APD/GBA (Belgium) - 71/2022: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(9 intermediate revisions by 4 users not shown)
Line 23: Line 23:
|Date_Started=14.10.2020
|Date_Started=14.10.2020
|Date_Decided=04.05.2022
|Date_Decided=04.05.2022
|Date_Published=04.05.2022
|Date_Published=
|Year=2022
|Year=2022
|Fine=10000
|Fine=10000
Line 73: Line 73:
}}
}}


The Belgian DPA fined the Belgian National Railway €10.000 because it sent an unsolicited advertisement email with no opt-out option to customers.  
The Belgian DPA fined the Belgian National Railway €10,000 because it sent an unsolicited advertisement email with no opt-out option to customers.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A Twitter user notified The APD/GBA (Belgium) of an email she had received from NMBS (the Belgian National Railway and the controller) about the "Hello Belgium Railway Pass", which is a ticket for Belgian residents providing them with a number of free train rides. After having reviewed the facts provided by the Twitter user, the DPA decided to initiate an investigation into the incident on its own motion. In its investigations the DPA found that the email contained the general terms and conditions of the NMBS, instructions on how to use the railway pass correctly and Covid related information. However, it also found that information of promotional nature was included in the email and no unsubscribe button or link was provided.
A Twitter user notified the Belgian DPA (APD/GBA) of an email she had received from the Belgian National Railway (NMBS) about the "Hello Belgium Railway Pass", which is a ticket for Belgian residents providing them with a number of free train rides. After having reviewed the facts provided by the Twitter user, the DPA decided to initiate an investigation into the incident on its own motion. In its investigations, the DPA found that the email contained the general terms and conditions of the NMBS, instructions on how to use the railway pass correctly and Covid related information. However, the communication also included information of promotional nature and no unsubscribe button or link was provided. In the proceedings, the controller brought forward that the email was intended to remind the recipients to always ensure their safety when traveling and to remind them of the contractual conditions. It, therefore, considered the email as necessary for the performance of the contracts concluded with the ticket holders under Article 6(1)(b) GDPR.
 
In the proceedings, the controller brought forward that the email was intended to remind the recipients to always ensure their safety when traveling and to remind them of the contractual conditions. It, therefore, considered the email as necessary for the performance of the contracts concluded with the ticket holders under Article 6(1)(b) GDPR.  


=== Holding ===
=== Holding ===
The DPA held that the controller violated [[Articles 5 GDPR#1a|Articles 5(1)(a)]], [[Article 5 GDPR#1c|(c)]], [[Article 6 GDPR#1|6(1)]], [[Article 12 GDPR#2|12(2)]] and [[Article 21 GDPR#2|21(2)]], [[Article 21 GPDR#4|(4) GDPR]] and, therefore, issued a fine of €10,000 against the controller.
The DPA rejected the argument of the controller that sending an email with promotional content was necessary for the performance of the contract under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]].  It found that the purpose of informing the ticket holders about the contractual conditions and safety precautions could also have been achieved by publishing the information on the controller's website. It further found that the email constituted direct marketing according to [[Article 21 GDPR#2|Article 21(2) GDPR]] and by not providing the possibility to opt-out of receiving similar emails in the future the controller violated [[Article 12 GDPR#2|Article 12(2)]] and [[Article 21 GDPR#2|21(2), (4) GDPR]]. Consequently, the DPA held that the controller violated [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 5 GDPR#1c|(c)]], [[Article 5 GDPR#2|(2)]], [[Article 6 GDPR#1|6(1)]], [[Article 12 GDPR#2|12(2)]] and [[Article 21 GDPR#2|21(2), (4) GDPR]] and, therefore, issued a fine of €10,000 against the controller.
 
The DPA rejected the argument of the controller that sending an email with promotional content was necessary for the performance of the contract under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]].  It found that the purpose of informing the ticket holders about the contractual conditions and safety precautions could also have been achieved by publishing the information on the controller's website.  
 
It further found that the email constituted direct marketing according to [[Article 21 GDPR#2|Article 21(2) GDPR]] and by not providing the possibility to opt-out of receiving similar emails in the future the controller violated [[Article 12 GDPR#2|Articles 12(2)]] and [[Article 21 GDPR#2 GDPR|21(2)]], [[Article 21 GDPR#4|(4) GDPR]].  


== Comment ==
== Comment ==

Latest revision as of 07:37, 9 June 2022

APD/GBA - 71/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 12 GDPR
Article 21(2) GDPR
Article 21(4) GDPR
Type: Investigation
Outcome: Violation Found
Started: 14.10.2020
Decided: 04.05.2022
Published:
Fine: 10000 EUR
Parties: NMBS
National Case Number/Name: 71/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde 71/2022 van 4 mei 2022 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA fined the Belgian National Railway €10,000 because it sent an unsolicited advertisement email with no opt-out option to customers.

English Summary

Facts

A Twitter user notified the Belgian DPA (APD/GBA) of an email she had received from the Belgian National Railway (NMBS) about the "Hello Belgium Railway Pass", which is a ticket for Belgian residents providing them with a number of free train rides. After having reviewed the facts provided by the Twitter user, the DPA decided to initiate an investigation into the incident on its own motion. In its investigations, the DPA found that the email contained the general terms and conditions of the NMBS, instructions on how to use the railway pass correctly and Covid related information. However, the communication also included information of promotional nature and no unsubscribe button or link was provided. In the proceedings, the controller brought forward that the email was intended to remind the recipients to always ensure their safety when traveling and to remind them of the contractual conditions. It, therefore, considered the email as necessary for the performance of the contracts concluded with the ticket holders under Article 6(1)(b) GDPR.

Holding

The DPA rejected the argument of the controller that sending an email with promotional content was necessary for the performance of the contract under Article 6(1)(b) GDPR. It found that the purpose of informing the ticket holders about the contractual conditions and safety precautions could also have been achieved by publishing the information on the controller's website. It further found that the email constituted direct marketing according to Article 21(2) GDPR and by not providing the possibility to opt-out of receiving similar emails in the future the controller violated Article 12(2) and 21(2), (4) GDPR. Consequently, the DPA held that the controller violated Article 5(1)(a), (c), (2), 6(1), 12(2) and 21(2), (4) GDPR and, therefore, issued a fine of €10,000 against the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                                  1/29








                                                                                    Dispute room


                                                      Decision on the merits 71/2022 of 4 May 2022





File number: DOS-2020-04750



Subject : Newsletter Hello Belgium Railpass NMBS



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

chairman and Messrs Yves Poullet and Frank De Smet;


Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (General

Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;


Having regard to the internal rules of procedure, as approved by the Chamber of Representatives
on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;


Having regard to the documents in the file;



has made the following decision:


The defendant: NATIONAL COMPANY OF BELGIAN RAILWAYS (“NMBS”), nv

                      of public law, with registered office at Francestraat 56, 1060

                      Brussels, registered with the Crossroads Bank for Enterprises (CBE) in Brussels,

                      under number 0203.430.576, hereinafter referred to as “the defendant”, Decision on the merits 71/2022 - 2/29



I. Fact-finding procedure


1. On 14 October 2020, the GBA received a notification from a Twitter user about a newsletter they

    received from NMBS about the Hello Belgium Railpass. The Hello Belgium Railpass is a

    ticket with a number of free train rides that are free of charge to Belgian residents on request

    was provided. According to the person who made the report, the newsletter did not contain any possibility to
    deregistration thereof.


