, for example, the complete absence of a privacy declaration. However, this is not at all relevant here. The defendant argues that it has indeed stated these processing purposes in its privacy statement and has carried out an extensive weighing of interests with due diligence to determine whether it can rely on its legitimate interests.

    Regarding the defendant's contention that a breach of the basic principles of the GDPR included in Articles 5 and 6 GDPR cannot automatically be considered serious and weighty, the Disputes Chamber notes that Article 83.5 GDPR itself provides for a more severe punishment for this infringement, for which the highest maximum fine is determined precisely because these are basic principles that lie at the heart of any data processing. The defendant's claim that any breach of the GDPR can be traced back to a breach of the basic principles does not stand, as the Disputes Chamber is bound by the complaint and carries out the assessment against the GDPR within those limits; therefore, contrary to what the defendant maintains, by no means can any infringement be “reduced” to violations of the basic principles. Since the complaint concerns exactly the basic principles, the Disputes Chamber will rule on the application of those principles. Where the defendant cites as an example that the complete absence of a privacy statement would be serious and weighty, the Disputes Chamber states that the total lack of a privacy statement would not only be a serious and weighty infringement, but a total disregard of the GDPR. However, this does not mean that a defective privacy statement, such as in the present case, which does not respect the basic principles of the GDPR, must not be classified as serious and weighty.




      Regarding the duration of the breach, the defendant points out that it already amended its privacy statement during the initial procedure at the beginning of 2020, and adjusted its privacy statement again following the initial decision of the Disputes Chamber at the beginning of 2021, and that this should be taken into account as an attenuating circumstance. As to the deterrent effect, the defendant again points to its willingness to constantly adjust its privacy statement, which it has done twice in a very drastic manner, so that, according to the defendant, the purpose of these proceedings has been achieved.

      The Disputes Chamber has already stated in its intention to impose an administrative fine, as well as the amount thereof, that the efforts already made by the defendant to bring the new privacy statement into line with the GDPR are evidence of its willingness. On the other hand, it must be noted that although the changes made to the new privacy statement are a beneficial element in the assessment of the administrative fine, they do not mean that the infringements established would be rectified (see marginal 120). The Disputes Chamber gives more detailed reasons for the imposition of the administrative fine in section 3 of this decision.

    It follows from the foregoing that the respondent's response gives the Disputes Chamber no reason to adjust the intention to impose an administrative fine, nor to change the amount of the fine as intended.





  2. Justification



    1. Legitimate interest


      a) Preliminary remark



30. It follows from the judgment of the Marktenhof that the Disputes Chamber, in its decision 24/2020 of May 14, 2020, would have ruled without the defendant being able to fully defend itself, because the decision of the Disputes Chamber would not have been limited to the allegations that are the subject of the complaint.





31. However, the complainant explicitly states in the complaint that the customer should be given the choice whether or not to agree to the processing operations listed in points 4.3 and 6. After all, once he has given his consent to the processing of his personal data in the context of hospitalization insurance, according to the complainant, data processing should be limited to performing the obligations arising from that insurance. The complainant argues that the defendant cannot process his data for any other purpose, more specifically the purposes stated in points 4.3 and 6 of the old privacy statement, without permission. The complaint thus concerns the legal basis of the processing for the purposes listed in section 4.3. The complainant believes that consent is required for the purposes mentioned in point 4.3, and that the defendant therefore cannot automatically also use the data obtained on the basis of permission in the context of a hospitalization insurance for other purposes, for which the defendant relies on its legitimate interest.

32. The complaint thus essentially relates to the legal basis on which the defendant can rely to process the personal data obtained from the complainant for the purposes listed in points 4.3 and 6 of the defendant's old privacy statement.



33. In the present claim of the defendant, the allegations are listed in paragraphs a) to h):

   “a) Y would obtain consent to the processing of medical data for the purpose of concluding and executing insurance contracts under duress, so that this consent would be invalid (violation of Article 5 (1) (a) (legality principle); 6 (1) (a) and 9 (2) (a) GDPR)

   b) Y must grant the Complainant access to the DPIA (“GBEB”) that it allegedly carried out for the processing of medical data related to the performance of insurance contracts with its customers (violation of articles 35 and 36 GDPR)

   c) Y should, in Articles 4.3 and 6 of the old Privacy Statement, make a better distinction between the processing of medical data on the one hand and the processing of other "ordinary" personal data on the other hand (violation of Article 13 (1) (c) GDPR);

   d) Y should take additional steps to inform data subjects of their right to object pursuant to Article 21 (2) GDPR (violation of Article 12 (1) and 13 (2) (b) GDPR)

   e) Y should further clarify the legal grounds referred to in Article 6 of the old Y Privacy Statement for the transfer of personal data to third parties (violation of Article 13, para. 1 lit. c) GDPR)

   f) Y would process personal data without proven legal basis (including its legitimate interest within the meaning of Article 6 (1) of the GDPR) for a number of the purposes stated in Article 4.3 of the old Y Privacy Statement and for the transfers to third parties referred to in Article 6 of the old Y Privacy Statement (violation of Article 5 (1) (a) (principle of legality) and 6 (1) GDPR)

   g) Y would have provided insufficient information in its old Privacy Statement about its legitimate interests, where Y invokes this legal basis (violation of Articles 5 (1) (a) (principle of transparency) and 13 (1) (c) and (d) GDPR)

   h) Y, where Y relies on this legal basis, would not have sufficiently demonstrated why its legitimate interests would exist and would have failed to demonstrate to what extent its interests would outweigh the interests and fundamental rights of the Complainant (violation of Article 5 (2) GDPR).”



