APD/GBA (Belgium) - 188/2022: Difference between revisions
No edit summary |
mNo edit summary |
||
(5 intermediate revisions by 3 users not shown) | |||
Line 93: | Line 93: | ||
}} | }} | ||
A TV show correctly invoked artistic freedom under [[Article 17 GDPR|Article 17(3)(a) GDPR]] in order to dismiss an erasure request. | |||
== English Summary == | == English Summary == | ||
Line 102: | Line 102: | ||
In Belgium, the registration of (personalised) licence plates is conducted by a federal institution. Using the website of this institution, people could verify if a licence plate was already in use by someone else, without disclosing the respective identity. This way, it could be checked beforehand if a desired personalised licence plate was already in use. | In Belgium, the registration of (personalised) licence plates is conducted by a federal institution. Using the website of this institution, people could verify if a licence plate was already in use by someone else, without disclosing the respective identity. This way, it could be checked beforehand if a desired personalised licence plate was already in use. | ||
The data subject asked the controller to remove the license plate from the TV show pursuant | The data subject asked the controller to remove the license plate from the TV show pursuant to [[Article 17 GDPR|Article 17(1)(c) GDPR]], because people recognised his licence plate as the one appearing in the TV show. According to the data subject, people also associated the data subject with the fictional criminal organisation from the show. The controller refused to remove the licence plate because, she argued, the license plate did not constitute personal data. In case that the licence plate was personal data, the controller stated that she was allowed to use this licence plate because of their freedom of (artistic) expression. In its reply to the data subject on 21 January 2022, the controller did not refer to the legal provision of [[Article 17 GDPR|Article 17(3)(a) GDPR]], when refusing the data subject's request for erasure. | ||
The data subject filed a complaint at the Belgian DPA on 22 February 2022, who started an investigation into the controller. | The data subject filed a complaint at the Belgian DPA on 22 February 2022, who started an investigation into the controller. | ||
=== Holding === | === Holding === | ||
<u>Is a licence plate personal data ([[Article 4 GDPR|Article 4(1) GDPR]])? | <u>Is a licence plate personal data ([[Article 4 GDPR|Article 4(1) GDPR]])?</u> | ||
The Belgian DPA determined that the licence plate was personal data ([[Article 4 GDPR#1|Article 4(1) GDPR)]] in these specific circumstances. The DPA started by acknowledging that a licence plate could constitute indirectly identifiable data. | The Belgian DPA determined that the licence plate was personal data ([[Article 4 GDPR#1|Article 4(1) GDPR)]] in these specific circumstances. The DPA started by acknowledging that a licence plate could constitute indirectly identifiable data. Family, neighbours and acquaintances could use the licence plate to identify the data subject. The DPA also considered the purpose of the processing, which was the appearance of the car in the TV show, and the way the processing took place, which was the publication of the TV series on a large television network and on a streaming service. The DPA also determined that that the license plate was data relating to a natural person, despite the fact that the licence plate was registered to a company car. Because there was only one company car, people could easily associate this car with the owner of the company, the data subject. | ||
<u>Was the controller's processing lawful? ([[Article 5 GDPR|Articles 5(1)(a)]] and [[Article 6 GDPR|6 GDPR]])</u> | <u>Was the controller's processing lawful? ([[Article 5 GDPR|Articles 5(1)(a)]] and [[Article 6 GDPR|6 GDPR]])</u> | ||
The DPA also assessed if the | The DPA also assessed if the data processing was lawful in accordance with [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], for which the controller had to fulfill three criteria. | ||
'''(1)''' The interest of the controller was the creation of the TV | '''(1)''' The interest of the controller was the creation of the TV show, which was a ''legitimate interest''. This interest was based on the freedom of artistic expression protected by the constitutional right of freedom of expression. The use of this fictional licence plate was purely an artistic expression in order to create and flesh out a fictional character. | ||
('''2)''' The second aspect was also fulfilled since the processing was ''necessarry'' to pursue the legitimate interest(s), looking at the artistic goal to emphasise the link with Galatasaray and the artistic freedom to choose a suitable way to achieve this goal. | ('''2)''' The second aspect was also fulfilled since the processing was ''necessarry'' to pursue the legitimate interest(s), looking at the artistic goal to emphasise the link with Galatasaray and the artistic freedom to choose a suitable way to achieve this goal. | ||
'''(3)''' When conducting the ''balancing test'', the DPA determined that the potential damage to the data subject was minimal. Only his personal and business contacts could link this | '''(3)''' When conducting the ''balancing test'', the DPA determined that the potential damage to the data subject was minimal. Only his personal and business contacts could link this licence plate to the data subject, who could all understand that the data subject was not the same person as the fictional character in the TV show. The TV show also contained a disclaimer that any link between the production and reality was purely incidental. The controller also had no knowledge of the existence of the licence plate of the data subject. The controller created her own licence plate and the similarity was purely coincidental. Lastly, the data subject chose to create a personalised license plate based on a well-known Turkish football club. It was foreseeable that such a licence plate could also be used for artistic purposes. The fact that the controller could have used a different license plate did not make the controller's use of this licence plate unlawful. | ||
In this case, the freedom | In this case, the controller's freedom of artistic expression outweighed the protection of personal data of the data subject. Therefore, the DPA determined that there was no breach of [[Article 5 GDPR#1|Articles 5(1)(a) GDPR]] and [[Article 6 GDPR#1f|6(1)(f) GDPR]]. | ||
<u>Did the controller violate [[Article 17 GDPR|Article 17 GDPR?]]</u> | <u>Did the controller violate [[Article 17 GDPR|Article 17 GDPR?]]</u> | ||
The DPA then | The DPA then considered whether the controller was allowed to use [[Article 17 GDPR|Article 17(3)(a) GDPR]] to deny the erasure request of the data subject pursuant to [[Article 17 GDPR|Article 17(1)(c) GDPR]]. The DPA referred to [[Article 85 GDPR]] and the national implementation of this GDPR provision into [https://www.dataprotectionauthority.be/publications/act-of-30-july-2018.pdf Article 24 of the Belgian law of 30 july 2018 (Act on the protection of natural persons with regard to the processing of personal data]. This national law excluded the applicability of several GDPR articles in order to ensure freedom of speech. [[Article 17 GDPR]] was not part of this law. However, the DPA noted that that [[Article 17 GDPR#3|Article 17(3) GDPR]] explicitly provides the possibility to not comply with an erasure request for journalistic, academic, artistic or literary purposes. Since it was a GDPR provision, it was directly applicable into Belgian Law. The fact that the Belgian law did not mention Article 17 GDPR was therefore of no consequence. | ||
The DPA held that the car and its license plate constituted an artistic expression, which fell under Article 10 ECHR (Freedom of Expression). The DPA stated that this was a case of a balancing act between two fundamental rights, with the ''freedom of expression'' (Article 10 ECHR and Article 11 CFR) on the one hand, and the ''right of protection of personal data'' (Article 8 CFR) on the other hand. To determine which fundamental right would prevail, a <u>balancing exercise</u> would have to be conducted with all of the relevant circumstances of the case. | The DPA held that the car and its license plate constituted an artistic expression, which fell under Article 10 ECHR (Freedom of Expression). The DPA stated that this was a case of a balancing act between two fundamental rights, with the ''freedom of expression'' (Article 10 ECHR and Article 11 CFR) on the one hand, and the ''right of protection of personal data'' (Article 8 CFR) on the other hand. To determine which fundamental right would prevail, a <u>balancing exercise</u> would have to be conducted with all of the relevant circumstances of the case. | ||
The DPA considered that the football club Galatasaray was well known. It was therefore not impossible to imagine that the license plate would be used for the creation of a fictional character. It was also plausible that both the controller and data subject had followed the same reasoning to choose the license plate (i.e. showing affinity and association with the football club). Since there were no links between the data subject, the controller and the fictional character, the DPA stated that it was most likely just coincidence that 2 identical licence plates were used. It was also not possible for the controller to identify the data subject using the website of the federal institution, which only provided the option to check if a licence plate was in use. Thus, it was impossible for the controller to identify the data subject. The controller also had the freedom to choose this specific licence plate under | The DPA considered that the football club Galatasaray was well known. It was therefore not impossible to imagine that the license plate would be used for the creation of a fictional character. It was also plausible that both the controller and data subject had followed the same reasoning to choose the license plate (i.e. showing affinity and association with the football club). Since there were no links between the data subject, the controller and the fictional character, the DPA stated that it was most likely just coincidence that 2 identical licence plates were used. It was also not possible for the controller to identify the data subject using the website of the federal institution, which only provided the option to check if a licence plate was in use. Thus, it was impossible for the controller to identify the data subject. The controller also had the freedom to choose this specific licence plate under her freedom of expression under Article 10 ECHR. Lastly, the data subject could have reasonably foreseen that other people could have used the recognisable numbers and letters for this personalised licence plate as well. | ||
Considering all these factors, the DPA determined that the controller did not violate [[Article 17 GDPR]]. The artistic expression of the controller prevailed in the balancing exercise. | Considering all these factors, the DPA determined that the controller did not violate [[Article 17 GDPR]]. The artistic expression of the controller prevailed in the balancing exercise. | ||
Line 135: | Line 135: | ||
<u>Violation of [[Article 12 GDPR|Article 12(1) GDPR]]</u> | <u>Violation of [[Article 12 GDPR|Article 12(1) GDPR]]</u> | ||
