Court of Appeal of Brussels - 2019/AR/1600: Difference between revisions

From GDPRhub
No edit summary
Line 4: Line 4:
|
|
|-
|-
|Court:||[[:Category:Cour des marchés de la cour d'appel de Bruxelles/Market Court of the Brussels appeal court (Belgium)|Cour des marchés de la cour d'appel de Bruxelles/Market Court of the Brussels appeal court (Belgium)]]
|Court:||[[:Category:Cour d'appel de Bruxelles/ Hof van beroep Brussel (Belgium)]]
[[Category:Cour des marchés de la cour d'appel de Bruxelles/Market Court of the Brussels appeal court (Belgium)]]
[[Category:Cour d'appel de Bruxelles/ Hof van beroep Brussel (Belgium)]]
|-
|-
|Jurisdiction:||[[Data Protection in Belgium|Belgium]]
|Jurisdiction:||[[Data Protection in Belgium|Belgium]]

Revision as of 09:24, 14 July 2021

Hof van beroep Brussel - 2019/AR/1600
Court: Category:Cour d'appel de Bruxelles/ Hof van beroep Brussel (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR

Article 6(1) GDPR

Article 13(1)(c) GDPR

Article 13(1)(e) GDPR

Article 13(2)(a) GDPR

Decided: 19. 2. 2020
Published: n/a
Parties: Liquor store v. Belgian DPA
Case Number: 2019/AR/1600
European Case Law Identifier: n/a
Language:

Dutch

Original Source: Hof van beroep Brussel (in NL)

The Court of Appeal of Brussels annulled Belgian DPA's decision which had lead to a 10,000 EUR fine against a liquor store. The Court ruled that the DPA's decision was insufficiently reasoned and based on legislation that was not applicable at the time of the complaint. The DPA was ordered to pay back the fine.

English Summary

Facts

In August 2018, the DPA received a complaint from a customer of a liquor store. According to the complaint, the store had required this person to let them scan her electronic ID in order to issue a customer card. The investigated the complaint and concluded that the complainant had breached the GDPR. More specifically, according to the DPA the liquor store: 1. Did not have a valid legal basis for processing: consent was not freely given because no alternative was offered to the complainant (Article 6(1) GDPR); 2. Did not provide the complainant with enough information prior to the processing (Article 13 GDPR); 3. Processed more personal data than necessary, including national ID number, date of birth and gender (Article 5(1)(c) GDPR).

Dispute

The appeal against the DPA's decision was based on 9 points, among which was the claim that the DPA violated Articles 52(1), 54(2) and 82(2) of the GDPR (independence of the DPA, professional secrecy and damage liability for controllers). Most importantly, the appellant challenged two of the three findings of the DPA, which had led to the fine: the absence of a valid legal basis for personal data processing and the breach of the data minimization principle. They did not contest the lack of information.

Holding

The Court annulled the DPA’s decision as insufficiently reasoned and based on a legislation that was not applicable at the time of the complaint. The Court did not have the power to order the DPA to pay back the fine, as that falls outside of its jurisdiction, but it did quash the decision imposing the fine.

As for the breach of the data minimization principle: 1. The DPA had no evidence to support the finding that the Appellant was actually processing the national ID number of the complainant; 2. The appellant was not obliged to give the complainant an alternative way of creating a discount card: the relevant provision of the e-ID law was not applicable at the time; 3. No personal data processing took place because the complainant had refused to have her e-ID scanned; 4. The DPA’s finding that the complainant’s birth date was not used to verify her age is a mere assumption; 5. The DPA should not have assumed that the complainant would suffer an undeniable disadvantage by missing out on discounts available via the client card. This is not a disadvantage because only potential benefit was lost in this case.

The Court upheld the appeal against the DPA’s decision also as regards the absence of legal basis for processing: the legislation that requires giving people alternatives to the processing of the e-ID was not applicable at the time of complaint.

Comment

Analyses of the judgment:

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Dutch original for more details.

Brussels Court of Appeal -2019/1 600-p. 2




ABOUT

APPELLANT, represented by its director Mr _____________ with KBO no.

_______________, having its registered office at ______________________________, below
"appelant",
appellant,


represented by its counsel Mr. VANDENDRIESSCHE Gerrit and Mr. CLINC:K Jan,
lawyers, both with offices at ________________________________



against a decision6/2019 of 17 September 2019 of the Chamber of Disputes of the
Data protection;




AGAINST


The DATA PROTECTION AUTHORITY, independent public body (supervisory authority)
authority) with legal personality, with CDE No 04694.67 having its registered office at

1000BRUSSEL, rue de la Pression 35, hereinafter referred to as "GBA".
intimate,


represented by its advisers Mr. CLOOTS Elke, Mr. SOTTIAUX Stefan and Mr. ROETSJoos,
advocaten, alien kantoorhoudende te 2018 ANTWERPEN, Oostenstraat 38bus 201




1.     Court of Justice.

The Court's jurisdiction is derived from an appeal lodged by the appellant on 18 December 2010.
October 2019 was deposited at the Registry of the Court of Appeal, and a
redress pursuant to Article 108 § 1 of the Law of 3 December 2017 establishing it

of the Data Protection Authority (hereinafter referred to as the "GBA Act") is brought against the decision on
ground 6/9 of 17 September 2019 (notification dated 19 September 2019) adopted
by the Disputes Chamber of the Data Protection Authority (hereinafter "GBA").


2.     Disputed decisions the facts.
The Chamber of Disputes ruled:

      to impose sanctions in connection with the violation of article/and 5.1. c); 6.1.; 13.1.

      (c);13.1(e) and13.2(a)AVG:



            r PAGE 01-00001582885-0002-0033-01- □1-� r



            L _JCourt of Appeal Brussels - 2019/AR/1600- p. 3




           - • °
              on grand art. 100, Si, 9 WOG, order the defendant to order that the processing in
              be brought into line with Articles 5(1)(c), 6(1); 13(1)(c), 13(1)(e).
              and 13.2. a)AVG

           - on the grand of art. 101 of the WOG, an administrative fee of 10,000.

