Supreme Court - C.20.0323.N: Difference between revisions
No edit summary |
|||
Line 54: | Line 54: | ||
}} | }} | ||
The Belgian Supreme Court ruled that | The Belgian Supreme Court ruled that the lawfulness of a processing activity should have been assessed by the trial judge on the basis of Article 6 GDPR even if no personal data was processed in a case where data subjects have been deprived of an advantage precisely because they did not consent to the processing of personal data. | ||
== English Summary == | == English Summary == |
Revision as of 07:51, 27 October 2021
Supreme Court - C.20.0323.N | |
---|---|
Court: | Supreme Court (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(11) GDPR Article 5(1)(c) GDPR Article 6(1)(a) GDPR Article 57(1)(f) GDPR |
Decided: | 07.10.2021 |
Published: | 07.10.2021 |
Parties: | Gegevensbeschermingsautoriteit (Data Protection Authority) Verreydt BV |
National Case Number/Name: | C.20.0323.N |
European Case Law Identifier: | BE:CASS:2021:ARR.20211007.1N.4 |
Appeal from: | Court of Appeal of Brussels (Belgium) 2019/AR/1600 |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | Hof van Cassatie (Nr. C.20.0323.N) (in Dutch) |
Initial Contributor: | Matthias Smet |
The Belgian Supreme Court ruled that the lawfulness of a processing activity should have been assessed by the trial judge on the basis of Article 6 GDPR even if no personal data was processed in a case where data subjects have been deprived of an advantage precisely because they did not consent to the processing of personal data.
English Summary
Facts
A shop owner tied admission to a loyalty scheme to the presentation of an eID (i.e. a Belgian electronic identity card). A data subject refused to provide his eID, considering that such data processing was excessive and not proportionate when taking into account the purpose of the processing. The data subject further filed a complaint before the Belgian DPA (APD/GBA) for being deprived of the advantages conferred by the loyalty scheme.
On 17 September 2019, the Belgian DPA fined the shop owner for requiring customers to present their eID in order to obtain a loyalty card and imposed a fine of €10,000. The shop owner appealed that decision.
The imposed fine of €10,000 was later annulled by the Court of Appeal of Brussels, because (i) the new eID legislation could not be applied retroactively ; (ii) the fine was not sufficiently justified and (iii) the data linked to the eID of the Complainant had actually not been processed by the shop owner, since the data subject had refused to provide such eID. The Belgian DPA appealed that decision before the Supreme Court of Belgium.
Holding
The Supreme Court overturned the decision of the Court of Appeal of Brussels because it considered that the Court of Appeal did not apply the law correctly.
The Supreme Court considered that the Court of Appeal of Brussels erred in law by not properly considering whether the compulsory reading of an identity card as the only means of creating a customer loyalty card is contrary to free consent, when such refusal results into a disadvantage (such as not being able to obtain discounts).
The Supreme Court stated that the Court of Appeal should have considered whether the loss of an advantage must be taken into account in the assessment whether consent is freely given under GDPR. It also confirmed that the Belgian DPA can handle and act on a complaint of a data subject, regardless of whether personal data of that data subject have actually been processed (in this case, the customer who filed the complaint with the Belgian DPA refused to give the eID card and thus no data was processed).
For these reasons, the Supreme Court annulled the decision of the Court of Appeal of Brussels.