34. The defendant also confirms that the allegations set out in points a) to h) arise from the complaint by stating the following in the conclusion: “Should the Disputes Chamber consider that the above allegations and alleged violations of the GDPR by Y (points a to h) do not arise from the complaint […], the Disputes Chamber is invited to inform Y of this […].”



35. The Disputes Chamber notes in this regard that the allegations, as now described by the defendant in points a) to h), and of which the defendant now indicates that they do indeed arise from the complaint, were already contained in the complaint, but that the defendant nevertheless put forward no defence in respect of f), g) and h) in the procedure prior to decision 24/2020 of 14 May 2020. As to the allegations under a) to e) of its Opinion, the defendant indicates that it has either been able to defend itself and has been upheld by the Disputes Chamber (this concerns allegations a) and b)), or has not disputed the allegations and has corrected them in the new privacy statement (this concerns the allegations under c), d) and e)). Regarding the established infringement of Article 13.1 c) GDPR concerning the allegation under c), the breach of Article 12.1 and Article 13.2 b) GDPR concerning the allegation under d), and the infringement of Article 13.1 c) GDPR concerning the allegation under e), the Disputes Chamber refers to its reasoning in decision 24/2020 of 14 May 2020. The defence in the present Opinion focuses only on the allegations under points f), g) and h).

36. To the extent that there may have been some uncertainty on the part of the defendant about the subject of the complaint prior to decision 24/2020, the Disputes Chamber nevertheless offered the defendant the opportunity to defend itself, and the Disputes Chamber will now examine whether, and if so to what extent, the defendant has infringed the GDPR with regard to the allegations as described in points f), g) and h) of its Opinion, and whether the administrative fine should be maintained.

b) Legal basis for the purposes stated under 4.3 of the privacy statement

37. The defendant argues that it can rely on its legitimate interests for the processing of non-sensitive personal data for the following purposes under point 4.3 of the old privacy statement:

• performing computer tests;
• monitoring the quality of the service;
• training of personnel;
• monitoring and reporting;
• the storage of video surveillance recordings during the legal period; and
• compiling statistics on coded data, including big data.

38. For each of these purposes, the defendant has carried out a balancing of interests. The Disputes Chamber assesses below the balancing of interests for each of these purposes, in accordance with the established decision-making practice it uses to assess the legitimate interest.[2]

39. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European Union, three cumulative conditions must be met for a controller to be able validly to invoke this ground of lawfulness, “namely, in the first place, the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed, in the second place, the necessity of processing the personal data for the purposes of the legitimate interest pursued, and, thirdly, the condition that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence” (“Rīgas” judgment).[3]

[2] See inter alia: Decision on the merits 03/2021 of 13 January 2021; Decision on the merits 71/2020 of 30 October 2020; Decision on the merits 36/2020 of 9 July 2020; Decision on the merits 35/2020 of 30 June 2020.

40. In other words, in order to be able to rely on the ground of lawfulness of “legitimate interest”, it is the responsibility of the controller to show that:

1) the interests pursued by this processing can be recognised as legitimate (the “purpose test”);
2) the intended processing is necessary for the realisation of these interests (the “necessity test”); and
3) the balancing of these interests against the interests, fundamental freedoms and fundamental rights of data subjects weighs in favour of the controller (the “balancing test”).

41. With regard to the purpose of “performing computer tests”, the defendant argues the following:

“Context of the processing purpose
This processing purpose includes the tests performed by IT testers and developers:
• related to “changes”, which are minor changes or changes related to purely functional aspects; and
• in the context of any automation projects.
These tests are carried out as part of:
• IT and network security;
• the maintenance, improvement and development of (the quality of) Y products and services; or
• improving the customer experience (e.g. to make internal processes and systems for back-office activities more efficient, to improve the user experience in Y's digital channels, etc.).
This process does not include the acceptance and emulation phase, which can only be performed by the specialised “activities” team before the changes can actually be implemented and put into production.”

[3] CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme', paragraph 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 40.

42. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered as carried out for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, in itself be considered legitimate. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

43. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without processing personal data or without unnecessarily invasive processing for data subjects.

44. On the basis of the purpose, being the performance of computer tests, the Disputes Chamber must note that the defendant asserts that, where possible, dummy data or anonymous data are used (e.g. in the case of changes where different systems or applications are involved and that require a unique reference, such as the policy number). Only when there is no other option are personal data used in order to be able to realise the intended change or development. Possible opportunities for (further) limiting data processing are constantly being researched and progressively introduced as part of the project ‘data anonymisation in non-production environments’. Furthermore, strict access controls are introduced on the IT environments where the IT tests are carried out. Procedures are also established for how these IT tests must be carried out, which must be observed by all concerned.