2. On 19 October 2020, the Inspectorate decided to bring the case before

    pursuant to Article 63, 6° WOG because serious indications could be established about the existence

    of a practice that could give rise to a breach of the fundamental principles of protection
    of personal data.


3. The inspection will be completed by the Inspectorate on 9 November 2020, the report will be submitted to the

    file is added and the file is transferred by the Inspector General to the Chairman of

    the Disputes Chamber (art. 91, § 1 and § 2 WOG).

4. The report contains the following findings:


    • The newsletter sent by e-mail was not necessary for the execution of the agreement

        (by requesting the Hello Belgium Railpass) between the defendant and the travelers involved. er

        a different way of publishing the newsletter could have been chosen. There was
        moreover, there is no legal basis for the processing of the personal data, since

        the sending of the newsletter by e-mail did not fulfill the agreement between

        defendant and the passengers. There are no appropriate technical and organizational measures

        taken to ensure and demonstrate that the processing took place in accordance with the GDPR.



        According to the Inspectorate, this leads to a violation of Articles 5.1, a) and c) and 5.2 of the GDPR,
        Article 6.1 of the GDPR, Article 24.1 of the GDPR and Articles 25.1 and 25.2 of the GDPR;



    • The right to object was not facilitated by the defendant while the targeted emails

        can be regarded as “direct marketing” which constitutes infringements of Article 12. 2

        of the GDPR and Articles 21. 2, 21.3 and 21.4 of the GDPR.

    The report also contains findings regarding the data protection officer:


    • The DPO did not report to senior management
        body within the defendant's organization.


    • The job description, number of working hours per week, and access to resources by the

        data protection officer were found to be sufficient by the Inspectorate. The

        Opinions provided by the officer in the context of the targeted e-mails sent was, Decision on the substance 71/2022 - 3/29



        according to the Inspectorate, also sufficient to assume that the legal obligation

        the level of advice was met.


       Therefore, the Inspectorate establishes an infringement of Article 38.3 of the GDPR, but no infringement
       on Article 38. 1, 38.2 and 38.6 of the GDPR and no infringement of Article 39 of the GDPR.




5. On February 19, 2021, the Disputes Chamber will decide on the basis of art. 95, § 1, 1° and art. 98 WOG that it

    file is ready for processing on the merits.

6. On February 19, 2021, the defendant will be notified of the provisions as referred to in Article 95,

    § 2, as well as those in art. 98 WOG. It is also on the basis of art. 99 WOG notified

    the time limit for submitting its defences.


7. The latest date for receipt of the defendant's statement of defense set at 2
    Apr 2021.


8. On March 4, 2021, the defendant will request a copy of the file, and the defendant will accept electronically

    all communication regarding the case and he indicates that he wishes to make use of the possibility

    to be heard, in accordance with article 98 WOG. (art. 95, §2, 3° WOG) the file was

    transferred on March 17, 2021.

     Conclusion of the defendant's answer


9. On April 2, 2021, the Disputes Chamber will receive the statement of defense from the defendant.

10. According to the defendant, she received the e-mail containing the newsletter about the Hello Belgium Railpass

    sent lawfully. Defendant argues that the e-mails were sent in the context of the

    execution of the agreement between applicants/users of the Hello Belgium Railpass and

    defendant. The intended processing of personal data was therefore, according to the defendant,

    necessary for the execution of the agreement pursuant to Article 6.1 sub b GDPR and for the sanitary
    to ensure passenger safety. The conditions for using the Hello Belgium

    Railpass together with the General Conditions of Carriage are part of the

    transport contract with the passengers. Moreover, according to the defendant, it was necessary that the

    emails were sent given the precarious situation at the time, with a second wave in the

    Covid-19 epidemic in Belgium was coming and everyone therefore had to be extra alert in order to prevent the

    to ensure safety on the trains. In order to reach the travelers in time, NMBS was therefore
    forced to send applicants the newsletter by e-mail. The disclaimer of the email

    According to the defendant, it contained clear information about the intended purpose of the e-mail, namely the

    inform passengers about how the Railpass is used as correctly and optimally as possible

    had to be. According to the defendant, the principle of minimum

    data processing in accordance with article 5.1 sub c, as there is no realistic and less intrusive

    alternatives were available to give effect to the agreement., Decision on the merits 71/2022 - 4/29



11. Moreover, according to the defendant, the targeted e-mail did not constitute direct marketing in the sense of the article

    21.2 GDPR because the email was not intended to directly or indirectly promote goods,

    services or the image of SNCB. The e-mail was part of the implementation of the government tasks of

    SNCB and these tasks are excluded from the term 'direct marketing'. Now that there is no direct

    marketing and processing took place on the basis of Article 6.1, b (performance of the agreement),

    According to the respondent, this means that the right of objection as laid down in Article 21.1 AVG does not
    applies to. In addition, the disclaimer of the e-mail regarding the Hello Belgium Railpass

    according to the defendant, clearly a hyperlink to the privacy statement of NMBS. The involved

    were therefore informed of the rights available to them.


12. The defendant further argues that the determination of the Inspectorate, according to which the officer

    data protection would not report directly to the highest management body
    within NMBS, is incorrect. Defendant makes it clear that the data protection officer

    reports to the CEO of SNCB, both periodically and ad hoc. The CEO is chairman of the

    Executive Committee as well as of the Executive Committee. Therefore, the officer reports for

    data protection fully in accordance with Article 38.3 to the highest body within NMBS and there is

    according to the defendant, there is no violation of this article.

13. On 14 February 2022, the parties are notified that the hearing will be held on

    February 28, 2022.


14. On February 28, 2022, the parties will be heard by the Disputes Chamber.

15. The minutes of the hearing will be submitted to the parties on March 16, 2022.


16. On March 23, 2022, the Dispute Chamber will receive the defendant's comments regarding

    until the official report. Defendant notes the following with regard to the representation in the proceedings-

    verbal: the communication that is the subject of the present procedure does not concern a newsletter

    but communication addressed to holders of the Hello Belgium Railpass. Defendant is from
    believes that the emphasis in the official report is placed on the first part of the

    communication containing the message “rediscover more than 500 destinations in Belgium”.