              EUR as a result of the infringement of°art.5.1. c)and art. 6.1.AVG.
           - on grand of art. 100, 51, 16 WOG, to publish this decision on the
              website of the Data Protection Authority, albeit after anonymisation.


The appellant gives the following factual account:

        1.     The Appellant, the applicant, is a beverage company established at __________. It is a

       family business with more than 40 years of experience. It has offices at ______, _____ and
       _____.


        2.     In the past, the Apellant used paper loyalty cards in order to obtain benefits.
       know to customers. Recently, the appellant has switched to an electronic

       Cash register software system that also allows the electronic identity card (elD card}
       of a customer to be read electronically using the barcode and on this basis

       granting advantages on purchases.

       The present case concerns the administrative procedure launched by the GBA.

       against the appellant following the complaint of a (1} client of the appellant. The name of
       this customer is otherwise irrelevant and is therefore not mentioned. The customer is hereinafter referred to as

       referred to as 'person concerned'.


       3.     On 28 August 2018, the party concerned lodged a complaint with the
       Data protection authority because she did not want her elD card to be read in
       to grant discounts on its purchases (section A.1}. The complaint was as follows:


              Presentation of the facts
              On Friday 8 June, I went to buy drinks from the appellant,___________.

              __________________________. With a few bottles of spirits it was a high
              amount. At the checkout - arrived they asked me if I would not like a loyalty card.
              I wish. Iia "They asked my identity card to read it in. l
              replied that I didn't want to give my identity card, but that I would feel free to give the
              the data needed to create a loyalty card on paper for a short while
              wanted to put. I was refused the loyalty card - they only make

              customer cards by reading the identity card.

              This/this scenario happened again on Saturday 30 June - this time in the shop
              of drinks trade appellant at ________________________. Because that day we
              having a BBQ with a grate group, the bill for booze was again a hefty

              amount. When I arrived at the checkout they asked me if I would not like a loyalty card.

                                                              �
             I PAGE 01-00001582885-0003-0033-01-01-



             L _JCourt of Appeal Brussels -2019/AR/1600- p. 4




              I said 'yes'. They asked me to read my identity card and I answered.

              dot I didn't want to give my identity card, but dot I feel free to give the data that I need
              wanted to put the goods on paper before creating a loyalty card. The
              customer card was refused to me - one creates enke/ k/anten cards by
              of reading the identity card. At dot moment there were
              different people at the deck mass. One of them also made the remark
              dot it cannot dot for a customer's card the identity card must be read in/receive
              warden. The lady at the checkout said dot she had nothing to do with this and now dot this

              was a mani�on of work.

              Maybe a k/eine remark: I'm 51 years old and I really don't look like a/s anyone
              of 16 years of age:)

       In other words, the person concerned agreed to the processing of her personal data

       information by the appellant to receive a loyalty card. However, it did not wish these
       Processing took place by means of reading her elD card.

       4.     On 26 September 2018 Mr. Willem De Beuckelaere of

       the GBA the message that its complaint was declared "admissible/complainant" and for further action
       treatment has been referred to the competent service which will inform you about
       the vrderever/oop of your k/acht" (piece)B.2


       The first-line service apparently decided not to initiate mediation.

       5.     On 29 October 2018 Mr Van Der l<elen, in his capacity of

       President of the GBA Dispute Settlement Chamber, the Inspector General of the
       ln section of the GBA as follows:


              Pursuant to Article 96, §1 of the Law of 3 December 2017 establishing the
              Data Protection Authority, you hereby become the request of the Dispute Chamber

              from today to the conduct of an investigation, together with the k/eacht
              and the judgment of the court or tribunal. (document B.3)


       De Geschillenkamerveprovided no further details on what aspects of the processing
       the lnspectorate had to investigate.

       On the same day, Mr van der Kelen also informed the person concerned of the decision of the

       Disputes Chamber to have the lnspection Service carry out further investigation of the complaint
       (stuB.4).


       6.     On 7 February 2019, the appellant received a letter from Mr Frank
      Schuermans, Inspector General of the Inspectorate of the GBA (stu k B.6). The
      lnspection Service requested the appellant to provide information and documents in order to

       "to gain a better understanding of your practice for the acquisition of personal data from your


             I PAGE □ 1-00001582885- □ 4-0033- □1-□ 1-;i



             L _JCourt of Appeal Brussels - 2019/AR/1600-p. 5




       customers, the internal use of this personal information in your company and the possible use of this personal information in your company.

       distribution of these obtained personal data to third parties in accordance with the terms of the agreement.
       AVG obligations (...)".


       7.     On 12 April 2019, the appellant's counsel d: replied to the
       questionnaire of the lnspection Service, together with additional documents (document B.7).


       8.     On 10 May 2019, the Inspector General of the GBA's Inspectorate,
       in the meantime, Mr van den Eynde, his report of the enquiry to the chairman of the
       Dispute Chamber, meanwhile Mr. Hielke Hijmans (piece B.8). This report contained the following,

       on the one hand, "findings (within the scope of the k/eight seriousness indications)" and,
       on the other hand, 'additional findings (outside the scope of the k/eight or serious

       indications'.

       9.     On 28 May 2019, the Disputes Chamber decided to hear the substance of the case.

       (part B.9).

       10. On 3 June 2019, the Disputes Chamber informed the appellant of the decision to withdraw the

       deal with the substance of the case (document 8.10). The Appellant was also informed
       on its possibilities such as requesting a copy of the file as well as the
       submission of defences. It was only at this point that the appellant was given the opportunity to

       to take note of the content of the Complainant's complaint against the processing of
       personal data by the appellant.


       On the same day, the GBA Oak sent a registered letter to the person concerned. This
       immediately received a copy of the inspection report (document B.11).


       On 27 July 2011, the appellant submitted her defences (documents C.1 and C.2).

       On 17 September 2019, the Disputes Chamber took a decision on the merits, hereinafter referred to as the

       "Contested Decision" (document D.1).