45. The Disputes Chamber notes that the defendant states that it only uses personal data when there is no other option. During the hearing, Y stated that the tests always start from dummy data, but that the test phase determines the extent to which such data can be used for testing. After all, in some cases the limits of what data masking makes possible are reached. This has to do with the life cycle of the tests: dummy data can gradually be used in IT testing, but sometimes the processing of personal data is required in order to be able to ensure the interaction between applications. The Disputes Chamber is of the opinion that the defendant thus makes it reasonably plausible that the computer systems cannot always be tested on the basis of anonymised or pseudonymised data. The second condition is thus fulfilled, by showing that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with. Nevertheless, the Disputes Chamber notes that, for the purpose of clarification towards the customers concerned, the defendant might consider providing some brief explanation in the privacy statement of the cases in which the defendant has no choice but to perform computer tests with personal data.

46. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether “the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.[4]

47. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can at that time reasonably expect that his data will be used to perform computer tests. After all, customers expect a correct execution of their insurance contracts, which goes hand in hand with a safe and correct management of IT systems. The interest of the customers thus requires that the functionalities of the IT environment be tested for this purpose.

48. Accordingly, the Disputes Chamber decides that the defendant may rely on the legal basis contained in Article 6.1 f) GDPR for processing for the purpose “conducting computer tests”.

49. Regarding the purposes “monitoring the quality of the service” and “compiling statistics on coded data, including big data”, the defendant states that this comprises three parts and sets out the following:

- For the section “Statistics and quality tests”

“Context of the processing purpose
Y, as an insurer, is subject to prudential supervision. This means, among other things, that it is bound to the overall control of its company and its performance, including, but not limited to, the audit of the sales performance, the performance and fees of certain hospital networks, and the coverages / reimbursements. This relates to the general control of the quality of the services and the performance of the insurance company in order to ensure its continuity. This processing purpose includes both one-off and recurring reports, with or without the use of big data methodologies. These are mainly aggregated or anonymised reports, unless specific statistics are required (by category, e.g. per age group).”

[4] Recital 47 GDPR.

50. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the context of the processing purpose as described by the defendant must be considered as carried out for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, in itself be considered legitimate. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

51. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without processing personal data or without unnecessarily invasive processing for data subjects.

52. The Disputes Chamber notes that the defendant merely justifies that it is necessary for it to compile statistics and perform quality tests, since the financial viability, quality of service, premium setting and performance cannot be determined without actively measuring them. The Disputes Chamber by no means misunderstands the defendant's need for statistics and quality tests, but the defendant mainly limits itself to asserting that aggregated or anonymised reports are prepared, unless specific statistics are required (per category, such as e.g. per age group). Moreover, the defendant states that the format of those reports may or may not make use of big data methodologies.

53. To what extent the statistics still contain personal data or allow re-identification of a data subject was further explained during the hearing. The defendant states that there are still very few statistics containing personal data. The statistics do not contain names and certainly no health data. The statistics do contain codes, but these are mass-aggregated, segmented data. Directive (EU) 2016/97 on insurance distribution[5] and the Belgian legislation implementing this Directive also require that personal data are processed for specific reporting. Sometimes policy data are processed in the reporting, but no further processing of those data takes place in the statistics. Each report has one purpose and the processing may not go beyond that. A register is kept of those reports and their purpose, which are strictly regulated through the data warehouse and which requires “approvals” in order to deviate from it.

54. The Disputes Chamber decides that the defendant has made the necessary efforts to limit data processing for this purpose to what is strictly necessary. The second condition is thus fulfilled by showing that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.

55. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether “the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.

56. The Disputes Chamber follows the defendant's position that if a person enters into an insurance agreement with Y, he can reasonably expect that Y will perform internal checks and compile statistics to ensure that Y fulfils its contractual obligations.

57. Accordingly, the Disputes Chamber decides that the defendant can invoke the legal basis included in Article 6.1 f) GDPR for processing for the purpose “Statistics and Quality Requirements”.

- For the section “Satisfaction surveys”

“Context of the processing purpose
This processing purpose includes determining the NPS (“Net Promoter Score”), the satisfaction factor of the customers, on the basis of an external survey by a third party in order to safeguard the anonymity of the survey. This factor is calculated with regard to the follow-up by the Y Contact Center and the claims department (claims handling).”

[5] Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast), OJ L 26/19.

58. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered as carried out for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, in itself be considered legitimate. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

59. In order to meet the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without processing personal data or without unnecessarily invasive processing for data subjects.

60. On the basis of the purpose of conducting satisfaction surveys, the Disputes Chamber must note that the defendant asserts that the customer can give an opinion anonymously through this survey and thus assert his interests. The results are aggregated and processed by an external company so that the anonymity of those involved can be guaranteed. During the hearing it was added that customers always have the choice whether or not to participate in the survey, as they always have the right to object. The Disputes Chamber finds that the customers thus have the necessary freedom of choice and that the results of those who participate in the survey are made available to the defendant in anonymous form. The second condition is thus fulfilled by showing that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.

61. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether “the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.[6]

62. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can at that time reasonably expect that his data will be used by the defendant to gauge his satisfaction with the service provided by the defendant.

63. Accordingly, the Disputes Chamber decides that the defendant can rely on the legal basis included in Article 6.1 f) GDPR for processing operations for the purpose “conducting satisfaction surveys”.

- For the part “Quality tests operations”

“Context of the processing purpose
This processing purpose relates to the general control of the quality of the operational services and performance of Y. This concerns quality checks in which every employee involved must perform 2 random checks per week with regard to the correct underwriting or performance of the insurance contract and the applicable instructions and procedures for this purpose.”

64. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered as carried out for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, in itself be considered legitimate. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

65. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without processing personal data or without unnecessarily invasive processing for data subjects.

[6] Recital 47 GDPR.

66. On the basis of the purpose, being the general control of the quality of the operational services and performance of Y, the Disputes Chamber must note that the defendant argues that Y is subject to the insurance distribution Directive (EU) 2016/97 and the Belgian implementing legislation, which oblige insurance companies to tailor their services to the desires and needs of their customers. As indicated during the hearing, the defendant does not invoke its legal obligation (Article 6.1 c) GDPR) as the legal basis for the processing, since the nature and scope of the reporting are not explicitly imposed as such by law. Hence, the defendant uses its ‘legitimate interest under that legislation’ as the legal basis for that processing. The second condition is thus fulfilled by showing that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with. The processing of personal data is necessary in order to actively measure the quality of the service.

67. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether “the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.[7]

68. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can at that time reasonably expect that his data will be used to carry out internal quality control to ensure that Y complies with its legal and contractual obligations.

69. Accordingly, the Disputes Chamber decides that the defendant can rely on the legal basis included in Article 6.1 f) GDPR for processing operations for the purpose “quality testing operations”.

70. With regard to the purpose of “training personnel”, the defendant states the following:

“Context of the processing purpose
This includes the organisation and follow-up of training courses, awareness-raising sessions (“awareness”) and training for Y employees who come into contact with (personal data of) customers. Training courses include:
• insurance technical aspects (e.g. with regard to Y products);
• technical aspects (e.g. the use of Office 365 applications, training on information security, etc.);
• “on the job” training courses (training for new employees as well as training with the aim of continuously improving service quality); and
• more general aspects such as compliance topics (e.g. the GDPR, IDD, etc.).”

[7] Recital 47 GDPR.

71. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered as carried out for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, in itself be considered legitimate. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

72. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without processing personal data or without unnecessarily invasive processing for data subjects.

73. On the basis of the purpose, being the training of personnel, the Disputes Chamber must note that the defendant argues that, in exceptional cases, the cases used for the training contain personal data of customers, or personal data of customers are used for the preparation of the training material. The defendant argues, however, that the underlying material (cases) is generally completely anonymised.

74. The Disputes Chamber notes that the defendant states that, in the context of training courses, the cases only contain personal data of customers in exceptional cases, or personal data of customers are used for the preparation of the training material. However, the defendant fails to clarify in which cases it would be required to offer training to staff on the basis of customers' personal data. The defendant does not reasonably demonstrate that staff training could not always be provided on the basis of anonymised data. The second condition is thus not fulfilled, because it has not been demonstrated that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.

75. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether “the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place”.[8]

76. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can at that time reasonably expect that his data will be used for staff training. A policyholder can only expect the normal management of his customer file, which only requires access to the information contained therein by the personnel who have to perform tasks in that file for the benefit of the customer concerned. When information from concrete files is shared in the context of a course, the processing of that information is not limited to those who have to perform tasks in the relevant file.

77. Accordingly, the Disputes Chamber decides that the defendant cannot rely on the legal basis “legitimate interest” for processing operations for the purpose “training of personnel”, and there is therefore a violation of Article 6.1 f) GDPR. The Disputes Chamber observes in addition that, if the defendant nevertheless wishes to use personal data of customers for staff training, it can rely on another legal basis, being consent (Article 6.1 a) GDPR).

78. With regard to the purpose of “monitoring and reporting”, the defendant states the following:

“Context of the processing purpose
This processing purpose includes the preparation of reports in order to be able to perform checks in the context of:
• the IFRS 17 accounting standards for insurance contracts and the Belgian generally accepted accounting rules (“Belgian GAAP”);
• calculating the reserves (in the context of, for example, the law of 13 March 2016 on the status and supervision of insurance or reinsurance companies (Solvency II law), etc.); or
• profitability monitoring or reporting in the context of major damage claims.
These reports are created for both internal audit and reporting purposes to the Y1 Re group (of which Y is a part). This concerns recurring reports as well as one-off ad hoc reports. Only fully aggregated, anonymised, or if not otherwise possible pseudonymised reports are prepared in the context of major claims or ad hoc reports regarding specific cases or outliers.”

[8] Recital 47 GDPR.

79. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the context of the processing purpose as described by the defendant must be considered as carried out for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, in itself be considered legitimate. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

80. In order to meet the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without processing personal data or without unnecessarily invasive processing for data subjects.

