Court of Appeal of Brussels - 2022/AR/723: Difference between revisions
No edit summary |
m (Ar moved page Hof van Beroep - 2022/AR/723 to Court of Appeal of Brussels - 2022/AR/723) |
||
(9 intermediate revisions by 3 users not shown) | |||
Line 7: | Line 7: | ||
|Court_Original_Name=Hof van Beroep Brussel | |Court_Original_Name=Hof van Beroep Brussel | ||
|Court_English_Name=Market Court of the Brussels appeal court | |Court_English_Name=Market Court of the Brussels appeal court | ||
|Court_With_Country= | |Court_With_Country=Court of Appeal of Brussels (Belgium) | ||
|Case_Number_Name=2022/AR/723 | |Case_Number_Name=2022/AR/723 | ||
|ECLI= | |ECLI= | ||
|Original_Source_Name_1=GBA | |Original_Source_Name_1=APD/GBA (Belgium) | ||
|Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/publications/arret-du-14-juin-2023-de-la-cour-des-marches-ar-723-disponible-en-neerlandais.pdf | |Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/publications/arret-du-14-juin-2023-de-la-cour-des-marches-ar-723-disponible-en-neerlandais.pdf | ||
|Original_Source_Language_1=Dutch | |Original_Source_Language_1=Dutch | ||
Line 63: | Line 63: | ||
|Party_Link_3= | |Party_Link_3= | ||
|Appeal_From_Body=GBA | |Appeal_From_Body=APD/GBA (Belgium) | ||
|Appeal_From_Case_Number_Name=71/2022 | |Appeal_From_Case_Number_Name=71/2022 | ||
|Appeal_From_Status= | |Appeal_From_Status= | ||
Line 76: | Line 76: | ||
}} | }} | ||
The Belgian Court of Appeal reduced a €10,000 fine imposed by the DPA to the national railway company to a symbolic €1 due to lacking motivation concerning the amount of the fine. | |||
The Belgian | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
This ruling of the Belgian court of appeal (Marktenhof) concerns the Belgian Railway company SNCB/NMBS (controller), a company with the Belgian state as its only shareholder. During the COVID-19 Pandemic, the controller was ordered by the Belgian government to start an initiative to promote train travel. | This ruling of the Belgian court of appeal (Marktenhof) concerns the Belgian Railway company SNCB/NMBS (controller), a company with the Belgian state as its only shareholder. During the COVID-19 Pandemic, the controller was ordered by the Belgian government to start an initiative to promote train travel. On 13 October 2020, the controller emailed railway pass holders to inform them about the use cases of this travel pass and also provided COVID-19 related information. This e-mail resulted in GDPR related discussions on Twitter, specifically regarding the lack of the possibility to object. The Belgian DPA started an investigation on that matter and found that by not providing the possibility to opt-out of receiving similar emails, the controller violated [[Article 12 GDPR|Articles 12(2)]], [[Article 21 GDPR#2|21(2)]] and [[Article 21 GDPR#4|21(4) GDPR]]. Moreover, the DPA held that the controller violated [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 5 GDPR#1c|5(1)(c)]], [[Article 5 GDPR#2|5(2)]], [[Article 6 GDPR#1|6(1)]], [[Article 12 GDPR#2|12(2)]], [[Article 21 GDPR#2|21(2)]] and [[Article 21 GDPR#4|21(4) GDPR]]. | ||
On 13 October 2020, the controller emailed railway pass holders to inform them about the use cases of this travel pass and also provided COVID-19 related information. This e-mail resulted in GDPR related discussions on Twitter, specifically regarding the lack of the possibility to object. The Belgian DPA started an investigation on that matter and found that by not providing the possibility to opt-out of receiving similar emails, the controller violated [[Article 12 GDPR|Articles 12(2)]], [[Article 21 GDPR#2|21(2)]] and [[Article 21 GDPR#4|21(4) GDPR]]. | |||