       For its part, the Data Protection Authority (hereinafter "GBA") shall explain the facts as .
       follows:

       1.     On _28 August 2018, the GBA received a complaint from a person ('the

       person concerned' or 'the complainant') who is a customer of the appellant, a beverage business with
       Various branches at _____________________. In the complaint form, the person concerned stated that they were,
       in order to be able to obtain a loyalty card from the beverage trade, it was obliged to offer its

       to have an electronic identity card read into the computer system of the beverage trade.
       However, the person concerned did not wish her identity card to be read electronically. -Herring
       propose, as an alternative, that the personal data needed to establish a



             I PAGE 01-00001582885-0005-0033-01-01-�



             L _JCourt of Appeal Brussels - 2019/AR/1600-p. 6





        to create a loyalty card in any other way was rejected. As a result,
        the person concerned was refused a loyalty card from the beverage trade, although they would like to

        wished for a loyalty card. This was done on two occasions, both in the branch at the
        _________ (on 8 June 2018) as in the establishment at ____ (on 30 June 2018).

        In particular, the person concerned described the facts as follows in the complaint form which she submitted to
        submitted the GBA (part 1):


               On Friday 8 June, I went to buy drinks from the drinks trade appellant,___________ __________________________________--appella,t
               appellant's address: ________. With a few bottles of spirits it was a high amount.
               At the checkout - arrived they asked me if I didn't want a loyalty card. I said
               ia. I was asked to read my identity card and I replied that

               I did not want to give my identity card, but that I would feel free to give the data that I needed
               wanted to put the goods on paper before creating a loyalty card. The
               loyalty card was refused to me - one only creates loyalty cards by means of
               of reading the identity card.
               This/this scenario happened again on Saturday 30 June - this time in the shop of

               beverage trade appellant in _____ address address address address address address address address . Because we
               day had a BBQ with a grate group, the bill for booze was again a
               considerable amount. When I arrived at the checkout they asked me if I would not like a loyalty card.
               I said 'la'. They asked me to read my identity card. Yk

               replied that I did not want to give my identity card, but that I would be happy to give the
               data needed to create a loyalty card on
               wanted to make paper. The loyalty card was refused to me - they only make
               customer cards by reading the identity card. On that
               moment ston_ den er different/ende people behind me at the checkout. A v them

               made the comment that it is not possible for a loyalty card to have the
               Identity card must be read in. The lady at the checkout said that she was here
               had nothing to do with it and that this was their way of doing things.
               Perhaps a small remark: I am 51 years old and I really do not look like someone
               of 16 years @."


       2.      On 26 September 2018, the GBA declared the complaint admissible on grand of the
       Articles 58 and 60 of the Act establishing the Data Protection Authority (hereinafter referred to as 'the Act'):
                  1
       "GBA Act") (document 2). The complaint was subsequently submitted to the Disputes Chamber of
       the GBA, in accordance with Article 62(1) of the GBA Act. The admissibility decision was
       also notified to the complainant on 26 September 2018, in accordance with Article

       61 GBA Act (document3).

                                                                                         °
       3.      On 23 October 2018, the Chamber of Disputes ruled on grand of article 63(2) , and
       article94, °,GBA law honor:, investigated questions to the lnspectiedienst van de GBA (document4).


       4.      On 29 October 2018, the request of the Disputes Chamber to carry out
       submitted an investigation to the lnspectorate, in accordance with Article 96(1) of the GBA-

1
 Law 3 December 2017 establishing the Data Protection AuthorityB.S.10 January 2018.


              I PAGE 01-00001582885-0006-0033-01-01-�



              L _JCourt of Appeal Brussels - 2019/AR/1600- p. 7




       law. The complaint and the minutes of the decision of the Dispute Chamber of 23

       October 2018 was attached to this request. The person concerned was referred to the Dispute Chamber
       informed cle by letter dated 29 October 2018 of the transfer to the
       lnspection service (document 5).


       5.     In order to examine the file, the lnspection Service sent an
       written questioning of the person responsible for processing (document 6). As he or she is
       written questioning was not initially answered, sent by the lnspectorate on 4 April

       2019 a reminder by registered letter (piece 7). On 12 April 2019, the
       The appellant, through her counsel, finally gave an answer to the
       lnspection service (document 8).


       6.     On 10 May 2019, following the completion of its investigation, the lnspection's Office issued an
       report and attach it to the dossier in accordance with Article 91 § 1 GBA Act (document 9).

       The inspection report mentioned in particular the following findings (p. 1-2):
              "The k/acht [...] concerns the automatic /healing of the e/D for the creation of an

              loyalty card at a drinkshande/. At the consecutive/ordinary visits of the k/side
              the barcode is linked to the customer's data [...].
              - The customer data stored in this way are: name, first names, address,
              date of birth, date of birth/eight, from which the person concerned is a customer, amount of purchases.
              - The dispute/en-su Chamber did not provide any additional indications that should have been given.
              examined by the inspectorate [...], soa/s concerning an examination of the

              privacy statement of the processing responsible/ijke.
              - The Commission has previously accepted that some traders may disclose to their customers
              identify these customers if they register in a strictly personal
              fidelity system allowing the c/anten to benefit from a price reduction or for the/and
              received in the gout of purchases made (marginal 17 recommendation
              03/2011).
              -However, the Commission also considered it belong dot the consent of the client.

              is obtained at the /reading of the e / D in the framework of a loyalty system,
              and dot the customer 'an a/ternative for the use of his identity card'.
              proposed' (recommendation 6 at the end of recommendation 03/2011).
              -The e-D legislation has been adapted by article 27 of the law of 25 November 2018.
              containing various provisions relating to the National Register and the
              humidification/registers. Artike/ 6 § 4 of the law of 19 July 1991 provides a new framework.
              for the use of the e/D dot data as from 23 December 2018

              must have been checked/checked by the person responsible for processing. This article ste/t o.a.
              The electronic identity card may only be read or used with the free one,
              specific and informed consent of the holder of the electronic
              identity card'.
              When a benefit or service is offered to a citizen through his
              electronic identity card in the context of an IT application, must
              also an alternative that the use of the electronic identity card does not

              required, be introduced to the person concerned'.



             r PAGE □ 1-□□□□ 1582885-0007-0033- □1-i;-i



             L _J Hof van beroep Brussel - 2019/AR/1600- p. 11





        The Chamber of Disputes took note that the defendant admitted that this method of proceeding was inconsistent.
        with the AVG and indicated that additional measures would be taken in the short term in order to strengthen the
       bring data processing in line with the AVG.