    According to the defendant, the foregoing is not consistent with what was submitted at the hearing by

    Defendant. In the Defendant's opinion, all elements in the communication should be regarded as equivalent

    The representation of what was not explained by the defendant during the hearing is according to

    defendant is also incomplete. Each of the components of the communication was aimed at spreading
    of travelers, encouraging them to use the Move Safe App and correctly pre-

    completing the Railpass to avoid aggression against personnel and to facilitate control. The

    The Disputes Chamber emphasizes that the response to the trial story does not reopen the debates,

    but that the representation of this reaction is useful in this case, for a better understanding of the position of the

    defendant., Decision on the merits 71/2022 - 5/29




17. On March 16, 2022, the Disputes Chamber notified the defendant of its intention to

    to proceed with the imposition of an administrative fine, as well as the amount thereof

    in order to give the defendant another opportunity to defend itself, before the sanction becomes effective

    imposed.


18. On April 8, 2022, the Disputes Chamber will receive the defendant's response to the intention to
                                                                                         1
    imposing an administrative fine, as well as the amount thereof.





II. Justification


    II.1. Compliance with the principles governing the processing of personal data (Articles 5.1 and

          5.2 GDPR) and the lawfulness of the processing (Article 6.1 GDPR)


19. The processing of personal data is only lawful if it is based on one of the conditions set out in Article
                                             2
    6.1 GDPR listed legal bases.


    The Inspectorate has established that the processing of personal data of travelers who

    e-mail, containing a newsletter about the Hello Belgium Railpass, happened without a valid

    legal basis. In contrast to the defendant who believes that he can legally invoke

    Article 6.1.b GDPR, namely the execution of an agreement, the Inspection Service is of the opinion that

    that is not the case. According to the Inspectorate, the processing of personal data of

    train passengers by sending a communication via e-mail not necessarily for the implementation or

    preparation of the contract between the defendant and the applicants/travellers of the Hello

    Belgium Railpass. In addition, the processing was not necessary since the defendant had

    may choose to disseminate the information through other channels such as its website. The

    according to the Inspectorate, processing was therefore not based on one of the provisions set out in Article 6.1 of the GDPR


    listed legal grounds and, according to the Inspectorate, was in violation of Article 6.1 of the GDPR.





1
 See point 68 of this decision.
2Article 6.1subbGDPR:“The processing is only lawful and subject to at least one of the following conditions
is completed:

    a) the data subject has consented to the processing of his/her personal data for one or more specific
         purposes;

    b) the processing is necessary for the performance of a contract to which the data subject is a party, or to
         of the data subject before the conclusion of a contract;
    c) the processing is necessary for compliance with a legal obligation incumbent on the controller;

    d) the processing is necessary to protect the vital interests of the data subject or of another natural person
         to protect;

    e) the processing is necessary for the performance of a task carried out in the public interest or of a task carried out in the context of the
         exercise of official authority vested in the controller;
    f) the processing is necessary for the representation of the legitimate interests of the controller
         or of a third party, except where the interests or fundamental rights and freedoms of the data subject
         require the protection of personal data outweigh those interests, in particular where the data subject has a

         child.”, Decision on the merits 71/2022 - 6/29




20. Defendant invokes the performance of the agreement (Article 6.1 (b) GDPR) that NMBS/SNCB has with the

    the person concerned has. According to the defendant, the reliance on this legal ground is lawful since the

    legal conditions under NMBS/SNCB are fulfilled: there is a valid agreement with the

    The data subject and the processing is objectively necessary for the execution of the agreement.


21. Defendant makes it clear that the decision to provide a free Hello Belgium Railpass to

    Belgian residents was a decision taken by Royal Decree “with a view to the
                                                                                              3
    recovery of the Belgian economy and the promotion of rail as public transport”.


22. The Hello Belgium Rail Passes could be used from October 5, 2020. This moment coincided
    with the “second wave” of the Covid-19 epidemic becoming increasingly critical. There was a large number

    rail passes requested and issued, so that NMBS could expect problems (again) on

    certain stations. In its submission, the defendant also submits a number of newspaper articles from which

    it appears that there was already concern among its management when the Hello Belgium Railpass was announced

    on the impact of the initiative on the sanitary safety of staff and travellers. To

    for the aforementioned reasons, the start of the validity period of the Hello Belgium Railpass according to

    defendant postponed twice.


23. In view of the situation described, according to the defendant, there was a need to do everything possible

    to ensure that this runs smoothly and where possible to avoid crowds. According to the defendant,

    therefore decides that: “(i) sending a communication to the holders (and thus to the expected

    users) of the Hello Belgium Railpass was necessary to support the existing initiatives of SNCB

    to avoid crowds and to draw attention to the conditions for using the ticket

    and (ii) that this was the only possible way to reach the travelers (on time).


24. Defendant states by conclusion that the conditions for the use of the HelloBelgium Railpass

    together with the General Conditions of Carriage of NMBS, the contract of carriage with the

    applicant/traveler. According to the defendant, these General Conditions of Carriage are

    available on the NMBS website and are listed in the footnote on every page of the website

    displayed. In view of the foregoing, according to the defendant, there is therefore a legally valid

    agreement between SNCB and the applicant for the Hello Belgium Railpass.

25. The endorsed e-mail that the defendant sent to the applicants for the Hello Belgium Railpass

    contains the following text:


        (i) “Rediscover more than 500 destinations in Belgium” accompanied by a “Find inspiration” button;






3Royal Decree of 28 July 2020 amending the Royal Decree of 21 December 2013 establishing the provisional
rules that apply as a management contract of Infrabel and NMBS, Belgian Official Gazette 31 July 2020: “In the Royal Decree of 21 December 2013 to
adoption of the provisional rules that apply to the management contract of Infrabel and SNCB, as last amended by the decree of 9
April 2020, an article 4/5 will be inserted, which reads as follows: "Art. 4/5.§1. In response to the COVID-19 crisis, wildfederalState
to promote the use of rail transport, the tourist, recreational, cultural and economic sectors by, on the one hand, the
Ask NMBS to distribute a new free ticket for domestic passenger transport, i.e. de12-TRAJECTS-PASS,
and by temporarily allowing the bicycle to be taken on the train for free, Decision on the merits 71/2022 - 7/29




        (ii) “MoveSafe app: your safety” accompanied by a button “Download the app”

        (iii) “Ready for your first trip?”;


        (iv) “Any questions? Consult our FAQ on how to use your Hello Belgium Railpass”, accompanied

        of a button 'View the conditions';


        (v) The message “We wish you pleasant journeys with your Hello Belgium Railpass!”

        (vi) Disclaimer


        “With the above communication, NMBS wants to inform you about how you can use your Hello

        Belgium Railpass correctly and as optimally as possible. NMBS processes your personal data

        data to implement the agreement based on the Hello Belgium Railpass

        consists. You will find more details about how SNCB processes your personal data and about your rights
                                  4
        at www.nmbs.be/privacy”

26. In Article 4.1 GDPR, personal data is defined as: “Any information about an identified

    or identifiable natural person.” In this case you have the majority of the applicants for the Hello

    Belgium Railpass provided their name and e-mail address. This is personal data within the meaning of

    article 4.1 GDPR. Article 4.2 contains the definition of a processing, which reads: 'processing': a

    operation or set of operations on personal data or set of

    personal data, whether or not carried out by automated processes, such as collection,

    record, organize, structure, store, update or modify, retrieve, consult, use,
    provide by transmission, distribution or otherwise make available,

    align or combine, shield, erase or destroy data. The applicants

    personal data provided were (initially) collected by the defendant and used for the

    processing the Railpass application. Therefore, there is a processing of

    personal data within the meaning of Article 4.2 GDPR.