'' | The controller was fined €10,000 (a summary of this decision is available on the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_71/2022 hub]) and decided to appeal the decision with the Appeal Court on the following grounds: ''First'', the controller contested the applicability of the GDPR, considering that the e-privacy directive was applicable as ''lex specialis.'' ''Second,'' the controller stated Article 6 ECFR had been breached because it had not been able to comment on a piece of evidence. ''Third'', the controller stated that the decision of the DPA was based on an inaccurate and incomplete representation of the facts. Among the others, the controller disputed the DPA’s definition of ‘Direct marketing’. It added that it had sent the e-mail in the first place because it was obligated to do so pursuant to the government's instruction. It had to provide COVID-19 related information and promote its full service as part of its public service obligation. ''Fourth'', the controller argued that the DPA did not properly motivate the GDPR violations in the disputed decision. ''Fifth,'' the controller disputed the DPA's application of the national implementation of [[Article 83 GDPR#7|article 83(7) GDPR]] which enables the DPA to fine a public entity controller under certain conditions. ''Sixth,'' the controller stated that the DPA did not properly motivate its fine. | ||
=== Holding === | === Holding === | ||
''First'', the court | ''First'', the court held that both the GDPR and the e-privacy directive were applicable in this case. The court stated that Article 13(2) of the e-privacy directive, which covers the conditions for direct marketing, explicitly mentions that the GDPR should also be respected. | ||
''Second'', the court determined that the controller | ''Second'', the court determined that there was indeed a piece of evidence on which the controller was not able to comment but it was not the main piece of evidence on which the DPA’s decision was based. | ||
''Third,'' the court | ''Third,'' the court held that since the e-mail also included a hyperlink linking to promotional content, it was a form of direct marketing. The court also agreed with the DPA that promotional material for a government service can constitute direct marketing. | ||
''Fourth'' | ''Fourth'', the court held that the DPA properly motivated the violations in the original decision. | ||
''Fifth,'' the court rejected the controller’s argument regarding [[Article 83 GDPR#7|Article 83(7) GDPR]] | ''Fifth,'' the court rejected the controller’s argument regarding [[Article 83 GDPR#7|Article 83(7) GDPR]], considering that the controller did not limit itself to its legal obligation by only providing the railway pass and sanitary information regarding COVID-19. Therefore, [[Article 83 GDPR#7|Article 83(7) GDPR]] was not applicable for the controller. | ||
''Sixth,'' the court | ''Sixth,'' the court held that the DPA did not adequately consider the circumstances brought forward by the controller that could impact the amount of the fine. The court also considered several circumstances on its own initiative, namely that the communication had the main goal of providing safety from COVID-19 infections and the fact that the controller had been obligated by law to issue the travel pass. | ||
In conclusion, following point 6 of the appeal above, the court concluded that the fine was improperly motivated, not proportional and reduced it to a symbolic €1,00. It rejected all the other grounds for the appeal and therefore confirmed the original decision on the other grounds. | |||
== Comment == | == Comment == | ||
'' | ''The court did not refer to the [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-042022-calculation-administrative_en EDPB guidelines on the calculation of administrative fines].'' | ||
== Further Resources == | == Further Resources == |
Latest revision as of 09:54, 14 December 2023
Hof van Beroep - 2022/AR/723 | |
---|---|
Court: | Court of Appeal of Brussels (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 12(2) GDPR Article 21(2) GDPR Article 21(4) GDPR XV.2, Paragraph 1 WER |
Decided: | 14.06.2023 |
Published: | |
Parties: | Nationale Maatschappij der Belgische Sporen (NMBS) |
National Case Number/Name: | 2022/AR/723 |
European Case Law Identifier: | |
Appeal from: | APD/GBA (Belgium) 71/2022 |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | APD/GBA (Belgium) (in Dutch) |
Initial Contributor: | Kv33 |
The Belgian Court of Appeal reduced a €10,000 fine imposed by the DPA to the national railway company to a symbolic €1 due to lacking motivation concerning the amount of the fine.
