APD/GBA (Belgium) - 188/2022: Difference between revisions

From GDPRhub
No edit summary
mNo edit summary
 
(12 intermediate revisions by 3 users not shown)
Line 93: Line 93:
}}
}}


The Belgian DPA holds that a controller does not have to erase (art. 17(1) GDPR) a personalised license plate based on a famous Turkish football club because the freedom to (artistic) expression outweighs the limited risk to the data subject (art. 17(3) GDPR)
A TV show correctly invoked artistic freedom under [[Article 17 GDPR|Article 17(3)(a) GDPR]] in order to dismiss an erasure request.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject used a personalised license plate for their car. This car was property of the business owned by the data subject, of which he was the sole manager (one man business). The license plate referred to a famous Turkish football club. The same license plate was used on a car of a criminal organisation in an audiovisual production by the controller.
The data subject used a personalised license plate for his car, which he used for his business. The data subject was the sole owner of his company and did not have any employees. The personalised license plate he was using referred to Galatasaray, a well known Turkish football club. The licence plate contained letters and numbers that referred to this club.  The producer of a television show (controller) used the same personalised licence plate on a similar looking car displayed in certain scenes of the show. This car in the series belonged to a fictional character, who was part of a fictional criminal organisation.  


The data subject asked the controller to remove the license plate from their production, as he was often asked about it in a negative connotation. The controller refused to remove the license plate because the license plate does not constitute personal data in the controller's view and even if it does, the controller is allowed to process it based on their freedom of (artistic) expression. The controller claims that the similarities were purely incidental.
In Belgium, the registration of (personalised) licence plates is conducted by a federal institution. Using the website of this institution, people could verify if a licence plate was already in use by someone else, without disclosing the respective identity. This way, it could be checked beforehand if a desired personalised licence plate was already in use.    


Lastly, the Inspection Service claims that the controller breaches [[Article 38 GDPR#1|Article 38(1) GDPR]] and [[Article 39 GDPR|Article 39 GDPR]] by not appointing a DPO and breaches [[Article 5 GDPR#2|Article 5(2) GDPR]] by not demonstrating how it complies with the GDPR. The controller states that an informed decision was made in the middle of 2018 to not appoint a DPO after extensive discussions. The controller holds it is not mandatory for them to appoint a DPO under [[Article 37 GDPR#1|Article 37(1) GDPR]] and the necessary procedures are implemented to ensure the GDPR is followed.
The data subject asked the controller to remove the license plate from the TV show pursuant to [[Article 17 GDPR|Article 17(1)(c) GDPR]],  because people recognised his licence plate as the one appearing in the TV show. According to the data subject, people also associated the data subject with the fictional criminal organisation from the show. The controller refused to remove the licence plate because, she argued, the license plate did not constitute personal data. In case that the licence plate was personal data, the controller stated that she was allowed to use this licence plate because of their freedom of (artistic) expression. In its reply to the data subject on 21 January 2022, the controller did not refer to the legal provision of [[Article 17 GDPR|Article 17(3)(a) GDPR]], when refusing the data subject's request for erasure. 
 
The data subject filed a complaint at the Belgian DPA on 22 February 2022, who started an investigation into the controller.    


=== Holding ===
=== Holding ===
The Belgian DPA first assesses whether the license plate in this context should be seen as personal data defined in [[Article 4 GDPR#1|Article 4(1) GDPR]]. There are 4 elements which must be examined here: any information which (1) relates to, a (2) an identified or (3) identifiable (4) natural person.
<u>Is a licence plate personal data ([[Article 4 GDPR|Article 4(1) GDPR]])?</u> 


The DPA holds that the license plate is data related to a natural person even though it registered for a company car. The company however, is a one person business (the data subject). The data subject also uses the license plate in his daily life, as a natural person. As such, the first and fourth element are fulfilled.
The Belgian DPA determined that the licence plate was personal data ([[Article 4 GDPR#1|Article 4(1) GDPR)]] in these specific circumstances. The DPA started by acknowledging that a licence plate could constitute indirectly identifiable data. Family, neighbours and acquaintances could use the licence plate to identify the data subject. The DPA also considered the purpose of the processing, which was the appearance of the car in the TV show, and the way the processing took place, which was the publication of the TV series on a large television network and on a streaming service. The DPA also determined that that the license plate was data relating to a natural person, despite the fact that the licence plate was registered to a company car. Because there was only one company car, people could easily associate this car with the owner of the company, the data subject.  


A person is identifiable when it does not require an unreasonable effort to identify it. A combination of data can also lead to identification because of coherence or linking. The DPA states that a license plate can lead to indirect identification. This comes from the fact that the license plate is linked to data subject by neighbours and family. On top of that, the controller could have checked through government websites if the license plate was already in use, but not to identify the data subject. As such, a license plate is able to (indirectly) identify a person.
<u>Was the controller's processing lawful? ([[Article 5 GDPR|Articles 5(1)(a)]] and [[Article 6 GDPR|6 GDPR]])</u>


As such, a (personalised) license plate constitutes personal data.  
The DPA also assessed if the data processing was lawful in accordance with [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], for which the controller had to fulfill three criteria.  


The controller states that when they are processing personal data, they utilise various techniques to protect the rights and freedoms of the persons such as blurring, informing the people, getting informed consent, etc. The controller also states that they did not inform the data subject because the controller claims that it did not process personal data. And even if they have processed his personal data, they could not identify him through reasonable means. The DPA concludes that there is no breach of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].  
'''(1)''' The interest of the controller was the creation of the TV show, which was a ''legitimate interest''. This interest was based on the freedom of artistic expression protected by the constitutional right of freedom of expression. The use of this fictional licence plate was purely an artistic expression in order to create and flesh out a fictional character.  


The DPA holds that there is no breach of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[Article 5 GDPR#2|Article 5(2) GDPR]], [[Article 24 GDPR#1|Article 24(1) GDPR]], [[Article 25 GDPR#1|Article 25(1) GDPR]] and [[Article 25 GDPR#2|Article 25(2) GDPR]].
('''2)''' The second aspect was also fulfilled since the processing was ''necessarry'' to pursue the legitimate interest(s), looking at the artistic goal to emphasise the link with Galatasaray and the artistic freedom to choose a suitable way to achieve this goal.  


Then the DPA assesses the lawfulness of the processing as the data subject claims there is no legal basis according to [[Article 6 GDPR|Article 6 GDPR]] and thus a breach of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. The DPA assesses whether the controller can rely on legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The processing must take place based on a (1) legitimate and (2) necessary purpose. On top of that, a (3) balancing between the legitimate interest and the rights and freedoms of the data subject must be concluded in favour of the controller.  
'''(3)''' When conducting the ''balancing test'', the DPA determined that the potential damage to the data subject was minimal. Only his personal and business contacts could link this licence plate to the data subject, who could all understand that the data subject was not the same person as the fictional character in the TV show. The TV show also contained a disclaimer that any link between the production and reality was purely incidental. The controller also had no knowledge of the existence of the licence plate of the data subject. The controller created her own licence plate and the similarity was purely coincidental. Lastly, the data subject chose to create a personalised license plate based on a well-known Turkish football club. It was foreseeable that such a licence plate could also be used for artistic purposes. The fact that the controller could have used a different license plate did not make the controller's use of this licence plate unlawful.  


The DPA notes that the interest of the controller is the creation of audiovisual productions based on the freedom of artistic expression, which is protected by the constitutional freedom of expression. The DPA holds that the processing takes place based on a legitimate and necessary purpose, based on the freedom of artistic expression. The controller is free to use public data, such as the existence of a well known Turkish football club. Using a personalised license plate referring to this club is a form of artistic expression.
In this case, the controller's freedom of artistic expression outweighed the protection of personal data of the data subject. Therefore, the DPA determined that there was no breach of [[Article 5 GDPR#1|Articles 5(1)(a) GDPR]] and [[Article 6 GDPR#1f|6(1)(f) GDPR]].


When conducting the balancing test, the DPA holds that the risk to the data subject is very minimal. Only his personal and business contacts link the license plate to the data subject and there is no link between the fictional character of the audiovisual production and the data subject. On top of that, the audiovisual productions shows a disclaimer at the end that any link between the production and reality is purely incidental. The controller also had no knowledge of the existence of the license plate of the data subject. It should thus be clear to the personal and business contacts of the data subjects that there is no link between data subject and the audiovisual creation. Lastly, the data subject chose to create a personalised license plate based on a well-known Turkish football club. It is thus foreseeable that this data can be used for artistic purposes. The fact that the controller could have used a different license plate does not make the processing unlawful. It falls under the freedom of artistic expression. In this case, the freedom to artistic expression outweighs the protection of personal data of the data subject.
<u>Did the controller violate [[Article 17 GDPR|Article 17 GDPR?]]</u> 


The DPA holds that there is no breach of [[Article 5 GDPR#1|Article 5(1) GDPR]] and [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].
The DPA then considered whether the controller was allowed to use [[Article 17 GDPR|Article 17(3)(a) GDPR]] to deny the erasure request of the data subject pursuant to [[Article 17 GDPR|Article 17(1)(c) GDPR]]. The DPA referred to [[Article 85 GDPR]] and the national implementation of this GDPR provision into [https://www.dataprotectionauthority.be/publications/act-of-30-july-2018.pdf Article 24 of the Belgian law of 30 july 2018 (Act on the protection of natural persons with regard to the processing of personal data]. This national law excluded the applicability of several GDPR articles in order to ensure freedom of speech. [[Article 17 GDPR]] was not part of this law. However, the DPA noted that that [[Article 17 GDPR#3|Article 17(3) GDPR]] explicitly provides the possibility to not comply with an erasure request for journalistic, academic, artistic or literary purposes. Since it was a GDPR provision, it was directly applicable into Belgian Law. The fact that the Belgian law did not mention Article 17 GDPR was therefore of no consequence.


The DPA then assesses whether the right to erasure under [[Article 17 GDPR|Article 17 GDPR]] should have been executed by the controller. The DPA refers to [[Article 85 GDPR|Article 85 GDPR]], which allows the national regulator to reconcile the right to data protection and freedom of artistic expression. The Belgian law of 30 juli 2018 does not include exceptions for among others, artistic purposes. However, the DPA holds that [[Article 17 GDPR#3|Article 17(3) GDPR]] explicitly foresees in this exception. These exceptions do not have to be translated into national law to be applicable.
The DPA held that the car and its license plate constituted an artistic expression, which fell under Article 10 ECHR (Freedom of Expression). The DPA stated that this was a case of a balancing act between two fundamental rights, with the ''freedom of expression'' (Article 10 ECHR and Article 11 CFR) on the one hand, and the ''right of protection of personal data'' (Article 8 CFR) on the other hand. To determine which fundamental right would prevail, a <u>balancing exercise</u> would have to be conducted with all of the relevant circumstances of the case.  