27. According to the defendant, the targeted e-mail from NMBS should be regarded as "an official"
    reminder of some of the essential terms of the contract of carriage with the traveler,

    in particular the obligation to use the ticket correctly and to always

    to monitor their own safety. Both obligations cannot be fulfilled by all

    simultaneously to the obvious (coastal) destinations. †


28. First of all, the Disputes Chamber points out that for a successful appeal to Article 6.1.b GDPR

    it is necessary that there is an agreement to which the person concerned is a party and that the

    processing is a necessary consequence of the agreement. In this case it should therefore be
    assessed whether the targeted e-mail can be regarded as a necessary corollary of the

    contract of carriage between the applicants for the railpass and the defendant.




4
 See Appendix 1 to this decision for the targeted e-mail in its entirety, Decision on the merits 71/2022 - 8/29




29. For the Disputes Chamber there is no doubt that guaranteeing the sanitary safety of the

    train herons is a necessary element for the performance of the agreement in question.

    However, the e-mail also contains general information (which is rather promotional in nature) in which not only
    and specifically communicated about the sanitary situation at that time and the

    precautions to be taken to ensure safety. Becomes

    reported the large number of applications for a Hello Belgium Railpass. However, this is -

    as described above - not the only information given in the email. The text below

    For example, the section “Rediscover more than 500 destinations in Belgium” reads:


        Nearly 3.6 million Belgians have applied for a Hello Belgium Railpass. They are right! je

        must of course be able to explore our country in complete safety. Get inspired

        through our blogs that are overflowing with ideas to go on a city trip, to go out in the
        nature, with family or with friends… You will find something for everyone in Belgium!



30. The Disputes Chamber rules - in accordance with the findings of the Inspectorate - that

    the e-mail therefore also contains general promotional information that does not relate to the specific

    sanitary situation. Therefore, according to the Disputes Chamber, the e-mail can be sent, other than by the defendant

    argued, should not be classified as “An official reminder of some of the essential

    conditions of the contract of carriage with the traveler, in particular the obligation to

    to use the transport ticket correctly and to always monitor his own safety as a passenger ...”. The

    After all, the newsletter contains, in addition to a reference to the Move Safe app and announcements about the correct

    use of the Hello Belgium Railpass, also blogs to get inspiration to visit certain places
    to discover.


31. The Disputes Chamber also rules that the information contained in the e-mail can equally well be

    processing of the personal data of applicants for the Hello Belgium Railpass could have been

    to happen. The Inspectorate has established that the defendant also provided the aforementioned information

    had published his website https://www.belgiantrain.be. The content of the e-mail had

    The Disputes Chamber is not of such an urgent nature, because it would suffice in this specific case

    to publish on the website and/or the SNCB application, given its content.














    5https://www.belgiantrain.be/nl of the VV which were taken on 27/10/2020 by the Inspectorate.

    See the screenshots of the website on the next page, Decision on the merits 71/2022 - 9/29





























































In this regard, the Disputes Chamber refers to the Guidelines of the European Committee for

Data Protection (EDPB) on Article 6.1. b which states: “What the

data protection legislation, data controllers should
take into account that the foreseen processing activities must have an appropriate legal basis

to have. When the agreement consists of several separate services or parts of

a service that can in fact reasonably be provided independently of each other, the question arises

to what extent Article 6(1)(b) can serve as a legal basis. In accordance with the

principle of proportionality, the applicability of Article 6(1)(b) must be assessed in the Decision on the merits 71/2022 - 10/29




     context of each of those services separately, looking at what is objectively needed is milk

     of the individual services that the data subject has actively performed or

     reported. This assessment may show that certain processing activities are not necessary
     are requested by the data subject for individual services, but rather are necessary for the

     broader business model of the controller. In that case, Article 6(1)(b)

     not be a legal basis for those activities. However, there may be other legal bases for those

     processing are available, such as Article 6(1)(a) or (f), provided that the relevant

     criteria are met.”


32. The EDPB further points out that an agreement defines the categories of personal data or the

    type of processing operations necessary for the performance of the agreement whereby the

    data subject is not allowed to artificially expand. It is also pointed out that
    what is covered by an agreement depends not only on the perspective of the

    controller, but also the reasonable expectations of the data subject. A very

    strict application is therefore appropriate in view of the high degree of precision of this legal basis.


33. Although not strictly necessary, since SNCB invokes Article 6.1.b, the

    Disputes Chamber ex officio and superfluously whether the defendant possibly has a successful appeal

    accrues to the legal bases of Article 6. 1 c, e and f of the GDPR. The Disputes Chamber notes that

    for the intended processing, the defendant invoked Article 6.1 b, (the implementation of the

    agreement) but on the other hand also stated: "Secondly, the e-mail regarding the Hello
    Belgium Railpass within the implementation of the government tasks of SNCB. NMBS has a

    public service obligation for domestic passenger transport by rail. like higher

    mentioned, NMBS was instructed by the Royal Decree on 28 July 2020 to issue the Hello Belgium Rail Passes

    To make available to the Belgian population to provide train journeys for which this title

    could be used.” Defendant was instructed by the King to dispose of the Rail passenger

    and had to process personal data for this to process the requests for Rail Passes

    The Royal Decree, however, does not contain any clearly defined provisions

    about the further processing of the personal data after the applications have been processed. One

    any appeal to article 6.1 sub c cannot succeed for this reason alone.

34. Article 6. 1e contains the legal basis task of general interest or a task for the implementation of the

    public authority. As already indicated above, this legal ground also applies that there is

    must be necessary for the processing. The Disputes Chamber does not consider it plausible that the

    (content of the) e-mail was necessary to carry out the task of general interest (making available

    of the Hello Belgium Rail Passes).


35. The Disputes Chamber points out in this regard that in accordance with Article 6.3 GDPR, read in

    coherence with Article 22 of the Constitution and in the light of Articles 7 and 8 of the European


6
 EDPB, Guidelines 2/2019 on the processing of personal data pursuant to Article 6(1)(b) of the GDPR in
within the framework of the provision of online services to data subjects,8 October 2019., Decision on the merits 71/2022 - 11/29




    Charter of Fundamental Rights, a legislative standard, the essential characteristics of data processing
    must establish what is necessary for the performance of a task in the public interest or for the

    exercise of official authority entrusted to the controller. Qe7

    Litigation room emphasizes that the processing involved should be framed by a standard that

    sufficiently clear accurate is foreseeable of the application for the persons involved

    is. In accordance with Article 6.3 GDPR, the precise purpose(s) of the processing in the legal

    standard itself. The foregoing was not the case in this case. In addition, do not come

    to establish that the e-mails sent were necessary for the implementation of the Royal Decree.