N.B. The Supreme Court can only overturn a decision based on its legality ; by contrast, the Supreme Court cannot rule on the merits of a case. Hence, the Court of Appeal of Brussels will have to adopt a new decision in line with the ruling of the Supreme Court.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
OCTOBER 7, 2021 C.20.0323N/1 Court of Cassation of Belgium Judgment No. C.20.0323.N DATA PROTECTION AUTHORITY, with registered office at 1000 Brussels, Drukpersstraat 35, registered with the KBO under number 0694.679.950, plaintiff, represented by mr. Johan Verbist, lawyer at the Court of Cassation, with office in 2000 Antwerp, Amerikalei 187/302, where the plaintiff is domiciled chooses, in return for VERREYDT bv, with registered office at 2200 Herentals, Ring 99, registered with the KBO under the number 0428.824.132, defendant, represented by mr. Bruno Maes, lawyer at the Court of Cassation, with office at 1170 Brussels, Terhulpensesteenweg 177/7, where the defendant lives chooses place. OCTOBER 7, 2021 C .20.0323N/2 I. JURISDICTION BEFORE THE COURT The appeal in cassation is directed against the judgment of the Brussels Court of Appeal, Marktenhof section, from 19 February 2020. Attorney General Els Herregodts has issued a written statement on September 22, 2021 conclusion laid down. Councilor Bart Wylleman has reported. Attorney General Els Herregodts has concluded. II. REMEDIES In its application attached to this judgment, the plaintiff puts forward two pleas: at. III. DECISION OF THE COURT Judgement First remedy Second part 1. Pursuant to Article 2(1) of Regulation (EU) 2016/679 of 27 April 2016, concerning the protection of natural persons with regard to processing of personal data and on the free movement of such data and drawing of Directive 95/46/EC (General Data Protection Regulation, hereinafter GDPR), this regulation applies to all or part of automated processing, as well as to the processing of personal data that are included in a file or are intended to be included therein man. Under Article 4, 2) GDPR, “processing” means an operation or a set of operations relating to personal data or a whole of personal data, whether or not carried out by automated means, 7OCTOBER 2021 C .20.0323N 3 such as collecting, recording, organizing, structuring, storing, updating or modify, retrieve, consult, use, provide by means of forwarding thing, distribute or otherwise make available, align or combine creating, blocking, deleting or destroying data. Article 5(1)(c) GDPR provides that personal data must be adequate, in order to relevant and limited to what is necessary for the purposes for which it is processed (“minimum data protection”). Pursuant to Article 57 GDPR, each supervisory authority on its territory the following tasks: (a) monitor and enforce the application of this regulation; (…) f) handles complaints from data subjects, or from bodies, organizations or associations in accordance with Article 80, examine the content of the complaint to the extent that it is appropriate and the complainant will inform the complainant within a reasonable period of notice of the progress and outcome of the investigation, in particular if further investigation or coordination with another supervisory authority is necessary; (…) (h) conduct investigations into the application of these classification, including on the basis of information received from another supervisory receiving authority or other government agency. Point 141 of the preamble to this regulation provides that "any data subject" should have the right to lodge a complaint with a single supervisory authority authority, in particular in the Member State where he or she usually resides, and a effective remedy in accordance with Article 47 of the Charter of Fundamental Rights of the European Union if he believes that infringement of his rights under this Regulation (…).” 2. Pursuant to Article 4, § 1, first paragraph, of the Law of 3 December 2017 until towards the Data Protection Authority, this authority is responsible body for monitoring compliance with the basic principles of protection of the personal data, within the framework of this law and of the laws that stipulate ments on the protection of the processing of personal data. Pursuant to Article 63 of the aforementioned law, the referral to the inspectorate may be service: 1° when the management committee establishes serious indications of the existence of a practice which may give rise to an infringement of the basic principles of the protection of personal data, in the context of 7OCTOBER 2021 C.20.0323.N/4 this Act and the laws containing provisions for the protection of processing of personal data; 2° when the litigation chamber, at the of a complaint has decided that an investigation by the inspectorate is necessary is; (…) 6° of its own accord when it finds serious indications of the existence of a practice which may give rise to an infringement of the land principles of the protection of personal data, within the framework of this law and of the laws containing provisions for the protection of the processing king of personal data. The legislative history clarifies with regard to the aforementioned Article 63, 2°, that the inspection service is