APD/GBA (Belgium) - 137/2023: Difference between revisions

From GDPRhub
No edit summary
mNo edit summary
 
(4 intermediate revisions by 2 users not shown)
Line 67: Line 67:
}}
}}


The Belgian DPA held that retroactivity clauses in a data processing agreement are invalid as they would allow for the circumvention of [[Article 28 GDPR#3|Article 28(3)]] GDPR. Moreover, the DPA clarified that both the controller and processor are responsible for concluding the data processing agreement.
The Belgian DPA held that a data processing agreement cannot be applied retroactively, as this would allow for the circumvention of [[Article 28 GDPR#3|Article 28(3)]] GDPR. Moreover, the DPA clarified that both the controller and processor are responsible for concluding the data processing agreement.  


== English Summary ==
== English Summary ==
Line 76: Line 76:
On 6 July 2020, the data subject requested evidence of the parking violation in question and received several photographs of their vehicle. They also sought information on how their personal data was being processed and wanted to obtain the agreement concluded between the municipality (the controller) and a third-party service (the processor) used in the establishment and collection of the fee requested from them. Following their request, the data subject found that there was no data processing agreement in place at the time of the events.
On 6 July 2020, the data subject requested evidence of the parking violation in question and received several photographs of their vehicle. They also sought information on how their personal data was being processed and wanted to obtain the agreement concluded between the municipality (the controller) and a third-party service (the processor) used in the establishment and collection of the fee requested from them. Following their request, the data subject found that there was no data processing agreement in place at the time of the events.


On 4 September 2020, the data subject submitted a complaint against both controller and processor for violation of Article[[Article 28 GDPR#3| ]]28(3)[[Article 28 GDPR#3| ]]GDPR. On 20 November 2020, the DPA opened an investigation and transmitted the case to the Inspection Service (SI). On 11 May 2021, the SI's investigation was closed, and the case was transferred back to the DPA.  
On 4 September 2020, the data subject submitted a complaint against both controller and processor for violation of Article[[Article 28 GDPR#3| ]]28(3)[[Article 28 GDPR#3| ]]GDPR, which obliges controllers to implement a data processing agreement. On 20 November 2020, the DPA opened an investigation and transmitted the case to the Inspection Service (SI). On 11 May 2021, the SI's investigation was closed, and the case was transferred back to the DPA. The SI found that the processing contract between the controller and the processor was only entered into on 27 July 2020. The investigation found that at the time of processing of the data subject's data, no contract existed. 


The SI found that the processing contract between the controller and the processor was only entered into on 27 July 2020. The investigation found that at the time of processing of the data subject's data, no contract existed. However, the contract of 27 July 2020 included a retroactivity clause.  
However, the contract of 27 July 2020 included a retroactivity clause.  


=== Holding ===
=== Holding ===
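Review bot: In the revised complaint paragraph of this hunk, the reference is still written as "Article[[Article 28 GDPR#3| ]]28(3)[[Article 28 GDPR#3| ]]GDPR", two links with empty labels and no spaces around them, so the rendered text has nothing to click and runs together. Use "[[Article 28 GDPR#3|Article 28(3)]] GDPR" as the other paragraphs do. The added clause "which obliges controllers to implement a data processing agreement" also reads narrower than the headline sentence, which says both the controller and the processor are responsible for concluding the agreement.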
Line 85: Line 85:
The Belgian DPA noted that [[Article 28 GDPR#1|Article 28(1)]] GDPR mandates a processor to provide sufficient guarantees to protect the rights of data subjects. [[Article 28 GDPR#3|Article 28(3)]] GDPR obliges controllers to implement a data processing agreement. The DPA held that including a retro-activity clause in the agreement does not remedy the absence of the contract at the time of the event. Such an admission would allow for the circumvention of the application of the obligations of [[Article 28 GDPR#3|Article 28(3)]] GDPR which aims to ensure the protection of the rights and freedoms of the data subjects. The DPA concluded that both the controller, as well the processor, were responsible for ensuring that a data processing agreement was timely put into place.   
The Belgian DPA noted that [[Article 28 GDPR#1|Article 28(1)]] GDPR mandates a processor to provide sufficient guarantees to protect the rights of data subjects. [[Article 28 GDPR#3|Article 28(3)]] GDPR obliges controllers to implement a data processing agreement. The DPA held that including a retro-activity clause in the agreement does not remedy the absence of the contract at the time of the event. Such an admission would allow for the circumvention of the application of the obligations of [[Article 28 GDPR#3|Article 28(3)]] GDPR which aims to ensure the protection of the rights and freedoms of the data subjects. The DPA concluded that both the controller, as well the processor, were responsible for ensuring that a data processing agreement was timely put into place.   


The DPA also found violations for lack of transparency under [[Article 12 GDPR#1|Article 12(1)]] GDPR and [[Article 14 GDPR|Article 14]] GDPR. The municipality argued that the exception under [[Article 14 GDPR#5c|Article 14(5)(c)]] GDPR applied to it. The municipality cited the law of 22 February 1965, which permits municipalities to set parking charges to motor vehicles, and the Order of 22 January 2009 relating to the enforcement of parking charges. The DPA rejected this, noting that exceptions must be interpreted restrictively. The legislation cited by the municipality did not contain any exceptions to disclosure obligations. As such, the DPA held that the legislation invoked by the municipality was insufficiently concrete. The DPA added that even if the exemption were to apply, the controller was still required to inform the data subject of the obtention and disclosure of their personal data unless legally prohibited.  
The DPA also found violations for lack of transparency under [[Article 12 GDPR#1|Article 12(1)]] GDPR and [[Article 14 GDPR|Article 14]] GDPR, as the controller had failed to fulfill the informational obligations under Article 14 GDPR. The municipality argued that the exception under [[Article 14 GDPR#5c|Article 14(5)(c)]] GDPR applied to it. The municipality cited the law of 22 February 1965, which permits municipalities to set parking charges to motor vehicles, and the Order of 22 January 2009 relating to the enforcement of parking charges. The DPA rejected this, noting that exceptions must be interpreted restrictively. The legislation cited by the municipality did not contain any exceptions to disclosure obligations. As such, the DPA held that the legislation invoked by the municipality was insufficiently concrete. The DPA added that even if the exemption were to apply, the controller was still required to inform the data subject about sources and recipients of their personal data unless legally prohibited.  


As such, both the municipality and third-party were reprimanded for breach of [[Article 28 GDPR#3|Article 28(3)]], and the municipality was reprimanded for violatiosn of [[Article 14 GDPR|Article 14]] GDPR and [[Article 12 GDPR#1|Article 12(1)]][[Article 28 GDPR#3| ]]GDPR for failure to take appropriate measures to fully inform the data subject.
As such, both the municipality and third-party were reprimanded for breach of [[Article 28 GDPR#3|Article 28(3) GDPR]], and the municipality was reprimanded for violations of [[Article 14 GDPR|Article 14]] GDPR and [[Article 12 GDPR#1|Article 12(1)]][[Article 28 GDPR#3| ]]GDPR for failure to take appropriate measures to fully inform the data subject.


== Comment ==
== Comment ==
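Review bot: The revised reprimand sentence in this hunk fixes "violatiosn" but keeps the empty-label link "[[Article 28 GDPR#3| ]]" between "[[Article 12 GDPR#1|Article 12(1)]]" and "GDPR", which points at Article 28 and renders only as a stray space. Drop it and put a normal space before "GDPR". The unchanged Holding paragraph in the same hunk still reads "both the controller, as well the processor", which needs "as well as".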

Latest revision as of 11:38, 11 October 2023

APD/GBA - 137/2023
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(1) GDPR
Article 14 GDPR
Article 14(5)(c) GDPR
Article 28(1) GDPR
Article 28(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 04.09.2020
Decided: 29.10.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 137/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Autorité de protection des données (in FR)
Initial Contributor: Enzo Marquet

The Belgian DPA held that a data processing agreement cannot be applied retroactively, as this would allow for the circumvention of Article 28(3) GDPR. Moreover, the DPA clarified that both the controller and processor are responsible for concluding the data processing agreement.

English Summary

Facts

On 20 May 2020 the data subject received a parking fine from a municipality, the controller, for a parking violation.

On 6 July 2020, the data subject requested evidence of the parking violation in question and received several photographs of their vehicle. They also sought information on how their personal data was being processed and wanted to obtain the agreement concluded between the municipality (the controller) and a third-party service (the processor) used in the establishment and collection of the fee requested from them. Following their request, the data subject found that there was no data processing agreement in place at the time of the events.

On 4 September 2020, the data subject submitted a complaint against both controller and processor for violation of Article 28(3) GDPR, which obliges controllers to implement a data processing agreement. On 20 November 2020, the DPA opened an investigation and transmitted the case to the Inspection Service (SI). On 11 May 2021, the SI's investigation was closed, and the case was transferred back to the DPA. The SI found that the processing contract between the controller and the processor was only entered into on 27 July 2020. The investigation found that at the time of processing of the data subject's data, no contract existed.

However, the contract of 27 July 2020 included a retroactivity clause.

Holding

The Belgian DPA found a violation of Articles 28, 14 and 12 GDPR.

The Belgian DPA noted that Article 28(1) GDPR mandates a processor to provide sufficient guarantees to protect the rights of data subjects. Article 28(3) GDPR obliges controllers to implement a data processing agreement. The DPA held that including a retroactivity clause in the agreement does not remedy the absence of the contract at the time of the event. Accepting such a clause would allow for the circumvention of the obligations of Article 28(3) GDPR, which aims to ensure the protection of the rights and freedoms of the data subjects. The DPA concluded that both the controller and the processor were responsible for ensuring that a data processing agreement was put in place in a timely manner.

The DPA also found violations for lack of transparency under Article 12(1) GDPR and Article 14 GDPR, as the controller had failed to fulfill the informational obligations under Article 14 GDPR. The municipality argued that the exception under Article 14(5)(c) GDPR applied to it. The municipality cited the law of 22 February 1965, which permits municipalities to set parking charges to motor vehicles, and the Order of 22 January 2009 relating to the enforcement of parking charges. The DPA rejected this, noting that exceptions must be interpreted restrictively. The legislation cited by the municipality did not contain any exceptions to disclosure obligations. As such, the DPA held that the legislation invoked by the municipality was insufficiently concrete. The DPA added that even if the exemption were to apply, the controller was still required to inform the data subject about sources and recipients of their personal data unless legally prohibited.

As such, both the municipality and third-party were reprimanded for breach of Article 28(3) GDPR, and the municipality was reprimanded for violations of Article 14 GDPR and Article 12(1) GDPR for failure to take appropriate measures to fully inform the data subject.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision on merits 137/2023 of September 29, 2023

File number: DOS-2020-04511

Subject: Complaint relating to the absence of a subcontracting contract (article 28.3. of the GDPR) and the absence of sufficient information by a public authority (article 14 of the GDPR)

The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, president, and Messrs. Romain Robert and Christophe Boeraeve, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter LCA);

Having regard to the internal regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the file;

Has taken the following decision regarding:

The complainant: Mr.

The defendants: Municipality Y1, hereinafter: “the first defendant”;

The company Y2, represented by Maître Louis Leurquin, lawyer, whose firm is established at avenue Brugmann 435, 1180 Brussels (Uccle), hereinafter: “the second defendant”;

Hereinafter referred to together as “the Defendants”.




I. Facts and procedure

1. On September 4, 2020, the complainant lodged a complaint with the Data Protection Authority (APD) against the defendants.

2. The subject of his complaint concerns, on the one hand, the absence of a subcontracting contract between the first and second defendants in relation to the processing of the complainant's data and, on the other hand, the manner in which the complainant's data were processed in the context of the establishment and collection by the first defendant of a parking fee owed by the complainant.

3. The facts giving rise to the complaint can be summarized as follows.

4. The complainant states that he received from the first defendant a parking fee dated May 20, 2020 on the Place (...). This parking fee was sent to his home and includes his first and last name, his address and the license plate number of his vehicle.

5. On July 6, 2020, the complainant contacted the Tax department of the first defendant to obtain proof of the parking violation attributed to him. In response, the complainant was sent several photographs of his vehicle. He then questioned the said Tax department of the first defendant on the manner in which the personal data concerning him were processed in the context of the establishment and collection of the fee claimed from him.

6. Informed in response that the first defendant used the services of third parties, including the second defendant, the complainant requested to obtain the agreement concluded with the latter. It is established, by the first defendant's own admission, that the subcontracting contract which was to bind it to the second defendant did not exist at the time of the facts concerning the complainant.

7. The Litigation Chamber mentions here from the outset that it was on July 27, 2020 that a “Personal data processing agreement” (CTDCP) was signed between the defendants. Article 2 of this CTDCP defines the role of each party. The second defendant is described there as a computer engineering company which develops and markets software, manages IT infrastructures and provides its expertise to both public and private clients. As part of its activities, it may be required to carry out processing of personal data belonging to its client, such as the first defendant in this case, particularly in the context of its installation, support and/or maintenance and hosting activities. The contract continues by indicating that, in the context of the processing carried out, the second defendant acts as a subcontractor while its client, the first defendant in this case, acts as controller.


8. On October 23, 2020, the complaint was declared admissible by the First Line Service (SPL) of the APD on the basis of articles 58 and 60 of the LCA and the complaint was transmitted to the Litigation Chamber under article 62, § 1 of the LCA.

9. On November 20, 2020, in accordance with article 96, § 1 of the LCA, the request of the Litigation Chamber to carry out an investigation was transmitted to the Inspection Service (SI).

10. On May 11, 2021, the SI investigation was closed, the report was attached to the file and the file was transmitted by the Inspector General to the President of the Litigation Chamber (art. 91, § 1 and § 2 of the LCA).


11. This inspection report makes the following findings:

a. Violation of article 28.3. of the GDPR by the first defendant: the SI establishes that the subcontracting contract between the first defendant in its capacity as data controller and the second defendant in its capacity as subcontractor was concluded on July 27, 2020. The SI therefore notes that at the time of the facts complained of and of the processing of the complainant's data in the context of the establishment and collection of the parking fee for May 20, 2020, such a contract did not exist, in violation of article 28.3 of the GDPR. The SI adds that the retroactivity clause contained in said subcontracting contract cannot prejudice the rights of third parties, in particular those of the complainant.

b. Violation of articles 12.1 and 14 of the GDPR by the first defendant: the SI establishes that the exemption from information provided for in article 14.5.c) of the GDPR invoked by the first defendant cannot be accepted in this case. Relying on the Guidelines on transparency of the European Data Protection Board (EDPB) [1], the SI concludes that the texts [2] invoked by the first defendant, while they establish the lawfulness of the processing, do not require it to obtain (or to receive communication of) the data that it processes in the context of the collection of the fee in question and, above all, do not contain appropriate measures to protect the legitimate interests of the data subject as required by article 14.5.c) of the GDPR in order to be relied upon. The SI notes that the first defendant also invokes deliberation AF 23/2013 of July 25, 2013 of the Federal Authority Sector Committee (CSAF) of the Commission for the Protection of Private Life (CPVP) [3] providing a single authorization and amending, with regard to private concessionaires of Brussels municipalities, the autonomous Brussels municipal rules and the parking Agency of the Brussels-Capital Region, deliberation AF 12/2009 bearing a single authorization for access to the DIV directory for the purpose of identifying persons who are debtors, due to the use of a vehicle, of a charge, which according to it retains its validity in accordance with section 111 of the LCA. The SI notes that this deliberation specifically requires that information be provided to the data subject via the website of the data controller as well as on payment requests. The SI notes that such information is provided neither on the website of the first defendant nor on the payment requests sent (2nd reminder). The SI also points out that the fact that the first defendant is authorized to access the DIV (Vehicle Registration Department - directory of vehicles) does not exempt it from the information obligation.

[1] European Data Protection Board (EDPB), Guidelines on transparency under Regulation (EU) 2016/679 of April 11, 2018. These guidelines adopted by the Article 29 Working Party (WP 260) were endorsed by the EDPB during its inaugural session on May 25, 2018: https://ec.europa.eu/newsroom/article29/items/622227.

[2] The first defendant invokes the following texts: article 6 of the royal decree of July 20, 2001 relating to the registration of vehicles, which provides that the investigation and criminal prosecution of crimes, misdemeanors and contraventions are purposes for which the personal data in the directory may be processed; the law of February 22, 1965 allowing municipalities to establish parking fees applicable to motor vehicles; the fee regulation relating to its municipal parking policy voted by the Municipal Council on [….], which allows parking fees to be established when a vehicle does not comply with the relevant legislation; and the order of January 22, 2019 (chapter VII) – parking fees and monitoring of compliance with parking rules.

[3] The Commission for the Protection of Private Life (CPVP) was the Belgian data protection authority within the meaning of article 28 of Directive 95/46/EC. The Data Protection Authority (APD) succeeded it on May 25, 2018 pursuant to article 3 of the LCA.

[4] Article 36bis of the LVP provided that any electronic communication of personal data by a federal public service or by a public body with legal personality which comes under the federal authority requires an authorization in principle from the CSAF unless the communication has already been the subject of an authorization in principle from another sectoral committee created within the CPVP. The mission of the CSAF is to check whether the communication complies with the legal and regulatory provisions.

12. On July 9, 2021, the Litigation Chamber decides, under article 95, § 1, 1° and article 98 of the LCA, that the file can be dealt with on its merits.

13. On the same date, the parties are informed by registered mail of the provisions set out in article 95, § 2 and article 98 of the LCA. They are also informed, under article 99 of the LCA, of the deadlines for submitting their conclusions. The deadline for receipt of the defendants' conclusions in response was set for September 6, 2021, that for the complainant's conclusions in reply for September 28, 2021 and that for the defendants' conclusions in reply for October 20, 2021.

14. Still under the terms of this letter of July 9, 2021, the Litigation Chamber specifies that the first defendant is invited to put forward its arguments in light of the findings made in its regard by the SI. In addition, it invites the first defendant to put forward its arguments with regard to compliance with articles 5.2. and 24 of the GDPR, since a proven breach of one or other of articles 28, 12.1 and/or 14 of the GDPR identified by the SI is likely to constitute, as a result, a breach of these provisions (articles 5.2. and 24 of the GDPR) enshrining the principle of accountability.

15. On the basis of the complaint filed by the complainant (which also denounces a potential breach of its obligations arising from the GDPR by the second defendant – see point 1), the Litigation Chamber also invites the latter to present its arguments with regard to article 28 of the GDPR and the obligation to frame its relationship with the first defendant by a subcontracting contract compliant with article 28.3. of the GDPR.

16. On September 2, 2021, the Litigation Chamber receives the conclusions in response from the first defendant:

- As for the complaint based on a violation of article 28.3. of the GDPR, the first defendant does not deny that there was in fact no contract or other legal act binding it to the second defendant at the time of the facts giving rise to the complaint. The first defendant, however, emphasizes that this contract - the signature of which had not been considered a priority, particularly in the absence of high risk for the data subjects and given the context of the covid 19 pandemic requiring prioritization - was concluded on July 27, 2020 and that the situation is now regularized, including for the past, taking into account the retroactivity clause to May 25, 2018 provided for by article 3 of the said contract.

- As for the complaint based on a violation of articles 12.1 and 14 of the GDPR, the first defendant declares, in view of the conclusions of the SI on this point, that it takes note that article 14.5.c) of the GDPR would not apply and indicates that it has modified its website by adding a text containing the information required by article 14 of the GDPR and adapted the payment request letters for parking fees by adding an informative clause.

17. On September 3, 2021, the second defendant notified the Litigation Chamber that it refers to and adheres to the arguments developed by the first defendant in its conclusions in response of September 2, 2021 (point 16), which conclusions can be considered to be filed in its name and on its behalf as well.

18. On September 4, 2021, the Litigation Chamber receives the complainant's conclusions in reply:

- The complainant welcomes the fact that the first defendant recognizes the breaches it is accused of, while doubting its good faith when it invokes what he considers “the too easy excuse” of the covid 19 epidemic to explain its delay in signing a subcontracting contract. He notes in this regard that the GDPR had been in force since May 25, 2016, i.e. even before the award of the public contract by the first defendant to the second defendant in late 2016.

- The complainant also points out that the first defendant minimizes the personal data which it communicates to the second defendant. Only the license plate of offenders would be sent to the latter, while the SI report mentions that other personal data concerning him (such as photographs of his vehicle) are also communicated. Generally speaking, the complainant denounces the lack of exemplary conduct and transparency of the first defendant as a public administration.

- Finally, the complainant wishes to be compensated for the harm he has suffered as a result of the failure to respect his personal data, both morally and financially, evaluating his loss at €1,500.00 ex aequo et bono with regard to the time and energy devoted to this matter.


19. On September 30, 2021, the Litigation Chamber receives the conclusions in reply of the first defendant. As for the compensation claimed by the complainant for damage suffered, the first defendant argues that the complainant's data was not used for purposes not provided for by law and that he cannot have suffered damage due to improper use of it. It also emphasizes that public authorities are exempt from administrative fines.

20. Also on September 30, the Litigation Chamber received a final reaction from the complainant. This reaction is submitted out of time, the complainant having already had the opportunity to submit conclusions (point 18) and the last word going to the defendants. The complainant insists in particular on the fact that the fee could only be established through a communication, contrary to the GDPR, of data concerning him which, from his point of view, invalidates the fee as such. He also recalls that while public authorities are exempt from administrative fines, non-pecuniary administrative sanctions may be imposed on them as well as criminal sanctions. The complainant finally recalls his claim for compensation.




II. Reasoning

II.1. As for the breach of article 28.3. of the GDPR by the first and second defendants

21. Article 28.1. of the GDPR provides that when processing is to be carried out on behalf of a data controller, the latter only uses subcontractors who present sufficient guarantees regarding the implementation of appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and guarantees the protection of the rights of the data subject.

22. Pursuant to article 28.3. of the GDPR, such processing must be governed by a contract or by another legal act under Union law or the law of a Member State, which binds the subcontractor with regard to the controller and defines the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects as well as the obligations and rights of the controller. This contract or other legal act must also in particular impose on the subcontractor the series of obligations listed in letters a) to h) of article 28.3. of the GDPR.

23. In this case, the Litigation Chamber characterizes the first defendant as “controller” within the meaning of Article 4.7. of the GDPR. It is the entity that defines the purposes and means of the processing complained of (i.e. the processing of personal data relating to the complainant for the purposes of establishing and collecting a parking fee), as part of the exercise of a competence which has been legally entrusted to it. This characterization is not contested by the defendants.

24. The Litigation Chamber characterizes the second defendant as a “subcontractor” within the meaning of Article 4.8. of the GDPR in that it acts on instructions from the defendant. This characterization is also not contested by the defendants.

25. The Litigation Chamber decides that both the first and second defendants were required to conclude a subcontracting contract or to bind themselves by a legally binding act regarding the exercise of the subcontracting mission that they had established between them, in accordance with article 28.3. of the GDPR.

 26. The Litigation Chamber endorses in this regard the position of the EDPS according to which “given that the Regulation establishes a clear obligation to conclude a written contract, where no other relevant legal act is in force, its absence constitutes a GDPR violation. Both the controller and the processor are responsible for ensuring that a contract or other legal act governs the processing. Subject to the provisions of Article 83 of the GDPR, the competent supervisory authority will be able







5 European Data Protection Committee (EDPS), Guidelines 07/2020 on the concepts of controller and subcontractor in the GDPR, version 2.0 of July 7, 2021, https://edpb.europa.eu/system/files/2022-02/eppb_guidelines_202007_controllerprocessor_final_fr.pdf

6 Emphasis added by the Litigation Chamber. Article 28, paragraph 3, does not apply only to controllers. When only the subcontractor is covered by the territorial scope of the GDPR (article 3), the obligation is directly applicable only to the subcontractor. See also, in this sense, Guidelines 3/2018 of the European Data Protection Committee (EDPS) on the territorial scope of the GDPR, p. 12, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_fr.pdf.


       to impose an administrative fine on both the controller and the subcontractor, taking into account the circumstances specific to each situation”. 7


 27. In other words, the obligation to conclude a contract or to be bound by a binding legal act weighs both on the data controller (here the first defendant) and on the subcontractor (here the second defendant), and not on the controller alone. This is particularly important when, as in this case, a subcontractor offers its specialized services to a large number of separate controllers. It would not be consistent with the GDPR (nor with the reality on the ground) to consider that the initiative for concluding the contract (and its proposed content) should come only from the data controller.

 28. In the present case, the first and second defendants do not dispute that the subcontracting contract which was to bind them did not exist at the time of the facts reported. This contract was concluded on July 27, 2020, i.e. on a date subsequent to these facts and to the subsequent data processing which, as a reminder, originates in an instance of parking on May 20, 2020. In the explanations it gave to try to justify this late signature (point 16), the first defendant (followed by the second defendant – point 17) indicates that at the time of the award of the public contract to the second defendant by a deliberation at the end of 2016, the GDPR did not yet exist. On this point, the Litigation Chamber reminds the defendants that in reality the GDPR had been in force since May 25, 2016 (article 99.1. of the GDPR), i.e. for more than 6 months already at the time of the deliberation awarding the contract mentioned by the first defendant. Consequently, from the award of the public contract by the first defendant to the second defendant, they had to comply with the GDPR and therefore sign as quickly as possible and, in any event, no later than May 24, 2018, a subcontracting contract in accordance with Article 28.3. of the GDPR. The legislator had in fact expressly provided for a transitional period of 2 years to enable compliance with the GDPR, including with regard to situations which pre-dated the application of the GDPR but would persist beyond it.


 29. Like the SI (point 10), the Litigation Chamber is of the opinion that the retroactivity clause provided for by the contract of July 27, 2020 is not capable of compensating for the absence of a contract at the time of the facts. If such retroactivity were to be admitted, it would de facto make it possible to circumvent the application over time of the obligation of Article 28.3 of the GDPR, which weighs, as set out in points 26 and 27 above, both on the data controller and on the subcontractor. However, as has just been explained in point 28, the GDPR itself provided for a period of 2 years separating its entry into force from its entry into application, to allow progressive compliance by all entities concerned (article 99 of the GDPR).


7 Emphasis added by the Litigation Chamber.



       The obligation to conclude such a contract is also intended to clearly distribute the responsibilities of each of the defendants in their respective capacities as data controller on the one hand and subcontractor on the other. As highlighted in recital 79 of the GDPR, this obligation also pursues the objective of guaranteeing the protection of the rights and freedoms of the data subjects, whose data, processed within the framework of the relationship that the data controller (here the first defendant) chooses to create with the subcontractor (here the second defendant), are thus protected. This absence of protection, although protection is required by the GDPR, cannot be covered by a contractual retroactivity clause agreed solely by the defendants in disregard of the rights of the data subjects, who are not parties to the contract, rights which are enshrined in a norm that is, moreover, of European rank.

 30. In light of the above, the Litigation Chamber concludes that both the first and the second defendants were guilty of a breach of Article 28.3. of the GDPR. For the sake of completeness, the Litigation Chamber specifies that it is empowered to find a breach of this provision on the part of the second defendant, notwithstanding that the SI identified no breach on the latter's part, and this in the exercise of its own powers. The second defendant, implicated under the terms of the complaint filed (point 1), was also invited to defend itself with regard to this breach, in accordance with the adversarial principle (point 15), and does not deny the absence of a contract at the time of the facts.


 31. The defendants also claim that, in any event, they respected the obligations arising from the Law of December 8, 1992 relating to the protection of private life with regard to data processing (LVP) previously applicable (article 16, devoted to the obligations of the subcontractor) 9 and that, taking into account other emergencies, particularly those linked to the covid-19 pandemic, compliance with the GDPR was not seen as a priority from 2018, given the few risks incurred by the taxpayer in the context concerned. The defendants also argue that the rights of the complainant have always been respected, even before the conclusion of the contract on July 27, 2020, and that the data concerning him have not been used for purposes other than those related to the parking fee.




8 The LCA does not require the Litigation Chamber to use the Inspection Service. Indeed, the Litigation Chamber decides sovereignly whether, following the filing of a complaint, an investigation is necessary or not (article 63.2° of the LCA and art. 94, 1° of the LCA). In this sense, article 94, 3° LCA explicitly provides that, once seized, the Litigation Chamber may process the complaint without resorting to the Inspection Service. It thus has a power of assessment of the complaint which is independent of the inspection (Court of Markets (19th ch. A), December 7, 2022, 2022/AR/560 and 2022/AR/564; Court of Markets (19th ch. A), December 7, 2022, 2022/AR/556).

9 It should be noted that the obligations of the subcontractor were very limited compared to the requirements of article 28 of the GDPR. Article 16 of the LVP was in fact limited to providing that the subcontractor could only act on instructions from the data controller and had to present sufficient guarantees to ensure the security of the processing which was subcontracted to it.


 32. For the Litigation Chamber, the circumstances invoked by the defendants, even if they prove to be true, are not such as to eliminate the existence of a breach on their part. They could, however, at most be taken into account by the Litigation Chamber in the assessment of the appropriate sanction with regard to all of the circumstances of the case.



   II.2. As for the breach of articles 12.1. and 14 of the GDPR by the first defendant


 33. The Litigation Chamber takes note that the first defendant has now, on the one hand, provided on its website information for data subjects reflecting the elements required under Article 14 of the GDPR and, on the other hand, committed to providing information to data subjects when sending requests for payment of fees.


 34. The Litigation Chamber nevertheless concludes that, for the past, the first defendant was guilty of a breach of articles 12.1 and 14 of the GDPR in not providing adequate information to the data subjects. In this regard, the Litigation Chamber shares the analysis of the SI, which rules out the applicability of Article 14.5.c) of the GDPR.


 35. Under the terms of this article 14.5.c), the data controller is exempt from its obligation to provide information when and to the extent that “obtaining or communicating information is expressly provided for by Union or Member State law to which the controller is subject and which provides for appropriate measures aimed at protecting the legitimate interests of the data subject”.

 36. The Litigation Chamber notes a difference in language between the French version and, for example, the Dutch and English versions of this provision. Indeed, while the French version of article 14.5.c) of the GDPR mentions “when and to the extent that obtaining or communicating information is expressly provided for by law of the Union or the Member State”, the Dutch and English versions of the text retain respectively the following terms: “wanneer en voor zover het verkrijgen de verstrekken van de gegevens uitdrukkelijk is voorgeschreven bij Unierecht of lidstaatelijk recht” and “where and insofar obtaining or disclosure is expressly laid down by Union or Member State law” (read: obtaining or disclosure of data, in accordance with the terms of recital 62). The Litigation Chamber is of the opinion that it is indeed the obtaining and communication of data which must be provided for by national law (or, where applicable, by European Union law), notwithstanding the terms of the French version of article 14.5.c) of the GDPR.

 37. What is provided for in article 14.5. c) of the GDPR constitutes an exception to the right to information. Without being informed that data processing concerning them is being carried out, the data subject is deprived of information which is in principle provided to them spontaneously by the data controller and which facilitates the exercise of their other rights, of whose existence and methods of exercise they are also informed by this means (articles 13.2 b), c) and d) and 14.2 c), d) and e) of the GDPR).

 38. This exemption must be interpreted restrictively since it constitutes an exception to the information obligation provided for by the fundamental right to the protection of data and the corollary information obligation imposed on the data controller. It also deprives, as already mentioned, the data subject of information on the existence and methods of exercising their other rights which are, for their part, not subject to the same exception “in the event of obtaining or communication expressly provided for by the law”. As an example, the right of access (article 15 of the GDPR), which in turn opens the way to the exercise of other rights such as the right to rectification, objection or even erasure, is not subject to this exception (article 15.4. of the GDPR).

 39. The ratio legis of this exception in Article 14.5.c) of the GDPR is based on the fact that the national legislation would require the obtaining or communication of said data. It is important that this legislation be particularly clear and have the qualities that any data protection legislation must have, and that this obtaining/communication be binding on the data controller, which the latter must be able to demonstrate. Said legislation must also provide for appropriate measures to guarantee the legitimate interests of the data subject.


 40. The Litigation Chamber adds that, finally, the obligation to obtain or communicate said data must, in order to trigger the exception of article 14.5.c) of the GDPR, logically cover all the data which would have been processed by the data controller invoking the exemption from the information obligation.


41. The SI report notes that the first defendant relies on the following texts:

           a. Article 6 of the royal decree of July 20, 2001 relating to vehicle registration, which provides that the investigation and criminal prosecution of crimes, misdemeanors and contraventions are purposes for which personal data from the DIV directory (Directorate of Vehicle Registration) may be processed.

               The Litigation Chamber notes that this provision specifies the purposes of the DIV, consultation of which is authorized for the benefit of the first defendant for these purposes, including that of establishing the fee.


           b. The law of February 22, 1965 allowing municipalities to establish parking fees applicable to motor vehicles.

               Here too the Litigation Chamber notes that this is a text which allows the first defendant to establish the parking fee. When examining the text, the Litigation Chamber notes that article 2 of the legislation provides that “for the collection of the remunerations, taxes or parking fees referred to in Article 1, the towns and municipalities and their concessionaires and autonomous municipal authorities are authorized to request the identity of the holder of the registration plate number from the authority responsible for vehicle registration, in accordance with the law on the protection of private life”. The text thus provides the right for municipalities such as the first defendant to consult the DIV for the purposes of establishing the fee.


            c. The fee regulation relating to the municipal parking policy voted by the municipal council dated […], which makes it possible to establish parking fees when a vehicle does not comply with the relevant legislation.

               Upon analysis of this text, communicated by the first defendant to the SI, the Litigation Chamber notes (i) that it organizes the modalities according to which parking is regulated and subdivided (paid zone, blue zone etc.) and at what rate, (ii) that it details the terms of amicable recovery and amicable complaint, as well as (iii) the terms of forced recovery and of recourse against the forced recovery procedure. The text further details the existing exemption cards.

               The Litigation Chamber, however, does not identify any provision which specifies what data the first defendant would be required to obtain in the context of the establishment and collection of a parking fee.

            d. The order of January 22, 2009 10 – chapter VII – parking fees and monitoring compliance with parking rules. The text organizes the parking policy in the Brussels-Capital region, creates the Parking Agency, sets the amount of fees and addresses the issue of the control and collection of these fees as well as their cost for the municipalities etc.

               Here too, the Litigation Chamber does not identify any provision relating to the compulsory obtaining/communication of data on which the first defendant could rely to found the exemption from the information obligation that it invoked.






10 Read: the Order of January 22, 2009 on the organization of parking policy and the creation of the Parking Agency of the Brussels-Capital Region, M.B., January 30, 2009.


 42. On the basis of the above, the Litigation Chamber concludes that, while it is understood that the first defendant certainly needs certain data to establish a parking fee and collect it (and is authorized to consult a source such as the DIV for this purpose), the texts that it invokes in support of its competence do not provide for the mandatory obtaining or communication of the data it has processed in this case (including photographs). As the SI also points out, none of these texts provides for additional appropriate measures intended to protect the interests of the data subjects in this context, where no information would therefore be provided to them in the proactive sense that the GDPR gives to this obligation. Consequently, the Litigation Chamber notes that the conditions for application of article 14.5.c) of the GDPR are not met and that the first defendant was, therefore, not authorized to invoke this exception.


 43. In this sense, the deliberation of the CSAF to which the first defendant refers required that the data subjects be informed, which the first defendant failed to do.

 44. Finally, for cases where the data controller would be entitled to rely on article 14.5.c of the GDPR, the Litigation Chamber recalls that, as highlighted by the EDPS in its Transparency guidelines already cited, this exemption nonetheless requires that “the controller should clearly notify the data subjects that it obtains or communicates personal data in accordance with the law in question, unless there is a legal prohibition preventing it from doing so. This provision complies with recital 41 of the GDPR, which provides that a legal basis or a legislative measure should be clear and precise and its application should be foreseeable for those subject to it, in accordance with the case law of the Court of Justice of the European Union and the European Court of Human Rights”. This obligation is in line with the obligation of the data controller to identify, pursuant to articles 13.1.c) and 14.1.c) of the GDPR, the legal bases of its processing operations, before those operations are put into effect. In this regard, it is not enough to indicate that data processing will take place in execution of a legal obligation or to refer purely and simply to the application of article 6.1. c) of the GDPR. It is the responsibility of the data controller to identify the relevant legislation which underlies the processing it carries out.

 45. In conclusion, the Litigation Chamber notes a breach of Article 14 of the GDPR on the part of the first defendant, combined with a breach of article 12.1 of the GDPR. Indeed, by failing to provide the information listed in Article 14 of the GDPR to the data subjects, the first defendant also fails to comply with this provision, which requires the data controller to take appropriate measures to provide any information referred to in Articles 13 and 14 in a concise, transparent, understandable and easily accessible form, in clear and simple terms.


   II.3. As for corrective measures and sanctions


46. Under the terms of article 100 of the LCA, the Litigation Chamber has the power to:

       1° close the complaint without further action;

       2° order the dismissal of the case;

       3° pronounce a suspension of the sentence;

       4° propose a transaction;

       5° issue warnings or reprimands;

       6° order to comply with the requests of the person concerned to exercise their rights;
       7° order that the person concerned be informed of the security problem;

       8° order the freezing, limitation or temporary or definitive ban on processing;

       9° order compliance of the processing;

       10° order the rectification, restriction or erasure of data and notification of

       these to the recipients of the data;

       11° order the withdrawal of the accreditation of certification bodies;
       12° give fines;

       13° issue administrative fines;

       14° order the suspension of cross-border data flows to another State or a

       international body;

       15° transmit the file to the office of the King's prosecutor in Brussels, which informs it of the follow-up given to the file;
       16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.


 47. It is important to contextualize the breaches for which each of the defendants is responsible in order to identify the most appropriate corrective measures and/or sanctions.


 48. The Litigation Chamber wishes to point out that it is sovereignly its responsibility, as an independent administrative authority and in compliance with the relevant articles of the GDPR and of the LCA, to determine the appropriate corrective measure(s) and/or sanction(s) with regard to all the circumstances of the file. Thus, it is not for the complainant to ask the Litigation Chamber to order this or that corrective measure or (exemplary) sanction, and even less that it take measures which do not appear among those that the Litigation Chamber is authorized to impose. If, notwithstanding the above, the complainant were to make such a request, it is not the responsibility of the Litigation Chamber to justify why it would not accept one or other request thus formulated by the complainant. These considerations leave intact the obligation for the Litigation Chamber to provide reasons for the choice of the measure and/or sanction which it judges (among the list of measures and sanctions made available to it by articles 58 of the GDPR and 95.1 and 100.1 of the LCA) appropriate to sanction the party(ies) involved.

 49. Still in this regard, the Litigation Chamber specifies that it does not have jurisdiction to grant damages or compensation for possible harm suffered or to invalidate a parking fee. These powers are not provided for by article 58 of the aforementioned GDPR nor by article 100.1. of the LCA cited above. The imposition of such measures is reserved, where appropriate, to the competent courts and tribunals.

 50. In view of the breaches of Articles 28.3. (point 30), 14 and 12.1. of the GDPR (point 45) noted on the part of the first defendant in its capacity as a public authority, the Litigation Chamber decides that the reprimand constitutes the appropriate sanction.

 51. The Litigation Chamber also notes that it emerges from the recognition of the facts by the first defendant, the signing of a subcontracting contract in July 2020 and the commitments made in terms of information to the data subjects, that the first defendant has taken the measure of the breaches of articles 28.3., 14 and 12.1. of the GDPR already mentioned.

 52. Concerning the second defendant, the Litigation Chamber also decides to issue a reprimand with regard to the breach of article 28.3 of the GDPR (point 30) noted on its part as well. Considering all the circumstances of the case, this measure constitutes, in the eyes of the Litigation Chamber, the appropriate sanction for the past breach noted.




III. Publication of the decision


 53. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the APD website. However, it is not necessary for this purpose that the identification data of the parties be directly mentioned.







     FOR THESE REASONS,


     the Litigation Chamber of the Data Protection Authority decides, after deliberation:


     - Under article 100.5° of the LCA, to issue a reprimand to the first defendant for breaches of articles 28.3, 14 and 12.1. of the GDPR.

     - Under article 100.5° of the LCA, to issue a reprimand to the second defendant for the breach of article 28.3. of the GDPR.





In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days from its notification, with the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority (DPA) as defendant.

Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory request must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. 12, or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).










(sé). Hielke HIJMANS

President of the Litigation Chamber














11 The request contains, on pain of nullity:
 1° indication of the day, month and year;
 2° the surname, first name and domicile of the applicant, as well as, where applicable, his qualifications and his national register number or business number;
 3° the surname, first name, address and, where applicable, the status of the person to be summoned;
 4° the object and summary of the grounds of the request;
 5° indication of the judge who is seized of the request;
 6° the signature of the applicant or his lawyer.

12 The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court registry.