    This stipulates that the defendant can do the necessary and limit the use of the Railpass or

    terminate in case of force majeure. The Covid-19 epidemic and its consequences are not in sight
    discussion. However, according to the Disputes Chamber, the e-mails sent were - as already stated in the

    decision - not necessary for the mere provision of the Hello Belgium

    Rail passes, as a result of which a possible appeal to Article 6.1 e cannot succeed.


36. The legal basis of legitimate interest is laid down in Article 6.1 fAVG. The Disputes Chamber investigates

    or the further processing of the personal data of the railpass applicants in this case

    may have been lawful under the aforementioned provision. To determine this, the
    controller in accordance with the case law of the Court of Justice

    Which:


           1) the interests they pursue with the processing can be justified as legitimate

               recognized (the “target test”)


           2) the intended processing is necessary for the realization of those interests

               (the “necessity test”)

           3) balancing those interests against the interests, fundamental freedoms and

               fundamental rights of data subjects weighs in favor of the

               controllers or a third party (the “balancing test”).


    37. First of all, the question is what interest and purpose the controller with the further

       processing of the personal data (target test). Due to the personal data of the
       to use those involved to send them an email mainly promoting the railpass,

       According to the Disputes Chamber, the defendant's aim was, among other things, to

       to encourage the railpass to travel. The promotion of the railpass by becoming a defendant

       regarded as a (commercial) legitimate interest.


    38. In order to satisfy the second condition, it must be demonstrated that the processing

       was necessary for the achievement of the objectives pursued



7
  See also the advice of the Knowledge Center of the GBA 36/2020, 42/2020, 44/2020, 46/2020, 52/2020 and
64/2020(https://www.dataprotectionauthority.be/burger/zoeken?q=&search_category%5B%5D=taxonomy%3Apublicati
us&search_type%5B%5D=advice&s=recent&l=2, Decision on the merits 71/2022 - 12/29



    (necessity test). This means that the question must be asked whether

    means the same result can be achieved without processing personal data or

    without unnecessary processing for the data subjects. The Disputes Chamber determines

    that it was by no means necessary to further process the passengers' personal data

    To send them the targeted e-mail
    believe that the message announced in the e-mail is also in a different way

    could have been made known. The second condition is therefore not met.


39. The third condition concerns the “balancing test” between the interests of the

    controller on the one hand, and the fundamental freedoms and rights of
    concerned, on the other. In accordance with Recital 47 GDPR, when determining this,

    verify whether the “data subject at the time and in the context of the collection of the

    personal data can reasonably expect that processing for that purpose can take place”

    The Disputes Chamber establishes that those involved could not have expected that the

    personal data provided in the context of a transport contract
    be used for purposes other than processing the request for a rail pass,

    in particular promotional activities. Therefore, any recourse to Article 6. 1, f would not

    to succeed.


40. In view of the above, the Disputes Chamber is of the opinion that the processing of the

    personal data by sending e-mails happened without the choice (and even the
    presence) for a lawful basis. Defendant's appeal on the legal basis

    execution of the agreement of Article 6.1b, cannot be invoked in this case, since the e-mail

    mail is not a necessary corollary of the contract of carriage between the parties. That's why there is

    also not met the principle of necessity as laid down in Article 5.1c of the GDPR. The

    The Disputes Chamber therefore establishes infringements of Articles 5.1 a and c, 5 . 2 and 6 . 1 GDPR.

    Right to object and direct marketing


41. The Inspectorate has come to the conclusion that there was direct marketing by the

    dispatch of the newsletters by the defendant and that there is no effective right to object
    was awarded to those concerned. Therefore, according to the Inspectorate, there was an infringement

    on Articles 21. 2 and 21.4 GDPR.


42. On the basis of Article 12 of the GDPR, the controller should inform the data subjects
    transparent information. In doing so, the controller must, among other things:

    exercise of the data subject's rights on the basis of Articles 15 to 22 of the

    to facilitate GDPR. Article 21 of the GDPR sets out the right of objection of the data subjects vis-à-vis

    by the controller. Article 21. 2 provides that when

    personal data are processed for direct marketing purposes, the data subject at all times

    has the right to object to the processing of the data concerning him at any time
    personal data. If the data subject exercises that right against processing for direct, Decision on the merits 71/2022 - 13/29




        marketing, the personal data may no longer be processed for that purpose by
        the controller. The right to object according to Article 21. 4 must be submitted at the latest at the

        first contact with the data subject to be brought to the attention of the data subject and

        displayed clearly and distinctly from the other information.


    43. The defendant disputes the findings of the Inspectorate and argues that there was no

        direct marketing, as: ”(i) the email was not intended for direct or indirect promotion
        of goods, services or the image of SNCB and (ii) the e-mail is part of the implementation of the

        government tasks of SNCB that are excluded from the concept of 'direct marketing'.


    44. The GDPR does not define what is meant by “direct marketing”. Nor

        there is to date an official, legal, or generally accepted definition of this term on

        European level. The GBA clarified its interpretation of this legal concept in recommendation

        1/2020 as follows :

        “Any communication, in whatever form, solicited or unsolicited, from a

        organization or person and aimed at the promotion or sale of services, products (whether or not

        fee), as well as brands or ideas addressed by an organization or person who

        acts in a commercial or non-commercial context, which is directly addressed to one or

        more natural persons in a private or professional context and who
        involves personal data”. Thus, under “direct marketing” various

        forms of promotion, such as email newsletters, commercial telephone calls or

        text messages or e-mails, or online advertising and this, whether or not in a commercial context.”


    45. According to the above interpretation, the promotion or sale of services or products where

        does not have to be paid for can also be regarded as direct marketing. The defendant

        stated, however, that e-mails regarding the Hello Belgium Railpass - among other things - cannot
        be regarded as direct marketing because the railpass was awarded completely free of charge to the

        applicants thereof. The Disputes Chamber is of the opinion that this view is incorrect based on the

        the above interpretation of the term direct marketing.


    46. In addition, according to the defendant, the e-mail regarding the Hello Belgium Railpass falls within the scope of the

        implementation of SNCB's government tasks. In its conclusion, it states in fact: ”NMBS has a

        public service obligation for domestic passenger transport by rail. She received at KB
        28july2020fromtheKingtheordertofittheHelloBelgiumRailtotheBelgianpopulation

        and to provide the train journeys for which this title could be used.

        As a result, e-mail cannot be considered "direct marketing" for this reason either

        after all, expressly confirmed by the Direct Marketing Recommendation of the GBA itself.”






8
 GBA, Recommendation No. 01/2020 of January 17, 2020 regarding the processing of personal data for direct
marketing purposes”, p. 9, Decision on the merits 71/2022 - 14/29




    47. The defendant also quotes the following from the Direct Marketing recommendation of the

        GBA:

       “This definition includes all forms of communication, whether or not they are promotional”

       of goods or services, the promotion of ideas suggested or supported by any person

       or organization, but also the promotion of that person or organization itself, including its

       brand image of the brands owned or used by it, with the exception of

       the promotion carried out at the initiative of public authorities acting strictly in the

       under their legal obligations or public service tasks for services for which

       they alone are responsible.”