understood as “when a data subject is of the opinion that violation of his rights under the GDPR and a complaint about this submits to the Data Protection Authority and which, in accordance with Article 62, § 1, is transferred to the litigation chamber. The litigation chamber may decide that an investigation should be conducted.” Pursuant to Article 72 of the aforementioned law, the Inspector General and the inspectors, without prejudice to the provisions of this chapter, proceed to any search, any check and any interrogation, as well as obtain all the information they need deem to ensure that the basic principles of protection of the personal data, within the framework of this law and of the laws that stipulate contain information on the protection of the processing of personal data, which they supervise are actually complied with. Pursuant to Article 100, § 1, of this law, the litigation chamber has the power to take corrective action, including: (…) 9° to order that the processing is brought into conformity, or to (…) 13° administrative to impose fines. 3. It undeniably follows from all the aforementioned legal provisions that a data subject has the right to lodge a complaint with the Data Protection authority against a processing practice that it believes is infringing invokes his rights under the GDPR, such as the right to have his personal to have data processed as a minimum, pursuant to Article 5(1)(c) GDPR, so that he can enjoy a benefit or service. This is also the case when the personal data of the data subject themselves were not processed, but these were processed before 7OCTOBER 2021 C.20.0323.N/5 has not obtained part or the service, because, precisely for the sake of existence, he of the allegedly infringing practice, his consent to the processing has refused. When the Data Protection Authority, after investigating such complaint, determines that the practice actually gives rise to an infringement of the basic principles of the protection of personal data, such as the ginsel of minimum data processing contained in Article 5(1)(c) GDPR, it is authorized to take corrective measures and, if necessary, an administrative to impose a fine, even if the complainant's personal data was not processed itself. After all, the rights of the complainant under the GDPR, when he is obliged to disclose his personal data process data in accordance with that infringing practice so that he is of a benefit or service. 4. From the findings of the appellate courts and the documents on which the Court able to take heed, it appears that: - a customer of the defendant has lodged a complaint with the plaintiff because she, to obtain a loyalty card and receive discounts on her purchases was obliged to show her electronic identity card read into the defendant's computer system and, as a result of a refusal of this and in the absence of an alternative, such as providing the strictly necessary personal data on paper, not of the benefit of the could enjoy discounts; - it appears from the plaintiff's inspection report that the customer data provided by are stored by means of reading the electronic identity card, the the following are: name, first names, address, date of birth, gender, from when if the person concerned is a customer and the amount of the purchases, and that the barcode of the electronic identity card containing the national register number, is linked by the defendant to the customer's data; - the claimant has ruled in the contested decision of 17 September 2019 that an infringement of Article 5(1)(c) of the GDPR has been proven, because the processing of customer data does not follow the principle of data minimum processing because it implies the use of the national register number that is OCTOBER 7, 2021 C.20.0323.N/6 included in the barcode of the electronic identity card, which is not relevant, and it involves the retention of data on gender and date of birth, which are also irrelevant. 5. The appeal judges ruled that "the complainant in this case did not have an eID card" was offered and therefore no processing of its data was carried out. fair. Therefore, [plaintiff] shows no actual infringement in connection with personal data.” 6. By holding on that ground that an infringement of Article 5(1)(c) GDPR has not been proved and set aside the contested decision of the plaintiff, while it is not required that the complainant's personal data have actually been processed to ensure that the claimant takes corrective action or may impose an administrative fine, after it has been established that a practice exists giving rise to a breach of the principle of minimum data effect, the appeal judges do not justify their decision legally. The part is valid. 