Court of Appeal of Brussels - 2020/AR/813: Difference between revisions

From GDPRhub
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{DPAdecisionBOX
{{COURTdecisionBOX


|Jurisdiction=Belgium
|Jurisdiction=Belgium
|DPA-BG-Color=
|Court-BG-Color=
|DPAlogo=LogoBE.png
|Courtlogo=Courts_logo1.png
|DPA_Abbrevation=APD/GBA
|Court_Abbrevation=Court of Appeal of Brussels
|DPA_With_Country=APD/GBA (Belgium)
|Court_With_Country=Court of Appeal of Brussels (Belgium)


|Case_Number_Name=2020/AR/813
|Case_Number_Name=2020/AR/813
|ECLI=


|Original_Source_Name_1=A
|Original_Source_Name_1=Hof van beroep Brussel
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/arrest-van-18-november-2020-van-het-marktenhof-ar-813.pdf
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/arrest-van-18-november-2020-van-het-marktenhof-ar-813.pdf
|Original_Source_Language_1=Dutch
|Original_Source_Language_1=Dutch
|Original_Source_Language__Code_1=NL
|Original_Source_Language__Code_1=NL
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=


|Type=Complaint
|Date_Decided=18.11.2020
|Outcome=Upheld
|Date_Started=14.05.2020
|Date_Decided=09.09.2020
|Date_Published=
|Date_Published=
|Year=2020
|Year=2020
|Fine=
|Currency=


|GDPR_Article_1=Article 5(2) GDPR
|GDPR_Article_1=Article 5(1)(c) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#2
|GDPR_Article_Link_1=Article 5 GDPR#1c
|GDPR_Article_2=Article 6(1) GDPR
|GDPR_Article_2=Article 6(1) GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1
|GDPR_Article_Link_2=Article 6 GDPR#1
|GDPR_Article_3=Article 13(1)(c) GDPR
|GDPR_Article_3=Article 12(1) GDPR
|GDPR_Article_Link_3=Article 13 GDPR#1c
|GDPR_Article_Link_3=Article 12 GDPR#1
|GDPR_Article_4=
|GDPR_Article_4=Article 13(1)(b) GDPR
|GDPR_Article_Link_4=
|GDPR_Article_Link_4=Article 13 GDPR#1b
|GDPR_Article_5=
|GDPR_Article_5=Article 13(1)(c) GDPR
|GDPR_Article_Link_5=
|GDPR_Article_Link_5=Article 13 GDPR#1c


|EU_Law_Name_1=
|Party_Name_1=Insurance company
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
 
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
 
|Party_Name_1=
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=Belgian DPA
|Party_Link_2=
|Party_Link_2=https://www.gegevensbeschermingsautoriteit.be/


|Appeal_From_Body=APD/GBA (Belgium)
|Appeal_From_Case_Number_Name=24/2020
|Appeal_From_Status=
|Appeal_From_Link=
|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Not appealed
|Appeal_To_Status=
|Appeal_To_Link=
|Appeal_To_Link=
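Review bot: Date_Decided carries two different values in this hunk, 18.11.2020 and 09.09.2020. The linked source file is named "arrest-van-18-november-2020", so 18.11.2020 is the value that matches the judgment. Also, |ECLI= is present on only one side of the diff. If the court infobox template still reads that parameter, keep it as an empty field, because the rendered infobox below shows the raw placeholder {{{ECLI}}}.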


Line 63: Line 47:
}}
}}


.
The Court of Appeal of Brussels held the Belgian DPA violated the principles of proper administration by only orally mentioned additional violations to the controller at the hearing, and later basing its decision on these additional violations. The Court held that the controller must be able to defend itself properly against the additional alleged violations in writing.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
This decision is an appeal of decision 24/2020, where a customer (the data subject) of an insureance company (the controller) claimed that its health data was used for a purpose to which he did not explicitly agree by the controller. The DPA upheld the complaint and stated that there was a lack of transparancy in the controller's privacy policy as it did not demontrate any legitimate interest. Therefore the controller violated [[Article 5 GDPR|Article 5(1)(a) and (2)]], [[Article 6 GDPR|Article 6(1)]], [[Article 12 GDPR|Article 12(1)]], [[Article 13 GDPR|Article 13(1)(b) and (c) GDPR]]. The DPA imposed a fine of €50.000.
The controller appealed the decision of the DPA at the Court of Appeal of Brussels and raised the following pleas:
The controller appealed the decision of the DPA at the Court of Appeal of Brussels and raised the following pleas:


# The decision was void because of a lack of reasoning regarding the legal basis for
# The decision was void because of a lack of reasoning regarding the legal basis for
#* the processing of personal data with regard to the purposes set out in Article 4.3 of its Privacy Statement and  
#* the processing of personal data with regard to the purposes set out in Article 4.3 of its Privacy Statement, and
#* the transfers to third parties set out in Article 6 of its Privacy Statement.
#* the transfers to third parties set out in Article 6 of its Privacy Statement.
# It should have been able to rely on its legitimate interests for the processing of personal data for certain purposes and for transfers to third parties.
# It should have been able to rely on its legitimate interests for the processing of personal data for certain purposes and for transfers to third parties.
# When it could not rely on its legitimate interests, it should have been able to rely on legal grounds other than the consent.
# When it could not rely on its legitimate interests, it should have been able to rely on legal grounds other than the consent.
# The decision violates its freedom of enterprise.
# The decision violates its freedom of enterprise.
# The fine (€50.000) was disproportionate.
# The fine was disproportionate.
 
In response the DPA requested the Court to declare the appeal unfounded and to order the controller to pay the costs of the proceedings. the DPA stated that:
 
The contested decision was properly reasoned in law and in fact. The DPA argued that it correctly based its assessment on the information available, in view of the active duty of responsibility of the controller. The balancing of interests provided by te controller do not affect the lawfulness of the contested decision. ''(regarding the controllers's 1st to 4th plea)''


In addition, the decision did not unlawfully restrict the controller's ability to stop the violations found and comply with the provisions of the GDPR. The fact that the GBA, based on the information at its disposal, presumed that it was possible to use consent as a legal basis does not affect the lawfulness of the decision. ''(regarding the controller's 2th and 3th plea)''
In response the DPA requested the Court to declare the appeal unfounded, as:


Furthermore, the fine imposed was in no way disproportionate in the light of the various violations found. Each of the violations established (including the uncontested ones) could justify the fine. ''(regarding the controller's 5th plea)''
# the contested decision was properly reasoned in law and in fact. It was based the information available, in view of the active duty of responsibility of the controller. The balancing of interests provided by te controller did not change this. ''(regarding the controllers's 1st to 4th plea)''
# the decision did not unlawfully restrict the controller's ability to stop the violations found. The fact that the GBA, based on the information at its disposal, presumed that it was possible to use consent as a legal basis does not affect the lawfulness of the decision. ''(regarding the controller's 2th and 3th plea)''
# the fine was not disproportionate in the light of the various violations found. Each of the violations established (including the uncontested ones) could justify the fine. ''(regarding the controller's 5th plea)''


=== Holding ===
=== Holding ===
The Court held that the controller did not violate [[Article 6 GDPR#1|Article 6(1) GDPR]].
The Court of Appeal stated the DPA violated the principles of proper administration. The DPA orally mentioned additional violations to the controller at the hearing. The DPA later based its decision on these additional violations. The Court held that the controller must be able to defend itself properly against the additional alleged violations in writing.
 
''First of all'', because processing could also be carried out based on another legal basis than the consent of the data subject for certain purposes (''performing computer tests, monitoring the quality of the service, training of staff, monitoring and reporting, storing surveillance recordings and compiling statistics of encrypted data'').
 
''Second of all'', because transfers could be carried out based on another legal basis than the consent to (1) the companies of the group to which the controller belongs (for monitoring and reporting) and (2) subcontractors in or outside the EU.
 
The Court further held that the controller did not breach the obligation of accountability under [[Article 5 GDPR|Article 5(2) GDPR]], as the controller invoked its legitimate interest ([[Article 6 GDPR|Article 6(1)(f)]]) as the legal basis for these processing activities.
 
Lastly, the Court held that the controller did not violate Article 13 (1) (c) and (d) of the AVG in so far as the controller invoked its legitimate interest (Article 6(1)(f) of the AVG) as a legal basis for the processing of personal data referred to in the first two points;
 
The Court declared that the controller has not violated Article 5 (1) (a) of the AVG in so far as the controller Relies on its legitimate interest (Article 6(1)(f) of the AVG) as a legal basis for the processing of personal data referred to in the first two points and to impose a warning on the controller


The Court annulled the decision because it was based on insufficient grounds and ordered the DPA to pay the costs of proceedings. Furthermore, the Court noted that if an administrative fine would still be at issue, the DPA had to reduce the amoun.
The Court annulled the decision and ordered the DPA to pay the costs of proceedings. Furthermore, the Court noted that if an administrative fine would still be at issue, the DPA had to reduce the amount.


== Comment ==
== Comment ==
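Review bot: the summary text in this hunk carries spelling and grammar slips that reach the rendered page: "by only orally mentioned" in the lead sentence, "insureance", "transparancy" and "demontrate" in the Facts, and "based the information", "te controller", "controllers's" and "2th and 3th" in the DPA's response. Suggest "by only orally mentioning", "insurance", "transparency", "demonstrate", "based on the information", "the controller", "controller's" and "2nd and 3rd". Separately, the Facts cite Article 5(1)(a) and (2) while the infobox fields in the first hunk list Article 5(2) on one side and Article 5(1)(c) on the other; the infobox entry and the Facts should name the same provisions.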

Latest revision as of 15:30, 19 August 2022

Court of Appeal of Brussels - 2020/AR/813
Court: Court of Appeal of Brussels (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 12(1) GDPR
Article 13(1)(b) GDPR
Article 13(1)(c) GDPR
Decided: 18.11.2020
Published:
Parties: Insurance company
Belgian DPA
National Case Number/Name: 2020/AR/813
European Case Law Identifier:
Appeal from: APD/GBA (Belgium)
24/2020
Appeal to:
Original Language(s): Dutch
Original Source: Hof van beroep Brussel (in Dutch)
Initial Contributor: Jette

The Court of Appeal of Brussels held that the Belgian DPA violated the principles of proper administration by only orally mentioning additional violations to the controller at the hearing, and later basing its decision on these additional violations. The Court held that the controller must be able to defend itself properly against the additional alleged violations in writing.

English Summary

Facts

This decision is an appeal of decision 24/2020, where a customer (the data subject) of an insurance company (the controller) claimed that his health data was used by the controller for a purpose to which he did not explicitly agree. The DPA upheld the complaint and stated that there was a lack of transparency in the controller's privacy policy as it did not demonstrate any legitimate interest. Therefore the controller violated Article 5(1)(a) and (2), Article 6(1), Article 12(1), Article 13(1)(b) and (c) GDPR. The DPA imposed a fine of €50.000.

The controller appealed the decision of the DPA at the Court of Appeal of Brussels and raised the following pleas:

  1. The decision was void because of a lack of reasoning regarding the legal basis for
    • the processing of personal data with regard to the purposes set out in Article 4.3 of its Privacy Statement, and
    • the transfers to third parties set out in Article 6 of its Privacy Statement.
  2. It should have been able to rely on its legitimate interests for the processing of personal data for certain purposes and for transfers to third parties.
  3. When it could not rely on its legitimate interests, it should have been able to rely on legal grounds other than the consent.
  4. The decision violates its freedom of enterprise.
  5. The fine was disproportionate.

In response the DPA requested the Court to declare the appeal unfounded, as:

  1. the contested decision was properly reasoned in law and in fact. It was based on the information available, in view of the active duty of responsibility of the controller. The balancing of interests provided by the controller did not change this. (regarding the controller's 1st to 4th plea)
  2. the decision did not unlawfully restrict the controller's ability to stop the violations found. The fact that the GBA, based on the information at its disposal, presumed that it was possible to use consent as a legal basis does not affect the lawfulness of the decision. (regarding the controller's 2nd and 3rd plea)
  3. the fine was not disproportionate in the light of the various violations found. Each of the violations established (including the uncontested ones) could justify the fine. (regarding the controller's 5th plea)

Holding

The Court of Appeal stated the DPA violated the principles of proper administration. The DPA orally mentioned additional violations to the controller at the hearing. The DPA later based its decision on these additional violations. The Court held that the controller must be able to defend itself properly against the additional alleged violations in writing.

The Court annulled the decision and ordered the DPA to pay the costs of proceedings. Furthermore, the Court noted that if an administrative fine would still be at issue, the DPA had to reduce the amount.

Comment


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Brussels Court of Appeal - 2020/AR/813 - p. 2




ON:

X. [...],

requesting party,

represented by [...] and [...]

against the decision of the Disputes Chamber of the GBA of 14 May 2020, number 24/2020

 file DOS-2019-02902.


AGAINST:


The DATA PROTECTION AUTHORITY, public institution under Belgian law, ON 0694.679.950,
with registered office 1000 BRUSSELS, Drukpersstraat 35,
defendant,

represented by mr. ROETS Joos, Mr. CLOOTS Elke and Mr VAN DIEST Thomas, lawyers,

all office in 2018 ANTWERP, Oostenstraat 38/201


                                              ***





    1. Jurisdiction of the Market Court:

The Court of Appeal derives its jurisdiction from an application lodged with the registry of the Court of Appeal in
Brussels on June 12, 2020 by X against the DATA PROTECTION AUTHORITY (hereinafter

"GBA").


With this petition, X appeals to the Market Court against the decision of the
Dispute chamber of the GBA of 14 May 2020 number 24/2020 file DOS-2019-02902.


    2. The claims before the Market Court:

By opinion lodged at the registry on September 9, 2020, X claims

       First to declare the (limited) appeal of X admissible and admissible and
       therefore:








        In main order:

             • annul the Decision for lack of motivation;

        In subordinate order:


    • to rule that X did not infringe Article 6(1) of the GDPR, to the extent that the
        processing of personal data for the following purposes (Article 4.3 of
        X's privacy statement) can be made on the basis of a legal basis provided for in
        Article 6(1) GDPR other than the consent of the data subject (Article 6(1)(a) GDPR):


            ► performing computer tests;
            ► monitoring the quality of the service;
            ► training staff;
            ► monitoring and reporting;
            ► the storage of video surveillance recordings during the legal period; and
            ► compiling statistics on encrypted data, including big data;

    • to consider that X does not infringe Article 6(1) of the GDPR, to the extent that the
        transfers of personal data to the following third parties (Article 6 of the Privacy Statement
        of X) can be made on the basis of a legal basis provided for in Article 6(1) of the GDPR
        other than the consent of the data subject (Article 6(1)(a) GDPR):

        o the companies of the Z group to which X belongs, for monitoring and reporting; and
        o subcontractors in the European Union or beyond, responsible/verifiable for
            processing activities defined by X;



    • to rule that X did not infringe the provisions of Article 5(2) of the GDPR on
        accountability, to the extent that X invokes its legitimate interest (Article 6, paragraph
        1 lit. f) GDPR) as the legal basis for the processing operations of personal data
        referred to in the first two points;


    • to rule that X did not infringe Article 13(1)(c) and (d) GDPR, to the extent that X
        invokes its legitimate interest (Article 6(1)(f) GDPR) as
        legal basis for the processing of personal data referred to in the first two points;


    • to rule that X has not infringed Article 5(1)(a) GDPR, to the extent that X
        invokes its legitimate interest (Article 6(1)(f) GDPR) as
        legal basis for the processing of personal data referred to in the first two points;

        and impose a warning on X.
        In more subordinate order:









             • should an administrative fine still arise, quod non, to reduce the amount
                of the administrative fine.


        In each case:

    • order the GBA to pay the costs of the appeal proceedings, including the
        court fee.

By decision lodged on September 30, 2020, the GBA claims:


        - In main order; declare the applicant's application unfounded;

        In any event, order the applicant to pay the costs of the proceedings, including the
        basic amount of the legal compensation, estimated at 1,440 euros.


    3. The facts:

The various parties provide their own facts.


The Marktenhof hereby only reiterates the factual account of the GBA.

The GBA summarizes as follows:

        1. On June 14, 2019, Mr. V (hereinafter: 'the complainant') lodged a complaint with the
        Data Protection Authority (DPA) against X (document 1).

        The complaint concerns the use of health data that X as
        insurance company has obtained from the complainant in the context of a
        hospitalization insurance - for certain other purposes, without the express
        consent of the insured person. Deck bearing set (piece1):

                "X acquires through coercion the right to process sensitive personal data
               for the granting of his hospitalization insurance. The customer can only access through explicit
               consent to agree to all processing, otherwise no coverage can be provided
               be given for hospitalization insurance.


                This is logical for processing essential for the performance of the obligations.
               However, there are no legitimate interests for the processing operations listed in point 4.3.
               The customer should be given the choice whether to agree to this and will not get it. Even
               online on X one can only agree to everything and the customer only gets 1
               single option.

               Passing on to third parties is also not allowed without permission unless a
               legal obligation exists. This is not the case for many transfers in [point 6],

               the customer has no choice here either. We wish that the customer for this
               matters in point 4.3 and [6] can give individual consent, that X are forms







                and that all customers receive a new form with the
                custom options."

        In other words, the complaint is not aimed at the processing of health data
        for the performance of obligations in the context of the hospitalization insurance that was
        concluded with X. The complaint focuses on the fact that the same health data
        be processed without further ado for the purposes listed in point 4.3. of the

        privacy statement and with the transfer of that data to third parties as stated in point 6
        of the same privacy statement.

        More specifically, the privacy statement of X(document1, appendix) states:

                "2. The following categories of personal data are processed by X:
                identification data, Financial details, Personal characteristics, Physical

                data, Lifestyles, Leisure activities and interests, Image recordings,
                Sound recordings, Health data and Judicial data.

                3. X mainly collects your personal data when:
                • you take out X insurance for yourself or a third person, such as a member
                of your family, by completing the necessary documents;

                • you contact X for information about our products and
                services;
                • you the different services and tools (applications, personal platforms,
                newsletters, etc.) that we make available to inform you or to
                contact us to request information;
                • you exercise a right established as part of our contractual relationship;
                • you visit our websites or social networks;

                • you visit our buildings: for security reasons your visit will be
                video recorded and preserved by CCTV cameras;
                • a third party authorized to do so provides us with your personal data
                (professional service providers, your insurance intermediary, your employer as
                part of a group insurance policy, a healthcare provider, etc.)

                4. Personal data is processed for the following purposes:[...]


                        4.3. Based on the legitimate interest of X, for:
                • performing computer tests; [1]
                • monitoring the quality of the service; [2]
                • training staff; [3]
                • monitoring and reporting; [4]
                • preventing abuse and fraud; [5]
                • the storage of video surveillance recordings during the legal period; [6]
                • compiling statistics on coded data, including big data; [7]










                • providing information, regardless of the means of communication, about the
               commercial actions, products and services of X and of the group to which it
               belongs. [8] [...]

               6. The data will, only to the extent necessary for the above
               purposes, be communicated to the following third parties:

                • Insurance intermediaries for the statistical purposes of coded
               data that they will explain at the request of the person concerned and
               produce; [1]
                • Insurance intermediaries, for health data, in
               compensation statements and in the copy of the insurance contract with
               any exclusions and/or additional premiums, if the person concerned has given them
               explicit and informed consent beforehand; [2]
                • Health insurance funds, for facilitating reimbursements; [3]
                • One or more insurance companies in case of co-insurance,
               assistance and/or recovery of costs in the event of liability of a
               third party at the occurrence of the damage; [4]
                • The companies of the Z group to which X belongs, for monitoring and
               reporting; [5]
                • Subcontractors in the European Union or beyond, responsible/verifiable for
               processing activities defined by X; [6]
                • The insurance ombudsman in the event of a dispute; [7]
                • Banking institutions; [8]
                • Postal, transport and delivery companies to better send our mail; [9]
                • Tax and social administrations, due to legal obligations
               of X; [10]
                • The public supervisory and controlling authorities, because of the
               legal obligations of X; [11]
                • The IPT (Insurance Premium Tax) to which you are, if applicable,
               subject for the payment of the international tax. [12]"

               In addition, X's consent form (document 1, appendix) provides:
               "[...] I declare that I have read the attached X Privacy Statement (which
               is also available on the X website [...] under 'Privacy' section or on paper
               request to X).

               I acknowledge that my personal health data may only be processed

               with my permission. However, if I don't give permission, then it can close
               and/or the proper execution of the insurance contract are prevented. I
               further acknowledge that I have the right to withdraw my consent at any time. The
               withdrawal of consent does not affect the lawfulness of the
               processing based on consent before its withdrawal. [...]

               I hereby give my express permission to X to use my

               process health data (or that of the minor whose data I have






               legal representative), if necessary by means of full
               automated processing, without the intervention of a professional in the
               healthcare, for risk assessment, management of (pre)contractual
               relationships, the issuance and execution of insurance contracts, claims management,

               possible dispute resolution, prevention, detection and investigation of
               insurance fraud, and notification of an amendment to the insurance contract."

        Finally, the complainant indicated that he wanted to receive a data protection impact
       assessment from X, as it involves the processing of high-risk data
       for those involved.


       2. On 26 June 2019, the complaint was declared admissible under Articles 58
       and 60 of the law of December 3, 2017 establishing the
       Data Protection Authority (WOG), the complainant was informed on the basis
       of Article 61 of the WOG and the complaint was forwarded pursuant to Article 62, §1 of the WOG to the
       Dispute Chamber of the GBA.


       3. On July 23, 2019, the Disputes Chamber decided on the basis of art. 95, §1, 1° and art. 98
       WOG that the file was ready for treatment on the merits. On July 24, 2019, the
       involved parties (complainant and X) were therefore notified of the
       provisions as stated in art. 95, §2 WOG as well as those in art. 98 WOG.


       In its notification to X, the Disputes Chamber stated, among other things (document 6):


               "The complaint concerns the processing of sensitive personal data by X
               under a hospitalization insurance, whereby the explicit consent of the
               person concerned would be enforced. A copy of the complaint, as well as the inventory
               of the documents in the file will be sent to you as an attachment."

       The parties involved were also notified, pursuant to art. 99 WOG, of the
       time limits for submitting their defences. The latest date for receipt of the
       statement of reply from X was recorded as September 6, 2019. Subsequently, the
       complainant could submit a statement of reply by 7 October 2019 at the latest and X could
       submit a statement of reply by no later than November 2019. Also, on 30 July 2019
       a copy of the file was sent to X.


       4. On September 6, 2019, the Disputes Chamber received the statement of defense
       on behalf of X. In it, X stated (piece 13):

                       firstly, that the processing of special categories of
               personal data, in this case health data, by health insurer X is
               done lawfully. The processing of these special categories of
               personal data is in principle prohibited (art. 9 GDPR). For the
               processing of health data, however, X invokes the exceptional ground of Article
               9 para. 2 a) GDPR, in particular the ground for exception "explicit consent of the








              person concerned". X further emphasized (piece 13, p. 9): "In this case, the
              consent is only requested for the processing of health data
              necessary for insurance contracts concluded with
              X. The data is necessarily processed for risk analyses,
              claims handling and settlements."

                      X also argued (document 13, p. 10 et seq.) that definitely no
              permission is requested for processing of data other than
              health data, nor is consent sought for the
              processing based on legitimate interest. With regard to point 4.3 of the
              Privacy statement, X emphasized (piece 13, p. 10-11):

                      "In his complaint, the complainant points out that a 'separate consent'
                      would be necessary for the processing operations listed in Art. 4.3 of the
                      Privacy declaration. The complainant argues that X "forces" the person concerned to
                      to consent to the processing in Art. 4.3 and them to the point

                      gives no choice.

                      However, the complainant's assertion is based on a misreading of the
                      Privacy Statement and Consent Form. [...]

                      [X] invokes the legitimate interest to obtain certain
                      be able to process personal data (art. 4.3 Privacy statement). X

                      processes this data to perform tasks related to
                      its business activities For example, it is perfectly normal that
                      X processes personal data to prevent abuse and fraud. [...]

                      The complainant cites that the "customer [should] be given the choice whether to use [Art.
                     4.3 of the Privacy Statement].” However, this view is consistent
                     not with the structure of the Privacy Statement. For the processing that
                     are listed in Art. 4.3 (legitimate interest) is no consent

                     required, since [X] invokes the justified
                     interest. In this case, it concerns "ordinary" personal data,
                     where one can perfectly invoke the legitimate interest and
                     should not fall back on the permission as in the case of
                     health data.

                      [...] Nor does the Consent Form contain any consent for
                      such processing. A clear distinction should therefore be
                      made between the Consent Form on the one hand and the
                      Privacy Statement on the other hand.

                      The scope of the Consent Form is limited to the
                      health data of the data subjects. Although mention is
                      made of the Privacy Statement, this is at most proof of
                      acknowledgement, in order to fulfil the transparency obligations
                      of Chapter III GDPR. [...]



                      Therefore, no reference is made in this Consent Form to
                      other data, such as data processed on the basis of the
                      legitimate interest for the purposes set out in Art. 4.3 of the
                      Privacy Statement.

                      It can be concluded that X in no way asks for consent
                      (and the data subject therefore in no way gives his consent) for the
                      processing operations listed in art. 4.3 of the Privacy Statement. [...]"


               In addition, regarding point 6 of the Privacy Statement, X stated that it did not
       have to request separate consent for each of the transfers listed therein. X
       emphasized, in line with what it stated regarding point 4.3 of the Privacy Statement
       (piece 13, p. 12-13):

               "To be able to pass on (read: to process) personal data, a legal
               basis is needed. As discussed earlier, X does not only process personal data
               by relying on consent as a legal basis. She also
               relies, as the case may be, on the performance of the agreement, the
               legitimate interest and the legal obligation. [...]

               For each of the persons mentioned in Art. 6 of the Privacy Statement, an overview
               is set out below of the legal basis on which the transfer takes place."


       In the aforementioned overview, X stated, inter alia, with regard to the following two categories
       of transfer:

               "The companies of the Z group to which X belongs, for monitoring and
               reporting. Legitimate interest

               Subcontractors in the European Union or beyond, responsible for
               processing activities defined by X. Legitimate interest."

               X continued: "It is clear from this that the different purposes stated in Art. 4
               of the Privacy Statement, in particular the execution of the agreement, the
               consent, the legitimate interest and the legal obligation, serve as
               legal basis for the transfer to specific persons."

               Finally, X argued that a data protection impact assessment was not
       necessary in the present case, as it concerned pre-existing processing
       operations and not new processing operations that started after May 25, 2018.


       5. The complainant, for its part, did not submit a reply. X reported on 7
       November 2019 that it would therefore not submit an (additional) statement of reply.
       However, in addition to its justification with regard to point 4.3 and point 9 of its
       Privacy Statement, it submitted an overview of case law and legal doctrine to the Disputes Chamber,
       in support of its first conclusion of 6 September 2019 (document 17, with 8 appendices).






       6. The Disputes Chamber subsequently organized a hearing on 28 January 2020,
       where X was heard. The complainant, although duly summoned, did not appear at the
       hearing.

        During the hearing, the Disputes Chamber requested X (among other things)
       to provide justification for the legitimate interest on which X relies
       for the processing of data other than health data, to which X replied
       as follows (piece 23, p. 2):

               "The Disputes Chamber asks what constitutes the legitimate interest that X
               invokes and on which the processing of non-health data would be
               based. X argues that it is important to expand its economic activity. X
               states that the complainant can object to this (opt-out system). The
               Disputes Chamber asks how the exercise of this objection is facilitated. X
               states that usually collective objections are submitted, mainly/primarily for direct
               marketing purposes, through [...], but less individually. The DPO of X answers
               such requests that data, other than health data, should not be
               processed.

               The Disputes Chamber states that it follows from the privacy statement (point 4.3.8) that for
               direct marketing no consent is required. X states that she adheres to all
               legal provisions on direct marketing, but that direct marketing is almost
               non-existent with X. It is only as a precaution (for
               possible direct marketing in the future) that this purpose is included in the
               privacy statement."

       7. On January 29, 2020, the minutes of the hearing were sent to the parties
       (pieces 24 and 25). On January 31, 2020, X, as requested during the
       hearing, provided information on the annual turnover of the last three financial years to the
       Disputes Chamber. Over the years 2016-2018, this annual turnover always amounted to an amount between
       [...] and [...] million euros (documents 26 and 27). On February 6, 2020, X also made some
       comments on the minutes to the Disputes Chamber (document 28), which were taken into
       consideration by the Disputes Chamber during the deliberations (document 38, p. 4).
       With regard to the representation, in the minutes, of the general question of the legitimate
       interest that X invokes to process data other than health data (as well as the
       brief answer from X), X did not formulate any reservations or objections. X only
       made the following comment about direct marketing (piece 28, p. 2):

               "With regard to the last paragraph on page 2, we point out that the complaint in
               this file does not relate to the direct marketing policy of X. The
               processing of personal data for the purpose of direct marketing was only
               raised as an example of how the exercise of an objection to the
               processing of personal data based on the legitimate interests of
               X is facilitated.

               However, during the hearing we emphasized that the GDPR (more specifically
               recital 47) confirms that direct marketing can be carried out on the basis of
               its legitimate interest: "The processing of personal data for the benefit of




               direct marketing can be regarded as carried out with a view to
               a legitimate interest."

               Consent (opt-in) is required for certain forms of direct marketing; in
               other cases, however, personal data may be processed for direct
               marketing purposes based on X's legitimate interests. This is,
               for example, the case when X sends direct marketing to existing customers,
               provided the conditions of the Royal Decree of April 4, 2003
               regulating the sending of advertising by electronic mail have been complied with."

        8. On 25 March 2020, the Disputes Chamber, with due observance of the judgment of 19
        February 2020 of your Court, informed X of the intention to proceed with
        the imposition of an administrative fine, and of the contemplated amount thereof,
        in order to hear X about this before the sanction would actually be imposed (document 30).
        In addition to an announcement of the infringements that the Disputes Chamber intended to
        establish, the Disputes Chamber also reported (document 30):


                "2. The Disputes Chamber intends to impose a fine of:
                       50,000 euros
               3. The following circumstances in particular play a role:
               • It concerns violations of essential principles of the General
               Data Protection Regulation.
               • Defendant is a company that processes personal data, including
               health data, on a large scale.
               • A high degree of negligence has been established.
               • The complaint and procedure at the Disputes Chamber did not lead to an
               adaptation of practices.
               4. The level of this amount is based on the following considerations:
               • Seriousness of the infringement:
               There is a serious violation of the GDPR by the defendant. First and foremost
               there is a breach of fundamental data protection principles.
               In addition, this infringement has a relatively large impact, as a large
               number of data subjects have been affected by this infringement (all insured persons who
               have taken out hospitalization insurance with X).
               • The duration of the infringement:
               What the defendant has put forward in the proceedings before the
               Disputes Chamber does not show that the infringement has ended, and it has therefore continued until
               January 25, 2020. The Disputes Chamber does not take into account any adjustments
               made after the debates on the findings have been concluded.
               • The necessary deterrent effect to prevent further infringements.
               The whole of the elements set out above justifies an
               effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR,
               taking into account the assessment criteria specified therein.
               • The Disputes Chamber relies on the following annual figures of
               defendant:
               The documents you have submitted are based on an annual turnover of EUR [...] for 2018."





        9. On May 8, 2020, the Disputes Chamber received X's response to the intention to
        impose an administrative fine, as well as regarding the intended amount
        thereof (piece 37). In its response, X argued that the alleged infringements, as
        included in the notification of the intention to impose an administrative
        fine, were completely new and that X had been unable to take a position on
        them. X also stated that it disagreed with the imposition of a fine, as well as
        with the intended amount of the fine (document 37).

        10. Subsequently, the Disputes Chamber took the contested decision No 24/2020 on 14 May
        2020, which is currently being challenged before your Court (document 38).

        In this decision, the Disputes Chamber established the following infringements of the GDPR (document 38,
        p. 14):

        • "Breach of art. 6.1 GDPR:
               o the data processing for the purposes stated in parts 1, 2, 3,
               4, 6 and 7 of point 4.3 of the privacy statement, without any demonstrated
               legitimate interest, is wrongly not based on the consent of the
               complainant in the absence of any other possibly applicable legal ground in art. 6.1 GDPR.
               o the data processing for transfers to third parties mentioned in parts
               5 and 6 included under 6. of the privacy statement, without any demonstrated
               legitimate interest, is wrongly not based on the consent of the
               complainant in the absence of any other possibly applicable legal basis in art. 6.1
               GDPR.
        • Infringement of the accountability obligation enshrined in article 5.2 GDPR,
               to the extent that the defendant invokes its legitimate interest as a legal basis
               for the data processing specified above.
        • Infringement of art. 12.1, art. 13.1, c) and d) GDPR, as well as of Art. 13.2 b) GDPR,
               to the extent that the defendant has not provided the required information to the complainant and
               has failed to take the appropriate measures to ensure that the complainant
               receives the information referred to in Article 13 and the communication referred to in
               art. 21.2 GDPR in connection with the processing, in particular:
               o points 4.3 and 6 of the privacy statement do not make a clear distinction
               between the processing of health data on the one hand, and the processing
               of the other 'ordinary' data on the other.
               o no information is provided to the data subject regarding his
               legitimate interests.
               o no appropriate measures have been taken to inform the data subject
               regarding, among other things, the right to object guaranteed in art. 21.2 GDPR.
               o the processing basis is not mentioned in the privacy statement for all
               transfers.

        • Infringement of the basic principle enshrined in art. 5.1.a) that personal data must
       be processed in a manner that is lawful, fair and
       transparent."




        The (most) relevant parts/grounds of the decision in this case are set out below.


        With regard to point 4.3 of X's privacy statement, the Disputes Chamber considered
        (among others) (document 38, p. 6 ff.):

                "a) Purposes in 4.3 of the privacy statement - Processing ground (art. 6.1 GDPR)

               The Disputes Chamber establishes that the problem presented by the complainant relates
               to point 4.3 of the defendant's privacy statement, which states that
               personal data is processed on the basis of the legitimate interest of
               X, for the following purposes:
               • performing computer tests;[1]
               • monitoring the quality of services;[2]
               • training staff;[3]
               • monitoring and reporting;[4]
               • preventing abuse and fraud;[5]
               • the storage of video surveillance recordings during the legal
               period;[6]
               • compiling statistics on coded data, including big data;[7]
               • providing information, regardless of the means of communication, about the
               commercial actions, products and services of X and of the group to which it
               belongs.[8]

               [...] The defendant argues in this regard that for the processing operations listed in
               4.3 of the privacy statement no consent is required, as the defendant,
               for the purposes stated therein, in accordance with Article 6.1.f) GDPR, invokes
               the legitimate interest as the legal basis for the processing. The defendant argues
               that he can rely on that legal basis, since only 'ordinary'
               personal data are processed for those purposes and no consent from the
               data subject is required as in the case of health data as referred to in
               article 9 GDPR.


               The defendant argues that for the purposes set out in point 4.3 of the
               privacy statement, personal data are indeed processed, but no
               health data.

               The Disputes Chamber has established that for the processing of personal data, other
               than health data, the lawfulness of the processing should be
               assessed in the light of art. 6.1 GDPR, which contains six secondary processing grounds,
               including the legitimate interest (art. 6.1.f) GDPR) on which the defendant
               relies in this case.

               The Disputes Chamber emphasizes, however, that when a
               controller relies on a legitimate interest to regard the
               processing as lawful, three cumulative conditions [..] must be met,
               in accordance with the case law of the European Court of Justice,
               in order for the processing of personal data to be lawful, namely, in the first




               place, the pursuit of a legitimate interest by the
               controller or by the third party(ies) to whom the data is provided;
               secondly, the necessity of the processing of the personal data for
               the pursuit of the legitimate interest; and, thirdly, the fact that the
               fundamental rights and freedoms of the data subject
               do not prevail.

               This requires a balancing of the interests or fundamental rights and
               fundamental freedoms of the data subject (Art. 6.1.f) GDPR), and in this balancing
               the recitals of the GDPR related to Art. 6.1.f) GDPR must
               [...] be taken into account, in particular Recital 47.

               Thus, the Disputes Chamber is of the opinion that for each of the purposes stated in
               point 4.3 of the privacy statement, it should be checked to what extent
               the defendant can invoke the legitimate interest as a legal ground on which
               processing is based. Recital 47 of the GDPR focuses on the fact that a
               careful assessment is required to determine whether there is a
               legitimate interest, as well as to determine whether a data subject at the time and in
               the context of the collection of the personal data may reasonably
               expect that processing for that purpose can take place.

               On the basis of the elements available to it, the Disputes Chamber is of the opinion
               that the defendant can base the data processing on the legitimate
               interest for the purpose of "preventing abuse and fraud" as stated in
               part 5 of point 4.3 of the privacy statement. After all, it is certain that the
               processing of personal data for this purpose is necessary for the
               pursuit of the legitimate interest of the defendant and that this interest
               outweighs the complainant's interest in protecting his/her
               personal data. In this regard, the Disputes Chamber refers to recital 47
               of the GDPR, which states that the processing of personal data that is strictly
               necessary for fraud prevention is a legitimate interest of the
               controller.


               The Disputes Chamber adds that, notwithstanding the claim of the
               defendant that no health data is processed for the purposes in
               4.3 of the privacy statement, including the purpose of "preventing abuse
               and fraud", it is nevertheless clear from the consent form that
               explicit consent is requested to process health data
               for, among other things, "prevention, detection and investigation of insurance fraud." The
               Disputes Chamber establishes here that there is an incoherence between what the defendant
               declares in his conclusion and what the consent form states, and will come
               back to this in the assessment of the transparency obligation that rests on the defendant.


               The purpose stated in part 8 of point 4.3 of the privacy statement, "the
               provision of information, regardless of the means of communication, about the
               commercial actions, products and services of X and of the group to which it
               belongs", which should be qualified as direct marketing, is also possible



               on the basis of the legitimate interest, but must be read in conjunction with Art.
               21.2 GDPR, which provides that the data subject has the right at any time
               to object to the processing of personal data concerning him for
               direct marketing, including profiling related to direct
               marketing. The Disputes Chamber will also return to this when assessing the
               transparency obligation on the part of the defendant.


               For the other purposes included in art. 4.3 of the privacy statement, the
               Disputes Chamber is of the opinion that there is no legitimate interest
               on the part of the defendant that would outweigh the interests and
               fundamental rights of the complainant to the protection of his personal data.

               According to the Disputes Chamber, the statement in Recital 47 that a
               legitimate interest may be present
               when there is a relevant and appropriate relationship between the data subject
               and the controller, in situations where the data subject is a customer,
               does not mean that, in the context of that relationship in which
               the complainant acts as a customer of the defendant, data processing would be possible
               for any purpose whatsoever. The defendant does not demonstrate in any way
               what his legitimate interest would consist of and also fails to demonstrate
               to what extent his interest would outweigh the interests and fundamental rights
               of the complainant, although he is obliged to do so by virtue of his
               accountability (art. 5.2 GDPR).

               The Disputes Chamber is therefore of the opinion that the infringement of art. 6.1 GDPR is
               proven, since the data processing for the purposes stated in
               parts 1, 2, 3, 4, 6 and 7 of point 4.3 of the privacy statement, without any
               demonstrated legitimate interest, must be based on the consent of
               the complainant in the absence of any other possibly applicable legal ground in art. 6.1
               GDPR. The diversity of purposes listed in 4.3 of the privacy statement
               brings the Disputes Chamber to the decision that for each of those purposes separately
               the possibility should be given to the complainant, and by extension to all
               data subjects who use the service offered by the defendant,
               to consent or not to the processing of his personal data. The
               Disputes Chamber refers in this regard to the Guidelines on consent
               in accordance with Regulation 2016/679, which provide: a service
               may include multiple processing activities for multiple purposes. In
               such cases, data subjects should be able to choose freely which purpose they
               accept, instead of having to grant consent for a bundle of
               processing purposes. In a particular case, according to the GDPR, it may
               be justified to have to obtain multiple consents before the
               provision of a service is commenced."

       With regard to point 6 of X's privacy statement, the Disputes Chamber also considered
       (among others) (document 38, p. 12 ff):

               "In addition to 4.3 of the privacy statement, the complainant also states that point 6
               of the privacy statement, which relates to the transfer of personal data




               to third parties, poses a problem because here, too, he is not given the choice
               to decide whether or not to agree to the transfer of his personal data to
               third parties. The complainant states that transfers to third parties are not
               permitted without consent, unless there is a legal obligation to do so.

               The defendant argues that it does not rely solely on consent as
               legal basis for the transfer of personal data to third parties, but
               also, depending on the case, relies on the performance of the
               agreement, the legitimate interest and the legal obligation, and specifies
               for each of the categories of third parties mentioned in 6. of the privacy statement
               on which legal basis the transfer is based.

               [...] The Disputes Chamber notes, however, that for both the transfer to "The
               companies of the Z group to which X belongs, for monitoring and
               reporting", and the transfer to "Subcontractors in the European Union or
               beyond, responsible for processing activities defined by X", the
               defendant relies on his legitimate interest as the legal basis for the
               processing.

               However, the defendant does not demonstrate in any way what his legitimate
               interest would consist of and also fails to demonstrate to what extent his interest would
               outweigh the interests and fundamental rights of the complainant, even though he is
               obliged to do so on the basis of his accountability obligation (Art. 5.2 and 24 GDPR). The
               Disputes Chamber also refers to the requirements for the use of the
               processing basis of legitimate interest arising from the previously
               cited case law of the European Court of Justice.

               The Disputes Chamber is therefore of the opinion that also with regard to the transfer
               of personal data to third parties the infringement of art. 6.1 GDPR is proven,
               as the data processing for the transfers to third parties mentioned in
               parts 5 and 6 included under 6. of the privacy statement, without
               any demonstrated legitimate interest, should be based on the
               consent of the complainant in the absence of any other possibly applicable
               legal basis in art. 6.1 GDPR."

       With regard to the requirement of transparent information (art. 5.1.a), art. 12.1 and art. 13.1 and 13.2
       GDPR), the Disputes Chamber observed (among other things) with regard to point 4.3 and point 6 of the
       privacy statement:

               With regard to point 4.3 of the privacy statement (document 38, p. 9):

               Under the GDPR, the controller is obliged to inform the data subject in
               a concise, transparent, comprehensible and easily accessible form and in
               clear and plain language (art. 5.1.a), art. 12.1 and art. 13.1 GDPR).

               The Disputes Chamber notes that, with regard to 4.3 and 6 of the
               privacy statement, the defendant falls short of that obligation.





               First, the defendant fails to make a clear distinction between the
               processing of health data on the one hand, and the processing of the other
               'ordinary' personal data on the other hand, and this for each of the purposes of
               4.3 of the privacy statement, as well as for each of the transfers of 6 of the
               privacy statement. Such a distinction is, however, of fundamental importance to
               determine the legal basis on which the processing can be based for a
               specific purpose or transfer to a third party (art. 13.1.c) GDPR).

               [...] In addition, the privacy statement only states that for the purposes mentioned
               in 4.3 personal data are processed on the basis of the legitimate
               interest of the defendant, without indicating what that legitimate interest
               would exactly consist of, while art. 13.1.d) GDPR does require that the
               controller provide the data subject with information
               about its legitimate interests, if the processing is based on Article
               6, paragraph 1, point f).

               The Disputes Chamber also refers to the Guidelines on Transparency
               in accordance with Regulation (EU) 2016/679, emphasizing that the specific
               interest in question must be identified for the benefit of the data subject. [...]"


               With regard to point 6. of the privacy statement (document 38, p. 11):

               "Also with regard to point 6. of the privacy statement, the defendant states in his
               argumentation from which his legitimate interest, on which he relies,
               would exist to process the complainant's personal data for the purpose of
               transfer to "the companies of the Z group to which X belongs, for
               monitoring and reporting", and "Subcontractors in the European Union or

               beyond, responsible for processing activities defined by X".
               However, art. 13.1.d) GDPR provides that the controller
               must provide the data subject with information regarding his legitimate
               interests, if the processing is based on Article 6(1)(f). The
               Disputes Chamber refers again to the Guidelines on Transparency
               in accordance with Regulation (EU) 2016/679 and to the above."

       Finally, with regard to the sanctions imposed (including the imposed administrative fine of
       50,000 euros), the Disputes Chamber considered (among other things) (document 38, p. 13 et seq.):


               "[...] The Disputes Chamber establishes that an infringement of art. 5.1.a), art. 5.2, art. 6.1, art.
               12.1, art. 13.1.c) and d) and 13.2.b) GDPR has been proven and that it is appropriate to recommend that the
               processing is brought into line with these articles of the GDPR (Art.
               58.2.d) GDPR and Art. 100, §1, 9 WOG), as well as, in addition to this corrective measure,
               to impose an administrative fine (art. 83.2 GDPR; art. 100, §1, 13 WOG and
               art. 101 WOG).

               [...] Taking into account Article 83 GDPR and the case law of the Market Court,
               the Disputes Chamber motivates the imposition of an administrative sanction in
               concrete terms:



                        The gravity of the infringement: the foregoing reasoning shows the seriousness of the
                infringement.

                        The duration of the infringement: what the defendant has put forward in
                the proceedings before the Disputes Chamber does not show that the infringement has ended; it
               has therefore lasted until January 25, 2020. In addition, the Disputes Chamber does not
               take into account adjustments made after the debates on the findings have been
               closed.


                        The necessary deterrent effect to prevent further infringements.
                With regard to the nature and seriousness of the infringement (Art. 83.2 a) GDPR), the
                Disputes Chamber emphasizes that compliance with the principles stipulated in art. 5 GDPR - in
               the present case, in particular the principle of transparency and legality, as well as
               accountability - is essential, because these are the fundamental principles of
               data protection. The Disputes Chamber considers the infringements by the
               defendant of the principle of legality as specified in art. 6 GDPR and of
               the principle of transparency laid down in concrete terms in Articles 12 and 13 GDPR
               to be a serious violation.


               While no data subjects' health data is processed without
               the express consent required for that purpose and the defendant invokes
               another processing ground with regard to the data not covered by a
               special protection regime in the GDPR, the Disputes Chamber is of the opinion that the
               relatively large impact of the identified infringements, affecting all insured persons
               who have joined X through hospitalization insurance,
               must be taken into account when determining the administrative
               fine.


               The whole of the elements set out above justifies an
               effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR,
               taking into account the assessment criteria laid down therein. The Disputes Chamber
               points out that the other criteria of art. 83.2 GDPR are in this case not of such a nature that
               they lead to an administrative fine other than that imposed by the
               Disputes Chamber under this decision."


    4. The legal framework of the jurisdiction of the Market Court:

The matter is governed by the Belgian Law of December 3, 2017 establishing the
Data Protection Authority (hereinafter WOG).

With regard to the commencement and admissibility of a complaint or request, Articles
58 et seq. provide as follows.

        Art. 58


        Anyone can submit a complaint or request in writing, dated and signed to the
        Data Protection Authority.
        The Data Protection Authority will draw up a form for this purpose.





        k) any other aggravating or mitigating factor applicable to the circumstances of the case,
        such as financial gains made or losses avoided, which may or may not be directly
        arising out of the infringement."


    Recital 47 reads as follows:

        "The legitimate interests of a controller, including those of
        a controller to whom the personal data may be disclosed, or
        of a third party, may provide a legal basis for processing, provided that the interests or
        fundamental rights and fundamental freedoms of the data subject do not outweigh them,
        taking into account the reasonable expectations of the data subject based on his
        relationship with the controller. Such a legitimate interest may
        be present, for example, when there is a relevant and appropriate relationship
        between the data subject and the controller, in situations where the data subject
        is a customer or is employed by the controller. In any case, a
        careful assessment is required to determine whether there is a legitimate interest,
        as well as to determine whether a data subject at the time and in the context of the collection
        of the personal data can reasonably expect that processing for that purpose
        may take place. In particular, the interests and fundamental rights of the data subject may
        outweigh the interests of the controller when
        personal data is processed in circumstances in which the data subjects reasonably
        do not expect further processing. Since it is up to the legislator to provide by law the
        legal basis for personal data processing by public authorities, that
        legal basis should not apply to the processing by public authorities in the context
        of the performance of their duties. The processing of personal data that is strictly necessary
        for fraud prevention is also a legitimate interest of the
        controller in question. The processing of personal data for the purpose
        of direct marketing can be regarded as carried out with a view to a
        legitimate interest."


    5. The invoked pleas.

5.1.

X raises the following pleas:


        First plea - In principal order - The Decision is null and void, as it is poorly motivated as
        regards the legal basis for the processing of personal data for purposes ex article
        4.3 of X's Privacy Statement, as well as regarding the legal basis for the transfers
        to third parties ex Article 6 of X's Privacy Statement.

        Second plea - In subordinate order - X should be able to rely on her
        legitimate interests in the processing of personal data for certain
        purposes and transfers to third parties.

        Third plea - In subordinate order - X should have the option, if she
        could not rely on its legitimate interests, to rely on
        legal grounds other than the consent of the data subject.






        Fourth plea - In minor order - The Decision constitutes an infringement of X's freedom of
        enterprise.

        Fifth plea - In minor order - The administrative fine of EUR 50,000 is
        disproportionate.


5.2.

The GBA puts forward:

        3.1. First ground of defence: In the main proceedings - The appeal is unfounded, as the
        contested decision of the Disputes Chamber is properly substantiated in fact and in law -
        The Disputes Chamber has, based on the active accountability that rests on the
        controller, appropriately based its assessment on the
        available data - The considerations of interests currently provided by X (post factum) are
        not of a nature to jeopardize the regularity of the contested decision
        (defence against the applicant's first to fourth complaints)


        3.2. Second ground of defence: In the main proceedings - The appeal is unfounded, as the
        contested decision does not unlawfully restrict X's ability
        to terminate established violations and to comply with the provisions of the
        GDPR - The fact that the GBA, in view of the available data, expresses a possible
        adjustment on the basis of art. 6.1.a) GDPR is not intended to affect the regularity of the
        contested decision (defence against the second and third complaints of the
        applicant)

        3.3. Third ground of defence: In the main order - The administrative fine imposed by the
        Disputes Chamber is properly justified in fact and in law - The
        fine is by no means disproportionate in light of the various
        infringements - Any of the established infringements (including the uncontested infringements) may
        justify the fine (defence against the applicant's fifth ground of appeal)

    6. Assessment - the reasons for the decision as to the legal basis for the
           processing of personal data for purposes pursuant to Article 4.3 of
           X's privacy statement, as well as regarding the legal basis for the transfers to
           third parties ex Article 6 of the Privacy Statement of X.

                   (X's first plea and the GBA's first ground of defence)
6.1.


X argues, among other things, the following:

       "However, on the basis of the first conclusion on appeal from the GBA, X now learns that she is
       convicted because the GBA believes that X should have proactively demonstrated what her
       legitimate interests consist of, this on the basis of a so-called 'active'
       accountability, in accordance with Article 5(2) of the GDPR.






        47. By stating that X should have proactively provided the necessary information
       in the course of the proceedings, and by using the term 'active'
       accountability, the DPA masks the fact that it had not requested the information and
       that it consequently failed to provide sufficient reasons for the Decision. As mentioned before,
       the complaint mainly related to the processing of medical data and the
       related consent.

        48. Article 5, paragraph 2 GDPR does indeed imply an accountability, which means that the
       controller must be able to demonstrate compliance with the principles of processing
       personal data (Article 5(1) of the GDPR). One of these principles is
       the principle of lawfulness (Article 5, paragraph 1, point a) GDPR), which provides that
       personal data must be processed in a manner that is lawful with regard to the data subject,
       which means, among other things, that it is based on a legal basis (such as
       included in Article 6 GDPR).

        49. This duty of accountability implies that controllers must always
       be technically and organizationally capable of demonstrating compliance with the
       GDPR. On the other hand, it does not imply that controllers must always
       assess whether and when they should be held accountable. The GBA
       interprets this accountability in a way that suits its
       justification of its inadequately motivated decision and gives this duty a role
       in the context of the taking of evidence in legal proceedings that it does not have.


        50. It is therefore incomprehensible that the GBA is of the opinion that X, in the context of the procedure
       before the Disputes Chamber, would have had sufficient opportunity to demonstrate
       what its legitimate interests consist of. That would have been the case, among other things,
       at the session of January 28, 2020, in the context of which the GBA asked X what the
       legitimate interests of X consist of on which it relies for the processing of
       information other than medical information.

        51. X replied that that interest consists in pursuing its economic
       activities, which is also true. It is impossible to give verbally
       a comprehensive answer to a question that requires a bulky and nuanced answer,
       as is demonstrated by the extent of the weighing of interests that X has put forward in the
       context of this procedure (see Papers 10, 11A, 11B, 11C, 12, 13, and 14).

       Nor did the GBA inquire into the weighing of interests during this session or allude to
       the fact that it was advisable to add it anyway.

       52. It is therefore not correct for the GBA to allude that X should simply have
       formulated reservations or objections to the official report of the session of 28 January
       2020 in order to demonstrate its legitimate interests. The main arguments were
       about the consent and the case was after all taken into consideration after the hearing, which
       is also expressly confirmed by the record of the hearing: "The defendant was
       heard and has had the opportunity to present his arguments.
       The case is then taken into consideration and today the Disputes Chamber proceeds to
       making her decision." (own emphasis).







       53. It cannot be denied that the GBA also has a responsibility
       to safeguard the rights of defense and due process, inter alia guaranteed in Article
       6 of the European Convention on Human Rights.


       54. All this means that at the time the GBA made the Decision,
       there had been no debate about the existence of legitimate interests on the part of X and it
       had only X's Privacy Statement on which to base a judgment about this. However, a
       privacy statement alone is not sufficient to verify whether a particular processing is
       based on a legal basis. Moreover, as your Court has already
       held, the motives invoked by the GBA can only support a decision
       if they appear from the documents in the file which the GBA was able to take into
       consideration.

       55. More specifically, a privacy statement identifying which legal basis
       applies to which processing purpose is only a reflection of the analysis that must
       have been carried out to determine whether the concrete processing undertaken in practice by the
       controller actually complies with all
       relevant legal requirements for the application of that legal basis. In this case, the
       balancing of interests drawn up by X demonstrated that the processing operations in question
       may indeed be based on its legitimate interests.

       56. The foregoing partly explains why the statement of reasons for the Decision is flawed as
       regards the legal basis for the processing of personal data for purposes ex article
       4.3 of X's Privacy Statement, as well as regarding the legal basis for the transfers
       to third parties pursuant to article 6 of X's Privacy Statement.

       57. However, there are other cases in which it was established that decisions of the
       GBA are lacking motivation. Both in the judgment of your Court of 23 October 2019 and in that
       of February 19, 2020, decisions of the GBA were quashed because of
       flaws in the statement of reasons. In yet another judgment, that of 9 October 2019, your Court held,
       prima facie, that the contested decision - "without any contradictory debate"
       having been conducted - does not seem to comply with the aforementioned law of July 29, 1991, but the
       Marktenhof is not authorized to sanction ex officio this decision, the validity of which and
       conformity with the general principles of good administration is not
       disputed".

       58. However, Articles 2 and 3 of the Law of 29 July 1991 on the
       explicit motivation of administrative acts oblige the administrative authority (in this case
       the GBA) to include in the act (in this case the Decision) the legal and factual considerations
       that underlie the Decision, and to do so in an 'adequate' way.


       59. The adequacy of the statement of reasons means that it must be pertinent,
       that is, it must clearly be related to the Decision, and that it
       must be sound, i.e. the reasons cited must suffice to
       support the Decision.








        60. The main raison d'être of the obligation to state reasons, as imposed by
        the aforementioned law of 29 July 1991, consists in the fact that the person concerned must be
        able to find in the Decision itself the motives on the basis of which it was taken,
        so that the person concerned can determine in full knowledge of the facts whether it is appropriate to
        challenge the Decision.

        61. The substantive obligation to state reasons means that every administrative legal act must
        rely on motives whose actual existence has been duly argued and which can in law
        account for that act.


        62. Next, X will show on which points the reasoning of the Decision is not
        sufficient, which means that the Decision must be quashed. Given that the
        GBA has imposed an administrative sanction for all alleged infringements together and
        not a separate sanction for each infringement, the (defective) motivation
        regarding the processing of personal data for the purposes of article 4.3 of
        X's privacy statement, as well as regarding the legal basis for transfers to third
        parties pursuant to Article 6 of X's Privacy Statement, is not severable from the rest of the
        Decision. As a result, the Decision must be annulled in its entirety."

6.2.


In the complaint², as it was brought to the attention of X (document 1 file GBA), Mr
V is concerned that X proceeds through compulsion to process sensitive
personal data for the provision of its hospitalization insurance. If the customer does not
give explicit permission for all processing, he will not be covered by the
hospitalization insurance. The complainant does not consider this a problem for the hospitalization insurance itself
but for the processing listed in point 4.3 of the privacy statement.

That point states that X processes data:

        "Based on X's legitimate interest, for:

                • performing computer tests;
                • monitoring the quality of the service;
                • training staff;
                • monitoring and reporting;
                • preventing abuse and fraud;
                • the storage of video surveillance recordings during the legal period;

                • compiling statistics of coded data, including big data;
                • providing information, regardless of the means of communication, about the
                commercial actions, products and services of X and of the group to which it
                belongs."


2 This is not a person who lodges a complaint in his capacity as a citizen, but in his
capacity of data protection officer of the association [...]. By mail
of 9 September 2019 (document 14 file GBA), Mr V complains, incidentally,
that with regard to the proceedings before the Disputes Chamber he was written to by X as a
private person, whereas his complaint emanates from his company.






By registered letter dated 24 July 2019 (document 6 GBA), the Disputes Chamber of the GBA notifies X
of the complaint, which is ready for substantive treatment.

The complaint itself is expressed in the electronically completed form (document 3, same file), in which
the complainant states:

        "X has been using this for a long time, more than a year after the entry into force of the Framework Protection Act
        of personal data from July 30, 2018, they still have not applied any adjustment for
        this. Attached you will find the form for the customers as proof. As a citizen you do not have
        a choice and they process this from a lot of customers, by definition this is a high
        risk, moreover I want to request the DPIA (GBEB) privacy analysis which is an obligation
        for processing high-risk data for citizens".

In the course of preparing the case for hearing, X filed a detailed conclusion in which it
defends itself with regard to the issue of explicit consent (document 13
GBA).

The contested decision (document 39 GBA) is entitled "lack of transparency in the
privacy statement of an insurance company".

The GBA does not dispute that the question of legitimate interest was only raised orally at the
hearing, where the complainant was not present.

The GBA concludes: "With regard to the representation, in the PV, of the general question regarding the
legitimate interest that X relies on to process data other than health data
(as well as X's brief answer), X did not formulate any reservations or objections."


The GBA adds: "On March 25, 2020, the Disputes Chamber, with due observance of the judgment
of 19 February 2020 of your Court, notified X of the intention to proceed with
the imposition of an administrative fine, and communicated the contemplated amount thereof, in order to
hear X about this before the sanction was actually imposed (document 30)."

6.3.

In accordance with the WOG, the Disputes Chamber of the GBA is seized in one of the following
ways (Article 92):

        1° by the frontline service, in accordance with Article 62, §1, for the treatment of a
        complaint;
        2° by a concerned party lodging an appeal pursuant to Articles 71 and 90
        against measures taken by the inspection service;
        3° by the inspection service after it has concluded an investigation in accordance with Article
        91 §2.





3 Marktenhof, 19 February 2020, roll no. 2020/1471.





6.4.

The official report of the hearing of 28 January 2020 (document 25 GBA) shows that the members of the
Disputes Chamber orally asked the question "what constitutes the legitimate interest
which X invokes and on which the processing of non-health data would be
based".

The official report then mentions X's oral answer, after which the decision
of the Disputes Chamber followed that there was no reason to reopen the debates (see
above).

6.5.

The GBA has opted to provide an exceptionally low-threshold system for
submitting a complaint, in particular filling out an online form. This method involves a
danger, namely that the complaint is (often) not formulated in a legally sound manner
but rather in the terms of the complainant, who often limits himself to putting "in the picture" or
citing an alleged fact.

If the Disputes Chamber of the GBA then decides that the complaint can be handled, but
does not adjust the formulation of the complaint and does not articulate the stated facts in terms of the
possible infringements of the privacy legislation sensu lato with indication of the relevant
articles of law, it can leave the data subject in the dark about the actual legal scope
and possible consequences of the complaint.


The Marktenhof is of the opinion that the person with regard to whom a complaint is being handled (which
may give rise to a sanction, including an administrative fine) must have knowledge, in a clear,
unambiguous and transparent manner, of the actual allegation both in
fact and in law, so that he/she can defend himself/herself in a correct manner.

The mention of the infringements (read: the articles of the privacy legislation sensu lato) is
primordial.

The sanctions that the legislator has allowed the Disputes Chamber of the GBA to impose require that
the defendant clearly knows what he has to defend against.

The complainant certainly cannot be blamed for limiting himself in his complaint to
mentioning alleged facts that he believes are in conflict with privacy legislation,
but it cannot be the case that the person concerned who has to defend himself is left more in the
dark, legally, than a person who has to answer for any criminal or administrative
infringement sensu lato.

6.6.


The Disputes Chamber of the GBA is - after it judges that the file is ready for handling
on the merits - of course allowed to consider the possible infringements of privacy legislation sensu lato
(much) more broadly than the infringement(s) for which the initial complainant had turned to the GBA.






It must be deduced from reading these articles together that the legislator, in the administrative
procedure for handling complaints, wanted to introduce a kind of procedure that
has a form of comparability with legal proceedings (as regulated in the Judicial Code (Ger. W.)).

The decisions of the Disputes Chamber of the GBA are purely administrative decisions, whose
legal force cannot be equated with that of judicial decisions, but which should nevertheless,
to the extent that this is reasonably possible, try to approach the form of a judicial decision as
much as possible. To this end, it is also required that the rules of procedure which apply to ensure that a
valid decision can be reached be followed to the extent possible.


Even though the Disputes Chamber of the GBA is not a body that meets the requirements of the
independent and impartial judge, it must nevertheless - in accordance with the rules of good administration
with which it is obliged to comply - communicate openly and with as much equality of arms as possible
with the data subject against whom it is handling a complaint.

It constitutes maladministration not to inform the person concerned, prior to the handling of
the file, of the exact allegations or infringements of which he - according to the
investigation conducted - could be guilty. It is for this reason that Article 95 § 2, 2 WOG
states that the person concerned must be informed of the complaint. The person concerned must be able to
defend himself "against the allegations of the complaint".

If the Disputes Chamber of the GBA is of the opinion that the infringement constitutes another fact or
object than that which is described in the complaint, then it is at least⁴ for the
Disputes Chamber of the GBA to make that known clearly and unambiguously in the convocation (provided for
in Article 95 § 2 WOG) to the person concerned, so that he/she can defend himself/herself against it in writing
(through the conclusions drawn up by him or his lawyer).

At the hearing, the person concerned may respond verbally to the
comments from the designated member or members of the Disputes Chamber, but if
the Disputes Chamber is then of the opinion that the infringement(s) is (are) broader than what was stated in the
convocation, it should communicate about this very transparently and
respect the equality of arms and the rights of defence.

The Disputes Chamber of the GBA states that X was given the opportunity to defend itself regarding the
fine that the Disputes Chamber intended to impose on it. Well, in the very same context and
for the same reasons, it is for the Disputes Chamber of the GBA to
reopen the debate - with the possibility for the data subject to respond again, in writing and orally,
to the amended allegations of infringement(s).


It appears from the present documents that the Disputes Chamber has not complied with these principles of
elementary transparent good governance - in which the rights of defense are fully respected.



4 Insofar as the Inspectorate should not (should) be seized.







The statement of the Disputes Chamber of the GBA that X was asked on the occasion of the hearing
(as stated in the record of the hearing) to take a position regarding
the general question of the legitimate interest which X invokes to process data other than
health data, and that X only formulated a brief answer to this
without reservations or objections, does not adequately justify the contested decision.

X had to be given the opportunity - after the complaint had been clearly and plainly formulated in writing -
to file a written conclusion thereon. After all, the reasoning of the Disputes Chamber of the
GBA must be capable of being tested by the Market Court against the pleas or
arguments that the person concerned has developed in his conclusion.


In the letter of 14 April 2020 (document 37 GBA) it is stated that the term for reply by X
is set at 8 May 2020 at the latest, and it adds: "this term appears reasonable to the Disputes Chamber,
given the rather limited scope of the Disputes Chamber's request to
respond to the proposed sanction, which moreover does not imply a reopening of the debates".


The circumstance that the Market Court in a judgment of 19 February 2020 (in another case)
has stated that the Disputes Chamber of the GBA, before imposing an administrative fine,
should inform the data subject of this intention and give him the opportunity
to respond to it, does not have the consequence that the Disputes Chamber of the GBA would have a safe
conduct for all other new elements (other than the imposition of a fine).
The principle laid down by the Marktenhof naturally applies to all new elements that have not
been the subject of the complaint and the accompanying file documents as they were notified to the
person concerned. That in the aforementioned judgment the Marktenhof only
mentioned the administrative sanction is, of course, (simply) due to the fact that the Court does not
pronounce judgment in general terms, but only judges in a specific dispute and at least
with regard to the specific points of dispute that are at issue in that dispute.

6.8.


The complainant requested a DPIA (= a data protection impact assessment). That is an instrument
to map out the privacy risks of data processing in advance and
to take measures to reduce the risks.


Now that the Disputes Chamber of the GBA has followed X's argument in this regard, this
point need not be addressed.

6.9.


It appears from the foregoing that the rules set out above (points 6.5 to 6.7) were not complied with.
The basic plea of lack of sufficient motivation is not concretely refuted by the GBA.
The invoked motives can only support a decision if they appear
from the documents of the file that the authority (DPA) was able to take into account.

Admittedly, the GBA establishes in an unassailable manner the existence of the facts on which it relies; the
consequences it deduces from this are left to its judgment and policy, but the Marktenhof
checks whether the DPA has not drawn any conclusions from the facts established by it that
cannot be justified on the basis of those facts.

For those reasons, the contested decision disregards the rules of good administration and must
be annulled.



    7. Decision.

The contested decision is annulled.


    8. The court costs.

The GBA is the unsuccessful party. The costs are set at the
statutory compensation for disputes that cannot be valued in money, amounting to €1,440.00.





FOR THESE REASONS,
THE COURT,



Ruling in adversarial proceedings;


Having regard to Article 24 of the Law of 15 June 1935 on the use of languages in court cases;


Declares the appeal admissible and well-founded;

Annuls the contested decision number 24/2020 file DOS-2019-02902 of 14 May 2020 of
the Disputes Chamber of the Data Protection Authority regarding X;


Orders the Data Protection Authority to pay the costs of the appeal, settled at
1,460 euros (€20.00 Budgetary Fund + €1,440 court fee).


Orders the Data Protection Authority, in accordance with Article 269/2 of the Code of
registration, mortgage and court fees, to pay to the Belgian State, FPS Finance, the
fee for the appeal in the amount of 400.00 euros;