       Finally, communications from government services conducting certain campaigns (eg.

       vaccination campaigns) or services (e.g. telephone centers for assistance to persons in difficulty)
       promote what they are legally responsible for or offer as a public service,

       not considered direct marketing communications unless they simultaneously provide specific services or

       promote products offered by private service providers.” 9


    48. It is apparent from the above and from what was stated at the hearing that the defendant argues a duty to

        have to promote the Hello Belgium Railpass because they have a legal

        had responsibility. The emails should therefore be classified as a

        “public authorities notice” or a “promotion at the initiative of public authorities”. The

        However, the recommendation of the GBA emphasizes that there must be a promotion that is

        carried out at the initiative of public authorities acting strictly within the framework of their legal

        obligations or public service duties.

    49. In addition, the defendant cannot simply be regarded as a “public service”, such as

        defined above. After all, the defendant is an autonomous public company. Characteristic of

        the status of an autonomous public company is the express possibility that

        these companies are allowed to perform, in addition to their statutory public service missions
                                                      10
        develop other activities. A restrictive conception of

        According to the Disputes Chamber, government service is appropriate in view of the foregoing. The

        The Disputes Chamber also wishes to point out that according to article 221 § 2 of the Act

        protection of personal data is a legal person under public law that offers services on

        the market which makes it unlike "the government and their appointees or agents"
        an administrative fine within the meaning of 83 GDPR may be imposed. This is according to the

        The Disputes Chamber also provides an indication that the defendant cannot be

        considered "classic" government.







9Quotation and marking by defendant from recommendation Direct marketing GBA 01/2020
10
  Article 7 of the Act on the Reform of Certain Economic Public Enterprises, Decision on the Substance 71/2022 - 15/29



50. The Disputes Chamber is of the opinion that the email sent (which also contains general information that

    not related to the specific sanitary situation or not specifically valid when used

    of the Hello Belgium Railpass but could also be applicable when using other

    tickets) cannot be regarded as promotion strictly limited to the

    carrying out the legal obligation imposed on SNCB in the context of offering

    the Hello Belgium Railpass or which was limited to the provision of a public service. The
    The Disputes Chamber also points out that the e-mail sent may also contain the

    (possibly indirectly) promoting services or products provided by private service providers

    are offered, which is an additional indication that the email was not exclusively related

    on a public service.

51. It would also be assumed by the petitioner that it concerns a communication originating from a

    government agency, the content of that communication cannot be unlimited. The defense that the email

    which was sent would not be direct marketing because SNCB had the task as a government agency

    informing the travelers is of no use, according to the Disputes Chamber. It would free the defendant

    have stood in the context of its statutory task / task of general interest, the travelers

    to notify and inform with regard to the special sanitary situation due to the
    pandemic. Therefore, the defendant could have included in the e-mail that the stations were being crowded

    expected and that this crowding could pose a danger. In doing so, she should have

    limit to informing travelers of this danger.

52. In the opinion of the Disputes Chamber, however, the content of the e-mail cannot be interpreted

    as merely factual information about the sanitary situation at the time in which travelers were

    warned and asked to exercise caution and to spread out as much as possible.

    On the contrary, the e-mail had little to do with the referrals and content that

    the sanitary situation, (also) acquired a commendable character, in order to ensure that there

    as many people as possible would use the Railpass (and other services or
    products, or (indirectly) even from other transport tickets).


53. Accordingly, it has not been demonstrated by the defendant that the e-mails were strictly for the purpose of

    encourage travelers to choose less crowded cities. Although there are tips

    given to visit certain cities, the main message of the e-mail is according to the
    Dispute chamber does indeed promote the Hello Belgium Railpass or even others

    tickets and services or products (although not always explicitly mentioned). In addition, it is not

    important that NMBS/SNCB would not derive any financial advantage from this

    of the e-mails referred to the special services provided by SNCB, which

    corporate image. The Disputes Chamber therefore agrees with the Inspectorate, where

    this states that there is promotion: After all, the message is that the services of the VV
    allow train passengers to (1) rediscover more than 500 Belgian destinations, (2)

    travel comfortably and safely and (3) easily use their Railpass.” Defendant had

    can choose to send a notification that immediately and clearly conveys the message, Decision on the substance 71/2022 - 16/29




        it could be deduced that there was a fear that certain cities would be too crowded and
        travelers should take this into account. In addition, the communication

        between the data protection officer and various employees of the defendant

        that one is aware of the fact that the mailing could be classified as direct

        marketing and that for these reasons a correct balance and description was sought so that the e-mail

        emails would be regarded as part of the execution of the agreement. That's how it falls

        among other things to read in this communication: ”Provided that we have the direct link to the blogs

        be able to extract it and replace it with a text that points more to our planning module

        on the site we can bring this information under the justification ground “execution of a

        contract” which is a stronger argument to say that people cannot afford this
        unsubscribe.”


    54. The Dispute Board is therefore of the opinion that the targeted e-mails should be marked as

        direct marketing.

    55. Article 21.1 provides that the right to object should be facilitated in the event that

        data is processed on the basis of Article 6.1(e) off) GDPR. In accordance with article 21. 2 of the

        GDPR has the data subject whose personal data is used for direct marketing purposes

        also processes the right to object to the processing concerning him at any time

        personal data, including profiling related to direct marketing

    56. Defendant invoked with regard to the processing of the personal data for the transmission

        of the e-mails to the applicants (wrongly, by the way, cf. supra) on the legal basis of the

        execution of an agreement article 6.1, b, arguing that the targeted e-mails

        were necessary to comply with that agreement and to ensure the safety of the travelers and the

        employees as a result of which art 21.1 AVG would not apply. from direct

        marketing would also be out of the question since the defendant in the context of its assignment from the

        government has sent these e-mails, so that Art 21.2 AVG would not apply.
        As discussed above, according to the Disputes Chamber, the e-mails can

        be regarded as direct marketing whereby the defendant had the obligation to

        art. 21.2 and art. 12.2 GDPR to provide and facilitate the right to object.


    57. The defendant points out that the disclaimer of the e-mail regarding the Hello Belgium Railpass contains a

        contained a clear hyperlink to the SNCB privacy statement. Via this hyperlink,
        data subjects informed about other rights such as the right to erasure about which they

        possessed. Therefore, according to the defendant, the persons concerned had invoked the right to

        having their data erased can have the same effect as the right to object.