The DPA states that [[Article 17 GDPR#1|Article 17(1) GDPR]] grants the right to erasure, unless, as specified in [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]], there is an overriding interest of the controller. This overriding interest is linked to the compelling legitimate interest of [[Article 21 GDPR#1|Article 21(1) GDPR]]. However, [[Article 17 GDPR#3a|Article 17(3)(a) GDPR]] foresees in an exception for freedom of expression. A balancing between these rights must thus be made. The DPA holds that freedom of expression is granted by Article 10(1) ECHR and Article 11(2) CFR. Freedom of expression also includes artistic expression (ECHR, 25 May 1998, 10737/83, Müller and Others v. Switzerland, § 27 and ECJ, C-460/20, § 62).  
The DPA considered that the football club Galatasaray was well known. It was therefore not impossible to imagine that the license plate would be used for the creation of a fictional character. It was also plausible that both the controller and data subject had followed the same reasoning to choose the license plate (i.e. showing affinity and association with the football club). Since there were no links between the data subject, the controller and the fictional character, the DPA stated that it was most likely just coincidence that 2 identical licence plates were used. It was also not possible for the controller to identify the data subject using the website of the federal institution, which only provided the option to check if a licence plate was in use. Thus, it was impossible for the controller to identify the data subject. The controller also had the freedom to choose this specific licence plate under her freedom of expression under Article 10 ECHR. Lastly, the data subject could have reasonably foreseen that other people could have used the recognisable numbers and letters for this personalised licence plate as well.  


The DPA holds that the car and its license plate constitute an artistic expression of the controller. The football club is well known. As such, it is not impossible to image the license plate being used for a fictional character. It is plausible that both the controller and data subject have followed the same reasoning to chose the license plate (i.e. showing affinity and association with the football club). There is no link between the data subject and the controller nor between the data subject and the fictional character. And while identification of the data subject is possible through the national registry of license plates, this registry is not freely available and thus it is impossible for the controller to identify the data subject. And even though the controller is free to chose another license plate, it is her freedom of expression to chose this specific one. The data subject could have reasonable foreseen that others could have used the license plate as well. The DPA holds that the usage of both license plates is purely coincidental and that there is no breach of [[Article 17 GDPR|Article 17 GDPR]].
Considering all these factors, the DPA determined that the controller did not violate [[Article 17 GDPR]]. The artistic expression of the controller prevailed in the balancing exercise.  


Then, the DPA assesses whether the controller did not adequately inform the data subject as stipulated in [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 12 GDPR#4|Article 12(4) GDPR]]. The controller states that even though she did not refer to the specific grounds of [[Article 17 GDPR#3a|Article 17(3)(a) GDPR], she did clearly state in her reply on which grounds she decided to not erase the license plate. The DPA holds that the controller should have been comprehensive in her answer, and include the specific legal grounds. The fact that the data subject was being represented by legal council and thus up to date regarding the applicable legislation was deemed irrelevant. The principle of transparency remains applicable to the controller. As such, the DPA concludes a breach of [[Article 12 GDPR#1|Article 17(1) GDPR]] but only a minor one. The DPA warns the controller to pay more attention to this in the future.
<u>Violation of [[Article 12 GDPR|Article 12(1) GDPR]]</u>


The DPA then assesses whether the controller is able to demonstrate its compliance with the GDPR as described in [[Article 5#GDPR#2|Article 5(2) GDPR]]. The Inspection Service asked the controller a general question to demonstrate compliance. The controller answered this question in a general sense, without explaining their procedures in depth. The Inspection Service thus states that the controller couldn't demonstrate its compliance sufficiently and is thus in breach of [[Article 5 GDPR#2|Article 5(2) GDPR]], [[Article 24 GDPR#1|Article 24(1) GDPR]], [[Article 25 GDPR#1|Article 25(1) GDPR]] and [[Article 25 GDPR#2|Article 25(2) GDPR]].
Then, the DPA assessed whether the controller did not adequately inform the data subject pursuant to [[Article 12 GDPR#1|Articles 12(1)]] and [[Article 12 GDPR#4|12(4) GDPR]]. The DPA determined that the controller should have been more comprehensive in her answer, and should have included the specific legal ground it was using to deny the erasure request. The fact that the data subject was represented by legal council did not remove the obligation for the controller to comply with the transparency requirements of [[Article 12 GDPR|Article 12(4) GDPR]]. As such, the DPA concluded a breach of [[Article 12 GDPR#1|Article 12(1) GDPR,]] but only a minor one.  


The DPA states that the Inspection Service should conduct its inspection in a loyal manner. If a response by a controller is not sufficiently concrete, it comes to the Inspection Service to specifically ask for clarification. It is not easy for a controller to answer in a comprehensive way to a general question. The DPA holds that the inspection conducted by the Inspection Service was not sufficiently concrete and thus it would be disproportional to conclude a breach of the GDPR based on this research. The DPA assesses independently if the GDPR is breached. The DPA also clarifies that a breach of [[Article 5 GDPR#2|Article 5(2) GDPR]] does not automatically lead to a breach of [[Article 5 GDPR#1|Article 5(1) GDPR]]
The DPA issued a warning pursuant to Article 100(1)(5) WOG in order to make the controller aware of the obligation to comply with the transparency requirements of [[Article 12 GDPR|Article 12(4) GDPR]].


The DPA confirms that the controller does not fall under one of the three categories under [[Article 37 GDPR#1|Article 37(1) GDPR]] and it is not mandatory for the controller to appoint a DPO. However, this does not exonerate the controller from the responsibilities under the GDPR. The DPA holds that the controller proved that it did take the necessary measures to ensure compliance with the GDPR. The DPA holds that [[Article 38 GDPR#1|Article 38(1) GDPR]] and [[Article 39 GDPR|Article 39 GDPR]] have not been breached.
== Comment ==
The federal institution registering licence plates in Belgium is the '<nowiki/>''Federale overheidsdienst mobilitei''t'. Within this organisation, the service '''dienst voor inschrijving van voertuigen''<nowiki/>' was responsible for the registering of licence plates.


== Comment ==
The DPA also assessed several other violations regarding the controller, such as alleged violations of Articles [[Article 5 GDPR|5]], [[Article 24 GDPR|24,]] [[Article 25 GDPR|25]], [[Article 37 GDPR|37(1]]), [[Article 38 GDPR|38(1)]] and [[Article 39 GDPR|39 GDPR]]. The DPA did not find any violations regarding these provision. These considerations by the DPA were left out of this summary. This summary mainly focusses on the <u>relation between the right of erasure and artistic freedom on the one hand, and the minor violation of not providing the specific legal ground for rejecting an erasure request on the other hand</u>, since the latter was the only violation found in this decision. 
''Share your comments here!''


== Further Resources ==
== Further Resources ==

Latest revision as of 14:27, 25 January 2023

APD/GBA - 188/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 5(1) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 6(1)(f) GDPR
Article 12(1) GDPR
Article 12(4) GDPR
Article 17 GDPR
Article 17(1) GDPR
Article 17(1)(c) GDPR
Article 17(3) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 38 GDPR
Article 38(1) GDPR
Wet van 30 juli 2018 betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens
Type: Complaint
Outcome: Partly Upheld
Started: 22.02.2022
Decided: 18.12.2022
Published: 21.12.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 188/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

A TV show correctly invoked artistic freedom under Article 17(3)(a) GDPR in order to dismiss an erasure request.

English Summary

Facts

The data subject used a personalised license plate for his car, which he used for his business. The data subject was the sole owner of his company and did not have any employees. The personalised license plate he was using referred to Galatasaray, a well known Turkish football club. The licence plate contained letters and numbers that referred to this club. The producer of a television show (controller) used the same personalised licence plate on a similar looking car displayed in certain scenes of the show. This car in the series belonged to a fictional character, who was part of a fictional criminal organisation.

In Belgium, the registration of (personalised) licence plates is conducted by a federal institution. Using the website of this institution, people could verify if a licence plate was already in use by someone else, without disclosing the respective identity. This way, it could be checked beforehand if a desired personalised licence plate was already in use.

The data subject asked the controller to remove the license plate from the TV show pursuant to Article 17(1)(c) GDPR, because people recognised his licence plate as the one appearing in the TV show. According to the data subject, people also associated the data subject with the fictional criminal organisation from the show. The controller refused to remove the licence plate because, she argued, the license plate did not constitute personal data. In case that the licence plate was personal data, the controller stated that she was allowed to use this licence plate because of their freedom of (artistic) expression. In its reply to the data subject on 21 January 2022, the controller did not refer to the legal provision of Article 17(3)(a) GDPR, when refusing the data subject's request for erasure.

The data subject filed a complaint at the Belgian DPA on 22 February 2022, who started an investigation into the controller.

Holding

Is a licence plate personal data (Article 4(1) GDPR)?

The Belgian DPA determined that the licence plate was personal data (Article 4(1) GDPR) in these specific circumstances. The DPA started by acknowledging that a licence plate could constitute indirectly identifiable data. Family, neighbours and acquaintances could use the licence plate to identify the data subject. The DPA also considered the purpose of the processing, which was the appearance of the car in the TV show, and the way the processing took place, which was the publication of the TV series on a large television network and on a streaming service. The DPA also determined that that the license plate was data relating to a natural person, despite the fact that the licence plate was registered to a company car. Because there was only one company car, people could easily associate this car with the owner of the company, the data subject.

Was the controller's processing lawful? (Articles 5(1)(a) and 6 GDPR)

The DPA also assessed if the data processing was lawful in accordance with Article 6(1)(f) GDPR, for which the controller had to fulfill three criteria.

(1) The interest of the controller was the creation of the TV show, which was a legitimate interest. This interest was based on the freedom of artistic expression protected by the constitutional right of freedom of expression. The use of this fictional licence plate was purely an artistic expression in order to create and flesh out a fictional character.

(2) The second aspect was also fulfilled since the processing was necessarry to pursue the legitimate interest(s), looking at the artistic goal to emphasise the link with Galatasaray and the artistic freedom to choose a suitable way to achieve this goal.

(3) When conducting the balancing test, the DPA determined that the potential damage to the data subject was minimal. Only his personal and business contacts could link this licence plate to the data subject, who could all understand that the data subject was not the same person as the fictional character in the TV show. The TV show also contained a disclaimer that any link between the production and reality was purely incidental. The controller also had no knowledge of the existence of the licence plate of the data subject. The controller created her own licence plate and the similarity was purely coincidental. Lastly, the data subject chose to create a personalised license plate based on a well-known Turkish football club. It was foreseeable that such a licence plate could also be used for artistic purposes. The fact that the controller could have used a different license plate did not make the controller's use of this licence plate unlawful.

In this case, the controller's freedom of artistic expression outweighed the protection of personal data of the data subject. Therefore, the DPA determined that there was no breach of Articles 5(1)(a) GDPR and 6(1)(f) GDPR.