        15. In accordance with Article 100, § 1, 9 , GBA Act, the Dispute Settlement Chamber ordered the

       Respondent to bring the data processing in conformity with Article 5.1(c),
       article 6.1 and article 13 AVG. In addition, the Disputes Chamber decided the following sanctions on
       to be laid:

               - an administrative fine of EUR 10 000 as a result of the infringement of an article

               5.1.c) and Article 6.1 AVG (on the basis of Article 101 of the GBA Act);
                  the publication of the decision on the website of d°
               Data protection authority, after rendering anonymous (on the basis of Article 100(1)(a), 16)
               GBA Act).

       In order to justify its decision to impose an administrative fine of that amount on

       the Chamber of Disputes referred in particular to the seriousness and nature of the
       infringements of Article 5.1.c) and Article 6.1 AVG. In particular, the Disputes Chamber found that
       relevant that:
       - the infringed Article 5.1.c) AVG contains a fundamental principle;
              - the infringement of Article 6.1 of the AVG is such that there is no valid legal basis at all
              is for data processing.


       Non-compliance with the relevant provisions of the GCG must, in accordance with the
       Litigation chamber was considered to be "grossly negligent with a far-reaching impact
       not all/one on the data processing of the k/ager, but on that of a/le customers of the
       defendant.


       16. On 19 September 2019, the Chamber of Disputes informed the parties of its
       decision and of the possibility of applying for reprimand within a time limit of thirty days
       days, as from the notification, before the Market Court (Article 108(1)(1) of the GBA Act) (doc.

       18).


       17. By petition of 18 October 2019, the appellant made the following amendments
       Your Court appealed against the decision of the Dispute Chamber of 17 September.
       2019. That decision is hereinafter referred to as the 'contested decision'.




3.     The claims before the Court.

3.1.
By Summary Conclusion lodged at the Court Registry on 20 December 2019, the
appellant:

       "to declare the appellant's appeal admissible and well-founded,




              I PAGE 01-00001582885-0011-0033-01-01-�



              L _JCourt of Appeal Brussels -2019/AR/1600- p. 12





       the decision 06/2019 of 17 September 2019 of the Chamber of Disputes of the
       Destroy the data protection authority and the data protection authority to
       recommend the administrative fine of EUR 10 000 already paid by the appellant

       appellantterugte beta/en,
       do justice again:

       o in main order, that is to say, before entitlement to dot the complaint of the person concerned dated 28 August 2018 by

           the data protection authority was unfounded in relation to the appellant, and
           to dismiss this k/eight, or


       o subordinate, if your court is of the opinion that the Complainant's complaint dated 28 August

           2018 at the Data Protection Authority in respect of the appellant's breach of
           constitutes a reprimand on the appellant's right to data protection.

           formulate.

       In each case, order the data protection authority to pay a/le
       court costs to the appellant, including the procedural indemnity for the appellant

       of EUR 1,440.00.

3.2.
The GBA concludes as follows by conclusion deposited on January 1, 2020:


              Declare that the appellant's claim is/is outside the jurisdiction of
              Your Court is falling;
               Declare the appellant/ante's claim to be unfounded;
              In any event, order the appellant to pay the costs, including the costs of the proceedings.

              basic amount of the legal claim/legal allowance.

3.3.
All these conclusions have been laid down in accordance with the final calendar.



4.     The legal framework.


The appellant's claim is based on the following articles:
- Art. 5 AVG

       Principles governing the processing of personal data.
       Personal data must be:

       [...]


3 Regulation (EU) 2016/679 of 27 April 2016 of the European Parliament and of the Council
on the protection of individuals with regard to the processing of
personal data and on the free movement of such data and repealing
Directive 95/46/EC (general data protection regulation).



             IPAGE 01-00001582885-0012-0033-01- �




             L _Jourt of Appeal Brussels - 2019/AR/1600- p. 15




- Article 63:

       "Referral to the inspectorate may be made:

       1° when the executive committee establishes serious indications of the existence of a
       practices which may give rise to a breach of the fundamental principles of protection
       of the personal data, within the framework of this law and of the laws that provide for it
       contain provisions on the protection of the privacy of personal data;
       2° when the dispute/en-su Chamber has decided on the basis of a k/acht a

       investigation by the inspectorate is necessary;
       3° by the Disputes Chamber within the framework of a request for the performance of a
       additional research;
       4 at the request of the Management Committee, with a view to cooperating with a

       g°data protection authority of another stoat;
       5 request from the management committee in the event that the data protection authority is caught
       by a judicial authority or an administrative supervisor;
       6 on its own initiative where it finds serious indications of the existence of a

       practices which may give rise to a breach of the fundamental principles of protection
       of the personal data, within the framework of this law and of the laws that provide for it
       contain provisions on the protection of the processing of personal data.

Article 108 § 1:


       "The Arbitration Chamber shall inform the parties of the court's decision and of the decision.
       may/can appeal within a period of thirty days from [...] the date of receipt of the letter of appeal.
       notification, at the Court of Justice of the European Communities.


       Subject to the exceptions laid down by law or unless the dispute/court with
       special reasons for decision/commissioning otherwise the decision/commission is enforceable in the case of
       stock, notwithstanding an appeal.

                                                                                  °
       The decision to delete data in accordance with Article 100(1)(10) is not
       workable stockpiles'.



5.     Discuss admissibility.

The admissibility ratione materiae and ratione temporis have not been disputed.


The GBA concludes {page 8, No 16 with reference to its document 18) that the notification -
dates from 19 September 2019.