    58. The Disputes Chamber rules that the right to object has not been facilitated in this case. Defendant

        points out that data subjects could have other rights such as the right to erasure



11
 Document 11 to the defendant's claim: e-mail from DPO of 6 October 2020, Decision on the merits 71/2022 - 17/29




        This should be done by sending an e-mail to SNCB together with a copy

        of the identity card. The Disputes Chamber emphasizes that the right of objection is a right that

        is expressly assigned to data subjects according to Article 21. 2 GDPR. This right is according to

        Article 21.4 in addition, during the first contact and clearly separated from other any other

        information to be displayed. With regard to information about the right to object

        (Article 14.2 b) GDPR) in particular, Article 21.4 GDPR expressly states that this possibility,

        separate from the other information, already in the first message to the data subject, should be

        Hospitalized. However, the e-mail that is the subject of these proceedings does not

        in no way expresses the right of objection. What's more, it doesn't contain any reference to this

        right of objection. Recital 70 GDPR provides, however, that this right is expressly, in a clear

        manner and separately from other information, should be brought to the attention of the data subject

        brought. In the absence of notice of this right of objection in the emails targeted, the

        controller also acted in violation of Article 21.4 of the GDPR.


    59. In Recommendation 1/2020 on direct marketing, the DPA also states that the data subject is entitled to

        object to direct marketing should be easy to exercise, taking into account the

        means by which the controller communicates with the data subject: “if the

        mandatory information is provided digitally or if you contact the person through digital channels,
                                             13
        a single click should suffice”

    60. In view of the above, the Disputes Chamber establishes infringements of Articles 12. 2, 21.2, 21.

        3 and 21.4 of the GDPR as the defendant does not have the right to object for data subjects

        facilitated while the targeted e-mails can be regarded as direct marketing.


        The Data Protection Officer


    61. Article 38.3 provides that the data protection officer reports directly

        to the highest management level of the controller. In the guidelines of

        the Working Group 29 on the Data Protection Officer becomes the following explanation

        given to reporting to the most senior manager as referred to in Article

        38.3: ”If the controller or processor makes decisions that are not in line

        subject to the General Data Protection Regulation and the opinion of the officer

        data protection, the latter should be given a chance to express his/her dissenting opinion

        to the top managers and to those who make the decisions

        Article 38.3 provides that the data protection officer "directly

        [reports] to the senior manager of the controller or the
                    14
        processor". Such reporting ensures that senior management (e.g. the


12Article 21.4 GDPR. The right referred to in paragraphs 1 and 2 shall be exercised at the latest at the time of the first contact with the data subject
expressly brought to the attention of the data subject and presented clearly and separately from any other information.
13
   GBA, Recommendation no.01/2020 of January 17, 2020 on the processing of personal data for direct
marketing purposes, marginal number 162, p. 54
14Guidelines for the Data Protection Officer of the Working Group 29, WP 243 rev.01, p.19, adopted by the
EDPB., Decision on the merits 71/2022 - 18/29



    board of directors) is aware of the advice and recommendations that the officer

    data protection provided in the context of its mission to the controller

    or to inform and advise the processor.

62. The Inspectorate has established that the defendant does not comply with this provision, as

    explained by the Working Group 29. From the respondent's answer to questions from the

    Inspection service about the exact position of the official within the organization chart, according to

    the Inspectorate that the officer does not report directly to the highest level,

    in this case the CEO.

63. The defendant disagrees with the Inspectorate's finding. To demonstrate this lay

    defendant in conclusion various documents about e-mail correspondence between

    the data protection officer and the assistant to the CEO regarding privacy

    issues. A PowerPoint prepared by the data protection officer is also available

    presentation to the executive committee entitled: “GDPR points for attention and interim update
    audit” added. A “Governance Charter for the Protection of Personal Data” was issued

    also inserted therein it reads:


   - That the Data Protection Officer together with the Chief Information Security

       develop a policy for the protection of personal data and submit it to the
       executive committee.


   - He advises the Executive Committee and all parts of SNCB on the protection of

       personal data and on setting up a structure and processes to ensure compliance with the

       ensure rules for the protection of personal data

   - The DPO reports important shortcomings in the processing of personal data, the

       comply with the rules or policies for the protection of personal data directly

       to the Executive Committee


   - The management committee ratifies the policy for the protection of personal data and the

       information security policy and makes the necessary resources available to the Data Protection
       Officer to indicate the direction desired by SNCB for the management of personal data

       to the entire organization.


64. The Disputes Chamber is of the opinion that, on the basis of the documents submitted

    and has made sufficiently plausible what was stated by the official at the hearing

    that the data protection officer reports or can report directly
    to the highest management level within the organization. At the hearing, the officer

    declared not to have experienced any opposition and was encouraged by the board

    is fulfilling its legal obligations. According to the Disputes Chamber, the

    mail correspondence between the data protection officer and the CEO as well as from the

    “Governance Charter” that can be reported directly to the CEO who also, Decision on the merits 71/2022 - 19/29




        is permanent chairman of the Executive Committee as well as the Executive Committee of SNCB. The

        The Disputes Chamber is therefore of the opinion - unlike the Inspectorate - that the defendant has

        Article 38. 3 GDPR and there is therefore no infringement of that Article.





III.Sanction


    65. The Disputes Chamber puts the following points first when determining the sanction.

        emails sent to customers in connection with the use of the Hello Belgium Railpass. It
        it has been established before the Disputes Chamber that the NMBS/SNCB/NMBS is responsible for the sanitary and commercial considerations

        mixes. Where it is justifiable in connection with the Covid-19 crisis that the NMBS are

        inform customers about health risks associated with the use of the train, this does not apply to

        incentives to use the train as much as possible, including for tourist

        field trips.


    66. Another point concerns the power to impose a fine on SNCB. The

        SNCB is a legal entity under public law that offers services to a market

        NMBS/SNCB does not fall under the exception with regard to the imposition of administrative fines,

        as provided for in art. 221 § 2 of the Law on the Protection of Natural Persons with

        with regard to the processing of personal data from 30 July 2018.

    67. The Disputes Chamber decides to impose an administrative fine that does not matter

        serves to end an offense committed, but with a view to a powerful

        enforcement of the rules of the GDPR. As is clear from Recital 148 GDPR, the GDPR states

        after all, it is important to note that for every infringement – thus also when an infringement is first established – penalties,

        including administrative fines, in addition to or instead of appropriate measures

        imposed. 15




    68. Next, the Disputes Chamber shows that the infringements committed by the defendant of the

        Articles GDPR in no way concerns minor infringements, nor that the fine would be a disproportionate burden

        to a natural person as referred to in Recital 148 GDPR, where in any of

        in both cases a fine can be waived. The fact that it is a first finding of

        a violation of the GDPR committed by the defendant, thus in no way prejudices



15Recital 148 states: “In order to strengthen the enforcement of the rules of this Regulation, penalties, including
including administrative fines, to be imposed for any infringement of the Regulation, in addition to or in lieu of appropriate
measures imposed by the supervisory authorities pursuant to this Regulation. If it is a small
infringement or if the expected monetary fine would cause a disproportionate burden and on a natural person, instead of a
fine are chosen for a reprimand. However, the nature, severity and duration of the
the infringement, with the intentional nature of the infringement, with damage mitigation measures, with the degree of responsibility,
or with previous relevant infringements, with the manner in which the infringement came to the attention of the supervisory authority, with
compliance with the measures taken against the controller or processor, with the affiliation with
a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including
administrative fines must be subject to adjusting the procedure and guarantees in accordance with the general principles
of Union law and the Charter, including an effective remedy and a fair administration of justice. [own
underline], Decision on the substance 71/2022 - 20/29



       the possibility for the Disputes Chamber to impose an administrative fine. The

       The Disputes Chamber imposes the administrative fine in accordance with Article 58.2 i) GDPR. It

       The administrative fine is in no way intended to end infringements. To that end

       the GDPR and the WOG provide for a number of corrective measures, including the orders

       mentioned in article 100, § 1, 8° and 9° WOG.