81. On the basis of the purpose, being monitoring and reporting, the Disputes Chamber must note that the defendant asserts that the various general financial and insurance law regulations (in the context of, for example, the law of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II law)) cannot be complied with without compiling the necessary reports or carrying out monitoring. As indicated at the hearing, here too the defendant does not rely on its legal obligation (Article 6.1 c) GDPR) as the legal basis for the processing, since the nature and scope of the reporting are not explicitly imposed as such by law. Hence, the defendant uses “legitimate interest under that legislation” as the legal basis for those processing operations. The second condition is thus fulfilled by showing that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with. The processing of personal data is necessary, as the legislation cannot be complied with without the necessary reports being drawn up or monitoring being carried out.

82. The defendant adds that only fully aggregated, anonymised, or if not otherwise possible pseudonymised reports are prepared in the context of large claims for damages or ad hoc reports related to specific cases or outliers. The second condition is thus fulfilled by showing that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.

  83. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called

      “Balancing test” between the interests of the controller, on the one hand, and the

      fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should


      reasonable, in accordance with Recital 47 GDPR

      expectations of the data subject. More specifically, it should be evaluated whether “data subject

      at the time and in the context of the collection of the personal data is reasonably permitted
                                                                 9
      expect that processing can take place for that purpose ”.



  84. The Disputes Chamber is of the opinion that when collecting personal data in the framework

      it can be assumed that the policyholder is taking out an insurance policy

      at that time can reasonably expect that his data will be

      used for the fulfillment of the legal and contractual obligations of the defendant.



  85. Accordingly, the Disputes Chamber decides that the defendant applies for processing operations for the

      purpose “monitoring and reporting” can rely on the legal basis included in article 6.1


      f) GDPR.





  86. Regarding the purpose “the storage of video surveillance recordings during the

      legal period ”, the defendant states that:



      “Context of the processing purpose

      It concerns the processing of personal data by means of the cameras that are located

      within Y's premises with the aim of customer security, data security and the

      protection of the company's assets. "




  87. With regard to the first condition (the so-called “target test”), the Disputes Chamber of

      judgment that the processing purpose should be as described by the defendant

      considered performed for a legitimate interest. The importance that the






9 Recital 47 GDPR. Decision on the merits 57/2021 - 26/36




      defendant as controller may in accordance with recital 47

      GDPR can be considered justified in itself. The first is therefore satisfied

      condition contained in Article 6.1, f) GDPR.



88. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means asking whether the same result can be achieved by other means, without processing personal data or without an unnecessarily invasive processing for the data subjects.

89. On the basis of the purpose, being the provision of video surveillance, the Disputes Chamber must note that the defendant asserts that the images are stored in a secure environment. Both the room and the IT servers concerned are subject to strict access protection. The images are accessed according to strict procedures. The storage of the images is also limited to the legal retention period (in principle 30 days).

90. The second condition is thus fulfilled in that it was established that the principle of minimal data processing (Article 5.1 c) GDPR) has been complied with.

91. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called "balancing test" between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing may take place for that purpose".[10]

[10] Recital 47 GDPR.

92. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder at that time can reasonably expect that his data will be used for video surveillance. The purpose of video surveillance is unrelated to the conclusion of an insurance contract, so that the policyholder cannot expect that the personal data he provided in connection with an insurance contract will be used in the context of video surveillance. Video surveillance only takes place when physically entering the defendant's premises, and in that case it suffices that the camera law is complied with, including the obligation to affix a pictogram with information to notify the data subject.



93. Accordingly, the Disputes Chamber decides that the defendant cannot rely on the legal basis "legitimate interest" for processing operations for the purpose "the storage of video surveillance recordings during the legal period", and thus there is an infringement of Article 6.1 f) GDPR.

94. For the sake of completeness, the Disputes Chamber adds that a controller who wishes to use surveillance cameras must comply with the legal obligations ensuing from the law of 21 March 2007 regulating the placement and use of surveillance cameras. As soon as a controller uses surveillance cameras, obligations regarding data processing arise from the aforementioned law, so that the controller can rely on Article 6.1 c) GDPR. In that regard, the defendant stated at the hearing that the necessary pictograms have been affixed in accordance with this law.

c) Model of balancing of interests

95. For each of the foregoing purposes, the defendant argues that the processing purpose is permissible because the quantitative score calculated by the model for balancing of interests that Y uses is lower than 30. The defendant argues that, on the basis of that model, the processing purposes can be based on the legitimate interests of the controller as long as this score does not exceed 30.

96. In this regard, the Disputes Chamber must note that the model used by Y is a purely internal instrument that can at most act as a guideline within the company, but from which no legal arguments can be drawn to support the assessment against the legal basis of Article 6.1 f) GDPR. No legal value can therefore be attached to the scores calculated on the basis of that model.

d) All legal grounds included in Article 6.1 GDPR

97. The defendant is of the opinion that the Disputes Chamber, in its decision 24/2020, stated that he can only rely on consent as a legal basis (Article 6.1 a) GDPR) for the processing purposes included in point 4.3. of the old privacy statement, and not on the other legal grounds of Article 6.1 GDPR.