The appellant is the party in respect of whom the decision has been taken and the recourse is by
within a period of 30 days from notification of the decision, and

in accordance with the legal form requirements.

The appeal is admissible.




                                                              �
             I PAGE 01-00001582885-0015-0033-01-01-



             L _JCourt of Appeal Brussels - 2019/AR/1600- p. 16




6.      Discussion - the means invoked.


6.1.

The appellant puts forward the following pleas in law:

        1. The GBA shall not establish at a/s a full/full independent/several supervisory authority within the meaning of this Directive.
            of Article 52(1) of the General Data Protection Regulation (hereinafter referred to as the "GSA") (First

            midde/J;
        2.   The GBA violated art. 54.2 AVG and art. 48, §1 GBA Act, because the guard / hats did not comply with the

            ve respected the obligation to preserve the confidentiality of the facts,
            acts or information coming to their knowledge in the course of their duties

            (Second midshipman J;
        3.   The GBA violated art. 96, §1 of the GBA Act because the request of the Geschi/lenkamer for

            do not carry out an investigation by the lnspection service within thirty days

            after the k/eight was brought before the Dispute Chamber by the
            First line service was transferred to the inspector-generaa/of the /nspection service

            (Third midshipman J;
        4.   The GBA violated Article 63 of the GBA Act by the fact that the Inspectorate carried out an investigation.

            for aspects not brought before the Court of Justice (Fourth mids;
        5.   The GBA violated the rights of defence and the principles of good administration

            (Fifth amendment);
        6.   The Appellant respected the beginning/of minimum data processing and starting point.

            no infringement of Article 5(1)(c) AVG (Sixth VAT Directive);
        7.   The processing of the appellant was not unlawful and did not infringe

            artike/ 6.1 AVG from (Seventh midde/J;
        8.   The GBA / imposed the administrative fine without taking into account the Jijst

            of criteria from article 83.2 AVG (Eighth plea in law).
        9.   NINE MEASUREMENT: THE RESPONSIBILITY OF THE COURT




6.2.

The GBA will use the following means:
        o Principally, that the appellant's claim is in part outside the jurisdiction of

            the Court falls.

She is subordinate:

        o With regard to the appellant's first plea in law: Article 52.1 and Article 53.1 of the AVG are not
            violated;



5 Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data, and
on the free movement of such data and repealing Directive 95.4Pub L119/1 Data Protection Directive)


               IPAGE 01-00001582885-0016-0033-01- �




                                                                     Court of Appeal Brussels - 2019/AR/1600-p. 24




of a rule of procedure or consultation prior to the adoption of the contested decision.
decision was necessary).


However, in the exercise of that voile jurisdiction, the -Markthof must not exceed the limits of its jurisdiction.
respect judicial debate. Within the limits of the rules of public order and within the
limits of the interpretation to be given to the pleas in law relied on before the Court,
the Court must carry out its assessment, that is to say - the possible substitution of its own

decision - limited to the grounds and pleas in law put forward by the applicant
defence of the rebellion17-

In short, the Market Court may substitute its decision for that annulled by the Court.
judgment under appeal, provided that the Court does not give rise to any challenge which is not contradictory

were subject to the same conditions in the course of proceedings before the Court of Justice, and in so far as no decision has been given
shall be affected where the parties to the proceedings have been unable to defend themselves in the
proceedings before the Court of Justice.

The GBA's criticism where it says:

        In addition to "ordinary" councillors, there are also a number of18 councillors in the Market Court with
        "specific/advanced knowledge of economic, financial/ or market law Well, the rules
       in the field of data protection, cannot immediately be dealt with in one of those areas of law
       be caught. On the other hand, these are rules to ensure that an individual
       human rights and therefore a so-called transversa/jurisdiction, which in many aspects
                                                                                     19
       of society (similar to the law of discrimination, for example).
overlooks the fact that (also) the !eden of the Market Court, which show the specialized
knowledge (see above) are, at the same time, legal advisers in the Brussels Court of Appeal who satisfy the following requirements
meet the legal requirements to which each magistrate of the court is subject and that their appointment

shall be made on the proposal of the Supreme Judicial Council and that any interested party shall have the opportunity to
has a claim to annul the appointment before the Council of State.

A "critique" by a party to proceedings of the alleged or alleged (in)competence of one or more of the following
in the light of the foregoing, the Court's reasoning is considered to be of little pertinence or relevance.

over.

The Court of Justice of the European Communities therefore has jurisdiction to give the contested decision.
destroy and, where appropriate, replace the sanction by another sanction such as that imposed by the
Appellant in a minor capacity, a plea which the GBA was able to rely on

defend.

8.      Discussion of the grounds for destruction.

8.1. Infringement of Article 5.1. clAVG

The appellant is asserting himself:

17
18 Compare Cour °es marches 22 January 2020, 2019 AR 1470, no. 26.
19A rt. 207, § 3, 4 , Ger. W.
   These were the subject of various comments in the parliamentary debates on
the draft that led to the GBA Act. See Par/. St. Kamer 2017-2018, no. 54-2648/6, 10, 13, 48, 50,
57, 59, 61-62, 69-70 and 77.


              r PAGE 01-00001582885-0024-0033-01-01-�



              L _JCourt of Appeal Brussels - 2019/AR/1600 - p. 25




       44. The Dispute Chamber ruled that the infringement of the principle of minimum
           data processing would include the use made by the appellant

           have the riiksreqisternumber by reading in the e/D card to create
           a loyalty card:


               "For the Dispute Chamber, the following is paramount, Data processing
               implies the use of the national registry number, included in the barcode of the
               e/ektronic identity card, which is irrelevant. The

               Geschillenkamer het van belong dat er bijzonder rege/s ge/den voor het gebruik van
               the National Register number (oak already ge/dend v66r 23 December 2018), which has a very high number of
               prescribe restrained roaring of this National Register number. Because the
              barcode before/when the lnspection service is used to identify the customer
              to be found in the client database, the Disputes Chamber assumes that the

               become a national registration number or at least a dee/ of the identity card bucket
               used contrary to the principle of minima/e
               data protection". (emphasis added by the appellant)

       In other words, the Chamber of Disputes 'assumes' that the appellant has not received the

       would process the national register number. The Inspectorate's report mentions this in the following terms
       However, no enke/e report was made. The lnspectorate requested we/
       the appellant's written information. She asked the appellant "more
       information about the specific data your company reads and uses from the

       eDs of your customers". The Appellant replied: "the data that
       saved are [...] Surname, first names, address, date of birth, age, customer since,
       turnover and the latest 10 purchase amounts and the number of points". (document 8.8) The
       The national register number was not given.