    69. Taking into account Article 83 AVG and the case law 16 of the Marktenhof, the motivation

       Dispute chamber imposing an administrative sanction in concrete terms:


       - The gravity of the infringement: It is established that the defendant has committed several infringements of

           the principles of Articles 5 and 6 of the GDPR and the rights of data subjects in
           Articles 12 and 21 of the GDPR. Such infringements constitute a significant infringement of

           the objectives of the Regulation, namely to protect fundamental rights and

           fundamental freedoms of natural persons and in particular their right to the protection of

           personal data.In addition, article 83.5 prescribes before the highest administrative fines

           may be imposed for violations of the aforementioned articles. The NMBS has

           cooperated during the investigation.


       - The duration of the infringement: sending the newsletter to the applicants of the Hello

           Belgium Railpass happened in October 2020. It is therefore a one-off violation,

           which justifies the relatively low amount of the fine.


       - The size : As can be seen from the sent targeted newsletter itself, there are 3.6 million Hello

           Belgium Rail passes requested. This therefore concerns almost a third of the entire

           Belgian population, making the size of the infringement exceptionally large.

       - The necessary deterrent effect to prevent further infringements.

           It appears from this file that insufficient account was taken of the

           personal data protection of data subjects, which should actually be central

           given the defendant's business model. Processing personal data

           is after all an important part of the defendant's activity. It is of crucial importance
           that such companies comply with data protection rules. The facts

           anddeterminedviolationsnoontoapenaltythatmeetstheemergencysome

           to have sufficient deterrent effect, whereby the defendant becomes sufficiently strong

           sanctioned, so that practices involving such violations would not be repeated, and

           so that the defendant would henceforth pay more attention to

           personal data protection.

    70. On March 18, 2022, a sanction form (“form for response against intended

       sanction") addressed to the defendant. In summary, the defendant responded as follows:



16
  Brussels Court of Appeal (Market Court section), Judgment 2020/1471 of 19 February 2020. Judgment on the merits 71/2022 - 21/29



   According to the defendant, the Disputes Chamber did not take sufficient account of the special

   situation and context in which the respondent was at the time of sending the newsletter. The

   communication happened during the second wave of the epidemic and served as much as possible

   to distribute travelers. Defendant was obliged by the government to issue the Railpass and

   received a flat-rate compensation, regardless of whether the card was used or not. Defendant

   was only trying to properly perform the contractual obligation that it was
   entered into with Railpass users. Referring to other destinations in the

   newsletter was only a limited part of the communication. There is no mention of it

   knowingly mixing commercial and sanitary considerations by such as by the

   Dispute chamber is stated in the sanction form. The defendant argues that there is also political

   no initiative has been taken to spread travelers across different destinations,

   as a result of which the defendant has done this in order to properly implement the contractual
   relationship with Railpass users. According to the defendant, the Disputes Chamber

   furthermore, disregarding the fact that the defendant has indeed taken into account

   taking into account the rights of data subjects. According to the defendant, the aforesaid was done by a

   analyze the legal basis used, seek advice from the officer and

   facilitating the rights of data subjects.

71. The defendant is of the opinion that the sanctions are unacceptable. Especially now that the Railpass was framed

    within the public service obligation of the defendant to offer the Railpass free of charge.

    In other words, the defendant would be sanctioned for failing to take the measures it

    imposed by the government.

72. The Disputes Chamber is of the opinion that all arguments put forward by the defendant in the

    sanction form have already been dealt with in this decision and were taken into consideration

    taken in the determination of the administrative fine in accordance with article 83.2 AVG

    Defendant's assertion that it was trying to properly implement the

    agreement between her and the travelers cannot succeed, according to the Disputes Chamber, since

    the processing in this case was not necessary for the execution of the agreement (see above
    marginal 29 ff.) The reference to other destinations in the e-mail was according to

    defendant only a limited part of the communication and there is no question of the

    the deliberate mixing of commercial and sanitary considerations

    disagree with this. According to the Disputes Chamber, the targeted e-mail does contain earlier

    commercially oriented content. Therefore, the sanitary purposes which according to the defendant

    the actual purpose in sending the email was deliberate and commercial considerations
    mixed. Finally, the Disputes Chamber points out that it is not under any obligation, nor on the basis

    of the AVG or the WOG, nor on the basis of case law of the Market Court, to explain the motivation of

    the present decision prior to the taking of the decision concerned to the

    to submit contradictions of the defendants, the sanction form serves only

    to offer the possibility of opposing the intended sanction., Decision on the merits 71/2022 - 22/29



    73. On the basis of all the elements set out above, the Disputes Chamber decides

       to maintain the intended sanction of €10,000. The determined infringements justify and a

       effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account

       with the assessment criteria specified therein. The Disputes Chamber points out that the other criteria

       of art. 83.2. GDPR in this case are not of a nature that they lead to a different administrative
       fine than that which the Disputes Chamber has set in the context of this decision.




IV. Publication of the decision


    74. Given the importance of transparency in the decision-making of the

       Litigation Chamber, this decision will be published on the website of the

       Data protection authority, stating the identification data of the defendant

       having regard to the public interest of the present decision, on the one hand, and the inevitable
       possibility of re-identification of the defendant in case of pseudonymization, on the other hand.






   FOR THESE REASONS,

   the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
   - Pursuant to article 100, §1, 13° WOG and art. 101 WOG to impose an administrative fine

       to impose €10,000 for infringements of Articles 5.1 sub a and c, 5. 2 , 6. 1, 12. 2, 21. 2, 3 and

       4 GDPR.



   Against this decision, pursuant to art. 108, § 1 WOG, appeal to be lodged
   within a period of thirty days, from the notification, to the Marktenhof, with the

   Data Protection Authority as Defendant





   Against this decision, pursuant to art. 108, § 1 WOG, appeal must be lodged within a
   period of thirty days, from the notification, to the Marktenhof, with the

   Data Protection Authority as Defendant.


(trans.) Hielke Hijmans

Chairman of the Disputes Chamber, Decision on the merits 71/2022 - 23/29




Attachment: The targeted e-mail in Dutch and French together with the website where you are right

comes after clicking on the link in the mail, Decision on the merits 71/2022 - 24/29, Decision on the merits 71/2022 - 25/29, Decision on the merits 71/2022 - 26/29









































NL, Decision on the substance 71/2022 - 27/29, Decision on the substance 71/2022 - 28/29
































Via the link "rediscover more than 500 destinations in Belgium" you recently (May 2, 2022) ended up

on the website with the following:,Decision on the merits 71/2022 - 29/29