7. There is no reason to refer the question to the Court for a preliminary ruling of Justice of the European Union. Fourth part 8. Article 288(2) TFEU provides that a regulation has general application king has. It is binding in its entirety and directly applicable in each Member State. Pursuant to Article 6(1) of the GDPR, the processing is lawful only if and for provided that at least one of the following conditions is met: (a) the the person concerned has given permission for the processing of his personal data vens for one or more specific purposes. Pursuant to Article 4, 11) GDPR, with the “consent” of the data subject, stand: any free, specific, informed and unambiguous expression of will that inform the data subject by means of a statement or an unambiguous active accepts an act concerning him/her concerning the processing of personal data. OCTOBER 7, 2021 C.20.0323.N/7 Point 42 of the preamble to this regulation states that “consent may not” shall be deemed to have been freely granted if the person concerned has no real or free has a choice or cannot refuse or withdraw its consent without detriment effects." 9. It follows from all the above provisions that also the loss of a benefit or service in the event of refusal of consent the possibility of a genuine free choice and can constitute an adverse consequence in the sense of point 42 of the preamble, as a result of which consent is not considered to be freely granted within the meaning of Article 4, 11) GDPR. 10. The appellate courts find that the plaintiff in the contested decision of 17 September 2019 ruled that an infringement of Article 6(1)(a) GDPR essential, as consent is not deemed to have been freely given if the data subject cannot refuse or withdraw it without adverse consequences and there in the present case there is no question of such free consent, because the ger, and by extension all customers, can only enjoy discounts by their electronic identity card and the defendant has no alternative natively for the creation of a loyalty card in order to take advantage of this can enjoy. 11. They then rule that: - the claimant, regarding the lack of an alternative, refers to a still non-applicable legislation, namely Article 6, § 4, of the Law of 19 July 1991 on the population registers, identity cards, aliens gen cards and the residence documents, as amended by the law of 25 November ber 2018, which was not yet applicable at the time of the facts underlying the current dispute; - the plaintiff further erroneously assumes the unproven assumption that the the complainant would suffer an indisputable disadvantage because of the fact that she don't miss out on a loyalty card, discounts would go wrong. This constitutes no disadvantage because only a possible extra advantage is lost. 12. By thus failing to verify whether the plaintiff's decision on the free permission to read in the electronic identity card to receive discounts was correct pursuant to Articles 6.1, a) and 4, 11), GDPR, in particular- 7OCTOBER 2021 C .20.0323N/8 or pursuant to those directly applicable provisions an alternative had to be are offered for the purpose of obtaining discounts where, specifically under those provisions, the loss of the benefit of those discounts in the event of refusal of consent may also have an adverse effect, and to judge on that basis that an infringement of Article 6(1)(a) GDPR has not been proven, the appeal judges the aforementioned provisions. The part is valid. (…) dictum The Council, Set aside the judgment under appeal, in so far as it finds that an infringement of Articles 5(1)(c) and 6(1)(a) GDPR is not proven and the contested decision of the plaintiff on that ground. Orders that this judgment be reported on the side of the partially quashed judgment. Keep the costs and leave the decision to the factual judge. Refers the case thus limited to the Court of Appeal in Brussels, Section Marktenhof, composed differently. This judgment was delivered in Brussels by the Court of Cassation, First Chamber, together composed of section chairman Eric Dirix, as chairman, section chairman Koen Mestdagh, and the counselors Bart Wylleman, Ilse Couwenberg and Sven Mosselmans, and pronounced in a public court hearing on 7 October 2021 by Section Chair Eric Dirix, in the presence of Advocate General Els Herregodts, assisted by Clerk Vanity Vanden Hende. OCTOBER 7, 2021 C.20.0323N9 V. Vanden Hende S. Mosselmans I. Couwenberg B. Wylleman K. Mestdagh E. Dirix APPLICATION/1 EXTRACT FROM THE PROVISION IN CASSATION FOR: the DATA PROTECTION AUTHORITY, independent public institution with legal personality, with social registered office at 1000 Brussels, Drukpersstraat 35, registered in the Crossroads Bank for Enterprises under the number 0694,679,950, plaintiff in cassation, assisted and represented by the undersigned lawyer at the Court of Cassation Johan Verbist, with office in 2000 ANTWERP 1, Amerikalei 187/302, where choice of residence is being done, AGAINST: the NV VERREYDT, with registered office in 2200 Herentals, Ring (NDW) 99, registered in the Crossroads Bank for Enterprises ming under the number 0428.824.132, defendant in cassation, * ** APPLICATION /2 Plaintiff has the honor to submit to your assessment a judgment that was issued on 19 February 2020 contradiction between the parties was pointed out by the Section e Marktenhof (19 Chamber A) of the Court of Appeal in Brussels (2019/AR/1600). APPLICATION 3 FIRST SUBMISSION OF CASSATION Violated legal provisions Articles 4 § 1, 63, 72 and 100 § 1 of the Law of December 3, 2017 establishing the Data Protection Authority; Articles 1319, 1320 and 1322 of the Civil Code; Preamble 42 and Articles 2.1, 4 2), 4.11, 5.1 c), 5.2, 6.1 and 57.1 a), f) and h) of Regulation (EU) 2016/679 of the European Parliament ment and