Did the controller violate Article 17 GDPR?

The DPA then considered whether the controller was allowed to use Article 17(3)(a) GDPR to deny the erasure request of the data subject pursuant to Article 17(1)(c) GDPR. The DPA referred to Article 85 GDPR and the national implementation of this GDPR provision into Article 24 of the Belgian law of 30 july 2018 (Act on the protection of natural persons with regard to the processing of personal data. This national law excluded the applicability of several GDPR articles in order to ensure freedom of speech. Article 17 GDPR was not part of this law. However, the DPA noted that that Article 17(3) GDPR explicitly provides the possibility to not comply with an erasure request for journalistic, academic, artistic or literary purposes. Since it was a GDPR provision, it was directly applicable into Belgian Law. The fact that the Belgian law did not mention Article 17 GDPR was therefore of no consequence.

The DPA held that the car and its license plate constituted an artistic expression, which fell under Article 10 ECHR (Freedom of Expression). The DPA stated that this was a case of a balancing act between two fundamental rights, with the freedom of expression (Article 10 ECHR and Article 11 CFR) on the one hand, and the right of protection of personal data (Article 8 CFR) on the other hand. To determine which fundamental right would prevail, a balancing exercise would have to be conducted with all of the relevant circumstances of the case.

The DPA considered that the football club Galatasaray was well known. It was therefore not impossible to imagine that the license plate would be used for the creation of a fictional character. It was also plausible that both the controller and data subject had followed the same reasoning to choose the license plate (i.e. showing affinity and association with the football club). Since there were no links between the data subject, the controller and the fictional character, the DPA stated that it was most likely just coincidence that 2 identical licence plates were used. It was also not possible for the controller to identify the data subject using the website of the federal institution, which only provided the option to check if a licence plate was in use. Thus, it was impossible for the controller to identify the data subject. The controller also had the freedom to choose this specific licence plate under her freedom of expression under Article 10 ECHR. Lastly, the data subject could have reasonably foreseen that other people could have used the recognisable numbers and letters for this personalised licence plate as well.

Considering all these factors, the DPA determined that the controller did not violate Article 17 GDPR. The artistic expression of the controller prevailed in the balancing exercise.

Violation of Article 12(1) GDPR

Then, the DPA assessed whether the controller did not adequately inform the data subject pursuant to Articles 12(1) and 12(4) GDPR. The DPA determined that the controller should have been more comprehensive in her answer, and should have included the specific legal ground it was using to deny the erasure request. The fact that the data subject was represented by legal council did not remove the obligation for the controller to comply with the transparency requirements of Article 12(4) GDPR. As such, the DPA concluded a breach of Article 12(1) GDPR, but only a minor one.

The DPA issued a warning pursuant to Article 100(1)(5) WOG in order to make the controller aware of the obligation to comply with the transparency requirements of Article 12(4) GDPR.

Comment

The federal institution registering licence plates in Belgium is the 'Federale overheidsdienst mobiliteit'. Within this organisation, the service 'dienst voor inschrijving van voertuigen' was responsible for the registering of licence plates.

The DPA also assessed several other violations regarding the controller, such as alleged violations of Articles 5, 24, 25, 37(1), 38(1) and 39 GDPR. The DPA did not find any violations regarding these provision. These considerations by the DPA were left out of this summary. This summary mainly focusses on the relation between the right of erasure and artistic freedom on the one hand, and the minor violation of not providing the specific legal ground for rejecting an erasure request on the other hand, since the latter was the only violation found in this decision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/29




                                                                           Litigation room


                                       Decision on the substance 188/2022 of 21 December

                                                                                       2022



File number : DOS-2022-00944


Subject: Publication of a number plate without permission



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereafter WOG;


Having regard to the rules of internal order, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on
January 15, 2019;


Having regard to the documents in the file;



Made the following decision regarding:


The complainant: Mr X, represented by Mr. Hans Leyssen, office in

                   2000 Antwerp, Franselei 104, hereinafter “the complainant”


The defendant: Y, represented by Mr. Bob Les, Mr. George Report and Mr. Elizabeth Van

                   Nerum, office at 3000 Leuven, Sint-Maartenstraat 61 bus 2, hereinafter
                   “the defendant” Decision on the substance 188/2022 - 2/29


I. Factual Procedure


 1. On 22 February 2022, the complainant submits a complaint to the Data Protection Authority

       against the defendant.


       The complainant owns a car with a personalized number plate through his BV,
       of which he is the sole business manager. In an audiovisual production of the defendant

       a similar car with the same personalized license plate portrayed as

       the car of a criminal organization dealing in narcotics. The license plate

       according to the complainant, clearly legible, recognizable and can be found in the

       episode. The complainant is approached very regularly about this, both by business and

       private relationships. However, the complainant says he is a carpenter and does not want to be associated

       with the criminal environment. He also did not give permission to the defendant to
       use his license plate. The complainant asked the defendant for the

       license plate from the mounting, but the defendant refused to do so

       based on her right to artistic expression.


 2. On March 10, 2022, the First Line Service declares the complaint admissible on the basis
       of Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG

       submitted to the Disputes Chamber.


 3. On March 22, 2022, in accordance with Article 96, § 1 WOG, the request of the

       Disputes Chamber to carry out an investigation transferred to the Inspectorate,
       together with the complaint and the inventory of the documents.


 4. The investigation by the Inspectorate will be completed on 26 April 2022, the report reads

       appended to the file and the file is transferred by the Inspector General to

       the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).

       The report contains findings regarding the subject of the complaint and decision

       that there is:

          1. a breach of Article 5 of the GDPR, Article 24(1) of the GDPR and Article 25(1)

              paragraph 2 of the GDPR; and


          2. a breach of Article 12 paragraph 1 and paragraph 4 of the GDPR, Article 17 of the GDPR, Article 24 paragraph

              1 of the GDPR and Article 25(1) of the GDPR.

       The report also contains findings that go beyond the subject of the complaint.

       In general terms, the Inspectorate also notes:

          3. Violation of Article 38(1) and Article 39 of the GDPR.


 5. On 29 April 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98

       WOG that the file is ready for treatment on the merits. Decision on the substance 188/2022 - 3/29


6. On 29 April 2022, the parties involved will be notified by registered mail

     of the provisions as stated in Article 95, § 2, as well as of these in Article 98 of the WOG.

     they are informed of the time limits for their

     to file defenses.

     As regards the findings relating to the subject matter of the complaint, the

     deadline for receipt of the statement of defense from the defendant

     recorded on 10 June 2022, those for the complainant's reply on 1 July 2022

     and finally those for the defendant's statement of reply on 22 July 2022.

     The deadline for receipt of the statement of defense from the defendant with

     regarding the findings outside the subject of the complaint was set at 10

     June 2022.

7. On June 10, 2022, the Disputes Chamber will receive the statement of defense from the

     defendant with regard to the findings relating to the subject matter of the

     complaint. This statement also contains the response of the defendant regarding the

     findings made by the Inspectorate outside the scope of the complaint.
     With regard to the first infringement, the defendant argues that in the present case the

     fictitious license plate does not constitute personal data as it is a reference

     refers to a very well-known Turkish football club, which means that there can be at most

     of a coincidental resemblance to the complainant's license plate without this being one

     processing of one of his personal data. If there were anyway

     a processing of personal data of the complainant, the defendant is of the opinion that it
     did not have to comply with his request for data erasure, since the license plate

     which is used on the carriage in the fiction series was created by one's own

     artistic choices of the complainant pursuant to Article 17(3)(a) GDPR. With respect to

     the second finding is that the defendant does indeed not have a privacy policy

     since the defendant was not aware that the complainant had a car

     with the same number plate, and therefore did not know that she had the personal data of the

     complainant would handle. Finally, the defendant argues that Article 37(1) GDPR does not apply to her
     applies, which means that no data protection officer has been appointed.

     However, five (one per department) privacy managers have been appointed.


8. On 4 July 2022, the Dispute Chamber receives the conclusion of the reply from the complainant, for which
     concerns the findings with regard to the object of the complaint

     that the use of the personalized license plate in the fiction series is indeed a

     processing of personal data within the meaning of the GDPR and that this processing

     unlawfully occurred without the defendant being able to rely on the

     exception for the right to freedom of expression and information

     including artistic expression. Decision on the substance 188/2022 - 4/29


 9. On 22 July 2022, the Litigation Chamber receives the defendant's statement of rejoinder

       with regard to the findings relating to the subject-matter of the complaint in which they

       re-explains its arguments from the first statement of reply. In addition
       the defendant formulates replies to the complainant's arguments. Thus states the

       defendant that the method of identification proposed by the complainant is cumbersome

       and would therefore constitute a breach of the GDPR. Then argues the

       the defendant in what way the exception from article 17, paragraph 3, a) GDPR applies to her

       is.

II. Motivation


    II.1. Definition of “personal data”


       Findings in the Inspection Report

 10. In the course of the Inspectorate investigation, the defendant raised the situation

       of the complainant does not involve the processing of his personal data. The Inspection Service

       concludes, however, that in this case there is indeed the processing of personal data

       In this context, the Inspectorate refers to one of the defendant's documents in which it

       itself states that “a registration plate constitutes a personal data”. In addition, the GBA
       on its website explicitly states the following: “also information that does not allow a

       identify a person directly (e.g. a name), but indirectly (e.g.) a

       number plate is personal data.” The Inspectorate makes a decision based on this

       elements that the defendant does indeed have the personal data of the complainant

       incorporated. The defendant disputes this conclusion.

       Defendant's position

 11. The defendant disputes the finding of the Inspectorate that it would have acknowledged that

       the number plate constitutes personal data. This finding is according to the

       defendant incorrect. Although it certainly does not deny that a number plate is one

       constitute personal data, it argues that this is not the case in the present case.

       The defendant argues that the license plate in question was created on the basis of artistic

       choices that were made in the context of the relevant audiovisual production
       fictional character to whom the license plate belongs is a member of a family of

       enthusiastic supporters of a great Turkish football team. The license plate was through

       designed by the defendant itself on the basis of the data of this football team (i.e. the

       name and year of establishment). The fact that this fictitious license plate corresponds to the

       the license plate of the complainant, according to the defendant, is purely coincidental
       not know that this license plate already existed and to whom the license plate was assigned

       used to be. For the sake of completeness, the defendant points out that at the end of each episode the

       The following disclaimer is included: “The program is completely fictional. Any Substantive Decision 188/2022 - 5/29


     agreement with actual persons, companies or events is based on pure

     coincidence".

     Position of the complainant.


12. The complainant argues that the license plate in question is indeed his personal data

     matters, as it is far from fictional, invented or specially designed by the

     defendant. The registration plate was issued by the Vehicle Registration Service
     assigned to the complainant. In addition, the complainant argues that the complainant's car and the

     car from the audiovisual production are similar.