       De Geschil/enkamer ha d bijgevo/g geen enke/e grand om appellant een inbreuk op het
       principle of minimum data processing at Jaste te Jeggen because of the
       Alleged use of the national registration number to create a loyalty card.
       She was not allowed to "assume", without any document in the file, that the appellant's
       State registry number used.


       The Disputes Chamber was not allowed to take the national register number into account in order to
       to withhold an infringement of the AVG and to impose an administrative fine.
       Soa/s your court noted in previous appeal proceedings against decisions of the GBA can
       reasons invoked by the GBA "only support a decision where it is apparent from the

       documents of the case on which the authority {GBA} deems s/a20 to be murdered and holds "the
       subject matter/justification of the fact that it is required to support the administrative act.
       for reasons of which the fact/factual existence has been duly proven and which have been the subject of legal proceedings.
       may have taken into account the justification for that act" 21 The motives

       of the Contested Decision on the infringement of the principle of minimum standards for the protection of legitimate expectations.
       data processing in connection with the national register number did not find any enke/e support in the
       documents of the file.

20
21Brussels (Sectie Marktenhof) 23 October 2012, FOO Public Health t. GBA, 2019/AR/1234, 24.
  Brussels (Sectie Marktenhof) 23 October 2019, ING Be/gie NV t. GBA, 2019/AR/1006, 19.


              I PAGE 01-00001582885-0025-0033-01-01-�



              L _JCourt of Appeal Brussels - 2019/AR/1600- p. 26






The GBA argues in this regard:
       "74. Furthermore, the GBA notes that the Disputes Chamber infringed Article 5(1)(c) AVG
       derived, not al/one from the use of the national register number, but oak from the
       save the date of birth and the date of birth of the k/sides. That the /aatste
       personal data were kept by the appellant, does not contest the appeal/ante, so that the

       Infringement of article 5.1.c) AVG how oak remains. It is indeed impossible to see
       how the gender and date of birth could be relevant for the act/
       of data processing, namely the creation of a loyalty card. The fact that there is
       other do(s) could exist for the purpose of which such data we/
       lawfully processed, such as the verification of compliance with legal requirements.
       minimum age for the purchase of alcohol is irrelevant in this context. To be superfluous

       reminds me that, following the ruling of the Constitutional Court of 19 June 2019 on
       the law on transgender persons22 the registration of the sex/esteem of persons in any case not
       is no longer taken for granted, not by the government and therefore certainly not by a private company.
       person, soa/s a drinkhande/.
       75. Finally, it is clear that the e/ektronic identity card does not show how oak cattle/ more

       data is then required for the creation of a loyalty card. It is precisely for this reason that
       the complainant is/are willing to provide the specific information required
       for the creation of a loyalty card, but not agreeing to read hoar

       e/ektronic identity card, where he or she loses control over which data was on him or her.
       read and kept by the processing responsible/keeper.

       76. Conclusion: The Dispute Chamber led the infringement of Article 5.1.c}. AVG on the basis of proven facts".


The contested decision is under consideration:
       The lnspectiedienst thus confirms the k/acht in the sense that no alternative is offered
       to customers who want a k/s edge card, but not their electronic identity card

       the defendant wishes to use /have used /aten for the creation of a third party /ijke
       customer card, while obtaining the consent and offering an
       a/terative ffor the lnspection servicewe/ is required.

       The Inspectorate also refers to Article 6(4) of the Act of 19 July 1991.
       on population registers, identity cards, aliens' identity cards and aliens' identity documents

       verb/ive documents, as applicable from 23 December 2018, containing
       that the e/ektronic identity card may be read or used enke/ with the
       free, specific and informed consent of the holder. When a forement/
       or service is offered to a citizen through his e/ektronial identity card within the framework of
       of an informatics application, an alternative should also be proposed that the
       use of the e/ektronic identity card is not required. In addition, the lnspection Service

       with regard to oak, to Recommendation No 03/2011 in order to meet the consent requirement and the
       support the offer of an a/terative.




22GwH, No 99/2019, 19 June 2019.


             r PAGE 01-00001582885-0026-0033-01-01-�



             L _JCourt of Appeal Brussels - 2019/AR/1600- p. 27





The Law of 19 July 1991 on population registers, identity cards, the
Alien cards and residence documents now state in Article 6 § 4 second and third
Member:
       The National Register number and the Joto of the holder may only be used if
       is authorised to do so by. or by virtue of a law, a decree or an ordinance. The
       e/ektronic identity card may be enkeed/ read or used with the free, specific

       and informed consent of the holder of the electronic identity card.
       When a benefit or service is offered to a citizen through his e/ektronial
       identity card in the context of an IT application, should also provide an alternative
       dot require the use of the e/ektronic identity card, proposed/d were added to the
       person concerned.

This text was added by the law of 25 November 2018 and entered into force on 23 December.

2018. This law is therefore not applicable to the facts giving rise to the current dispute.
since the complaint dates from 28 August 2018.

At the time of the complaint, the text was as follows:
       "Any automated check of the card by optical or other/eesprocessing means must
       be the subject of a royal decree, no opinion of the sectoral committee of the

       National Register referred to in section 15 of the Act of 8 August 1983 on the regulation of an
       National Register of Natural Persons, ..,

The motives of the inspectorate - which the GBA states serve as a basis for the
decision - are unlawful. A law that was absolutely inapplicable at the time of the complaint and
a "recommendation" which has no legal force cannot serve as a basis for the

assessment of conduct as contrary to the legislation in force.