the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data data and on the free movement of such data and until revocation of Directive 95/46/EC (General Data Protection Regulation screening) (hereinafter: GDPR); Article 288, paragraph 2 of the Convention on the Functioning of the European Union (TFEU), as coordinated by the Treaty of Lisbon of December 13, 2007, approved by Law of June 19 2008 (BS 19 February 2009), by Decree of the Flemish Community board/the Flemish Region of October 10, 2008 (BS 5 November 2008), by Decree of the French Community of May 23, 2008 (BS July 15, 2008), by Decree of the German-speaking Community of May 19 2008 (BS 15 July 2008), by Decree of the Walloon Region of 22 May 2008 (BS 29 May 2008), by Decree of the Walloon Region of 22 May 2008 (BS 30 May 2008), by Ordinance of the Brussels Capital Municipal Region of 10 July 2008 (BS 6 August 2008), by Ordonnan- tie of the Joint Community Commission of 10 July 2008 (BS 6 August 2008) and by Decree of the French Commu- committee of 17 July 2008 (BS 26 August 2008). Article 149 of the Constitution. Challenged decision The appeal judges ruled that the decision of 17 September 2019 on has been taken lawfully with regard to the detected infringements of Article 5.1 c) GDPR and 6.1 GDPR, and they annul the decision for the following reasons: APPLICATION /4 “8. Discussion – the grounds for destruction 8.1. Infringement of Article 5.1. c) GDPR [Defendant] asserts: […] [Plaintiff] argues in this regard: […] The contested decision considers: The Inspectorate thus confirms the complaint in the sense that no alternative is offered to customers who want a loyalty card, but do not wish to have their electronic identity card used by the again for the creation of such a loyalty card, while it is obtaining the permission and offering an alternative required by the Inspectorate. The Inspectorate also refers to art. 6, 54 of the law of 19 July 1991 on the population registers, identity cards, de aliens cards and residence documents, as applicable as of December 23, 2018, and which provides that the electronic identity card may only be read or used with the free, specific and informed consent of its holder. When a benefit or service is offered to a citizen through his electronic national identity card in the context of an IT application, must an alternative is also proposed that the use of the elec- tronic ID card not required. Furthermore, the Inspectorate refers in this regard also to Recommendation No. 03/2011 in order to ing requirement and support the offer of an alternative. The Act of 19 July 1991 on the population registers, the identity cards, the aliens cards and the residence documents now in article 6 5 4 second and third paragraph: The National Register Number and the holder's photo may only be used if authorized to do so by. or pursuant to a law, a de- creet or ordinance. The electronic identity card may only be delivered sent or used with the free, specific and informed consent of the holder of the electronic identity card. When a benefit or service is offered to a citizen through his electronic identity card in the context of an IT application, must also an alternative that does not allow the use of the electronic identity card required, be presented to the person concerned. This text was added by the law of November 25, 2018 and took effect effective on December 23, 2018. This law is therefore not applicable to the actual on the basis of the current dispute, since the complaint dates from from August 28, 2018. At the time of the complaint, this text read as follows: "§ 4. Any automated check of the card by optical or other reading procedures must be the subject of a royal decree, after advice of the sectoral committee of the National Register referred to in Article 15 of the Act of 8 August 1983 regulating a National Register of the natural persons. " The motives of the inspection service - which [plaintiff] argues that as serve as the basis for the decision - are illegal. A law that absolutely was not applicable at the time of the complaint and a "recommendation" which does not have legal force cannot serve as a basis for the assessing conduct as being contrary to applicable law caught. It has not been demonstrated, and consequently not conclusively proven, that at the time of the complaint an alternative had to be offered. The contested decision further considers: "The Disputes Chamber also notes that the processing of the customer data (surname, first names, address, date of birth, gender, from when the data subject is a customer and the amount of the purchases) the does not respect the principle of minimum data processing, since it given 'gender and date of birth' are also irrelevant. The Disputes Chamber assumes that the customer card will not be REQUEST /6 used to check the minimum age for alcohol consumption buy. Since the defendant's conduct with regard to the production of loyalty cards do not comply with the principle of data minimum processing, the Disputes Chamber is therefore of the opinion that the infringement of art. 5.1. c) A VG is proven." No EID card was presented by the complainant in this case and there is so no processing of her data happened. Therefore shows [plaintiff] no