13. The complainant refers to the definition of “personal data” and “processing” in Article 4
     AVG and states that these definitions in no way imply the existence of any intentional element

     on the part of the controller. The complainant claims that a

     vehicle registration plate is an essential information carrier on the basis of which the

     natural person who always drives the vehicle indirectly

     identified. This is even more the case when personalizing these

     license plate is based on the ethnicity and the favorite football club of the
     person concerned. According to the complainant, this view is confirmed by the first-line services

     the Inspection Service of the GBA.


14. Contrary to what the defendant claims, it is very simple, according to the complainant

     identify him by his license plate. The complainant alleges that use
     must be made from the online publicly available application of the Belgian

     Common Guarantee Fund, where after entering a specific

     number plate the insurance data (such as the BA insurers and the policy number) is possible

     find out a vehicle that has the relevant number plate on a certain date

     wore. Subsequently, you can contact the third-party liability insurer concerned

     statement of the policy number and the date of a self-invented accident or another
     excuse to find out the identity of the insured, being the BV Arisol. Then can

     one can check via the Crossroads Bank for Enterprises who is the manager of this BV.

     Since the BV Arisol is a sole proprietorship, the defendant can verify the identity of the

     easily identify the complainant. The complainant therefore argues that the defendant has done so in advance

     investigation could and should have been carried out to determine the identity of the complainant.

     Review by the Litigation Chamber


15. The Litigation Chamber reminds that the GDPR does not apply to the processing of
     all types of data, but only on the processing of personal data.

     According to Article 4(1) GDPR, personal data is “any information about a

     identified or identifiable natural person (“the data subject”); if

     identifiable is a natural person who can become directly or indirectly Decision on the substance 188/2022 - 6/29


     identified, in particular by an identifier such as a name, a

     identification number, location data, an online identifier or one or more

     elements characteristic of the physical, physiological, genetic, psychological,

     economic, cultural or social identity of that natural person”.

16. There are 4 elements in the definition of personal data:

     1) relate to

     2) an identified or

     3) identifiable
     4) natural person.


17. If there is to be personal data, the data must, in principle, relate

     have on a natural person. Data refers only to a natural

     person when identified or identifiable. A person is
     identified when it is unique from all other individuals within a group

     is distinguished. A person is identifiable when it has not yet been identified,

     but it can be done without disproportionate effort.

18. To establish the identity of a person is generally used

     data that has a unique, personal relationship to that person, so-called

     'identifiers'. Identifiers can include data such as a name, address

     and date of birth. These data, in combination with each other, are so unique for one

     certain person, date a person on the basis of it with certainty or high probability

     can be identified. This is called directly identifying data.
     Persons can also be identified on the basis of other, less direct

     identifiers, such as appearance, social and economic characteristics and online

     identifiers. Although this data in itself usually does not lead to the identification

     of a person, they can be through their interrelationship or through linkage to others

     data lead to this. This is called indirectly identifying data.

19. In short, whether a data is also a personal data within the meaning of Article 4(1) GDPR for a

     controller, therefore depends on whether the data or the

     data that the controller processes enable him to inform someone

     directly or indirectly identified. When the person is not yet identified (if there is

     no directly identifying data are processed) the
     controller determine whether the person is not still identifiable.


20. As already mentioned, the data in question concerns a registration plate, which is a

     indirectly identifying information. When assessing whether there is

     identifiability in this case, the Litigation Chamber refers to Recital 26 of the
     AVG. Decision on the substance 188/2022 - 7/29


 21. Recital 26 of the GDPR explains that to determine whether a natural person

       is identifiable, all means of which must be taken into account

       can reasonably be expected to be used by the

       controller or by another person (a third party) for the natural

       person directly or indirectly. To determine whether of means reasonably

       it is to be expected that they will be used to identify the natural person,

       account must be taken of all objective factors, such as the cost of time

       necessary for identification, taking into account the technology available on it

       time of processing and technological developments.

 22. The Opinion 4/2007 on the concept of personal data of the Working Party on Data Processing

       states the following in this regard: “[i]f, taking into account "all means of which

       it can reasonably be assumed that they are processed by the controller or

       another person", whose possibility of identification does not exist or is negligible,

       the person should not be considered "identifiable", and the information should not be considered

       "personal data" are considered. The criterion of "all means of which

       it can reasonably be assumed that they are processed by the controller or
       byanotherperson"shouldtakeparticularaccountofallinvolvedfactors.The

       Cost of identification is one factor, but not the only one. It must be taken into account

       with the intended purpose, the way in which the processing is structured, the by

       the controller expected benefit, the risk of organizational

       dysfunction and technical malfunctions.” (free translation)


 23. The registration and allocation of number plates is done by the Registration Service
       of Vehicles, of the Federal Public Service Mobility. The Disputes Chamber determines

       that via the website of the Federal Public Service Mobility the availability of a

       personalized license plate can be verified. If the defendant

       website would have consulted, it could have determined that the intended

       registration plate was already in use, without, however, revealing the identity of its holder

       However, for family, neighbors and acquaintances, that personalized license plate is

       a means that can be used to identify the complainant (for further justification

       read marginals 24 and 25 below). The Litigation Chamber reminds that, such as

       set out by the Data Processing Group 29, when analyzing whether a piece of data is also a

       personal data, the intended purpose and manner must be taken into account
       on which the processing is structured. By the purpose of the processing in question

       (prominently appearing in a well-known audiovisual production) and the manner in which this

       processing has taken place (a well-known audiovisual production, the broadcast op




1 Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, 20 June 2007.
2https://www.mobilit.fgov.be/WebdivPub/wmvpstv1?SUBSESSIONID=3228997. Decision on the substance 188/2022 - 8/29


       one of the largest TV channels in Flanders as well as the availability of this

       production on streaming services), the Disputes Chamber concludes that the complainant

       is identifiable.


 24. With regard to the fourth element ("natural person"), this means that data about

       partnerships, partnerships and other legal/legal entities

       individuals are not protected as such by the GDPR. The Court of Justice has

       nevertheless held that "insofar as the official title of the juridical person is one or more

       natural persons", the legal person under Articles 7 and 8 of

       the Charter of Fundamental Rights of the European Union can claim the

       protection of data related to him. 5 Since the GDPR is a

       is an elaboration of the overarching safeguards contained in these Charter provisions

       laid down, such protection for legal entities can also be provided by the GDPR

       arise, although this protection does not concern the legal person as such, but the

       natural person(s) who form it, and probably mainly occurs in

       cases where the legal entity is in fact a sole proprietorship or a small family business with

                                        6
       a transparent "company veil".

 25. The Litigation Chamber determines that the vehicle and registration plate are registered in the name

       of BV Arisol as a legal person, and not in the name of the complainant as a natural person.

       However, this BV is a sole proprietorship that does not have a fleet of vehicles,

       so that there is a direct link between the license plate and the complainant. Since

       the complainant, as a natural person, uses the car with this specific number plate,


       he is associated by his environment with this car with license plate without it

       this environment is aware of whether the car is registered in the name of his sole proprietorship,

       or in the name of the complainant as a private person. In view of the above, the

       Litigation Chamber that the license plate in the specific circumstances of the present

       case constitutes a license plate.

    II.2. Article 5 of the GDPR, Article 24(1) of the GDPR and Article 25(1) and (2) of the

         AVG





3 Article 7: Everyone has the right to respect for his private and family life, his home and his
communication.
4
 Article 8:
1. Everyone has the right to the protection of his personal data.

2. These data must be processed fairly, for specified purposes and with the consent of the data subject or
on the basis of any other legitimate basis provided for by law. Everyone has the right to inspect the information
data collected and rectification thereof.

3. An independent authority monitors compliance with these rules.
5 In this regard, see CJEU, Cases C-92/09 and 93/09, Schecke, § 53, Case C-419/14, WebMindLicenses, § 79 ; Case T-670 /
16, Digital Rights Ireland, §25.
6
 L.A. BYGRAVE and L. TOSONI, « Article 4(1) Personal Data » in C. KUNER et.al. « EU General Data Protection Regulation, a
commentary, Oxford University Press, 2020, p. 111. Decision on the substance 188/2022 - 9/29


       Article 5 (2), Article 24 (1) and Article 25 (1) and (2) GDPR


 26. Since the Disputes Chamber has come to the conclusion that the license plate under the

       circumstances of this case constitutes personal data, means that it is displayed

       of this personal data in the audiovisual production constitutes processing. The

       The defendant argues that she was not aware that she was processing personal data. The

       Litigation Chamber draws attention to the presence or absence of an intention
       does not constitute a criterion for the processing of personal data within the meaning of Article 4(2)

       AVG. Regardless of whether it was the defendant's intention to use the personal data

       process, is the mere fact that the license plate was indeed displayed in the

       audiovisual production is sufficient to classify this as processing that in

       accordance with the basic principles of data protection as understood

       in Article 5 GDPR must be done.

 27. As controller, the defendant is obliged to provide the

       to observe data protection principles and must be able to demonstrate that these

       principles are adhered to (accountability - Article 5(2) GDPR).


 28. In addition, also in its capacity as controller, it must:

       take necessary measures to ensure and be able to demonstrate that the processing is in

       is carried out in accordance with the GDPR (Articles 24 and 25 GDPR).

 29. In the context of its investigation into accountability, the Inspectorate

       sent the following to the defendant to provide the following documents:


       “A copy of [the defendant's] documents on the measures and decisions
       that were taken to ensure compliance with the processing principles

       to safeguard personal data with regard to the complainant on the basis of Article 5, Article

       24(1) and Article 25 of the GDPR.”


 30. The defendant has formulated an answer to this but, according to the

       Inspectorate, no documents showing what measures and decisions were taken

       taken to safeguard the principles governing the processing of personal data
       specific to the complainant based on Article 5, Article 24(1) and Article 25(1)

       and paragraph 2 of the GDPR. The Inspectorate notes in its report that the transferred

       documents relate to the principle of transparency in Article 5(1)(a) GDPR, but

       that the defendant does not clarify how the other principles of Article 5 (1) GDPR



7 Article 4 GDPR: “For the purposes of this regulation:

[…]
2) “processing” means any operation or set of operations relating to personal data or set of
personal data, whether or not carried out through automated processes, such as collecting, recording, organizing,
structure, store, update or modify, retrieve, consult, use, provide by transmission,
distribute or otherwise make available, align or combine, block, erase or destroy
data” Decision on the substance 188/2022 - 10/29



       are guaranteed. Moreover, the Inspectorate concludes that certain elements

       not concretely explained by the defendant, such as or the complainant, whose

       personal data were processed by the defendant, effectively has a copy

       received from its general privacy policy. During the investigation, the defendant states that

       it has not processed any personal data. The Inspectorate does not follow this view and states

       that the defendant does process personal data. The Inspectorate refers here
       to the webpage of the Data Protection Authority

       (https://www.dataprotectionauthority.be/burger/privacy/lexicon) on which stated

       states that “even information that does not allow to identify a person directly (e.g.

       a name), but indirectly (e.g. a number plate) is personal data”.