Then, the DPA assessed whether the controller did not adequately inform the data subject pursuant | Then, the DPA assessed whether the controller did not adequately inform the data subject pursuant to [[Article 12 GDPR#1|Articles 12(1)]] and [[Article 12 GDPR#4|12(4) GDPR]]. The DPA determined that the controller should have been more comprehensive in her answer, and should have included the specific legal ground it was using to deny the erasure request. The fact that the data subject was represented by legal council did not remove the obligation for the controller to comply with the transparency requirements of [[Article 12 GDPR|Article 12(4) GDPR]]. As such, the DPA concluded a breach of [[Article 12 GDPR#1|Article 12(1) GDPR,]] but only a minor one. | ||
The DPA issued a warning pursuant | The DPA issued a warning pursuant to Article 100(1)(5) WOG in order to make the controller aware of the obligation to comply with the transparency requirements of [[Article 12 GDPR|Article 12(4) GDPR]]. | ||
== Comment == | == Comment == | ||
The | The federal institution registering licence plates in Belgium is the '<nowiki/>''Federale overheidsdienst mobilitei''t'. Within this organisation, the service '''dienst voor inschrijving van voertuigen''<nowiki/>' was responsible for the registering of licence plates. | ||
The DPA also assessed several other violations regarding the controller, such as alleged violations of Articles [[Article 5 GDPR|5]], [[Article 24 GDPR|24,]] [[Article 25 GDPR|25]], [[Article 37 GDPR|37(1]]), [[Article 38 GDPR|38(1)]] and [[Article 39 GDPR|39 GDPR]]. The DPA did not find any violations regarding these provision. These considerations by the DPA were left out of this summary. This summary mainly focusses on the <u>relation between the right of erasure and artistic freedom on the one hand, and the minor violation of not providing the specific legal ground for rejecting an erasure request on the other hand</u>, since the latter was the only violation found in this decision. | The DPA also assessed several other violations regarding the controller, such as alleged violations of Articles [[Article 5 GDPR|5]], [[Article 24 GDPR|24,]] [[Article 25 GDPR|25]], [[Article 37 GDPR|37(1]]), [[Article 38 GDPR|38(1)]] and [[Article 39 GDPR|39 GDPR]]. The DPA did not find any violations regarding these provision. These considerations by the DPA were left out of this summary. This summary mainly focusses on the <u>relation between the right of erasure and artistic freedom on the one hand, and the minor violation of not providing the specific legal ground for rejecting an erasure request on the other hand</u>, since the latter was the only violation found in this decision. |
Latest revision as of 14:27, 25 January 2023
APD/GBA - 188/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(1) GDPR Article 5(1) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6 GDPR Article 6(1)(f) GDPR Article 12(1) GDPR Article 12(4) GDPR Article 17 GDPR Article 17(1) GDPR Article 17(1)(c) GDPR Article 17(3) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 25(2) GDPR Article 38 GDPR Article 38(1) GDPR Wet van 30 juli 2018 betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 22.02.2022 |
Decided: | 18.12.2022 |
Published: | 21.12.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 188/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
A TV show correctly invoked artistic freedom under Article 17(3)(a) GDPR in order to dismiss an erasure request.
English Summary
Facts
The data subject used a personalised license plate for his car, which he used for his business. The data subject was the sole owner of his company and did not have any employees. The personalised license plate he was using referred to Galatasaray, a well known Turkish football club. The licence plate contained letters and numbers that referred to this club. The producer of a television show (controller) used the same personalised licence plate on a similar looking car displayed in certain scenes of the show. This car in the series belonged to a fictional character, who was part of a fictional criminal organisation.
In Belgium, the registration of (personalised) licence plates is conducted by a federal institution. Using the website of this institution, people could verify if a licence plate was already in use by someone else, without disclosing the respective identity. This way, it could be checked beforehand if a desired personalised licence plate was already in use.
The data subject asked the controller to remove the license plate from the TV show pursuant to Article 17(1)(c) GDPR, because people recognised his licence plate as the one appearing in the TV show. According to the data subject, people also associated the data subject with the fictional criminal organisation from the show. The controller refused to remove the licence plate because, she argued, the license plate did not constitute personal data. In case that the licence plate was personal data, the controller stated that she was allowed to use this licence plate because of their freedom of (artistic) expression. In its reply to the data subject on 21 January 2022, the controller did not refer to the legal provision of Article 17(3)(a) GDPR, when refusing the data subject's request for erasure.
The data subject filed a complaint at the Belgian DPA on 22 February 2022, who started an investigation into the controller.
Holding
Is a licence plate personal data (Article 4(1) GDPR)?
The Belgian DPA determined that the licence plate was personal data (Article 4(1) GDPR) in these specific circumstances. The DPA started by acknowledging that a licence plate could constitute indirectly identifiable data. Family, neighbours and acquaintances could use the licence plate to identify the data subject. The DPA also considered the purpose of the processing, which was the appearance of the car in the TV show, and the way the processing took place, which was the publication of the TV series on a large television network and on a streaming service. The DPA also determined that that the license plate was data relating to a natural person, despite the fact that the licence plate was registered to a company car. Because there was only one company car, people could easily associate this car with the owner of the company, the data subject.
Was the controller's processing lawful? (Articles 5(1)(a) and 6 GDPR)
The DPA also assessed if the data processing was lawful in accordance with Article 6(1)(f) GDPR, for which the controller had to fulfill three criteria.
(1) The interest of the controller was the creation of the TV show, which was a legitimate interest. This interest was based on the freedom of artistic expression protected by the constitutional right of freedom of expression. The use of this fictional licence plate was purely an artistic expression in order to create and flesh out a fictional character.
(2) The second aspect was also fulfilled since the processing was necessarry to pursue the legitimate interest(s), looking at the artistic goal to emphasise the link with Galatasaray and the artistic freedom to choose a suitable way to achieve this goal.
(3) When conducting the balancing test, the DPA determined that the potential damage to the data subject was minimal. Only his personal and business contacts could link this licence plate to the data subject, who could all understand that the data subject was not the same person as the fictional character in the TV show. The TV show also contained a disclaimer that any link between the production and reality was purely incidental. The controller also had no knowledge of the existence of the licence plate of the data subject. The controller created her own licence plate and the similarity was purely coincidental. Lastly, the data subject chose to create a personalised license plate based on a well-known Turkish football club. It was foreseeable that such a licence plate could also be used for artistic purposes. The fact that the controller could have used a different license plate did not make the controller's use of this licence plate unlawful.
In this case, the controller's freedom of artistic expression outweighed the protection of personal data of the data subject. Therefore, the DPA determined that there was no breach of Articles 5(1)(a) GDPR and 6(1)(f) GDPR.
Did the controller violate Article 17 GDPR?
The DPA then considered whether the controller was allowed to use Article 17(3)(a) GDPR to deny the erasure request of the data subject pursuant to Article 17(1)(c) GDPR. The DPA referred to Article 85 GDPR and the national implementation of this GDPR provision into Article 24 of the Belgian law of 30 july 2018 (Act on the protection of natural persons with regard to the processing of personal data. This national law excluded the applicability of several GDPR articles in order to ensure freedom of speech. Article 17 GDPR was not part of this law. However, the DPA noted that that Article 17(3) GDPR explicitly provides the possibility to not comply with an erasure request for journalistic, academic, artistic or literary purposes. Since it was a GDPR provision, it was directly applicable into Belgian Law. The fact that the Belgian law did not mention Article 17 GDPR was therefore of no consequence.
The DPA held that the car and its license plate constituted an artistic expression, which fell under Article 10 ECHR (Freedom of Expression). The DPA stated that this was a case of a balancing act between two fundamental rights, with the freedom of expression (Article 10 ECHR and Article 11 CFR) on the one hand, and the right of protection of personal data (Article 8 CFR) on the other hand. To determine which fundamental right would prevail, a balancing exercise would have to be conducted with all of the relevant circumstances of the case.
The DPA considered that the football club Galatasaray was well known. It was therefore not impossible to imagine that the license plate would be used for the creation of a fictional character. It was also plausible that both the controller and data subject had followed the same reasoning to choose the license plate (i.e. showing affinity and association with the football club). Since there were no links between the data subject, the controller and the fictional character, the DPA stated that it was most likely just coincidence that 2 identical licence plates were used. It was also not possible for the controller to identify the data subject using the website of the federal institution, which only provided the option to check if a licence plate was in use. Thus, it was impossible for the controller to identify the data subject. The controller also had the freedom to choose this specific licence plate under her freedom of expression under Article 10 ECHR. Lastly, the data subject could have reasonably foreseen that other people could have used the recognisable numbers and letters for this personalised licence plate as well.
Considering all these factors, the DPA determined that the controller did not violate Article 17 GDPR. The artistic expression of the controller prevailed in the balancing exercise.
Violation of Article 12(1) GDPR
Then, the DPA assessed whether the controller did not adequately inform the data subject pursuant to Articles 12(1) and 12(4) GDPR. The DPA determined that the controller should have been more comprehensive in her answer, and should have included the specific legal ground it was using to deny the erasure request. The fact that the data subject was represented by legal council did not remove the obligation for the controller to comply with the transparency requirements of Article 12(4) GDPR. As such, the DPA concluded a breach of Article 12(1) GDPR, but only a minor one.
The DPA issued a warning pursuant to Article 100(1)(5) WOG in order to make the controller aware of the obligation to comply with the transparency requirements of Article 12(4) GDPR.
Comment
The federal institution registering licence plates in Belgium is the 'Federale overheidsdienst mobiliteit'. Within this organisation, the service 'dienst voor inschrijving van voertuigen' was responsible for the registering of licence plates.