98. The Disputes Chamber explains that decision 24/2020 stated the following in this regard:

"The Disputes Chamber is therefore of the opinion that the violation of art. 6.1. AVG is proven, since the data processing for the purposes stated in sections 1, 2, 3, 4, 6 and 7 of point 4.3. of the privacy statement, without any demonstrated legitimate interest, should be based on the consent of the complainant in the absence of any other possibly applicable legal basis in art. 6.1. AVG."

99. From this the defendant deduces, albeit incorrectly, that the Disputes Chamber puts forward consent as the only legal basis for the purposes specified therein. The defendant, however, ignores the fact that the Disputes Chamber reached that decision precisely because the defendant failed to demonstrate any legitimate interest and thus failed to demonstrate that the applicable conditions for relying on the legal basis in Article 6.1 f) GDPR had been fulfilled. The Disputes Chamber indeed stated expressly in its decision that the defendant had in no way demonstrated what legitimate interest would exist, and had also failed to demonstrate to what extent his interest would outweigh the interests and fundamental rights of the complainant, although the defendant is obliged to do so on the basis of its accountability obligation (Article 5.2 GDPR). Accordingly, the Disputes Chamber could not accept Article 6.1 f) GDPR as a valid legal basis. On the basis of the factual elements leading to decision 24/2020, consent was the only remaining legal basis.

100. The Disputes Chamber emphasises that every controller, including the defendant, can invoke any possible legal basis of Article 6.1 GDPR, but that the applicable conditions for the legal basis invoked must be fulfilled.

2. Legal basis for transfers to third parties

101. First, the defendant claims that a transfer to third parties is not a processing purpose in itself, but merely a form of processing of personal data within the meaning of Article 4.2 GDPR. The defendant states that he only draws up balances of interests per processing purpose, but not per processing operation.



102. The Disputes Chamber states that it follows from Article 5.1 a) GDPR that personal data must be processed for a specific purpose and that such processing must be lawful within the meaning of Article 6.1 GDPR. It is therefore clear that any processing must take place within the framework of a specific, explicit and justified purpose, and that the processing must be based on a legal ground in order to be considered lawful. It is of course possible to perform multiple processing operations within the meaning of Article 4.2 GDPR for the same purpose, but this does not alter the fact that the data processing for a specific purpose can only be labelled lawful if there is a legal basis for doing so.

103. The Disputes Chamber notes that any transfer to third parties must be assessed in view of the purpose for which the transfer takes place. In order to verify whether the transfer to third parties can be regarded as lawful, it must thus be determined for what purpose data are passed on to third parties.

104. As the defendant rightly points out, the legal basis for the transfer to processors (which, however, are not third parties within the meaning of Article 4, 10) GDPR) is the same as for the data processing by the defendant himself. After all, the processing purpose remains unchanged, as the processor only processes the personal data on behalf of the defendant as controller.

105. If the personal data are transferred to a third party within the meaning of Article 4, 10) GDPR with a view to enabling that third party to process the relevant personal data for its own purposes, then that transfer must be considered a specific purpose in itself and requires a separate legal basis. With a view to transparency, the processing basis for all transfers should be stated in the privacy statement, so that the defendant would comply with his obligation under art. 13.1 c) GDPR. This is, however, not the case, so that the Disputes Chamber is of the opinion that there is an infringement of art. 13.1 c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR.

3. Transparency principle

106. Notwithstanding the fact that Article 13.1 d) GDPR requires the controller to provide the data subject with information about his legitimate interests if the processing is based on Article 6(1)(f), the defendant maintains that it suffices, for the purposes of the privacy statement referred to in point 4.3 as well as for the data transfers of point 6 based on Article 6(1)(f) GDPR, to state only that personal data are processed on the basis of the legitimate interest of the defendant, without indicating exactly what that legitimate interest would consist of.




107. The defendant argues that the balancing of interests concerns internal documents that Y has not made public or included in its privacy statement, in view of the business-sensitive information they contain. Moreover, these are bulky, rather privacy-technical documents that are typically not included in a privacy statement.

108. For the transfer to "the companies of the group Y1 Re to which Y belongs, for monitoring and reporting", the defendant confirms that this is a transfer to another controller, and indicates that his legitimate interest is demonstrated by his conclusion under the processing purpose "monitoring and reporting", but fails to clarify his legitimate interest in the privacy statement.

109. Furthermore, the defendant also refers to recital 48 GDPR, which states that controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group for internal administrative purposes, including the processing of personal data of customers or employees.

110. The Disputes Chamber acknowledges that recital 48 applies to the defendant, but this does not relieve the defendant of the duty to be transparent about this in his privacy statement; in such a case too he must indicate the legal basis and must make clear what the legitimate interest consists of, which is not the case in the old privacy statement.

111. Regarding transfers to "subcontractors in the European Union or abroad for processing activities defined by Y", the defendant argues that these are processors of Y.