       As a result, the Inspection Service concludes that there is an infringement of article 5, article

       24 (1) and Article 25 (1) GDPR.


 31. In its conclusions, the defendant disputes this finding. The defendant clarifies that

       it considered that it was not processing any personal data in this case. Furthermore, the

       the defendant on what steps it will take in the event of similar processing operations

       of personal data, namely the processing of number plates in other audiovisual
                                                                                   8
       productions when it is of the opinion that it is processing personal data.

 32. The Disputes Chamber states that the Inspectorate is charged as an investigative body of the GBA

       investigating complaints about and serious indications of violations of the

       European and Belgian legislation on personal data, including the AVG. One of

       the ways in which the investigation is conducted is free of all useful information and

       provide documents. This possibility leaves the controllers

       and/or processors to explain and demonstrate what measures have been taken to protect the

       comply with applicable law.9


 33. In the context of examining compliance with the Fundamental Principles and the

       accountability, as understood in Article 5 of the GDPR, the Inspection Service has a

       general request addressed to the controller to transfer the following

       to make:

       “A copy of [the defendant's] documents on the measures and decisions

       that were taken to ensure compliance with the processing principles

       to safeguard personal data with regard to the complainant on the basis of Article 5, Article

       24(1) and Article 25 of the GDPR.”


 34. The Disputes Chamber notes that the Inspectorate's question relates to processing

       of the complainant's personal data, namely the publication of a registration plate


8
 see infra.
9 Charter of the Inspection Service, August 2022, available online at
https://www.dataprotectionauthority.be/publications/charter-van-de-inspectiedienst.pdf Substantive decision 188/2022 - 11/29


     an audiovisual production. The defendant claims that she has no such document in this case

     previously transferred to the complainant because it was of the opinion that no

     personal data was processed, and moreover, that it also does not dispute that this registration plate
     was assigned to a person and certainly not to whom this license plate

     had been granted. Furthermore, the defendant prepares the documents that it uses

     when it does – consciously – process personal data of data subjects. As above

     explained, the Inspectorate is of the opinion in this case that certain information, which is for the

     Inspection service is essential to arrive at a good assessment, is missing. Consequently

     the Inspectorate ruled that there had been a violation of article 5,
     Article 24 (1) and Article 25 (1) and (2) GDPR.


35. The Disputes Chamber recalls that an investigation by the Inspectorate on a

     must be done in a loyal manner. If the answer of the controller
     is not sufficient for the Inspectorate, it normally falls to the

     Inspection service to clarify on which points more information is requested. This

     this can be done, for example, by asking more specific questions about a certain subject or by

     to request specific documents or information. After all, it is for the

     controller is not always easy to apply in such a general and broad way
     ask to formulate a comprehensive answer or provide the exact documents that the

     Inspectorate wishes to investigate. If the Inspectorate should ask more specific questions

     stated or requested concrete documents and the

     controller and has not been able to provide the requested information

     it to the Inspectorate to report a violation of accountability such as

     understood in Article 5, paragraph 2 and Article 24, paragraph 1 and Article 25, paragraph 1 and paragraph 2 GDPR. The
     The Disputes Chamber notes that the Inspectorate did not ask any additional questions

     on specific subjects and that no specific documents were produced

     requested in order to arrive at a proper assessment of the case. The

     The Litigation Chamber therefore concludes that the Inspectorate's investigation is not sufficiently specific

     conducted with regard to this finding. Consequently, the Litigation Chamber comes to the
     conclusion that it is disproportionate in this case for a violation of Articles 5, 24, paragraph 1 and

     25 (1) and (2) GDPR on the basis of a general question in the context of the

     accountability, which was answered by the defendant, without further notice

     follow-up questions from the Inspectorate. It is up to the Inspectorate to determine on the basis of

     due diligence investigation any shortcoming of Article 5, Article 2(1) and Article 25,
     Paragraphs 1 and 2 GDPR to be demonstrated by the defendant.


     Article 5 (1) GDPR

36. The Disputes Chamber finds that, based on the answer provided by the

     defendant in the context of the investigation, the Inspectorate comes to the conclusion that Decision on the substance 188/2022 - 12/29


     there is a breach of all fundamental principles relating to the protection of

     personal data as stipulated in Article 5 (1) GDPR. Although Article 5(1) and (2) GDPR

     are closely related means any violation of the

     accountability of Article 5 (2) GDPR is not automatically also a violation of
     Article 5, paragraph 1 GDPR

     document compliance with the substantive principles of the GDPR

     to show. Both elements must therefore be assessed separately.


37. The Litigation Chamber notes that the Inspection Report only contains findings regarding
     the principle of transparency as understood in Article 5(1)(a). The Disputes Chamber will then

     also address this finding. As already explained above, the

     Inspectorate finds that certain elements are not explained in concrete terms by the

     the defendant, such as or the complainant, whose personal data were processed by the

     the defendant has actually received a copy of its general privacy policy.

38. In its conclusions, the defendant disputes the findings of the Inspection report. Side pose

     that within its organization various privacy responsibles have been appointed per

     department, also for the fiction department. When the defendant's writing the

     the complainant received via the info address (so not via a specific e-mail address intended for

     privacy matters) it has made every effort to be accurate and timely
     answer. Furthermore, the defendant reiterates that it does not deny that a license plate is a

     personal data may matter, but that this is not the case in this case. Then the light

     to the defendant what appropriate and technical organizational measures it takes to

     to ensure that, in relation to audiovisual productions, the personal data of

     data subjects are processed in accordance with the GDPR. So it ensures that in cases

     in which there could be the processing of personal data in her
     audiovisual productions by filming and subsequently displaying a

     existing number plate of a data subject who does not have permission for this

     given, these relevant scenes are deleted, trimmed or the license plate

     is made illegible (for example by means of blurring). In addition, in other cases where

     personal data of data subjects are processed in the context of an audiovisual

     production (and that is mainly the case in non-fiction productions), is the common one
     working method within the organization of the defendant that either, for those involved who have a

     play a greater role in production, in the agreements with them the necessary

     provisions on data protection are included, either, for data subjects who

     fulfill a smaller role or a short-lived participation within the production, a shortened

     'quit claim' is signed. Include both aforementioned contracts and quit claims

     clauses related to the processing of personal data. These documents
     are provided to the parties involved and explained prior to the collaboration

     between the defendant and the data subject, together with the General Privacy Policy. In the Decision on the substance 188/2022 - 13/29


     In the case of the complainant, there is no signed contract or quit claim, since

     the defendant did not assume at all that any personal data was being processed, late

     that she knew at all whose personal data it concerned. It is also true after that
     the writing of the complainant's counsel of the General Privacy Policy was not addressed to him

     transferred by the defendant. This reflex was not created for the sake of that

     the defendant was first of all convinced that this was not about the

     processing of personal data. The defendant argues that if the

     Litigation Chamber would nevertheless be held that a processing of personal data

     of the complainant has taken place, she wishes to emphasize that this situation, where there
     an alleged processing of personal data has taken place without the

     data subject was informed about this and without having read the General Privacy Policy

     received, constitutes a one-off and isolated case that is inconsistent with the

     common practice regarding the policy on the protection of personal data

     on behalf of the defendant.

39. The Litigation Chamber finds that the defendant, in the creation of the audiovisual

     production was not aware of the identity of the complainant, as holder of the

     personalized license plate.

40. The Inspection Report then finds that the Respondent has failed to

     General Privacy Policy to be passed on to the complainant after he has had contact with her

     taken with a request that his license plate be removed from production. The

     The defendant argues that she did not make this reflex because she believed that there was no question
     was of processing of personal data. The Disputes Chamber notes that in this letter

     only the data erasure request is included. The defendant could not

     reasonably expect that the complainant also wanted to receive the General Privacy Policy

     when the letter from the complainant requesting the erasure, none

     request or reference to the General Privacy Policy.

41. In view of the above, the Disputes Chamber rules that there is no question of a

     violation of the principle of transparency as understood in Article 5 (1) a) GDPR for what

     concerns not transmitting the General Privacy Policy.

42. The Litigation Chamber finds that the Inspection Report constitutes a violation of all

     basic principles of Article 5. This violation arises from the alleged non-

     compliance with the above accountability obligation. The Disputes Chamber points out that
     the determination of an alleged breach of all fundamental principles regarding

     data processing based on an alleged determination of the

     accountability is disproportionate. Consequently, the Litigation Chamber concludes that the

     determination of the Inspectorate regarding these principles is not sufficiently substantiated by Decision on the substance 188/2022 - 14/29


      evidence that makes further treatment of these findings impossible

      the Disputes Chamber is of the opinion that there is no infringement of the above

      Articles 5, 24 (1) and 25 (1) and 2 GDPR.


    II.3. Article 5(1)(a) and Article 6 of the GDPR regarding legality


 43. In its conclusions, the complainant argues that the contested processing took place without

      consent and is therefore unlawful within the meaning of Article 5, paragraph 1, a) GDPR. Deklagerstel
      that he did not give permission to the defendant for worldwide exhibition

      of his personalized number plate, so that the processing of his personal data

      is unlawful under Article 6 GDPR.


 44. The complainant argues that a weighing of interests between, on the one hand, the right of the complainant to

      protection of his personal data and, on the other hand, the legitimate interest of the

      defendant, namely freedom of expression and information (including freedom of

      artistic expression) also results in a rating against
      latter.


      The Litigation Chamber recalls that, in order to rely on this legal basis from Article 6(1)(f)

      GDPR to be able to rely on the processing of personal data, it must

      legitimate interest of the controller or third parties

      balanced against the interests or fundamental rights and freedoms of the

      data subjects. The legitimate interest is closely related to – but different from – it
      concept of processing purpose, which must be specific pursuant to Article 5(1)(b) GDPR. While it

      'purpose' relates to the specific reason why the data is being processed, i.e.

      the purpose or intention of the data processing, the concept of 'interest' is related to

      the wider interest that a controller may have in the processing, or

      the benefit to the controller — or a third party, which is not necessarily as

      co-controller needs to be qualified — from the processing
            11
      fetches.