actual infringement in connection with personal data at. There was no legal alternative (yet) offered to the complainant at the time turn into. This has changed since December 23, 2018, but those regulations can cannot be applied retroactively by [plaintiff]. Moreover, the Disputes Chamber erroneously assumes a number of essence assumptions: • that a liquor store loyalty card would not be used for monitoring the prohibition of the sale of alcohol to minors; • that the complainant would suffer an undeniable disadvantage by the fact that she by missing out on the creation of a loyalty card, discounts would pen. This does not constitute a disadvantage because only a possible additional advantage is lost (the Court emphasizes). It is different when the EID card is asked for a legal or contractual right (for example, the to obtain or retain the right to warranty). An infringement of art. 5.1. c) GDPR is therefore not applicable in this specific case proven. The [defendant]'s sixth plea is well founded on this point. 8.2. Infringement of art. 6.1. GDPR: APPLICATION /7 [Plaintiff] further bases its decision on an infringement of Article 6.1. GDPR, to know that the lawfulness of the processing depends on the consent of the data subject for the processing of his personal data data for one or more specific purposes or the processing is necessary is for the protection of the legitimate interests of the public operations manager or a third party, except when the interested or the fundamental rights and freedoms of the data subject that require the protection of personal data outweigh those interests, in particular where the data subject is a child. [Plaintiff] states: […] To the extent that [plaintiff] refers again to the lack of an alternative native, it refers again (see point 8.1 above) to a not yet applicable sane legislation. The Marktenhof refers to what was stated under point 8.1 above. suggested. The infringement of article 6.1. AVG is therefore not proven. the seventh [defendant]'s plea is well founded on this point. 8.3. Conclusion of points 8.1 and 8.2: To the extent that the contested decision is not sufficiently motivated to that certain motives of the contested decision are incompatible with the documents from the file and with the current legal provisions on the moment of the complaint and the Marktenhof cannot determine which motive or which motives, according to them, were de facto decisive for the to justify the contested decision, the Market Court must determine that the motives cited by [plaintiff] explain the proven fact of the infringements (and, as a consequence, likewise the imposition of sanctions for the sake of of these alleged infringements). The decision is to that reason was taken unlawfully and must therefore be declared null and void. to be cleared” (judgment challenged p. 24-29) P ENDING 8 Grievances (…) Second part Under Article 288(2) TFEU, a regulation has a general my meaning. It is binding in its entirety and directly applicable seldom in every Member State. Pursuant to Article 2.1 of the GDPR, this Regulation applies to the wholly or partly automated processing, as well as to the processing of personal data that are included in a file or that are intended to to be included therein. Pursuant to Article 4 2) GDPR, "processing" should be understood, an operation or set of operations relating to personal data data or a set of personal data, whether or not carried out via automated processes, such as collecting, recording, organizing, structuring, storing, update or change, request, consult, use, provide by means of transmission, distribution or otherwise making available, alignment or combine, block, erase or destroy data. Pursuant to Article 5.1 c) GDPR, personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (“minimal data processing”). Pursuant to Article 57.1 a), f) and h) GDPR, each and every supervisory authority in its territory the application of this Regulation; it handles complaints from data subjects, or from bodies, organizations or associations in accordance with Article 80, investigate the content of the complaint to the extent appropriate and inform the complainant within a reasonable time of the progress and outcome of the investigation, in particular if further find out whether coordination with another supervisory authority is necessary; and it shall conduct investigations into the application of this Regulation, including to based on information received from another supervisory authority or other received by the government agency. APPLICATION /9 Pursuant to Article 4 § 1 of the Law of 3 December 2017 establishing the Data Protection Authority, the Data Protection Authority is responsible for monitoring compliance with the fundamental principles of the protection of personal data, in the context of this law and of the laws containing provisions on the protection of the processing of personal data. Without prejudice to the competences of the Community or Regional minorities, of the Community or Regional Parliaments, of the United ge or of the United Assembly referred to in Article 60 of the Special Law of January 12, 1989 with regard to the Brussels institutions, the Gege- protection authority carries out this mission throughout the