112. The Disputes Chamber therefore restates the reasoning in this regard from its decision 24/2020 in order to find an infringement of Article 13.1 d) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR. The privacy statement only mentions that, for the purposes listed in 4.3., personal data are processed on the basis of the legitimate interest of the defendant, without indicating exactly what that legitimate interest would consist of, while art. 13.1 d) GDPR does require the controller to provide the data subject with information about his legitimate interests if the processing is based on Article 6(1)(f).







113. The Disputes Chamber also refers to the Guidelines of the European Data Protection Board (EDPB) on transparency under Regulation (EU) 2016/679, which stress the need to identify the specific interest in question for the benefit of the data subject.[11]

[11] EDPB, Guidelines of the Article 29 Working Party on Data Protection on Transparency under Regulation (EU) 2016/679, approved 29 November 2017, last revised and approved 11 April 2018, p. 42.

114. Also with regard to point 6. of the privacy statement, the defendant does not indicate what legitimate interest, on which he relies, would exist to process personal data of the complainant for the purpose of transferring them to "The companies of the Y1 RE group to which Y belongs, for monitoring and reporting" and "Subcontractors in the European Union or beyond, responsible for processing activities defined by Y". However, art. 13.1 d) GDPR does require the controller to provide the data subject with information about his legitimate interests if the processing is based on Article 6(1)(f). The Disputes Chamber refers again to the Guidelines on transparency under Regulation (EU) 2016/679 and to what was stated above in this regard.

115. The Disputes Chamber stated in its decision 24/2020 that, as best practice, the controller can also, before personal data of the data subject are collected, provide the data subject with information about the assessment that must be made in order to be able to use Article 6(1)(f) as a legal basis for the processing. To avoid information fatigue, this information can be included in a layered privacy statement / notice.[12] The information provided to data subjects should make clear that these data subjects can receive information about the assessment upon request. This is essential for effective transparency when data subjects have doubts about the fairness of the balancing made or about whether to submit a complaint to a supervisory authority.

[12] See paragraph 35 of the guidelines referred to in footnote 6.

116. As the defendant points out, he is unwilling to apply the aforementioned best practice, because, according to him, it concerns internal privacy-technical documents with business-sensitive information.




117. The Disputes Chamber argues that, even if the defendant refuses to follow this best practice, he is at least obliged to provide the data subject, in a concise, transparent, intelligible and easily accessible form and in clear and plain language, with information about his legitimate interest for each of the purposes for which he relies on that legal basis. Complying with this by no means requires privacy-technical documents to be made public, but it does require that information about the legitimate interest is provided in clear wording that can be easily understood by a customer or potential customer of the defendant.

118. The Disputes Chamber finds that the information required by Article 13.1 d) GDPR is in no way whatsoever made available by the defendant, so that there is an infringement of Article 13.1 d) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR.








4. Administrative fine

119. The fact that the defendant does indeed commit the infringements of Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR brings the Disputes Chamber to the administrative fine. This sanction is not aimed at ending an infringement committed, but at vigorous enforcement of the rules of the GDPR. As is clear from recital 148 GDPR, the GDPR states that in the event of any serious infringement - including when an infringement is first established - penalties, including administrative fines, are imposed in addition to or instead of appropriate measures.[13] In this regard, the Disputes Chamber states that the breaches committed by the defendant against Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR in no way concern minor infringements, nor would a fine cause a disproportionate burden on a natural person as referred to in recital 148 GDPR, in either of which cases a fine could be waived. The fact that it is a first finding of an infringement of the GDPR committed by the defendant does not in any way affect the possibility for the Disputes Chamber to impose an administrative fine. The Disputes Chamber imposes the administrative fine in accordance with Article 58.2 i) GDPR.

[13] Recital 148 states: "With a view to more vigorous enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any breach of the Regulation, in addition to or instead of appropriate measures imposed by the supervisory authorities under this Regulation. In the case of a minor infringement, or if the foreseeable fine would cause a disproportionate burden on a natural person, a reprimand may be chosen instead of a fine. However, due account should be taken of the nature, gravity and duration of the infringement, the intentional nature of the infringement, measures taken to mitigate the damage, the degree of responsibility, any previous relevant breaches, the manner in which the breach became known to the supervisory authority, compliance with the measures taken against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including an effective remedy and due process." [own underlining]



120. The Disputes Chamber emphasises once again that the instrument of the administrative fine is in no way intended to end infringements. To this end, the AVG and the WOG provide for a number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9° WOG. It also emphasises that the administrative fine is one of the sanctions provided for in Article 58.2 GDPR and Article 100 WOG. Neither EU law nor national Belgian law provides a hierarchy with regard to the sanctions to be imposed. The Disputes Chamber, as a body of an independent data protection authority as referred to in Article 51 AVG, is therefore free to choose the most appropriate sanction. The Disputes Chamber is of the opinion that, in view of the accountability of the controller, the imposition of an administrative fine for violation of the GDPR could be expected.[14]

[14] With regard to the jurisdiction of the Disputes Chamber regarding the imposition of an administrative fine, see also decision no. 55/2021 of 26 April 2021, available in French on the GBA website.