 45. In accordance with article 6, paragraph 1, f) of the GDPR, the case law of the Court of Justice should

      three cumulative conditions must be met for a

      controller can validly rely on this

      ground of legitimacy, “namely, in the first place, the defense of a

      legitimate interest of the controller or of the third party(ies)

      to whom the data are provided, secondly, the need for the processing

      of the personal data for the purposes of the legitimate interest, and, in the



10
  cf. Section A.1 of the dismissal policy of the Litigation Chamber.
1 CJEU Judgment of 11 December 2019, TK v. Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064,
para. 44. See also decision 21/2022 of 2 February 2022. Decision on the substance 188/2022 - 15/29


      third, the condition that the fundamental rights and freedoms of the

      data protection of the person concerned does not prevail” (judgment “Rigas”) .12


 46. In other words, in order to rely on Article 6(1)(f) of the GDPR

      the legal ground of the “legitimate interest”, the

      to demonstrate to the controller that:

         1) the interests it pursues with the processing can be justified
         be recognized (the “goal test”);

         2) the intended processing is necessary for the fulfillment of these interests

         (the “necessity test”); and

         3) the balancing of these interests against the interests, fundamental

         freedoms and fundamental rights of data subjects in favor of the

         controller or a third party (the “balancing test”).

 47. In the present case, the Disputes Chamber finds that the interest of the defendant consists of

      creating audiovisual productions as an exercise of her artistic expression, which becomes

      enshrined in the constitutionally protected freedom of expression. In view of this

      personal data of the complainant are processed.


 48. Artistic expression includes creating fictional characters and their

      living world. In doing so, the defendant can use public data, as in the present case
      the case is. The license plate matches the fictional character, whose son is a fan of the

      Turkish football club Galatasaray S.K., which was founded in 1905. Consequently, the use of

      this license plate under the design of a fictional character a

      exclusively artistic expression. In the opinion of the Disputes Chamber there is none

      doubt that the purpose test from the case law of the Court of Justice is met. Having

      on the artistic aim of emphasizing the link with the football club and the freedom for the

      defendant in this context to choose a suitable remedy, the

      Litigation Chamber that the necessity test is also met.

 49. With regard to the balancing test, the interest of the complainant consists in the protection of his

      personal data and the related fact that he is addressed about

      the similarity between his license plate and the fictional license plate.


 50. As far as the interests of the complainant are concerned, the Disputes Chamber states that it has little

      it is plausible that the bearing is greatly hindered by the similarity
      only personal and/or business relationships are the agreement between the two

      discover number plates and confront the complainant with this. The audiovisual



1 CJEU Judgment of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde t. Rigas pašvaldības SIA

'Rīgas satiksme', C-13/16; ECLI:EU:C:2017:336, para. 28-31. See also CJEU Judgment of 11 December 2019, TK v/ Asociaţia
de Proprietari bloc M5A-ScaraA,C-708/18, ECLI:EU:C:2019:1064,para. 40.
13While the concept of “purpose” should be read in the light of the previous points of this decision. Decision on the substance 188/2022 - 16/29


     production is fictitious and, moreover, there is no other link between the complainant and the fictitious

     character. In addition, each episode indicates that it concerns a fictional production

     and that any similarity with persons is purely coincidental. In this regard, the

     Litigation Chamber that, despite the matching license plates, there are no others
     resemblance, similarity or any other link exists between the fictional character and

     the complainer. In this context, the Disputes Chamber also points out that the defendant has no

     knew of the existence of the complainant's license plate, so

     inspiration. The creation was therefore independently created by the defendant.

51. Consequently, the Disputes Chamber concludes that it is for this personal or business

     relations it should be clear that the complainant has no connection whatsoever with milieus

     in which the fictional character from the audiovisual productions moves.


52. The Disputes Chamber also points out that the complainant has opted for a
     license plate, consisting of public data linked to a

     football club known worldwide. It could therefore have been foreseen by the complainant that

     this data could be used for artistic purposes. The

     circumstance that the defendant as a program maker does not necessarily have this

     number plate could have used does not make the disputed processing unlawful

     would be on the basis of Article 6(1)(f) GDPR. The choice to shape a character
     the hand of a certain cultural background with reference to a very

     meaningful football club within this culture, falls under the freedom of the artistic

     form of expression.

53. In view of the above, the Disputes Chamber concludes that in this case the interest of the

     artistic expression of the defendant outweighs the right to protection

     personal data of the complainant. Therefore, the defendant complies with the

     balancing test. The data was therefore allowed to be processed. The question to what extent the

     possible adverse consequences for the bearing could have been limited by used

     exercising the right to erasure is discussed below in Section II.4.

54. The Disputes Chamber therefore concludes that there is no infringement of Article 5,

     paragraph 1, a) and Article 6, paragraph 1, f) GDPR.

   II.4. Violation of Article 12(1) and (4) of the GDPR, Article 17 of the GDPR, Article 24(1)

        of the GDPR and Article 25 (1) of the GDPR

55. The Inspectorate finds that the defendant has fulfilled the obligations imposed by Article 12,

     has not complied with paragraphs 1 and 4, Article 17, Article 24 paragraph 1 and Article 25 paragraph 1 of the GDPR. The

     In this context, the Inspectorate first of all points to the fact that the complainant's request for

     to erase his personalized license plate from the audiovisual production

     rejected because of the “right to artistic expression”, without clarifying the substance Decision 188/2022 - 17/29


      which provision of Article 17 (3) GDPR is invoked. Second, according to the

      Inspectorate does not make this explanation transparent in accordance with Article 12, paragraph 1 and paragraph 4

      AVG since it is not clear to the complainant on what exact basis his investigation

      was refused and, furthermore, no mention was made of the possibility of lodging a complaint

      serve at the GBA. The Disputes Chamber will first reject the refusal to proceed to

      assess data erasure and subsequently the resulting transparency obligations
      from Article 12 GDPR.


       II.4.1. Article 17 of the GDPR, Article 24 (1) of the GDPR and Article 25 (1) of the GDPR


 56. The Disputes Chamber points out that on 5 January 2022 the complainant submitted its request for

      performed data erasure with regard to the defendant, which refused
      was made by the defendant on the basis of her freedom of artistic expression.


 57. The Inspection Service establishes in its Inspection Report that the erasure of data is unlawful

      was refused by the defendant. The Inspectorate hereby refers to the law of30

      July 2018 on the protection of natural persons with regard to the
      processing of personal data 14 (hereinafter: Law of 30 July 2018). This law provides

      exceptions to the rights of the data subjects for processing of

      personal data for, among other things, "artistic forms of expression". The

      However, the Inspectorate emphasizes that those exceptions do not apply to the

      Articles 12, 17, 24 and 25 of the GDPR. In addition, those exceptions must be read

      in view of article 85, paragraph 2 of the GDPR and thus effectively “necessary for the right to

      to reconcile the protection of personal data with the freedom of
      expression and information”. The complainant endorses this view in its conclusions.


 58. The defendant disputes this finding of the Inspectorate. She leads in her

      conclusions that the law of July 30, 2018 in article 24 indeed provides that a number

      provisions of the GDPR do not apply “to processing of personal data

      for journalistic purposes and for academic, artistic or literary purposes
      forms of expression”. The defendant first enters into the determination of the

      Inspectorate that Article 17 of the GDPR does indeed not appear in the enumeration of

      the articles of the GDPR to which the exceptions from the law apply.


 59. In this regard, the defendant refers to the Explanatory Memorandum accompanying the bill
      of the Law of 30 July 2018 clarifying the following: “[t]he draft law

      informs the controller for journalistic, academic, artistic or

      literary purposes are not exempt from the obligation to exercise the right to be forgotten

      to the person concerned (Article 17 of the Regulation). Article 17.3 of the GDPR



14
  Law of 30 July 2018 on the protection of natural persons with regard to the processing of
personal data, BS 5 September 2018. Substantive decision 188/2022 - 18/29



       itself states that the right to be forgotten does not apply to processing

       purposes of free expression and free information. The regulation is therefore direct
       applies and it is therefore not necessary for the law to recreate that exemption.”15


 60. This position was also followed by the Council of State, stating:


       “Article 29 (current Article 24) rightly does not state that it does not apply to

       the processing of data for journalistic, academic, artistic or literary purposes

       purposes, as that exclusion is already provided for in paragraph 3(a) itself of that
       article 17”.


 61. The Litigation Chamber refers to the structure of Article 85 GDPR that the general assignment

       formulates to the (national) legislator to watch over the reconciliation of the relationship

       between freedom of expression and the protection of personal data. The

       The Belgian legislator has regulated this relationship in the law of 30 July 2018. Article 24

       of this law states that for processing for journalistic, academic, artistic or

       literary purposes, certain rights of the data subject do not apply. The law

       refers in this context to Articles 7 to 10, Article 11(2), Articles 13 to 16, 18 to

       20 and 21 (1) GDPR. After all, there is no such exception for these articles in the GDPR

       provided for processing of personal data for journalistic, academic,

       artistic or literary purposes. Article 24 of the law of 30 July 2018 states the

       controller for journalistic, academic, artistic or literary
       purposes, however, are not expressly exempt from the obligation to exercise the right to erasure

       (“right to be forgotten”) to the data subject (Article 17 GDPR). A

       such explicit exemption is also not necessary since, as rightly so

       noted by the defendant, Article 17(3) GDPR is directly applicable in the

       Belgian law.


 62. Based on the above, the Disputes Chamber adopts the position of the

       the defendant and is of the opinion that Article 17(3) GDPR itself provides the possible grounds for exception

       provides for the right to erasure, without having to read them again in the

       law of 30 July 2018.

 63. The Litigation Chamber refers to Article 17(1) of the GDPR, which stipulates that the data subject

       has the right to obtain from the controller without unreasonable delay

       to obtain the deletion of the personal data concerning him. Based on the same

       point c), the controller is obliged to process the personal data



15
  Draft law of 11 June 2018 on the protection of natural persons with regard to processing
of personal data, Parl.St. Room No. 54-3216/001, 54.
16Advice of 19 April 2018 of the Council of State, Legislation Division on a draft law 'regarding the
protection of natural persons with regard to the processing of personal data”, Parl.St. Senate No.
63.192/2, 80, No. 4.4; Draft law of 11 June 2018 on the protection of natural persons with regard to
to the processing of personal data, Parl.St. Chamber no. 54-3216/001, 54. Decision on the substance 188/2022 - 19/29



       without undue delay, including when the data subject
       object to the processing in accordance with Article 21 (1) GDPR and does not object

       prevailing legitimate grounds for the processing. Such as

       set out above, the complainant has a request pursuant to Article 17(1)(c) GDPR

       addressed to the defendant.


 64. However, Article 17(3)(a) GDPR states that Article 17(1) GDPR does not apply when

       such processing is necessary for exercising the right to freedom of

       expressions information. This article provides an exception rule right away

       balancing of interests between two fundamental rights, namely the balance between the right to
       freedom of expression and information on the one hand and the right to protection of

       personal data on the other. It is on this ground that the defendant refused

       to implement the request for erasure of the complainant.