The DPA also assessed several other violations regarding the controller, such as alleged violations of Articles 5, 24, 25, 37(1), 38(1) and 39 GDPR. The DPA did not find any violations regarding these provision. These considerations by the DPA were left out of this summary. This summary mainly focusses on the relation between the right of erasure and artistic freedom on the one hand, and the minor violation of not providing the specific legal ground for rejecting an erasure request on the other hand, since the latter was the only violation found in this decision.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/29 Litigation room Decision on the substance 188/2022 of 21 December 2022 File number : DOS-2022-00944 Subject: Publication of a number plate without permission The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Made the following decision regarding: The complainant: Mr X, represented by Mr. Hans Leyssen, office in 2000 Antwerp, Franselei 104, hereinafter “the complainant” The defendant: Y, represented by Mr. Bob Les, Mr. George Report and Mr. Elizabeth Van Nerum, office at 3000 Leuven, Sint-Maartenstraat 61 bus 2, hereinafter “the defendant” Decision on the substance 188/2022 - 2/29 I. Factual Procedure 1. On 22 February 2022, the complainant submits a complaint to the Data Protection Authority against the defendant. The complainant owns a car with a personalized number plate through his BV, of which he is the sole business manager. In an audiovisual production of the defendant a similar car with the same personalized license plate portrayed as the car of a criminal organization dealing in narcotics. The license plate according to the complainant, clearly legible, recognizable and can be found in the episode. The complainant is approached very regularly about this, both by business and private relationships. However, the complainant says he is a carpenter and does not want to be associated with the criminal environment. He also did not give permission to the defendant to use his license plate. The complainant asked the defendant for the license plate from the mounting, but the defendant refused to do so based on her right to artistic expression. 2. On March 10, 2022, the First Line Service declares the complaint admissible on the basis of Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG submitted to the Disputes Chamber. 3. On March 22, 2022, in accordance with Article 96, § 1 WOG, the request of the Disputes Chamber to carry out an investigation transferred to the Inspectorate, together with the complaint and the inventory of the documents. 4. The investigation by the Inspectorate will be completed on 26 April 2022, the report reads appended to the file and the file is transferred by the Inspector General to the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG). The report contains findings regarding the subject of the complaint and decision that there is: 1. a breach of Article 5 of the GDPR, Article 24(1) of the GDPR and Article 25(1) paragraph 2 of the GDPR; and 2. a breach of Article 12 paragraph 1 and paragraph 4 of the GDPR, Article 17 of the GDPR, Article 24 paragraph 1 of the GDPR and Article 25(1) of the GDPR. The report also contains findings that go beyond the subject of the complaint. In general terms, the Inspectorate also notes: 3. Violation of Article 38(1) and Article 39 of the GDPR. 5. On 29 April 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for treatment on the merits. Decision on the substance 188/2022 - 3/29 6. On 29 April 2022, the parties involved will be notified by registered mail of the provisions as stated in Article 95, § 2, as well as of these in Article 98 of the WOG. they are informed of the time limits for their to file defenses. As regards the findings relating to the subject matter of the complaint, the deadline for receipt of the statement of defense from the defendant recorded on 10 June 2022, those for the complainant's reply on 1 July 2022 and finally those for the defendant's statement of reply on 22 July 2022. The deadline for receipt of the statement of defense from the defendant with regarding the findings outside the subject of the complaint was set at 10 June 2022. 7. On June 10, 2022, the Disputes Chamber will receive the statement of defense from the defendant with regard to the findings relating to the subject matter of the complaint. This statement also contains the response of the defendant regarding the findings made by the Inspectorate outside the scope of the complaint. With regard to the first infringement, the defendant argues that in the present case the fictitious license plate does not constitute personal data as it is a reference refers to a very well-known Turkish football club, which means that there can be at most of a coincidental resemblance to the complainant's license plate without this being one processing of one of his personal data. If there were anyway a processing of personal data of the complainant, the defendant is of the opinion that it did not have to comply with his request for data erasure, since the license plate which is used on the carriage in the fiction series was created by one's own artistic choices of the complainant pursuant to Article 17(3)(a) GDPR. With respect to the second finding is that the defendant does indeed not have a privacy policy since the defendant was not aware that the complainant had a car with the same number plate, and therefore did not know that she had the personal data of the complainant would handle. Finally, the defendant argues that Article 37(1) GDPR does not apply to her applies, which means that no data protection officer has been appointed. However, five (one per department) privacy managers have been appointed. 8. On 4 July 2022, the Dispute Chamber receives the conclusion of the reply from the complainant, for which concerns the findings with regard to the object of the complaint that the use of the personalized license plate in the fiction series is indeed a processing of personal data within the meaning of the GDPR and that this processing unlawfully occurred without the defendant being able to rely on the exception for the right to freedom of expression and information including artistic expression. Decision on the substance 188/2022 - 4/29 9. On 22 July 2022, the Litigation Chamber receives the defendant's statement of rejoinder with regard to the findings relating to the subject-matter of the complaint in which they re-explains its arguments from the first statement of reply. In addition the defendant formulates replies to the complainant's arguments. Thus states the defendant that the method of identification proposed by the complainant is cumbersome and would therefore constitute a breach of the GDPR. Then argues the the defendant in what way the exception from article 17, paragraph 3, a) GDPR applies to her is. II. Motivation II.1. Definition of “personal data” Findings in the Inspection Report 10. In the course of the Inspectorate investigation, the defendant raised the situation of the complainant does not involve the processing of his personal data. The Inspection Service concludes, however, that in this case there is indeed the processing of personal data In this context, the Inspectorate refers to one of the defendant's documents in which it itself states that “a registration plate constitutes a personal data”. In addition, the GBA on its website explicitly states the following: “also information that does not allow a identify a person directly (e.g. a name), but indirectly (e.g.) a number plate is personal data.” The Inspectorate makes a decision based on this elements that the defendant does indeed have the personal data of the complainant incorporated. The defendant disputes this conclusion. Defendant's position 11. The defendant disputes the finding of the Inspectorate that it would have acknowledged that the number plate constitutes personal data. This finding is according to the defendant incorrect. Although it certainly does not deny that a number plate is one constitute personal data, it argues that this is not the case in the present case. The defendant argues that the license plate in question was created on the basis of artistic choices that were made in the context of the relevant audiovisual production fictional character to whom the license plate belongs is a member of a family of enthusiastic supporters of a great Turkish football team. The license plate was through designed by the defendant itself on the basis of the data of this football team (i.e. the name and year of establishment). The fact that this fictitious license plate corresponds to the the license plate of the complainant, according to the defendant, is purely coincidental not know that this license plate already existed and to whom the license plate was assigned used to be. For the sake of completeness, the defendant points out that at the end of each episode the The following disclaimer is included: “The program is completely fictional. Any Substantive Decision 188/2022 - 5/29 agreement with actual persons, companies or events is based on pure coincidence". Position of the complainant. 12. The complainant argues that the license plate in question is indeed his personal data matters, as it is far from fictional, invented or specially designed by the defendant. The registration plate was issued by the Vehicle Registration Service assigned to the complainant. In addition, the complainant argues that the complainant's car and the car from the audiovisual production are similar. 13. The complainant refers to the definition of “personal data” and “processing” in Article 4 AVG and states that these definitions in no way imply the existence of any intentional element on the part of the controller. The complainant claims that a vehicle registration plate is an essential information carrier on the basis of which the natural person who always drives the vehicle indirectly identified. This is even more the case when personalizing these license plate is based on the ethnicity and the favorite football club of the person concerned. According to the complainant, this view is confirmed by the first-line services the Inspection Service of the GBA. 14. Contrary to what the defendant claims, it is very simple, according to the complainant identify him by his license plate. The complainant alleges that use must be made from the online publicly available application of the Belgian Common Guarantee Fund, where after entering a specific number plate the insurance data (such as the BA insurers and the policy number) is possible find out a vehicle that has the relevant number plate on a certain date wore. Subsequently, you can contact the third-party liability insurer concerned statement of the policy number and the date of a self-invented accident or another excuse to find out the identity of the insured, being the BV Arisol. Then can one can check via the Crossroads Bank for Enterprises who is the manager of this BV. Since the BV Arisol is a sole proprietorship, the defendant can verify the identity of the easily identify the complainant. The complainant therefore argues that the defendant has done so in advance investigation could and should have been carried out to determine the identity of the complainant. Review by the Litigation Chamber 15. The Litigation Chamber reminds that the GDPR does not apply to the processing of all types of data, but only on the processing of personal data. According to Article 4(1) GDPR, personal data is “any information about a identified or identifiable natural person (“the data subject”); if identifiable is a natural person who can become directly or indirectly Decision on the substance 188/2022 - 6/29 identified, in particular by an identifier such as a name, a identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person”. 16. There are 4 elements in the definition of personal data: 1) relate to 2) an identified or 3) identifiable 4) natural person. 17. If there is to be personal data, the data must, in principle, relate have on a natural person. Data refers only to a natural person when identified or identifiable. A person is identified when it is unique from all other individuals within a group is distinguished. A person is identifiable when it has not yet been identified, but it can be done without disproportionate effort. 