It has not been demonstrated, nor has it been conclusively proven, that at the time of the complaint a
The alternative had to be offered.

The contested decision is also under consideration:

       "The Chamber of Disputes also notes the processing of customer data.
       (surname, first names, address, date of birth, gender, date of birth, date from which the person concerned is a customer)
       and the amount of purchases) the starting/of minimum data processing not
       respects, as the given 'gender and date of birth' is also irrelevant
       are. In this case, the Dispute Resolution Chamber does not use the loyalty card for
       check/erendage the minimum age for alcohol sales.


       The fact that the defendant's hand/method in relation to the creation of loyalty cards
       the beginning/of minimum data processing does not n,,eeft, the Dispute/Chamber is consequently
       of the opinion that the infringement of Article 5.1. c)AVG has been proven.

No EID card was offered by the complainant in this case, so there is no processing at all
of its data. Therefore, the GBA does not show any actual infringement in relation to

personal data.





             I PAGE 01- 00001582885-0027-0033-01-01-�



             L _JCourt of Appeal Brussels 2019/AR/1600-p. 28





At that time, the complainant was not (yet) legally obliged to offer alternatives. This is different since
23 December 2018, but that regulation could not have been applied retroactively by the GBA.

In addition, the Dispute Carner is wrongly based on a number of unsubstantiated assumptions:
- that a loyalty card of a beverage company would not have been used to check the

    a ban on the sale of alcohol to minors;
- that the complainant would suffer an undeniable disadvantage as a result of the creation of a

    loyalty card, discounts would run riot. This is not a disadvantage because only a
    possible additional advantage is lost (the Court emphasises). The situation is different when the EID card
    request a legal or contractual right (e.g. the right to a guarantee) to

    to be shortened or retained.


A breach of Article 5.1. c)AVG has not been proven in this specific case.


The appellant's sixth plea is well-founded on this point.

8.2. Infringement opart. 6.1. AVG:

The GBA shall further base its decision on a breach of Article 6.1. AVG, namely that the

the lawfulness of the processing is subject to the data subject's consent for the
softening of his personal data for one or more specific purposes or the processing thereof
is necessary in order to safeguard the legitimate interests of the
controller or of a third party, except where interests or fundamental rights
and fundamental freedoms of the data subject which require the protection of personal data,

outweigh those interests, especially when the person involved is a single child.

The GBA states:
       "Contrary to what the defendant argues, there can be no
       there is consent a/s legal basis for the processing, as the consent

       within the defendant's current modus operandi, cannot in any way be regarded as a
       free consent within the meaning of Article 4.11. AVG, in the absence of an alternative system dot
       Allow/allows the creation of a loyalty card without the use of the electronic identity card,
       which makes it possible for the person concerned to benefit from discounts even in such cases.


       In this context, the Dispute Settlement Chamber also refers to the Group 29 Guidelines on
       authorisation in accordance with Regulation 2016/6792 stating that the element
       implies "free" work/rich choice and control for those involved. As a general rule, the
       AVG for the fact that if a person concerned has no work or choice, he or she is compelled to
       to give his or her consent as to whether it will have negative consequences for him or her if he or she does not

       consent, the consent is not valid. lndien consent shall be merged as a
       non-negotiable/negotiable part of terms and conditions, it is presumed not free
       to be given. Accordingly, authorisation shall not be deemed to have been granted if the
       cannot refuse the person concerned or hoar consent_ without adverse consequences, or
       withdraw. Because, in the present case, the complainant, and by extension a/le customers, only of

       can benefit from discounts by m_ ddel of their electronic identity card, and by the
       the defendant is not offered any alternative to the creation of a loyalty card


              IPAGE □1- □0001582885-0028-0033- □1- □1-�



                                                                 Court of Appeal Brussels - 2019/AR/1600- p. 29




       In order to benefit from this advantage, it is clear/seemly that there is no free
       consent.

       Although the defendant did not rely on it, the Litigation Chamber examined in

       to what extent the processing could be based on Article 6.1. f). AVG and the
       processing necessity/justification could be necessary for the protection of his legitimate interest.
       De Geschil/enkamer observes that in order to do so, it is necessary to weigh up the following issues with the
       the importance of the end of the chain concerned to be assessed/and to be given more weight. Oak for
       As far as this legal basis is concerned, the Dispute Settlement Chamber states that such a weighing-up should be carried out,
       in the present case, /decides that it is in the complainant's interest, and extends to
       a/le customers of the defendant, takes precedence.


       The Dispute / Chamber rules that the infringement of Article 6.1. AVG has been proven"

To the extent that the GBA again refers to the lack of an alternative, it refers again (see
point 8.1 above) to a secondary legislation which is not applicable.

The Market Court refers to what was stated above under point 8.1.
The infringement of Article 6.1. AVG has therefore not been proven. The seventh ground of appeal of the

The appellant is well-founded on this point.


8.3.          Decision of points 8.1 and 8.2:

To the extent that the contested decision does not contain an adequate statement of reasons on the grounds that certain
reasons for the contested decision are incompatible with the documents in the file and with the
legal provisions in force at the time of the complaint and cannot be verified by the Market Court

what motive or motives, if any, were de facto decisive for the contested decision?
In order to justify its decision, the Market Court must find that the GBA cited
grounds for declaring the infringements to be proven (and, as a consequence, imposing
sanctions because of these alleged infringements).
The decision was therefore taken unlawfully and should be annulled.
warden.



8.4. Infringement of Articles 13.1. c), 13.1. e) and 13.2. a)AVG:

With regard to the other findings of the lnspection Service, that is:

       (a) the contradiction between the defendant's assertion that there has been no communication of
       data to third parties, while the privacy statement states that transfer is possible within the
       European Economic Area for associated companies.