121. Taking into account Article 83 GDPR and the case law of the Marktenhof,[15] the Disputes Chamber, when imposing an administrative sanction, specifically takes into account:
- The seriousness of the infringement: the reasoning below shows the seriousness of the infringement.
- The duration of the infringement: the infringements are assessed for this aspect in light of the date on which the GDPR became applicable, namely 25 May 2018. The defendant's privacy statement appears to have remained unchanged from the time the GDPR became applicable until, following the complaint, a new privacy statement was drawn up. The new privacy statement is, however, not the object of assessment by the Disputes Chamber, which therefore also does not comment on the extent to which the new privacy statement is consistent with the GDPR.
- The necessary deterrent effect to prevent further infringements.

[15] Court of Appeal Brussels (section Marktenhof), Judgment 2020/1471 of 19 February 2020.

122. With regard to the nature and seriousness of the infringement (art. 83.2 a) GDPR), the Disputes Chamber emphasises that compliance with the principles set out in art. 5 GDPR - in the present case in particular the transparency principle including accountability, as well as the principle of legality - is essential, because these are fundamental principles of data protection. The Disputes Chamber therefore considers the defendant's infringement of the principle of legality specified in art. 6 GDPR and of the transparency principle specifically laid down in Articles 12 and 13 GDPR as a serious violation.



123. An important element in determining the amount of the fine is the fact that the defendant did not dispute the following infringements as motivated in decision 24/2020 and, as a result, has already made efforts to bring the new privacy statement into compliance with the GDPR on those points:
- Infringement of Article 13.1 c) GDPR due to the lack of a clear distinction between the processing of health data, on the one hand, and the processing of other 'normal' personal data, on the other hand, for each of the purposes of 4.3. of the privacy statement as well as for each of the transfers of point 6. of the privacy statement.
- Violation of Articles 12.1 and 13.2 b) GDPR due to the absence of any mention in the privacy statement of the possibility for the data subject to exercise his right of retention.
- Infringement of Article 13.1 c) GDPR due to the lack of indication of the legal basis for the transfer to each of the distinct categories of third parties in point 6. of the privacy statement.

124. Although the changes made in the new privacy statement are a positive element when assessing the administrative fine, the Disputes Chamber emphasises that they do not undo the infringements established. The infringements have been identified and cannot be reversed retroactively by the controller, who now - albeit too late - processes his data in compliance with the requirements of the GDPR.

125. In addition, the current decision also identifies infringements:
- Violation of Article 6.1 GDPR with regard to the purposes "training personnel" and "the storage of video surveillance recordings during the legal period".
- Violation of art. 13.1 c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR.
- Violation of Article 13.1 d) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR.

Furthermore, the Disputes Chamber also takes into account the finding that the violation of Article 6.1 AVG is limited to two processing purposes, "staff training" and "the storage of recordings of video surveillance during the legal period", and is therefore of a nature to justify a reduction in the amount of the fine. In addition, the established breaches of the principle of transparency and accountability are so serious that a substantial fine is required. This applies all the more in view of the large scale of the processing of non-health data by the defendant, with a decisive impact on all insured persons who have taken out hospitalisation insurance with Y, which concerns a significant number of data subjects. A decisive element here is also the fact that Y is a major player in the insurance market, from which it may be expected that it duly and with the necessary conscientiousness aligns its privacy policy with the GDPR.



126. With regard to the lack of transparency, the Disputes Chamber also points out that the GDPR specifically provided for a transition period of two years[16] in order to give each controller the necessary time to prepare and adapt to the requirements set by the GDPR. The defendant's argument made at the hearing that the lack of transparency is due to the changes which the GDPR implemented compared to the previous Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data cannot therefore be accepted. The defendant argues that Articles 13 and 14 GDPR, in conjunction with Article 12 GDPR, and the precise manner of interpreting them caused the difficulty. The transparency guidelines of Working Party 29 (now EDPB) were an auxiliary tool. Here too, the Disputes Chamber must state that those guidelines date back to 29 November 2017, were revised and adopted on 11 April 2018 and have remained unchanged since then. The defendant thus had sufficient time, as required by its accountability (Article 5.2 GDPR), to align its privacy statement with the GDPR.

[16] Article 99 GDPR.

127. This leads the Disputes Chamber to reconsider the fine and reduce it to € 30,000.

128. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the assessment criteria determined therein. The Disputes Chamber points out that the other criteria of art. 83.2 GDPR are in this case not such as to lead to a different administrative fine than the one adopted by the Disputes Chamber in the context of this decision.

5. Publication of the decision



129. Given the importance of transparency with regard to the decision-making process of the Disputes Chamber, this decision will be published on the GBA website. However, this does not require that the identification data of the parties be directly disclosed.

FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority, after deliberation, decides to review decision 24/2020 of 14 May 2020 and, pursuant to art. 100, §1, 13° WOG and art. 101 WOG, to impose on the defendant an administrative fine of € 30,000.00 as a result of the infringements of Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR.

On the basis of Article 108, §1 WOG, an appeal can be lodged against this decision with the Marktenhof within a period of thirty days from the notification, with the Data Protection Authority as defendant.

(Signed) Hielke Hijmans
Chairman of the Disputes Chamber