18. To establish the identity of a person is generally used data that has a unique, personal relationship to that person, so-called 'identifiers'. Identifiers can include data such as a name, address and date of birth. These data, in combination with each other, are so unique for one certain person, date a person on the basis of it with certainty or high probability can be identified. This is called directly identifying data. Persons can also be identified on the basis of other, less direct identifiers, such as appearance, social and economic characteristics and online identifiers. Although this data in itself usually does not lead to the identification of a person, they can be through their interrelationship or through linkage to others data lead to this. This is called indirectly identifying data. 19. In short, whether a data is also a personal data within the meaning of Article 4(1) GDPR for a controller, therefore depends on whether the data or the data that the controller processes enable him to inform someone directly or indirectly identified. When the person is not yet identified (if there is no directly identifying data are processed) the controller determine whether the person is not still identifiable. 20. As already mentioned, the data in question concerns a registration plate, which is a indirectly identifying information. When assessing whether there is identifiability in this case, the Litigation Chamber refers to Recital 26 of the AVG. Decision on the substance 188/2022 - 7/29 21. Recital 26 of the GDPR explains that to determine whether a natural person is identifiable, all means of which must be taken into account can reasonably be expected to be used by the controller or by another person (a third party) for the natural person directly or indirectly. To determine whether of means reasonably it is to be expected that they will be used to identify the natural person, account must be taken of all objective factors, such as the cost of time necessary for identification, taking into account the technology available on it time of processing and technological developments. 22. The Opinion 4/2007 on the concept of personal data of the Working Party on Data Processing states the following in this regard: “[i]f, taking into account "all means of which it can reasonably be assumed that they are processed by the controller or another person", whose possibility of identification does not exist or is negligible, the person should not be considered "identifiable", and the information should not be considered "personal data" are considered. The criterion of "all means of which it can reasonably be assumed that they are processed by the controller or byanotherperson"shouldtakeparticularaccountofallinvolvedfactors.The Cost of identification is one factor, but not the only one. It must be taken into account with the intended purpose, the way in which the processing is structured, the by the controller expected benefit, the risk of organizational dysfunction and technical malfunctions.” (free translation) 23. The registration and allocation of number plates is done by the Registration Service of Vehicles, of the Federal Public Service Mobility. The Disputes Chamber determines that via the website of the Federal Public Service Mobility the availability of a personalized license plate can be verified. If the defendant website would have consulted, it could have determined that the intended registration plate was already in use, without, however, revealing the identity of its holder However, for family, neighbors and acquaintances, that personalized license plate is a means that can be used to identify the complainant (for further justification read marginals 24 and 25 below). The Litigation Chamber reminds that, such as set out by the Data Processing Group 29, when analyzing whether a piece of data is also a personal data, the intended purpose and manner must be taken into account on which the processing is structured. By the purpose of the processing in question (prominently appearing in a well-known audiovisual production) and the manner in which this processing has taken place (a well-known audiovisual production, the broadcast op 1 Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, 20 June 2007. 2https://www.mobilit.fgov.be/WebdivPub/wmvpstv1?SUBSESSIONID=3228997. Decision on the substance 188/2022 - 8/29 one of the largest TV channels in Flanders as well as the availability of this production on streaming services), the Disputes Chamber concludes that the complainant is identifiable. 24. With regard to the fourth element ("natural person"), this means that data about partnerships, partnerships and other legal/legal entities individuals are not protected as such by the GDPR. The Court of Justice has nevertheless held that "insofar as the official title of the juridical person is one or more natural persons", the legal person under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union can claim the protection of data related to him. 5 Since the GDPR is a is an elaboration of the overarching safeguards contained in these Charter provisions laid down, such protection for legal entities can also be provided by the GDPR arise, although this protection does not concern the legal person as such, but the natural person(s) who form it, and probably mainly occurs in cases where the legal entity is in fact a sole proprietorship or a small family business with 6 a transparent "company veil". 25. The Litigation Chamber determines that the vehicle and registration plate are registered in the name of BV Arisol as a legal person, and not in the name of the complainant as a natural person. However, this BV is a sole proprietorship that does not have a fleet of vehicles, so that there is a direct link between the license plate and the complainant. Since the complainant, as a natural person, uses the car with this specific number plate, he is associated by his environment with this car with license plate without it this environment is aware of whether the car is registered in the name of his sole proprietorship, or in the name of the complainant as a private person. In view of the above, the Litigation Chamber that the license plate in the specific circumstances of the present case constitutes a license plate. II.2. Article 5 of the GDPR, Article 24(1) of the GDPR and Article 25(1) and (2) of the AVG 3 Article 7: Everyone has the right to respect for his private and family life, his home and his communication. 4 Article 8: 1. Everyone has the right to the protection of his personal data. 2. These data must be processed fairly, for specified purposes and with the consent of the data subject or on the basis of any other legitimate basis provided for by law. Everyone has the right to inspect the information data collected and rectification thereof. 3. An independent authority monitors compliance with these rules. 5 In this regard, see CJEU, Cases C-92/09 and 93/09, Schecke, § 53, Case C-419/14, WebMindLicenses, § 79 ; Case T-670 / 16, Digital Rights Ireland, §25. 6 L.A. BYGRAVE and L. TOSONI, « Article 4(1) Personal Data » in C. KUNER et.al. « EU General Data Protection Regulation, a commentary, Oxford University Press, 2020, p. 111. Decision on the substance 188/2022 - 9/29 Article 5 (2), Article 24 (1) and Article 25 (1) and (2) GDPR 26. Since the Disputes Chamber has come to the conclusion that the license plate under the circumstances of this case constitutes personal data, means that it is displayed of this personal data in the audiovisual production constitutes processing. The The defendant argues that she was not aware that she was processing personal data. The Litigation Chamber draws attention to the presence or absence of an intention does not constitute a criterion for the processing of personal data within the meaning of Article 4(2) AVG. Regardless of whether it was the defendant's intention to use the personal data process, is the mere fact that the license plate was indeed displayed in the audiovisual production is sufficient to classify this as processing that in accordance with the basic principles of data protection as understood in Article 5 GDPR must be done. 27. As controller, the defendant is obliged to provide the to observe data protection principles and must be able to demonstrate that these principles are adhered to (accountability - Article 5(2) GDPR). 28. In addition, also in its capacity as controller, it must: take necessary measures to ensure and be able to demonstrate that the processing is in is carried out in accordance with the GDPR (Articles 24 and 25 GDPR). 29. In the context of its investigation into accountability, the Inspectorate sent the following to the defendant to provide the following documents: “A copy of [the defendant's] documents on the measures and decisions that were taken to ensure compliance with the processing principles to safeguard personal data with regard to the complainant on the basis of Article 5, Article 24(1) and Article 25 of the GDPR.” 30. The defendant has formulated an answer to this but, according to the Inspectorate, no documents showing what measures and decisions were taken taken to safeguard the principles governing the processing of personal data specific to the complainant based on Article 5, Article 24(1) and Article 25(1) and paragraph 2 of the GDPR. The Inspectorate notes in its report that the transferred documents relate to the principle of transparency in Article 5(1)(a) GDPR, but that the defendant does not clarify how the other principles of Article 5 (1) GDPR 7 Article 4 GDPR: “For the purposes of this regulation: […] 2) “processing” means any operation or set of operations relating to personal data or set of personal data, whether or not carried out through automated processes, such as collecting, recording, organizing, structure, store, update or modify, retrieve, consult, use, provide by transmission, distribute or otherwise make available, align or combine, block, erase or destroy data” Decision on the substance 188/2022 - 10/29 are guaranteed. Moreover, the Inspectorate concludes that certain elements not concretely explained by the defendant, such as or the complainant, whose personal data were processed by the defendant, effectively has a copy received from its general privacy policy. During the investigation, the defendant states that it has not processed any personal data. The Inspectorate does not follow this view and states that the defendant does process personal data. The Inspectorate refers here to the webpage of the Data Protection Authority (https://www.dataprotectionauthority.be/burger/privacy/lexicon) on which stated states that “even information that does not allow to identify a person directly (e.g. a name), but indirectly (e.g. a number plate) is personal data”. As a result, the Inspection Service concludes that there is an infringement of article 5, article 24 (1) and Article 25 (1) GDPR. 31. In its conclusions, the defendant disputes this finding. The defendant clarifies that it considered that it was not processing any personal data in this case. Furthermore, the the defendant on what steps it will take in the event of similar processing operations of personal data, namely the processing of number plates in other audiovisual 8 productions when it is of the opinion that it is processing personal data. 32. The Disputes Chamber states that the Inspectorate is charged as an investigative body of the GBA investigating complaints about and serious indications of violations of the European and Belgian legislation on personal data, including the AVG. One of the ways in which the investigation is conducted is free of all useful information and provide documents. This possibility leaves the controllers and/or processors to explain and demonstrate what measures have been taken to protect the comply with applicable law.9 33. In the context of examining compliance with the Fundamental Principles and the accountability, as understood in Article 5 of the GDPR, the Inspection Service has a general request addressed to the controller to transfer the following to make: “A copy of [the defendant's] documents on the measures and decisions that were taken to ensure compliance with the processing principles to safeguard personal data with regard to the complainant on the basis of Article 5, Article 24(1) and Article 25 of the GDPR.” 34. The Disputes Chamber notes that the Inspectorate's question relates to processing of the complainant's personal data, namely the publication of a registration plate 8 see infra. 