 65. In the context of the present file, the Litigation Chamber will thus verify whether the request for

       data deletion in accordance with 17 (1) c) GDPR rightly refused by the defendant

       became pursuant to Article 17 (3) (a) GDPR and in particular whether the right to freedom of

       information, on the one hand, and the right to the protection of personal data,

       on the other hand, are properly balanced against each other.

 66. The Disputes Chamber points out that in this case the complaint was lodged against the

       defendant as a production house, which, among other things, makes fictional audiovisual productions.

       First of all, the Disputes Chamber reminds that the right to freedom of expression

       and information is protected by Article 10(1) of the European Convention on the

       Human Rights (hereinafter: “ECHR”). “This right includes the freedom to hold an opinion

       and freedom to receive or impart information or ideas, without

       interference by any public authority […]" and the equivalent Article 11 of the

       Charter of Fundamental Rights of the European Union (hereinafter: “Charter”), paragraph 2 of which
       in particular guarantees respect for freedom and pluralism of the media.


 67. As also cited by the defendant, the right to freedom of expression is true

       Article 17(3)(a) GDPR refers to does not only apply to certain species

       information, ideas or forms of expression such as of a political nature, it also includes artistic
               18
       expressions. The European Court of Human Rights (ECtHR) also stated: “[d]e

       confirmation, to the extent still necessary, that this interpretation is correct is provided by the

       second sentence of paragraph 1 of Article 10 (Art. 10-1), which refers to "broadcasting, television or

       cinema companies", media whose activities extend to the field of
       the art. A confirmation that the concept of freedom of expression also includes artistic expressions

       can also be found in Article 19(2) of the International Convention on



17See CJEU judgment of 24 September 2019, G.C et al. v CNIL, ECLI:EU:C:2019:773, § 56 et seq.
18 ECtHR, 25 May 1988, 10737/83, Müller and Others v. Switzerland, § 27. Decision on the substance 188/2022 - 20/29



       civil and political rights, that information and ideas "in the form of art"
                                                                        19
       expressly includes the right to freedom of expression. ” Consequently, resort
       expressions of art expression under the protection of Article 10 ECHR and Article 11 of the

       charter.


 68. As already mentioned, the present case is about the trade-off between the right to liberty of

       expression and information, and in particular freedom of artistic expression, of the

       defendant (Article 10 ECHR and Article 11 Charter) and the right to protection of

       personal data of the complainant (Article 8 of the Charter). So it is one

       balance of fundamental rights.

 69. In this context, the Disputes Chamber refers to the case law of the Court of Justice in the

       under the takedown requests to search engines, most recently the judgment

       Google, C-460/20. 20 In this, the Court states: “The circumstance that Article 17(3)(a)

       AVG expressly stipulates that the right to erasure of data belongs to the data subject

       excluded when the processing is necessary for the exercise of the activities referred to in Article 11

       the right to, inter alia, freedom of information guaranteed by the Charter

       expression of the fact that the right to the protection of personal data is not absolute

       right, but, as has been emphasized in recital 4 of this Regulation, needs to be considered

       in relation to its function in society and in accordance with it

       The principle of proportionality must be balanced against other fundamental rights. [..]In the GDPR,

       and more specifically in Article 17(3)(a), there is thus an explicit requirement that there

       a trade-off must be made between those set out in Articles 7 and 8 of the Charter

       enshrined fundamental rights to respect for private life and to the protection of

       personal data on the one hand, and what is guaranteed by Article 11 of the Charter

       fundamental right to freedom of information on the other.”

 70. The answer to the question which of these two rights is heavier in the specific case

       weighs, must be found by weighing up all relevant

       circumstances of the case. This assessment must be done in one go

       considers that either right, having regard to all relevant circumstances,

       outweighs the other right, entails that the other right is infringed

       law satisfies the necessity test of the relevant paragraph 2 of Article 8 and

       Article 10 ECHR, as specified in Article 52 of the Charter.

 71. The judgment in Karatas v. Turkey of the ECtHR that the freedom of artistic

       expression includes the following: “particularly within the freedom to share information and ideals

       receiving and transmitting, which provides the opportunity to participate in the public



19 ECtHR, 25 May 1988, 10737/83, Müller and Others v. Switzerland, § 27. See also CJEU, C-460/20, § 62.
20
  CJEU, 8 December 2022, ECLI:EU:C:2022:962, §§ 60-62.
21 ECtHR, VGT Verein gegen Tierfabriken v. Switzerland, 28 June 2001, § 68. Decision on the substance 188/2022 - 21/29


       exchange of cultural, political and social information and ideals of all kinds. They who

       creating, performing, distributing or exhibiting works of art contribute to the exchange

       of ideas and opinions that are essential for a democratic society. Hence the

       obligation on the state not to unnecessarily infringe on their freedom of
                      22
       expression” (free translation).

 72. The defendant argues that the choices made to select the characters of the

       to shape audiovisual production under the freedom of artistic expression

       fall. The Defendant has made the creative choice to select certain of her characters

       a Turkish background, with a family passionately supporting the

       Galatasaray football club with a car with a personalized number plate that refers to this one

       club refers. The defendant clarifies in this regard that the letters and numbers of the

       number plate refer to the name of the club itself and the founding year 1905.

 73. On the other hand, the complainant argues that this license plate was assigned to him, as a result of which this

       his personal data. With the publication of this license plate, he is recognized by his

       contacts (both private and business) about possible ties with a criminal

       gang, as the fictional character with this license plate would have ties to it

       criminal environment.

 74. The Litigation Chamber finds that the conception of the character in question, with his

       car and license plate, is an expression of the defendant's artistic freedom.

       Galatasaray is a very well-known club with a very large fan following, especially in the

       Turkish community. Consequently, it is not inconceivable that, when creating a fictional

       Turkish character and his background and world references to one of the greatest

       and most popular Turkish football clubs are included. The defendant made one
       choice, partly in view of the limited space on a license plate, for public data

       from which it is immediately clear that it concerns that football team, namely the abbreviation of the

       name and the year of establishment. These are data that the Turkish community immediately

       associates with the football team in question.


 75. It is therefore plausible that an identical
       license plate was chosen by the complainant. The Disputes Chamber notes that,

       apart from the corresponding license plate, there is no link between the complainant and

       defendant. The personal data was not collected or obtained from the complainant and there is

       also no other link between the complainant and the fictional character and the milieu in which they find themselves

       are located.

 76. That the combination of these data through the assignment of the registration plate by the

       Vehicle Registration Service has been given a personal character for the complainant



22 ECtHR, Karatas v. Turkey, 8 July 1999, § 49. Decision on the substance 188/2022 - 22/29


       according to the Disputes Chamber, this does not detract from the public character of the club and the

       artistic thought process based on which the character with his car with

       registration plate has been established.


 77. The Disputes Chamber notes in this regard that the information relating to the allocation
       number plates is also not freely available. The aforementioned website of the Service

       Registration Vehicles allows you to check whether a particular vehicle has been personalized

       license plate is still available. It was also impossible for the defendant to

       identity of the holder of this particular number plate.


 78. The complainant argues that publishing the number plate is not necessary in a
       democratic society. When assessing the condition of necessity goes

       the ECtHR takes a global approach. One has to look at the tension between

       both rights in the context of the entire case.23 The Disputes Chamber notes that the

       the defendant could have checked whether this personalized license plate was still available via

       the aforementioned website of the Vehicle Registration Service. The circumstance

       that the defendant, as a program maker, could not necessarily have used this number plate

       using,but could have chosen another,doesn't prevent this creative choice from being made

       under the artistic expression as protected in Article 10 ECHR.

 79. With regard to the complainant's grievances regarding the fact that he is being treated in this regard

       addressed by family, friends and business relations, the Disputes Chamber notes that

       only people from the complainant's environment can make the link between the car and the car

       person of the complainant, assuming that these relations enter the audiovisual production

       have seen the issue and noticed the similarity between the license plates.

       In addition, it is also explicitly stated with each delivery that any agreement with
       persons or organizations is purely coincidental. In addition to using the

       matching license plate in the fiction series also does not become one at any point

       link made to or focused on the person of the complainant, or elements quoted that

       refer to him personally or to his private sphere. This is also explained by the fact

       that the defendant was not, or could not be, aware of the identity of the complainant on the

       moment of the creation of the audiovisual production. The Disputes Chamber notes

       finally notes that the complainant has made the choice to obtain public data from a very

       known club to be mentioned on a license plate. So he could reasonably expect
       that this data could also be devised by other persons.


 80. The Disputes Chamber therefore decides that the agreement between the two license plates

       coincidentally based on a parallel thinking process of the complainant and the defendant to

       have come about, namely expressing an identity as a staunch supporter of



23 ECtHR VGT Verein gegen Tierfabriken t. Switzerland, 28 June 2001, § 68 and ECtHR, Feldek v. Slovakia, July 12, 2001, §77. Decision on the substance 188/2022 - 23/29


     Galatasaray. Both parties have used the name and the

     founding year of the club, being known public data with a direct association

     with the club. In view of the foregoing, the circumstances on the side of the complainant of
     insufficient weight, to the right to freedom of expression, including the right to

     artistic expression of the defendant, as guaranteed by Article 10 ECHR te

     restrict or remove it. The Disputes Chamber concludes that there is no question

     an infringement of Article 17 GDPR.

      II.4.2. Article 12 (1) and (4) GDPR


81. Based on Article 12 of the GDPR, the controller must inform the data subjects

     provide transparent information and, in principle, reply to them free of charge within 1 month

     to request. It is essential that the information provided is understandable and easy

     accessible to those involved. It is also important that the
     controller the exercise of the rights of the data subjects on the basis

     of Articles 15 to 22 of the GDPR. Finally, the

     inform the data subjects of the rejection of their request

     why that request was rejected and inform those concerned about the possibility

     to lodge a complaint with a supervisory authority as well as appeal to the courts
     configure.


82. The defendant argues that, although in its letter of reply to the complainant dated. 21

     January 2022 has not explicitly referred to the specific legal basis of Article 17,
     paragraph 3, a) of the GDPR, she has very clearly indicated in her letter of reply to

     the grounds on which it decided not to comply with the request

     until the erasing of the number plate in question from the fiction sequence, causing them to submit

     the Disputes Chamber would nevertheless be ruled that a processing of

     personal data of the complainant has taken place, still complies with her

     obligation under Article 12(1) of the GDPR imposed by the controller
     to, if it does not comply with the request of the data subject, the latter

     “without delay and at the latest within one month of receipt of the request [to be communicated]

     why the request has not been acted upon”.

83. The Disputes Chamber notes that the defendant in the aforementioned letter dd. 21st of January

     2022 has explained that it believes that it should not comply with the request

     erasure of data because it believes that there is no processing of

     personal data. In a subordinate order, if there would nevertheless be processing

     of personal data, it invokes its right to artistic expression, part
     of the right of expression, in order not to erase the number plate.