English Summary
Facts
This ruling of the Belgian court of appeal (Marktenhof) concerns the Belgian Railway company SNCB/NMBS (controller), a company with the Belgian state as its only shareholder. During the COVID-19 Pandemic, the controller was ordered by the Belgian government to start an initiative to promote train travel. On 13 October 2020, the controller emailed railway pass holders to inform them about the use cases of this travel pass and also provided COVID-19 related information. This e-mail resulted in GDPR related discussions on Twitter, specifically regarding the lack of the possibility to object. The Belgian DPA started an investigation on that matter and found that by not providing the possibility to opt-out of receiving similar emails, the controller violated Articles 12(2), 21(2) and 21(4) GDPR. Moreover, the DPA held that the controller violated Article 5(1)(a), 5(1)(c), 5(2), 6(1), 12(2), 21(2) and 21(4) GDPR.
The controller was fined €10,000 (a summary of this decision is available on the hub) and decided to appeal the decision with the Appeal Court on the following grounds: First, the controller contested the applicability of the GDPR, considering that the e-privacy directive was applicable as lex specialis. Second, the controller stated Article 6 ECFR had been breached because it had not been able to comment on a piece of evidence. Third, the controller stated that the decision of the DPA was based on an inaccurate and incomplete representation of the facts. Among the others, the controller disputed the DPA’s definition of ‘Direct marketing’. It added that it had sent the e-mail in the first place because it was obligated to do so pursuant to the government's instruction. It had to provide COVID-19 related information and promote its full service as part of its public service obligation. Fourth, the controller argued that the DPA did not properly motivate the GDPR violations in the disputed decision. Fifth, the controller disputed the DPA's application of the national implementation of article 83(7) GDPR which enables the DPA to fine a public entity controller under certain conditions. Sixth, the controller stated that the DPA did not properly motivate its fine.
Holding
First, the court held that both the GDPR and the e-privacy directive were applicable in this case. The court stated that Article 13(2) of the e-privacy directive, which covers the conditions for direct marketing, explicitly mentions that the GDPR should also be respected.
Second, the court determined that there was indeed a piece of evidence on which the controller was not able to comment but it was not the main piece of evidence on which the DPA’s decision was based.
Third, the court held that since the e-mail also included a hyperlink linking to promotional content, it was a form of direct marketing. The court also agreed with the DPA that promotional material for a government service can constitute direct marketing.
Fourth, the court held that the DPA properly motivated the violations in the original decision.
Fifth, the court rejected the controller’s argument regarding Article 83(7) GDPR, considering that the controller did not limit itself to its legal obligation by only providing the railway pass and sanitary information regarding COVID-19. Therefore, Article 83(7) GDPR was not applicable for the controller.
Sixth, the court held that the DPA did not adequately consider the circumstances brought forward by the controller that could impact the amount of the fine. The court also considered several circumstances on its own initiative, namely that the communication had the main goal of providing safety from COVID-19 infections and the fact that the controller had been obligated by law to issue the travel pass.
In conclusion, following point 6 of the appeal above, the court concluded that the fine was improperly motivated, not proportional and reduced it to a symbolic €1,00. It rejected all the other grounds for the appeal and therefore confirmed the original decision on the other grounds.
Comment
The court did not refer to the EDPB guidelines on the calculation of administrative fines.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Brussels Court of Appeal - 2022/AR/723 - p. 2 The SA under public law NATIONALE MAATSCHAPPIJ DERBELGISCHE RAILWAYS ("NMBS"), with company number 0203.430.576, with registered office at 1060 Brussels, Rue de France 56, applicant, represented by mr. WAEM Heidi and mr VERSCHAEVE Simon, lawyers with office in [...] in return for DATA PROTECTION AUTHORITY ("GBA"), with company number 0694.679.950, with registered office at Drukpersstraat 35, 1000 BRUSSELS, defendant, represented by mr. ROETS Joos, mr. CLOOTS Elke and mr. ROES Timothy, lawyers with office in [...] *** Considering the procedural documents the decision no. 71/2022 of the Disputes Chamber of the Data Protection Authority from May 4, 2022; the petition for appeal as filed with the clerk of the Brussels Court of Appeal by NMBS on June 2, 2022; the introductory session of 15 June 2022 of the Marktenhof; the request of NMBS pursuant to Article 748 GerW filed on November 28, 2022; the decision of the Market Court of 5 December 2022; the (synthesis) conclusions of both parties; the bundles of documents filed by both parties;