9 Charter of the Inspection Service, August 2022, available online at https://www.dataprotectionauthority.be/publications/charter-van-de-inspectiedienst.pdf Substantive decision 188/2022 - 11/29 an audiovisual production. The defendant claims that she has no such document in this case previously transferred to the complainant because it was of the opinion that no personal data was processed, and moreover, that it also does not dispute that this registration plate was assigned to a person and certainly not to whom this license plate had been granted. Furthermore, the defendant prepares the documents that it uses when it does – consciously – process personal data of data subjects. As above explained, the Inspectorate is of the opinion in this case that certain information, which is for the Inspection service is essential to arrive at a good assessment, is missing. Consequently the Inspectorate ruled that there had been a violation of article 5, Article 24 (1) and Article 25 (1) and (2) GDPR. 35. The Disputes Chamber recalls that an investigation by the Inspectorate on a must be done in a loyal manner. If the answer of the controller is not sufficient for the Inspectorate, it normally falls to the Inspection service to clarify on which points more information is requested. This this can be done, for example, by asking more specific questions about a certain subject or by to request specific documents or information. After all, it is for the controller is not always easy to apply in such a general and broad way ask to formulate a comprehensive answer or provide the exact documents that the Inspectorate wishes to investigate. If the Inspectorate should ask more specific questions stated or requested concrete documents and the controller and has not been able to provide the requested information it to the Inspectorate to report a violation of accountability such as understood in Article 5, paragraph 2 and Article 24, paragraph 1 and Article 25, paragraph 1 and paragraph 2 GDPR. The The Disputes Chamber notes that the Inspectorate did not ask any additional questions on specific subjects and that no specific documents were produced requested in order to arrive at a proper assessment of the case. The The Litigation Chamber therefore concludes that the Inspectorate's investigation is not sufficiently specific conducted with regard to this finding. Consequently, the Litigation Chamber comes to the conclusion that it is disproportionate in this case for a violation of Articles 5, 24, paragraph 1 and 25 (1) and (2) GDPR on the basis of a general question in the context of the accountability, which was answered by the defendant, without further notice follow-up questions from the Inspectorate. It is up to the Inspectorate to determine on the basis of due diligence investigation any shortcoming of Article 5, Article 2(1) and Article 25, Paragraphs 1 and 2 GDPR to be demonstrated by the defendant. Article 5 (1) GDPR 36. The Disputes Chamber finds that, based on the answer provided by the defendant in the context of the investigation, the Inspectorate comes to the conclusion that Decision on the substance 188/2022 - 12/29 there is a breach of all fundamental principles relating to the protection of personal data as stipulated in Article 5 (1) GDPR. Although Article 5(1) and (2) GDPR are closely related means any violation of the accountability of Article 5 (2) GDPR is not automatically also a violation of Article 5, paragraph 1 GDPR document compliance with the substantive principles of the GDPR to show. Both elements must therefore be assessed separately. 37. The Litigation Chamber notes that the Inspection Report only contains findings regarding the principle of transparency as understood in Article 5(1)(a). The Disputes Chamber will then also address this finding. As already explained above, the Inspectorate finds that certain elements are not explained in concrete terms by the the defendant, such as or the complainant, whose personal data were processed by the the defendant has actually received a copy of its general privacy policy. 38. In its conclusions, the defendant disputes the findings of the Inspection report. Side pose that within its organization various privacy responsibles have been appointed per department, also for the fiction department. When the defendant's writing the the complainant received via the info address (so not via a specific e-mail address intended for privacy matters) it has made every effort to be accurate and timely answer. Furthermore, the defendant reiterates that it does not deny that a license plate is a personal data may matter, but that this is not the case in this case. Then the light to the defendant what appropriate and technical organizational measures it takes to to ensure that, in relation to audiovisual productions, the personal data of data subjects are processed in accordance with the GDPR. So it ensures that in cases in which there could be the processing of personal data in her audiovisual productions by filming and subsequently displaying a existing number plate of a data subject who does not have permission for this given, these relevant scenes are deleted, trimmed or the license plate is made illegible (for example by means of blurring). In addition, in other cases where personal data of data subjects are processed in the context of an audiovisual production (and that is mainly the case in non-fiction productions), is the common one working method within the organization of the defendant that either, for those involved who have a play a greater role in production, in the agreements with them the necessary provisions on data protection are included, either, for data subjects who fulfill a smaller role or a short-lived participation within the production, a shortened 'quit claim' is signed. Include both aforementioned contracts and quit claims clauses related to the processing of personal data. These documents are provided to the parties involved and explained prior to the collaboration between the defendant and the data subject, together with the General Privacy Policy. In the Decision on the substance 188/2022 - 13/29 In the case of the complainant, there is no signed contract or quit claim, since the defendant did not assume at all that any personal data was being processed, late that she knew at all whose personal data it concerned. It is also true after that the writing of the complainant's counsel of the General Privacy Policy was not addressed to him transferred by the defendant. This reflex was not created for the sake of that the defendant was first of all convinced that this was not about the processing of personal data. The defendant argues that if the Litigation Chamber would nevertheless be held that a processing of personal data of the complainant has taken place, she wishes to emphasize that this situation, where there an alleged processing of personal data has taken place without the data subject was informed about this and without having read the General Privacy Policy received, constitutes a one-off and isolated case that is inconsistent with the common practice regarding the policy on the protection of personal data on behalf of the defendant. 39. The Litigation Chamber finds that the defendant, in the creation of the audiovisual production was not aware of the identity of the complainant, as holder of the personalized license plate. 40. The Inspection Report then finds that the Respondent has failed to General Privacy Policy to be passed on to the complainant after he has had contact with her taken with a request that his license plate be removed from production. The The defendant argues that she did not make this reflex because she believed that there was no question was of processing of personal data. The Disputes Chamber notes that in this letter only the data erasure request is included. The defendant could not reasonably expect that the complainant also wanted to receive the General Privacy Policy when the letter from the complainant requesting the erasure, none request or reference to the General Privacy Policy. 41. In view of the above, the Disputes Chamber rules that there is no question of a violation of the principle of transparency as understood in Article 5 (1) a) GDPR for what concerns not transmitting the General Privacy Policy. 42. The Litigation Chamber finds that the Inspection Report constitutes a violation of all basic principles of Article 5. This violation arises from the alleged non- compliance with the above accountability obligation. The Disputes Chamber points out that the determination of an alleged breach of all fundamental principles regarding data processing based on an alleged determination of the accountability is disproportionate. Consequently, the Litigation Chamber concludes that the determination of the Inspectorate regarding these principles is not sufficiently substantiated by Decision on the substance 188/2022 - 14/29 evidence that makes further treatment of these findings impossible the Disputes Chamber is of the opinion that there is no infringement of the above Articles 5, 24 (1) and 25 (1) and 2 GDPR. II.3. Article 5(1)(a) and Article 6 of the GDPR regarding legality 43. In its conclusions, the complainant argues that the contested processing took place without consent and is therefore unlawful within the meaning of Article 5, paragraph 1, a) GDPR. Deklagerstel that he did not give permission to the defendant for worldwide exhibition of his personalized number plate, so that the processing of his personal data is unlawful under Article 6 GDPR. 44. The complainant argues that a weighing of interests between, on the one hand, the right of the complainant to protection of his personal data and, on the other hand, the legitimate interest of the defendant, namely freedom of expression and information (including freedom of artistic expression) also results in a rating against latter. The Litigation Chamber recalls that, in order to rely on this legal basis from Article 6(1)(f) GDPR to be able to rely on the processing of personal data, it must legitimate interest of the controller or third parties balanced against the interests or fundamental rights and freedoms of the data subjects. The legitimate interest is closely related to – but different from – it concept of processing purpose, which must be specific pursuant to Article 5(1)(b) GDPR. While it 'purpose' relates to the specific reason why the data is being processed, i.e. the purpose or intention of the data processing, the concept of 'interest' is related to the wider interest that a controller may have in the processing, or the benefit to the controller — or a third party, which is not necessarily as co-controller needs to be qualified — from the processing 11 fetches. 45. In accordance with article 6, paragraph 1, f) of the GDPR, the case law of the Court of Justice should three cumulative conditions must be met for a controller can validly rely on this ground of legitimacy, “namely, in the first place, the defense of a legitimate interest of the controller or of the third party(ies) to whom the data are provided, secondly, the need for the processing of the personal data for the purposes of the legitimate interest, and, in the 10 cf. Section A.1 of the dismissal policy of the Litigation Chamber. 1 CJEU Judgment of 11 December 2019, TK v. Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064, para. 44. See also decision 21/2022 of 2 February 2022. Decision on the substance 188/2022 - 15/29 third, the condition that the fundamental rights and freedoms of the data protection of the person concerned does not prevail” (judgment “Rigas”) .12 46. In other words, in order to rely on Article 6(1)(f) of the GDPR the legal ground of the “legitimate interest”, the to demonstrate to the controller that: 1) the interests it pursues with the processing can be justified be recognized (the “goal test”); 2) the intended processing is necessary for the fulfillment of these interests (the “necessity test”); and 3) the balancing of these interests against the interests, fundamental freedoms and fundamental rights of data subjects in favor of the controller or a third party (the “balancing test”). 47. In the present case, the Disputes Chamber finds that the interest of the defendant consists of creating audiovisual productions as an exercise of her artistic expression, which becomes enshrined in the constitutionally protected freedom of expression. In view of this personal data of the complainant are processed. 