territory of the Kingdom, regardless of which national law on the processing of personal data concerned pass. Pursuant to Article 63 of the same law, the application may be brought before the inspection service, including when the management committee has serious indications singing establishes the existence of a practice that may give rise to a breach of the basic principles of the protection of personal data, in within the framework of this law and of the laws containing provisions on the protection of the processing of personal data; when the litigation chamber has decided in response to a complaint that an investigation by the Inspectorate service is needed; or of her own accord when she finds serious indications of the existence of a practice which may give rise to an infringement of the basic principles of the protection of personal data, in the context of this Act and the laws containing provisions for the protection of processing of personal data. Under Article 72 of the same law, the Inspector General and the inspectors, without prejudice to the provisions of this chapter, proceed to any inquiry, inspection and interrogation, as well as any information they obtain deem it necessary to satisfy themselves that the basic principles of the protection of personal data, in the context of this law and of the laws containing provisions on the protection of the processing of personal data, which they monitor, are actually complied with. Article 100, § 1 of the same law lists the measures that the disputed room can impose. APPLICATION /10 It follows from these provisions, read in conjunction with each other, that the Data protection authority can act investigating and sanctioning against with regard to a practice which may give rise to an infringement of the land principles of the protection of personal data, and that they are more particularly can act without investigating and sanctioning a practice which may give rise to a breach of the principle of data minimum processing. It is therefore in no way required that a complainant first has actually provided his data. unlawfully processed before the claimant could act. This would go against both the spirit and the text of the Law of December 3, 2017. If the claimant, whether or not on the basis of a complaint, establishes a practice that may lead to a breach of the fundamental principles of the protection of the personal data, it can investigate and impose sanctions against this practice. action, even if the complainant's own data has not been processed. be. The contested decision dated September 17, 2019 of the Plaintiff refers to the manner of the defendant with regard to the production of loyalty cards. "From the inspection report also shows that the customer data being processed is gender are: name, first name, address, date of birth, gender, from when the the person concerned is a customer and the amount of the purchases. The barcode of the electronic national identity card containing the national register number is issued by the defendant linked to the customer's data […] Because the course of action of the defendant with regard to the production of loyalty cards, the principle of does not comply with minimum data processing, the Disputes Chamber is therefore of considers that the infringement of art. 5.1. c) GDPR is proven” (p. 6) This concerns a processing established by the claimant with regard to per- personal data within the meaning of the GDPR, and in any case a practice that gives rise to indicates or at least may constitute an infringement of the fundamental principles of the protection of personal data within the meaning of the Act of 3 December 2017. The appellate judges consider that “the complainant in this case did not have an EID card [has] been presented and no processing of its data has therefore taken place. fair. Therefore, [plaintiff] shows no actual infringement in connection with per- personal data”. APPLICATION /11 By ruling on this ground that a breach of Article 5.1 c) GDPR is not proven and to set aside the contested decision, where an actual The processing of the complainant's data is not a necessary requirement in order for the Data Protection Authority can take an investigative and sanctioning action, and it is sufficient that a practice is identified which may give rise to a violation of the principle of data minimum processing, the appeal judges Articles 2.1, 4 2), 5.1 c) and 57.1 a), f) and h) GDPR, to the extent necessary read in conjunction with Article 288(2) TFEU and Articles 4 § 1, 63, 72 and 100 § 1 of the Law of 3 December 2017 establishing the Gege- protection authority. In a subordinate order, Plaintiff requests the Court for the following preliminary ruling: cial question to the Court of Justice of the European Union: “Is Article 57.1, in particular the provisions a), f) and h), of the Regulation deing (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation connection with the processing of personal data and with regard to the freedom of movement of such data and repealing Directive 95/46/EC, thus be understood that the supervisory authority receiving a complaint who, after investigating the complaint, determines that there is a practice giving rise to a breach of fundamental