APD/GBA (Belgium) - 141/2021
Latest revision as of 12:35, 3 August 2022
| APD/GBA (Belgium) - 141-2021 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 38(6) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 16.12.2021 |
| Fine: | 75000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 141-2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Dutch |
| Original Source: | Beslissing ten gronde 141/2021 van 16 december 2021 (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA fined a bank €75,000 because its DPO was also the head of three departments with decision-making powers over processing of personal data, which resulted in a conflict of interest in breach of Article 38(6) GDPR.
English Summary
Facts
The data subject filed a complaint against a bank regarding a violation of their right to rectification. The DPA launched an investigation which, over time, broadened its scope to the role of the bank's DPO. The investigation revealed a possible conflict of interest, since the DPO held a number of other functions, including heading the bank's Operational Risk Management department, its Information Risk Management department and its Special Investigation Unit.
The bank argued that the head of these services did not have decision-making power to determine the purposes and means of processing of personal data, but a purely advisory and supervisory role.
Holding
The Belgian DPA rejected the bank's argument, holding that the role was not 'purely advisory and supervisory'. In particular, the DPA found that the DPO could still determine the means and purposes of processing of personal data. This was further confirmed by the bank's Record of Processing Activities, which listed a substantial number of categories of personal data processed by these departments.
Thus, because the DPO held the final responsibility over the referenced departments, the DPA held that there was a conflict of interest, in breach of Article 38(6) GDPR.
In light of this violation, the DPA fined the bank €75,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Litigation Chamber
Decision on the merits 141/2021 of 16 December 2021
File reference: DOS-2020-03763
Subject: The exercise of data subjects' rights in relation to a bank's information systems.

The Litigation Chamber of the Data Protection Authority, composed of Mr. Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Frank De Smet;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the AVG;

Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as the WOG;

Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;

Having regard to the documents in the file;

has adopted the following decision concerning:

The defendant: the bank Y, represented by Mr. Erik Valgaeren and Mr. Carolien Michielsen, hereinafter referred to as 'the defendant'.

I. Facts and Procedure

A. Investigation of the Inspectorate

1. On 22 April 2020, the Executive Committee of the Data Protection Authority (hereinafter referred to as the GBA) decided to bring a case before the Inspectorate of the GBA on the basis of Article 63, 1° WOG. Following Decision No. 01/2019 taken by the Litigation Chamber on 15 May 2019 and the subsequent judgment of the Markets Court of 9 October 2019, the Executive Committee found that there were serious indications of practices that could give rise to breaches of the fundamental principles of personal data protection. The Executive Committee therefore referred the matter to the Inspectorate with the request to conduct an investigation into the extent to which the defendant's information systems enable the exercise of the rights of the data subject, in particular the right to rectification (Article 16 AVG). This means that the Inspectorate was tasked with verifying whether the defendant's information systems are in line with the requirements of the AVG with regard to the exercise of the rights which each data subject[1] has as a client of the defendant.

[1] Decision No. 01/2019 of 15 May 2019, on the other hand, concerns only the safeguarding of the rights of one specific complainant whose personal data are processed by the defendant, as the Litigation Chamber was only seized for that processing in the complaint.

2. The Inspectorate transmitted its report dated 23 March 2021 to the Litigation Chamber on the basis of Article 91, §2 WOG, as a result of which the Litigation Chamber was seized pursuant to Article 92, 3° WOG.

B. Procedure before the Litigation Chamber

3. On 6 April 2021 the Litigation Chamber decided, pursuant to Article 95, §1, 1° and Article 98 WOG, that the case was ready for treatment on the merits.

4. On the same day the defendant was notified by registered mail of this decision, as well as of the inspection report and the inventory of the documents of the file that had been submitted to the Litigation Chamber by the Inspectorate. The defendant was also informed of the provisions mentioned in Article 98 WOG and, pursuant to Article 99 WOG, of the time limit to submit its defence. The deadline for receipt of the defendant's statement of defence was set at 28 May 2021.

5. On 10 May 2021 the defendant requested a copy of the case file (Article 95, §2, 3° WOG), which was provided on 12 May 2021. In addition, the defendant accepted all communication relating to the case electronically and indicated that it wished to avail itself of the possibility to be heard, in accordance with Article 98 WOG.

6. On 28 May 2021 the Litigation Chamber received the defendant's statement of defence, in which it is requested, in the main order, to establish that there is no violation of Articles 5.1(c), (d), (e) and (f), 5.2, 12, 16, 24, 25, 30.1, 31, 32, 38.3 and 38.6 AVG and, in the secondary order, to take into account the mitigating circumstances when imposing a sanction.