     In this context, the Disputes Chamber points out that the defendant must state the reasons for the refusal

     to delete, without specifying the relevant decision on the substance 188/2022 - 24/29


     articles of law in this regard. The Disputes Chamber rules that in this case the explanation regarding the

     refusal to erase data could have been formulated more clearly

     of the complainant. The additional mention of the legal articles and a more detailed

     explanation could also have contributed to the clarity of the refusal.

84. In addition, the defendant argues that the complainant was represented by counsel

     who was aware of the applicable legislation and therefore the possibility to collect a complaint

     to the GBA, since it had already indicated that it might file a complaint

     at the GBA. The Disputes Chamber takes note of this explanation, but does not consider it
     convincing. As far as necessary, the Disputes Chamber reminds that this

     transparency principles from Article 12 (4) GDPR apply regardless of whether the complainant

     whether his counsel is aware of the complaints procedure at the GBA.


85. In view of the above, the Disputes Chamber is of the opinion that the defendant on a
     could have handled the transparency obligation in a more careful manner. There is talk

     of an infringement of article 12, paragraph 1 GDPR, but this infringement is not of such a serious nature

     that a penalty should be imposed. It is sufficient for the defendant to

     warn for the future that the transparency principles from Article 12 (4) GDPR

     apply regardless of whether the complainant or his council is aware of this or not

     are.

   II.5. Article 38(1) and Article 39 of the GDPR


86. The Inspectorate finds that the defendant's obligations imposed by Article 38,

     paragraph 1 of the GDPR and has not complied with Article 39, paragraph 1 of the GDPR. The Inspection Service
     refers in this context to the following elements:


87. “For the purpose of informing and sensitizing the personnel concerned with

     with regard to the processing of personal data by (employees of) [de

     [respondent] was organized by the client for the necessary consultations between its employees
     and its legal advisers for the purpose of preparing and implementing the necessary

     documentation to comply with its obligations under the GDPR and were internally de

     necessary information moments are organized to explain this. In addition, a

     “Privacy and Confidentiality Policy” for Defendant's employees

     drawn up and implemented, which the employees of [the defendant] must comply with

     life and explaining the policy for handling confidential information,
     including personal data, by these employees. You will find a copy of this policy here

     attachment 3".


88. However, the Inspectorate argues that the defendant fails to demonstrate:

     - what the aforementioned “necessary consultation” and “the necessary information moments” mean in practice

     mean (no supporting evidence was provided for these aspects); Decision on the substance 188/2022 - 25/29


     - whether and, if applicable, how its data protection officer is involved

     and/or was in the creation and follow-up of the foregoing;

     - whether and, if applicable, how its data protection officer is involved

     and/or was involved in the creation and follow-up of the “Privacy and

     Confidentiality Policy” (e.g. using supporting documents such as internal

     emails);

     - how compliance with the “Privacy and Confidentiality Policy” is put into practice

     guaranteed. After all, imposing data protection directives is in itself

     insufficient if compliance is not effectively guaranteed by the defendant

     with the cooperation of its data protection officer.

89. The GDPR recognizes that the data protection officer is a key figure for what

     concerns the protection of personal data whose designation, position and duties to

     rules are subject. These rules help the controller to
     comply with its obligations under the GDPR, but also assist the officer

     data protection to properly perform its tasks.


90. The Litigation Chamber recalls that Article 38(1) GDPR prescribes that the
     controller ensures that the officer for

     data protection is timely and properly involved in all matters

     related to the protection of personal data. Based on Article 39(1).

     GDPR, the data protection officer (a) must be the controller

     informing and advising on its obligations under the GDPR and others

     Union or Member State data protection provisions and (b) monitor
     compliance with the GDPR, other Union or Member State law

     data protection provisions and of the policy of the controller

     or the processor with regard to the protection of personal data, including

     of the allocation of responsibilities, awareness raising and training of the

     processing of personnel involved and the relevant audits.

91. The defendant emphasizes in its conclusions that, however, at the time of the

     introduction of the GDPR in mid-2018 has made a well-considered decision not to appoint an official for this

     establish data protection. In this respect she refers to Article 37(1) of the
     GDPR in which the designation of a data protection officer becomes mandatory

     made in three cases:


     “1. The controller and the processor designate an officer
     data protection in any case where:


     a) the processing is carried out by a public authority or body, except in

     the case of courts in the exercise of their judicial functions; Decision on the substance 188/2022 - 26/29


     b) a controller or processor is principally entrusted with

     processing which, due to its nature, its scope and/or its purposes, is regular and

     require systematic surveillance of data subjects on a large scale; or

     c) the controller or processor is mainly responsible for

     large-scale processing of special categories of data under Article 9

     and of personal data related to criminal convictions and offences

     facts as referred to in Article 10.”

92. The defendant considers that none of these three cases applies to her. She is not

     government agency or body, nor as a producer of audiovisual works

     a large-scale processor of special categories of data, nor of

     personal data relating to criminal convictions and offences.

93. The defendant's main activity is the production of audiovisual works

     admittedly, the defendant regularly processed (and processes) personal data in the context

     of (part of) its activities (i.e. for part of its non-fiction activities), but

     on the other hand, its main activity does not focus on processing operations that are “regular and
     systematic observation of data subjects” required “on a large scale”, Article 37(1) became

     of the GDPR was not considered applicable and it was therefore decided not to appoint an official for

     establish data protection. The defendant did consider it more useful and practical –

     as is still the case today – to work with some

     data controllers (five to be precise), one per department. aforementioned

     considerations and decision – not to have a data protection officer, but to have one
     to appoint privacy officers per department – were announced in 2018 at the time

     explicitly included in the summary overview of all measures taken by the

     the defendant then took to make the business activities GDPR-compliant.


94. As stated by the controller, Article 37(1) of the GDPR makes that
     the designation of a data protection officer is made mandatory in

     three cases (see marginal 92). The Disputes Chamber adopts the position of the

     defendant and notes that none of these three cases from Article 37 GDPR of

     applies to the controller, which means that it is not obliged to provide a

     appoint a data protection officer. Consequently, obligations for

     neither does the data protection officer as defined in Articles 38 and 39 GDPR
     applicable in this case.


95. However, this does not mean that the defendant has not taken measures to

     process personal data in accordance with the GDPR. Based on concrete examples

     In its conclusions, the defendant refutes the findings of the Inspectorate. For
     with regard to the Inspectorate's finding that the defendant would not demonstrate what

     the "above-mentioned consultation" and "the necessary information moments" mean in practice, makes decision on the merits 188/2022 - 27/29


     the defendant a report on the main concrete measures and steps taken

     it has performed since the entry into force of the GDPR. The defendant does so

     emails about information sessions that were given, as well as attendance lists with
     signature. With regard to the journey towards transformation to GDPR compliance

     the defendant makes several email conversations about which it appears that there is a direct

     and close cooperation appears between the defendant's lawyers and some of the

     data controllers of the defendant. The defendant also makes e-

     correspondence about which it appears that the council members on the one hand and the

     data controllers, on the other hand, have close consultations about the Privacy and
     Confidentiality Policy. As far as the further follow-up is concerned, the defendant refers

     to its documents, including a document on the procedure to be followed in the event of

     a data breach. New employees are also systematically informed

     regarding the privacy and confidentiality policy and submit to it through their

     agreement with the defendant.

96. Finally, the Inspectorate states that the defendant does not demonstrate how compliance with the

     privacy and confidentiality policy is guaranteed in practice. First of all, you can

     It should be noted that the defendant has taken a lot of organizational and technical measures
     provides, among other things, for access by unauthorized persons and/or unwanted or unintentional

     secure distribution. In the first instance, reference can be made to the list

     with the most important IT security measures. The defendant is also light

     its data breach procedures in its conclusions. Furthermore, the

     defendant to the use of the quit claims (see section II.2). Production employees

     know that they also always have enough copies of the necessary
     consent forms regarding the processing of personal data

     take them to the shooting locations (and do so), so that the candidate participants

     sufficiently informed to be able to confirm whether or not they agree with the processing

     of their personal data. Also when concluding the agreements with new ones

     employees (permanently employed or freelance) are provided with sufficient information. Further
     they consistently receive the necessary explanation – including through delivery of the text of

     the “Privacy and Confidentiality Policy” – before committing to signing

     agree to their agreement with the privacy rules. Finally, the

     the defendant again to the complaint that gave rise to the current one

     procedure. As soon as the letter from the complainant's counsel has been received by the
     defendant, the complaint was immediately forwarded to Mr

     for the fiction department and the defendant's lawyers requesting the

     defendant in this regard. The data protection officer then took the matter further

     followed up with the defendant's counsel, which again shows that the defendant

     does take its privacy policy seriously and does not limit it to the mere Substance decision 188/2022 - 28/29


      "imposing guidelines" by means of the necessary texts, as the Inspectorate incorrectly

      thought to determine.

 97. The Disputes Chamber argues that it is disproportionate in this case to declare a violation of the

      Articles 38 (1) and 39 GDPR. Since the defendant is not obliged to

      to appoint a data protection officer are the obligations

      not applicable to the defendant pursuant to Articles 38 and 39 GDPR. Consequently

      the Litigation Chamber concludes that there is no infringement of Articles 38(1) and 39 GDPR
      was committed by the defendant.


III. Publication of the decision


 98. Given the importance of transparency with regard to decision-making by the
      Litigation Chamber, this decision will be published on the website of the

      Data Protection Authority. However, it is not necessary for the

      identification data of the parties are disclosed directly.





    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

    - to dismiss on the basis of Article 100, §1, 1° WOG with regard to the violations of:


           o Articles 5, 24 (1) and 25 (1) and (2) GDPR

           o Articles 5(1)(a) and 6 GDPR,

           o Articles 17 of the GDPR, Article 24(1) of the GDPR and Article 25(1) of the

               GDPR; and

           o Articles 38(1) and 39 GDPR.

    - on the basis of article 100, §1, 2° WOG order the external prosecution with regard to the

        violation of Article 12 (1) GDPR.

    - pursuant to Article 100, §1, 5° WOG, to warn the defendant for the future

        that the transparency obligations in Article 12 (4) GDPR must be complied with.





Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notification against this decision may be appealed to the Marktenhof (court of

appeal in Brussels), with the Data Protection Authority as defendant. Decision on the substance 188/2022 - 29/29



Such an appeal may be made by means of an inter partes petition

the entries listed in article 1034ter of the Judicial Code must contain .The 24

a contradictory petition must be submitted to the Registry of the Market Court

                                                                           25
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).









(get). Hielke HIJMANS

Chairman of the Litigation Chamber

















































24
  The petition states under penalty of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     enterprise number;
 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be

     summoned;
 4° the object and brief summary of the means of the claim;
 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer.

25 The petition with its annex is sent, in as many copies as there are parties involved, by registered letter
sent to the clerk of the court or deposited at the clerk's office.