principles of the protection of personal data, although there are specific until the complainant is not actual processing of personal data happened now that he had not given his consent, not sanctioned can take action with regard to the established practice?” (…) Fourth part Under Article 288(2) TFEU, a regulation has a general my meaning. It is binding in its entirety and directly applicable seldom in every Member State. APPLICATION /12 Pursuant to Article 6.1 of the GDPR, the processing is only lawful if and provided that at least one of the following conditions is met: a) the data subject has consented to the processing of are personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract arrival to which the data subject is a party, or at the request of the the party to take measures before the conclusion of a contract to take; c) the processing is necessary for compliance with a legal obligation on the controller; d) the processing is necessary to protect the vital interests of the data subject to protect the traveler or another natural person; e) the processing is necessary for the performance of a task of public interest or of a task in the course of the performance of the public authority vested in the controller dedicated; f) the processing is necessary for the representation of judicial legitimate interests of the controller or of a third party, except where the interests or fundamental rights and fundamental freedoms of the data subject for the protection of require personal data, outweigh those interests, with especially when the person concerned is a child. Pursuant to Article 4.11 of the GDPR, subject to the 'consent' of the data subject, understood, any free, specific, informed and unambiguous expression of will with which the data subject by means of a statement or an unambiguous accepts active action regarding the processing of personal data. Preamble 42 also stipulates that permission may not be considers to be freely granted if the data subject has no real or free choice or cannot refuse or withdraw its consent without detriment. The decision of the claimant dated September 17, 2019 states the following: next one: According to the Dispute Chamber, contrary to what the defendant submits, there is no question of consent as a legal basis for the APPLICATION /13 effect, since the consent within the current working method of the defendant can in no way be regarded as a free consent in the meaning of art. 4.11 GDPR, in the absence of an alternative system that allows allows to create a loyalty card without using the electronic identity card, which makes it possible for the data subject also in that case to benefit from discounts […] As a general rule, the GDPR that if a data subject has no real choice, he is forced to feels to give permission or it will negatively affect him if he or she does not consent, the consent is not valid […] By- that in the present case the complainant, and by extension all customers, only can enjoy discounts through their electronic identification identification card, and no alternative is offered by the defendant for the creation of a loyalty card, in order to take advantage of this advantage enjoy, it is clear that there is no question of free consent […] The Disputes Chamber decides that the infringement of art. 6.1. GDPR is moving zen” (p. 7) The appellate judges judge, partly through a reference to their previous considers that the motives of the contested decision are illegal, now that this tens are once again based on the lack of an alternative and thus on a law that was not applicable at the time of the complaint (in particular the Act of July 19, 1991 as amended by the Law of November 25, 2018). In doing so, however, the appeal judges interpret the decision which is incompatible with its wording. From the motives of the disputed After all, this decision, as cited above, shows that the legal basis battle is indeed located in Article 6.1 AVG and Article 4.11 AVG. It's from the- they provisions, read in conjunction with Preamble 42 . to the extent necessary GDPR, that the requirement of a “free consent” is derived and made concrete sed as being a consent that must involve a free choice without adverse effects. In so far as the appellate judges consider the motives of the contested decision sing an interpretation inconsistent with its wording, with in particular by reading therein that to find the legal basis of the decision is in the Law of 19 July 1991 as amended by the Law of 25 November 2018, where it appears from the wording that the legal basis is indeed can be found in Article 6.1 AVG and Article 4.11 AVG, the appeal judges are violating the evidential value of these motives (violation of articles 1319, 1320 and 1322 of the Civil Code). APPLICATION /14 To the extent that the appellate courts fail to verify whether the legal analysis taken with regard to Article 6.1 AVG and Article 4.11 AVG correct is, in particular with regard to the interpretation of the required 'free consent', they also misunderstand the judicial obligation to state reasons (violation of Article 149 of the Constitution) as well as Articles 6.1 and 4.11 GDPR, to the extent necessary in read in conjunction with Preamble 42 GDPR and Article 288(2) TFEU. (…)