48. Artistic expression includes creating fictional characters and their living world. In doing so, the defendant can use public data, as in the present case the case is. The license plate matches the fictional character, whose son is a fan of the Turkish football club Galatasaray S.K., which was founded in 1905. Consequently, the use of this license plate under the design of a fictional character a exclusively artistic expression. In the opinion of the Disputes Chamber there is none doubt that the purpose test from the case law of the Court of Justice is met. Having on the artistic aim of emphasizing the link with the football club and the freedom for the defendant in this context to choose a suitable remedy, the Litigation Chamber that the necessity test is also met. 49. With regard to the balancing test, the interest of the complainant consists in the protection of his personal data and the related fact that he is addressed about the similarity between his license plate and the fictional license plate. 50. As far as the interests of the complainant are concerned, the Disputes Chamber states that it has little it is plausible that the bearing is greatly hindered by the similarity only personal and/or business relationships are the agreement between the two discover number plates and confront the complainant with this. The audiovisual 1 CJEU Judgment of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde t. Rigas pašvaldības SIA 'Rīgas satiksme', C-13/16; ECLI:EU:C:2017:336, para. 28-31. See also CJEU Judgment of 11 December 2019, TK v/ Asociaţia de Proprietari bloc M5A-ScaraA,C-708/18, ECLI:EU:C:2019:1064,para. 40. 13While the concept of “purpose” should be read in the light of the previous points of this decision. Decision on the substance 188/2022 - 16/29 production is fictitious and, moreover, there is no other link between the complainant and the fictitious character. In addition, each episode indicates that it concerns a fictional production and that any similarity with persons is purely coincidental. In this regard, the Litigation Chamber that, despite the matching license plates, there are no others resemblance, similarity or any other link exists between the fictional character and the complainer. In this context, the Disputes Chamber also points out that the defendant has no knew of the existence of the complainant's license plate, so inspiration. The creation was therefore independently created by the defendant. 51. Consequently, the Disputes Chamber concludes that it is for this personal or business relations it should be clear that the complainant has no connection whatsoever with milieus in which the fictional character from the audiovisual productions moves. 52. The Disputes Chamber also points out that the complainant has opted for a license plate, consisting of public data linked to a football club known worldwide. It could therefore have been foreseen by the complainant that this data could be used for artistic purposes. The circumstance that the defendant as a program maker does not necessarily have this number plate could have used does not make the disputed processing unlawful would be on the basis of Article 6(1)(f) GDPR. The choice to shape a character the hand of a certain cultural background with reference to a very meaningful football club within this culture, falls under the freedom of the artistic form of expression. 53. In view of the above, the Disputes Chamber concludes that in this case the interest of the artistic expression of the defendant outweighs the right to protection personal data of the complainant. Therefore, the defendant complies with the balancing test. The data was therefore allowed to be processed. The question to what extent the possible adverse consequences for the bearing could have been limited by used exercising the right to erasure is discussed below in Section II.4. 54. The Disputes Chamber therefore concludes that there is no infringement of Article 5, paragraph 1, a) and Article 6, paragraph 1, f) GDPR. II.4. Violation of Article 12(1) and (4) of the GDPR, Article 17 of the GDPR, Article 24(1) of the GDPR and Article 25 (1) of the GDPR 55. The Inspectorate finds that the defendant has fulfilled the obligations imposed by Article 12, has not complied with paragraphs 1 and 4, Article 17, Article 24 paragraph 1 and Article 25 paragraph 1 of the GDPR. The In this context, the Inspectorate first of all points to the fact that the complainant's request for to erase his personalized license plate from the audiovisual production rejected because of the “right to artistic expression”, without clarifying the substance Decision 188/2022 - 17/29 which provision of Article 17 (3) GDPR is invoked. Second, according to the Inspectorate does not make this explanation transparent in accordance with Article 12, paragraph 1 and paragraph 4 AVG since it is not clear to the complainant on what exact basis his investigation was refused and, furthermore, no mention was made of the possibility of lodging a complaint serve at the GBA. The Disputes Chamber will first reject the refusal to proceed to assess data erasure and subsequently the resulting transparency obligations from Article 12 GDPR. II.4.1. Article 17 of the GDPR, Article 24 (1) of the GDPR and Article 25 (1) of the GDPR 56. The Disputes Chamber points out that on 5 January 2022 the complainant submitted its request for performed data erasure with regard to the defendant, which refused was made by the defendant on the basis of her freedom of artistic expression. 57. The Inspection Service establishes in its Inspection Report that the erasure of data is unlawful was refused by the defendant. The Inspectorate hereby refers to the law of30 July 2018 on the protection of natural persons with regard to the processing of personal data 14 (hereinafter: Law of 30 July 2018). This law provides exceptions to the rights of the data subjects for processing of personal data for, among other things, "artistic forms of expression". The However, the Inspectorate emphasizes that those exceptions do not apply to the Articles 12, 17, 24 and 25 of the GDPR. In addition, those exceptions must be read in view of article 85, paragraph 2 of the GDPR and thus effectively “necessary for the right to to reconcile the protection of personal data with the freedom of expression and information”. The complainant endorses this view in its conclusions. 58. The defendant disputes this finding of the Inspectorate. She leads in her conclusions that the law of July 30, 2018 in article 24 indeed provides that a number provisions of the GDPR do not apply “to processing of personal data for journalistic purposes and for academic, artistic or literary purposes forms of expression”. The defendant first enters into the determination of the Inspectorate that Article 17 of the GDPR does indeed not appear in the enumeration of the articles of the GDPR to which the exceptions from the law apply. 59. In this regard, the defendant refers to the Explanatory Memorandum accompanying the bill of the Law of 30 July 2018 clarifying the following: “[t]he draft law informs the controller for journalistic, academic, artistic or literary purposes are not exempt from the obligation to exercise the right to be forgotten to the person concerned (Article 17 of the Regulation). Article 17.3 of the GDPR 14 Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, BS 5 September 2018. Substantive decision 188/2022 - 18/29 itself states that the right to be forgotten does not apply to processing purposes of free expression and free information. The regulation is therefore direct applies and it is therefore not necessary for the law to recreate that exemption.”15 60. This position was also followed by the Council of State, stating: “Article 29 (current Article 24) rightly does not state that it does not apply to the processing of data for journalistic, academic, artistic or literary purposes purposes, as that exclusion is already provided for in paragraph 3(a) itself of that article 17”. 61. The Litigation Chamber refers to the structure of Article 85 GDPR that the general assignment formulates to the (national) legislator to watch over the reconciliation of the relationship between freedom of expression and the protection of personal data. The The Belgian legislator has regulated this relationship in the law of 30 July 2018. Article 24 of this law states that for processing for journalistic, academic, artistic or literary purposes, certain rights of the data subject do not apply. The law refers in this context to Articles 7 to 10, Article 11(2), Articles 13 to 16, 18 to 20 and 21 (1) GDPR. After all, there is no such exception for these articles in the GDPR provided for processing of personal data for journalistic, academic, artistic or literary purposes. Article 24 of the law of 30 July 2018 states the controller for journalistic, academic, artistic or literary purposes, however, are not expressly exempt from the obligation to exercise the right to erasure (“right to be forgotten”) to the data subject (Article 17 GDPR). A such explicit exemption is also not necessary since, as rightly so noted by the defendant, Article 17(3) GDPR is directly applicable in the Belgian law. 62. Based on the above, the Disputes Chamber adopts the position of the the defendant and is of the opinion that Article 17(3) GDPR itself provides the possible grounds for exception provides for the right to erasure, without having to read them again in the law of 30 July 2018. 63. The Litigation Chamber refers to Article 17(1) of the GDPR, which stipulates that the data subject has the right to obtain from the controller without unreasonable delay to obtain the deletion of the personal data concerning him. Based on the same point c), the controller is obliged to process the personal data 15 Draft law of 11 June 2018 on the protection of natural persons with regard to processing of personal data, Parl.St. Room No. 54-3216/001, 54. 16Advice of 19 April 2018 of the Council of State, Legislation Division on a draft law 'regarding the protection of natural persons with regard to the processing of personal data”, Parl.St. Senate No. 63.192/2, 80, No. 4.4; Draft law of 11 June 2018 on the protection of natural persons with regard to to the processing of personal data, Parl.St. Chamber no. 54-3216/001, 54. Decision on the substance 188/2022 - 19/29 without undue delay, including when the data subject object to the processing in accordance with Article 21 (1) GDPR and does not object prevailing legitimate grounds for the processing. Such as set out above, the complainant has a request pursuant to Article 17(1)(c) GDPR addressed to the defendant. 64. However, Article 17(3)(a) GDPR states that Article 17(1) GDPR does not apply when such processing is necessary for exercising the right to freedom of expressions information. This article provides an exception rule right away balancing of interests between two fundamental rights, namely the balance between the right to freedom of expression and information on the one hand and the right to protection of personal data on the other. It is on this ground that the defendant refused to implement the request for erasure of the complainant. 65. In the context of the present file, the Litigation Chamber will thus verify whether the request for data deletion in accordance with 17 (1) c) GDPR rightly refused by the defendant became pursuant to Article 17 (3) (a) GDPR and in particular whether the right to freedom of information, on the one hand, and the right to the protection of personal data, on the other hand, are properly balanced against each other. 66. The Disputes Chamber points out that in this case the complaint was lodged against the defendant as a production house, which, among other things, makes fictional audiovisual productions. First of all, the Disputes Chamber reminds that the right to freedom of expression and information is protected by Article 10(1) of the European Convention on the Human Rights (hereinafter: “ECHR”). “This right includes the freedom to hold an opinion and freedom to receive or impart information or ideas, without interference by any public authority […]" and the equivalent Article 11 of the Charter of Fundamental Rights of the European Union (hereinafter: “Charter”), paragraph 2 of which in particular guarantees respect for freedom and pluralism of the media. 67. As also cited by the defendant, the right to freedom of expression is true Article 17(3)(a) GDPR refers to does not only apply to certain species information, ideas or forms of expression such as of a political nature, it also includes artistic 18 expressions. The European Court of Human Rights (ECtHR) also stated: “[d]e confirmation, to the extent still necessary, that this interpretation is correct is provided by the second sentence of paragraph 1 of Article 10 (Art. 10-1), which refers to "broadcasting, television or cinema companies", media whose activities extend to the field of the art. A confirmation that the concept of freedom of expression also includes artistic expressions can also be found in Article 19(2) of the International Convention on 17See CJEU judgment of 24 September 2019, G.C et al. v CNIL, ECLI:EU:C:2019:773, § 56 et seq. 18 ECtHR, 25 May 1988, 10737/83, Müller and Others v. Switzerland, § 27. Decision on the substance 188/2022 - 20/29 civil and political rights, that information and ideas "in the form of art" 19 expressly includes the right to freedom of expression. ” Consequently, resort expressions of art expression under the protection of Article 10 ECHR and Article 11 of the charter. 