       (b) The lack of clear information for the person concerned, in particular on the
       the legal basis and the storage period.





             r PAGE 01-00001582885-0029-0033-01-01-�



             L _JCourt of Appeal Brussels - 2019/AR/1600- p. 30




the Clerk of Disputes takes note that the appellant admits that he is right to submit as
shortcomings in the AVG may have been considered and indicates that in the short term
additional measures will be taken to ensure that the data processing complies with

with the requirements of the AVG.
To the extent that these elements fall outside the scope of the complaint and do not give rise to a sanction,
should not be assessed separately.

The order in accordance with Article 100 § 1, 9 of the GBA Act, to the effect that the appellant must submit the processing in
brings it into line with Art. 5.1. c), Art. 6.1, Art. 13.1. c), Art. 13.1. e) and 13.2. a) AVG makes

is not in itself the object of the story. The appellant does not develop any
only means.


9.     The sanction


In addition to the fact that the contested decision does not contain an adequate statement of reasons (see point 8.3.
for this), the penalty imposed, namely a fine of €10,000, is in turn inadequate
motivated.

lndien with the GBA may have argued that it is not every possible sanction of Article 83.2 AVG
it should be overflowing and it should not justify why some sanctions were not considered,

this does not detract from the fact that the choice of the sanction imposed is adequate
must be substantiated. When determining the sanction in concrete terms, the following should be taken into account
general criteria should be leading:

     the seriousness of the infringement;
     the duration of the infringement;

     the necessary deterrent effect to prevent further infringements.

The GBA shall determine the manner in which it considers that a sanction is appropriate.

However, as stated above, a decision of the GBA with regard to (the amount of) an
financial penalty is not binding on the Market Court.


The Market Court shall assess the extent of a possible sanction in such a way that, on the one hand, in
is appropriate to the circumstances and proportionate to the infringement found
and to the capacity of the party committing the infringement.


The mere statement that the infringement relates to a fundamental legal principle of
Data protection is not enough. The nature and seriousness of the infringements constitute a
of the appreciation characteristics for determining the sanction and its budget if there are
a fine is opted for, but these elements must be assessed against 'all'.
elements of the dossier (e.g. whether it is a one-off infringement or not,
what the impact is generally considered to be in legal life, or any intention or intent by virtue of

of the il'.l offender is demonstrated,.....) and where - in the absence of a clear
Qualification and quantification of the possible sanctions through a publicly accessible tool
document (guideline or scale transparently communicated by the GBA) before a


                        □ 1-□□□□1582885-0030-0033- □1-□ 1-;i
             I PAGE



             L _JCourt of Appeal Brussels - 2019/AR/1600- p. 31




concrete facts - at least a justification must be given as to why a sanction less far-reaching than
the imposition of a fine of€ 10 000 could not be of such a nature as to deter the infringements
to put an end to it. Only if these requirements of sufficient, clear and transparent
Article 83 AVG, which states that the sanction shall be effective in every case,

must be proportionate and dissuasive, effectively enforced. In this respect, the
criteria of effectiveness and proportionality

Where the GBA once again retains as a motive "a gross negligence with a far-reaching impact
not all/one on the data processing of the k/ager, but on that of a/le customers of the
defendant in the absence of an a/ternative for the creation of the c/antic file on grand of the

e/ektronic identity card absence of valid consent and excessive
data processing" and from . the data of the dispute it appears that the plaintiff has never given her
has made identity information available to her, so that she cannot suffer any personal disadvantage
and the fact that no alternative was available was not a valid legal basis on
the moment of the complaint, it follows that oak is the sanction in itself (oak even if infringements have been proven)
have been) illegal.


For that reason alone, the contested decision should be annulled. Oak the Eighth
middeI of the appellant is well-founded.

The reasons currently put forward by the GBA in conclusion (No 106) to post factum the imposed and
sanctions implemented cannot be taken into account. The

the offender must be informed of the nature of the sanction before the imposition of a sanction
which is under consideration and of its scale (where a fine is contemplated). The
the offender must be warned (with a view to avoiding unnecessary sanctioning)
and have the opportunity to defend themselves on the issues proposed by the Dispute Settlement Chamber
amounts of the fine, before the sanction is effectively imposed and executed.



10.    The publication.

To the extent that the sanctioning of infringements of the AVG and the GBA Act should be of a nature to
should be partly dissuasive, the Market Court recommends that the GBA recommends that the present judgment
publish on its website omitting the identification details of the person concerned

parties.


11.    Decision,

The appeal is admissible and well founded.


The contested decision 06/2019 of 17 September 2019 of the Chamber of Disputes of the
Data protection authority concerning the appellant is destroyed.

It will belong to the Data Protection Authority those already paid by the appellant.
administrative fine of€ 10,000 to be refunded to the appellant. The Market Court may




             I PAGE 01-00001582885-0031-0033-01- �




             L _J Court of Appeal Brussels19/AR/1600p. 32




 However, the Court of Justice of the European Communities and the Court of Justice of the European Communities were not seized of a claim for payment of a subjective right.
 cannot, therefore, condemn it.




.12.    The costs,


 in accordance with the law of 21 apri! 2007 and the Royal Decree of 26 October 2007 shall become the
 nursing care allowance budgeted at the basic fee of€ 1,440.




 For these reasons,
 The court,




 Having regard to Article 24 of the Law of 15 June 1935 on the use of languages in court proceedings,

 Declares the higher beroepontvankelijken grorn;l;



 Annuls the contested decision 06/2019 of 17 September 2019 of the Chamber of Disputes of
 the data protection authority collapsed appellant;



 Orders the Data Protection Authority to pay the costs of the appeal, settled on
 1,860.00 euro (being € 400.00 rolling right, € 20.00 contribution Budgetary Fund and € 1440.00
 procedural indemnity).



 Condemns the Data Protection Authority, in accordance with Article 269/2 of the Belgian Data Protection Code
 registration, mortgage and court registry fees for the payment to the Belgian State, Federal Public Service Finance, of the
 an appeal in the amount of EUR 400.00, and until such time as the final charge is borne by the

 contribution of€20.00Budgetary Fund;

                                            * * *















              IPAGE 01- □□□□ 1582885-0032- □033-01-01-�




                                                                _J