68. As already mentioned, the present case is about the trade-off between the right to liberty of expression and information, and in particular freedom of artistic expression, of the defendant (Article 10 ECHR and Article 11 Charter) and the right to protection of personal data of the complainant (Article 8 of the Charter). So it is one balance of fundamental rights. 69. In this context, the Disputes Chamber refers to the case law of the Court of Justice in the under the takedown requests to search engines, most recently the judgment Google, C-460/20. 20 In this, the Court states: “The circumstance that Article 17(3)(a) AVG expressly stipulates that the right to erasure of data belongs to the data subject excluded when the processing is necessary for the exercise of the activities referred to in Article 11 the right to, inter alia, freedom of information guaranteed by the Charter expression of the fact that the right to the protection of personal data is not absolute right, but, as has been emphasized in recital 4 of this Regulation, needs to be considered in relation to its function in society and in accordance with it The principle of proportionality must be balanced against other fundamental rights. [..]In the GDPR, and more specifically in Article 17(3)(a), there is thus an explicit requirement that there a trade-off must be made between those set out in Articles 7 and 8 of the Charter enshrined fundamental rights to respect for private life and to the protection of personal data on the one hand, and what is guaranteed by Article 11 of the Charter fundamental right to freedom of information on the other.” 70. The answer to the question which of these two rights is heavier in the specific case weighs, must be found by weighing up all relevant circumstances of the case. This assessment must be done in one go considers that either right, having regard to all relevant circumstances, outweighs the other right, entails that the other right is infringed law satisfies the necessity test of the relevant paragraph 2 of Article 8 and Article 10 ECHR, as specified in Article 52 of the Charter. 71. The judgment in Karatas v. Turkey of the ECtHR that the freedom of artistic expression includes the following: “particularly within the freedom to share information and ideals receiving and transmitting, which provides the opportunity to participate in the public 19 ECtHR, 25 May 1988, 10737/83, Müller and Others v. Switzerland, § 27. See also CJEU, C-460/20, § 62. 20 CJEU, 8 December 2022, ECLI:EU:C:2022:962, §§ 60-62. 21 ECtHR, VGT Verein gegen Tierfabriken v. Switzerland, 28 June 2001, § 68. Decision on the substance 188/2022 - 21/29 exchange of cultural, political and social information and ideals of all kinds. They who creating, performing, distributing or exhibiting works of art contribute to the exchange of ideas and opinions that are essential for a democratic society. Hence the obligation on the state not to unnecessarily infringe on their freedom of 22 expression” (free translation). 72. The defendant argues that the choices made to select the characters of the to shape audiovisual production under the freedom of artistic expression fall. The Defendant has made the creative choice to select certain of her characters a Turkish background, with a family passionately supporting the Galatasaray football club with a car with a personalized number plate that refers to this one club refers. The defendant clarifies in this regard that the letters and numbers of the number plate refer to the name of the club itself and the founding year 1905. 73. On the other hand, the complainant argues that this license plate was assigned to him, as a result of which this his personal data. With the publication of this license plate, he is recognized by his contacts (both private and business) about possible ties with a criminal gang, as the fictional character with this license plate would have ties to it criminal environment. 74. The Litigation Chamber finds that the conception of the character in question, with his car and license plate, is an expression of the defendant's artistic freedom. Galatasaray is a very well-known club with a very large fan following, especially in the Turkish community. Consequently, it is not inconceivable that, when creating a fictional Turkish character and his background and world references to one of the greatest and most popular Turkish football clubs are included. The defendant made one choice, partly in view of the limited space on a license plate, for public data from which it is immediately clear that it concerns that football team, namely the abbreviation of the name and the year of establishment. These are data that the Turkish community immediately associates with the football team in question. 75. It is therefore plausible that an identical license plate was chosen by the complainant. The Disputes Chamber notes that, apart from the corresponding license plate, there is no link between the complainant and defendant. The personal data was not collected or obtained from the complainant and there is also no other link between the complainant and the fictional character and the milieu in which they find themselves are located. 76. That the combination of these data through the assignment of the registration plate by the Vehicle Registration Service has been given a personal character for the complainant 22 ECtHR, Karatas v. Turkey, 8 July 1999, § 49. Decision on the substance 188/2022 - 22/29 according to the Disputes Chamber, this does not detract from the public character of the club and the artistic thought process based on which the character with his car with registration plate has been established. 77. The Disputes Chamber notes in this regard that the information relating to the allocation number plates is also not freely available. The aforementioned website of the Service Registration Vehicles allows you to check whether a particular vehicle has been personalized license plate is still available. It was also impossible for the defendant to identity of the holder of this particular number plate. 78. The complainant argues that publishing the number plate is not necessary in a democratic society. When assessing the condition of necessity goes the ECtHR takes a global approach. One has to look at the tension between both rights in the context of the entire case.23 The Disputes Chamber notes that the the defendant could have checked whether this personalized license plate was still available via the aforementioned website of the Vehicle Registration Service. The circumstance that the defendant, as a program maker, could not necessarily have used this number plate using,but could have chosen another,doesn't prevent this creative choice from being made under the artistic expression as protected in Article 10 ECHR. 79. With regard to the complainant's grievances regarding the fact that he is being treated in this regard addressed by family, friends and business relations, the Disputes Chamber notes that only people from the complainant's environment can make the link between the car and the car person of the complainant, assuming that these relations enter the audiovisual production have seen the issue and noticed the similarity between the license plates. In addition, it is also explicitly stated with each delivery that any agreement with persons or organizations is purely coincidental. In addition to using the matching license plate in the fiction series also does not become one at any point link made to or focused on the person of the complainant, or elements quoted that refer to him personally or to his private sphere. This is also explained by the fact that the defendant was not, or could not be, aware of the identity of the complainant on the moment of the creation of the audiovisual production. The Disputes Chamber notes finally notes that the complainant has made the choice to obtain public data from a very known club to be mentioned on a license plate. So he could reasonably expect that this data could also be devised by other persons. 80. The Disputes Chamber therefore decides that the agreement between the two license plates coincidentally based on a parallel thinking process of the complainant and the defendant to have come about, namely expressing an identity as a staunch supporter of 23 ECtHR VGT Verein gegen Tierfabriken t. Switzerland, 28 June 2001, § 68 and ECtHR, Feldek v. Slovakia, July 12, 2001, §77. Decision on the substance 188/2022 - 23/29 Galatasaray. Both parties have used the name and the founding year of the club, being known public data with a direct association with the club. In view of the foregoing, the circumstances on the side of the complainant of insufficient weight, to the right to freedom of expression, including the right to artistic expression of the defendant, as guaranteed by Article 10 ECHR te restrict or remove it. The Disputes Chamber concludes that there is no question an infringement of Article 17 GDPR. II.4.2. Article 12 (1) and (4) GDPR 81. Based on Article 12 of the GDPR, the controller must inform the data subjects provide transparent information and, in principle, reply to them free of charge within 1 month to request. It is essential that the information provided is understandable and easy accessible to those involved. It is also important that the controller the exercise of the rights of the data subjects on the basis of Articles 15 to 22 of the GDPR. Finally, the inform the data subjects of the rejection of their request why that request was rejected and inform those concerned about the possibility to lodge a complaint with a supervisory authority as well as appeal to the courts configure. 82. The defendant argues that, although in its letter of reply to the complainant dated. 21 January 2022 has not explicitly referred to the specific legal basis of Article 17, paragraph 3, a) of the GDPR, she has very clearly indicated in her letter of reply to the grounds on which it decided not to comply with the request until the erasing of the number plate in question from the fiction sequence, causing them to submit the Disputes Chamber would nevertheless be ruled that a processing of personal data of the complainant has taken place, still complies with her obligation under Article 12(1) of the GDPR imposed by the controller to, if it does not comply with the request of the data subject, the latter “without delay and at the latest within one month of receipt of the request [to be communicated] why the request has not been acted upon”. 83. The Disputes Chamber notes that the defendant in the aforementioned letter dd. 21st of January 2022 has explained that it believes that it should not comply with the request erasure of data because it believes that there is no processing of personal data. In a subordinate order, if there would nevertheless be processing of personal data, it invokes its right to artistic expression, part of the right of expression, in order not to erase the number plate. In this context, the Disputes Chamber points out that the defendant must state the reasons for the refusal to delete, without specifying the relevant decision on the substance 188/2022 - 24/29 articles of law in this regard. The Disputes Chamber rules that in this case the explanation regarding the refusal to erase data could have been formulated more clearly of the complainant. The additional mention of the legal articles and a more detailed explanation could also have contributed to the clarity of the refusal. 84. In addition, the defendant argues that the complainant was represented by counsel who was aware of the applicable legislation and therefore the possibility to collect a complaint to the GBA, since it had already indicated that it might file a complaint at the GBA. The Disputes Chamber takes note of this explanation, but does not consider it convincing. As far as necessary, the Disputes Chamber reminds that this transparency principles from Article 12 (4) GDPR apply regardless of whether the complainant whether his counsel is aware of the complaints procedure at the GBA. 85. In view of the above, the Disputes Chamber is of the opinion that the defendant on a could have handled the transparency obligation in a more careful manner. There is talk of an infringement of article 12, paragraph 1 GDPR, but this infringement is not of such a serious nature that a penalty should be imposed. It is sufficient for the defendant to warn for the future that the transparency principles from Article 12 (4) GDPR apply regardless of whether the complainant or his council is aware of this or not are. II.5. Article 38(1) and Article 39 of the GDPR 86. The Inspectorate finds that the defendant's obligations imposed by Article 38, paragraph 1 of the GDPR and has not complied with Article 39, paragraph 1 of the GDPR. The Inspection Service refers in this context to the following elements: 87. “For the purpose of informing and sensitizing the personnel concerned with with regard to the processing of personal data by (employees of) [de [respondent] was organized by the client for the necessary consultations between its employees and its legal advisers for the purpose of preparing and implementing the necessary documentation to comply with its obligations under the GDPR and were internally de necessary information moments are organized to explain this. In addition, a “Privacy and Confidentiality Policy” for Defendant's employees drawn up and implemented, which the employees of [the defendant] must comply with life and explaining the policy for handling confidential information, including personal data, by these employees. You will find a copy of this policy here attachment 3". 88. However, the Inspectorate argues that the defendant fails to demonstrate: - what the aforementioned “necessary consultation” and “the necessary information moments” mean in practice mean (no supporting evidence was provided for these aspects); Decision on the substance 188/2022 - 25/29 - whether and, if applicable, how its data protection officer is involved and/or was in the creation and follow-up of the foregoing; - whether and, if applicable, how its data protection officer is involved and/or was involved in the creation and follow-up of the “Privacy and Confidentiality Policy” (e.g. using supporting documents such as internal emails); - how compliance with the “Privacy and Confidentiality Policy” is put into practice guaranteed. After all, imposing data protection directives is in itself insufficient if compliance is not effectively guaranteed by the defendant with the cooperation of its data protection officer. 89. The GDPR recognizes that the data protection officer is a key figure for what concerns the protection of personal data whose designation, position and duties to rules are subject. These rules help the controller to comply with its obligations under the GDPR, but also assist the officer data protection to properly perform its tasks. 90. The Litigation Chamber recalls that Article 38(1) GDPR prescribes that the controller ensures that the officer for data protection is timely and properly involved in all matters related to the protection of personal data. Based on Article 39(1). GDPR, the data protection officer (a) must be the controller informing and advising on its obligations under the GDPR and others Union or Member State data protection provisions and (b) monitor compliance with the GDPR, other Union or Member State law data protection provisions and of the policy of the controller or the processor with regard to the protection of personal data, including of the allocation of responsibilities, awareness raising and training of the processing of personnel involved and the relevant audits. 91. The defendant emphasizes in its conclusions that, however, at the time of the introduction of the GDPR in mid-2018 has made a well-considered decision not to appoint an official for this establish data protection. In this respect she refers to Article 37(1) of the GDPR in which the designation of a data protection officer becomes mandatory made in three cases: “1. The controller and the processor designate an officer data protection in any case where: a) the processing is carried out by a public authority or body, except in the case of courts in the exercise of their judicial functions; Decision on the substance 188/2022 - 26/29 b) a controller or processor is principally entrusted with processing which, due to its nature, its scope and/or its purposes, is regular and require systematic surveillance of data subjects on a large scale; or c) the controller or processor is mainly responsible for large-scale processing of special categories of data under Article 9 and of personal data related to criminal convictions and offences facts as referred to in Article 10.” 92. The defendant considers that none of these three cases applies to her. She is not government agency or body, nor as a producer of audiovisual works a large-scale processor of special categories of data, nor of personal data relating to criminal convictions and offences. 93. The defendant's main activity is the production of audiovisual works admittedly, the defendant regularly processed (and processes) personal data in the context of (part of) its activities (i.e. for part of its non-fiction activities), but on the other hand, its main activity does not focus on processing operations that are “regular and systematic observation of data subjects” required “on a large scale”, Article 37(1) became of the GDPR was not considered applicable and it was therefore decided not to appoint an official for establish data protection. The defendant did consider it more useful and practical – as is still the case today – to work with some data controllers (five to be precise), one per department. aforementioned considerations and decision – not to have a data protection officer, but to have one to appoint privacy officers per department – were announced in 2018 at the time explicitly included in the summary overview of all measures taken by the the defendant then took to make the business activities GDPR-compliant. 94. As stated by the controller, Article 37(1) of the GDPR makes that the designation of a data protection officer is made mandatory in three cases (see marginal 92). The Disputes Chamber adopts the position of the defendant and notes that none of these three cases from Article 37 GDPR of applies to the controller, which means that it is not obliged to provide a appoint a data protection officer. Consequently, obligations for neither does the data protection officer as defined in Articles 38 and 39 GDPR applicable in this case. 95. However, this does not mean that the defendant has not taken measures to process personal data in accordance with the GDPR. Based on concrete examples In its conclusions, the defendant refutes the findings of the Inspectorate. For with regard to the Inspectorate's finding that the defendant would not demonstrate what the "above-mentioned consultation" and "the necessary information moments" mean in practice, makes decision on the merits 188/2022 - 27/29 the defendant a report on the main concrete measures and steps taken it has performed since the entry into force of the GDPR. The defendant does so emails about information sessions that were given, as well as attendance lists with signature. With regard to the journey towards transformation to GDPR compliance the defendant makes several email conversations about which it appears that there is a direct and close cooperation appears between the defendant's lawyers and some of the data controllers of the defendant. The defendant also makes e- correspondence about which it appears that the council members on the one hand and the data controllers, on the other hand, have close consultations about the Privacy and Confidentiality Policy. As far as the further follow-up is concerned, the defendant refers to its documents, including a document on the procedure to be followed in the event of a data breach. New employees are also systematically informed regarding the privacy and confidentiality policy and submit to it through their agreement with the defendant. 96. Finally, the Inspectorate states that the defendant does not demonstrate how compliance with the privacy and confidentiality policy is guaranteed in practice. First of all, you can It should be noted that the defendant has taken a lot of organizational and technical measures provides, among other things, for access by unauthorized persons and/or unwanted or unintentional secure distribution. In the first instance, reference can be made to the list with the most important IT security measures. The defendant is also light its data breach procedures in its conclusions. Furthermore, the defendant to the use of the quit claims (see section II.2). Production employees know that they also always have enough copies of the necessary consent forms regarding the processing of personal data take them to the shooting locations (and do so), so that the candidate participants sufficiently informed to be able to confirm whether or not they agree with the processing of their personal data. Also when concluding the agreements with new ones employees (permanently employed or freelance) are provided with sufficient information. Further they consistently receive the necessary explanation – including through delivery of the text of the “Privacy and Confidentiality Policy” – before committing to signing agree to their agreement with the privacy rules. Finally, the the defendant again to the complaint that gave rise to the current one procedure. As soon as the letter from the complainant's counsel has been received by the defendant, the complaint was immediately forwarded to Mr for the fiction department and the defendant's lawyers requesting the defendant in this regard. The data protection officer then took the matter further followed up with the defendant's counsel, which again shows that the defendant does take its privacy policy seriously and does not limit it to the mere Substance decision 188/2022 - 28/29 "imposing guidelines" by means of the necessary texts, as the Inspectorate incorrectly thought to determine. 97. The Disputes Chamber argues that it is disproportionate in this case to declare a violation of the Articles 38 (1) and 39 GDPR. Since the defendant is not obliged to to appoint a data protection officer are the obligations not applicable to the defendant pursuant to Articles 38 and 39 GDPR. Consequently the Litigation Chamber concludes that there is no infringement of Articles 38(1) and 39 GDPR was committed by the defendant. III. Publication of the decision 98. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties are disclosed directly. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - to dismiss on the basis of Article 100, §1, 1° WOG with regard to the violations of: o Articles 5, 24 (1) and 25 (1) and (2) GDPR o Articles 5(1)(a) and 6 GDPR, o Articles 17 of the GDPR, Article 24(1) of the GDPR and Article 25(1) of the GDPR; and o Articles 38(1) and 39 GDPR. - on the basis of article 100, §1, 2° WOG order the external prosecution with regard to the violation of Article 12 (1) GDPR. - pursuant to Article 100, §1, 5° WOG, to warn the defendant for the future that the transparency obligations in Article 12 (4) GDPR must be complied with. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification against this decision may be appealed to the Marktenhof (court of appeal in Brussels), with the Data Protection Authority as defendant. Decision on the substance 188/2022 - 29/29 Such an appeal may be made by means of an inter partes petition the entries listed in article 1034ter of the Judicial Code must contain .The 24 a contradictory petition must be submitted to the Registry of the Market Court 25 in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit IT system of Justice (Article 32ter of the Ger.W.). (get). Hielke HIJMANS Chairman of the Litigation Chamber 24 The petition states under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer. 25 The petition with its annex is sent, in as many copies as there are parties involved, by registered letter sent to the clerk of the court or deposited at the clerk's office.
- APD/GBA (Belgium)
- Belgium
- Article 4(1) GDPR
- Article 5(1) GDPR
- Article 5(1)(a) GDPR
- Article 5(2) GDPR
- Article 6 GDPR
- Article 6(1)(f) GDPR
- Article 12(1) GDPR
- Article 12(4) GDPR
- Article 17 GDPR
- Article 17(1) GDPR
- Article 17(1)(c) GDPR
- Article 17(3) GDPR
- Article 24(1) GDPR
- Article 25(1) GDPR
- Article 25(2) GDPR
- Article 38 GDPR
- Article 38(1) GDPR
- 2022
- Dutch