7. On 14 July 2021, the defendant was informed that the hearing would take place on 30 September 2021.

8. On 30 September 2021 the defendant was heard by the Litigation Chamber and thus given the opportunity to present its arguments. The Litigation Chamber decided to continue the proceedings, since 15 November 2021 was the date set for the introduction of diacritical marks in names and forenames in the defendant's applications, after which the defendant was to come and explain the new computer system. A new hearing would be scheduled shortly after that date.

9. On 1 October 2021, the defendant was notified that the hearing for the continuation of the case would take place on 22 November 2021.

10. On 12 October 2021, the minutes of the hearing held on 30 September 2021 were submitted to the defendant in accordance with Article 54 of the Rules of Internal Procedure of the GBA. The defendant was thereby given the opportunity to have any comments on the minutes added to them as an annex.

11. On 19 October 2021 the Litigation Chamber received some comments from the defendant with regard to the minutes, in view of the hearing set for 22 November 2021.

12. On 22 November 2021, the defendant was heard by the Litigation Chamber and explained the implementation of the introduction of diacritical marks in names and first names in its applications.

13. On 23 November 2021, the minutes of the hearing held on 22 November 2021 were submitted to the defendant in accordance with Article 54 of the Rules of Internal Procedure of the GBA. The defendant was thereby given the opportunity to have any comments on the minutes added to them as an annex, without this constituting a reopening of the debates.

14. On 23 November 2021, the Litigation Chamber notified the defendant of its intention to impose an administrative fine, as well as of the amount thereof, in order to give the defendant the opportunity to defend itself before the penalty is actually imposed.

15. On 29 November 2021, the Litigation Chamber received the comments on the minutes of the hearing that took place on 22 November 2021, which the Litigation Chamber included in its deliberations.

16. On 14 December 2021 the Litigation Chamber received the defendant's response to the intention to impose an administrative fine as well as the amount thereof. The defendant submits that a number of mitigating circumstances set out in the conclusion for Y Belgium and at the hearing do not appear to have been taken into account by the Litigation Chamber, as they do not appear in the penalty form, and that the proposed fine would be disproportionately high in relation to the decision on the merits No. 18/2020 of 28 April 2020 for an identical infringement.

II. Reasons

17. Hereafter, the Litigation Chamber assesses each of the findings included in the report of the Inspectorate in the light of the pleas put forward in that regard by the defendant.

(a) Principle of accuracy (Article 5.1(d) AVG), accountability (Article 5.2 AVG), transparent information, communication and detailed arrangements for exercising the rights of the data subject (Article 12 AVG), right to rectification (Article 16 AVG), data protection by design and by default (Article 25 AVG) and the duty to cooperate (Article 31 AVG)

18. The first element examined by the Inspectorate concerns the assessment of the extent to which the defendant has made the necessary adjustments in order to process diacritical marks in its ICT systems. The Inspectorate finds that the defendant is unable to provide a clear and systemic picture in terms of time horizon for the implementation of diacritical marks in the current ICT system (applications + mainframe) and possible first results showing the efforts made.

19. Furthermore, the Inspectorate also states that the defendant remains stuck in the "exploratory phase" of preliminary studies and discussions without wanting to achieve concrete goals and results.

20. The Inspectorate concludes that the defendant is in breach of Articles 5.1(d), 5.2, 12, 16, 25 and 31 AVG because the defendant is not willing or able to present a concrete time horizon with concrete results, nor is it willing or able to demonstrate systemic changes that would have a positive impact on the initial request of the data subject. According to the Inspectorate, the situation has not changed since the decision taken by the Litigation Chamber on 15 May 2019 - subject to the carrying out of some preliminary study work (feasibility) - and has therefore not improved.

21. The Inspectorate makes the following considerations in this regard:
- The defendant has IT applications and database systems (some 150), including the central customer system, which is a mainframe system that was put into use in 1995. That central customer system supports only EBCDIC ("extended binary coded decimal interchange code"). Although diacritical marks have since been added to the EBCDIC table, the defendant did not make any changes to the central customer system. In 2020, the defendant is still using an IT system dating back to 1995 and does not appear to be able to implement the right to rectification.
- With regard to the number of underlying applications that interact with the central customer system and need to be changed due to the introduction of diacritical marks, the Inspectorate notes that the defendant in the initial letter dated 6 November 2019 lists 150 applications and is only able to deliver a list that corresponds to the exact number as stated on 6 November 2019, supplemented by the correct systemic naming and the filtering out of double counting. The Inspectorate notes in this regard that the defendant often replied that the analysis was 'not yet complete', which is strange given the number of months of lead time, the number of staff, and the financial resources and capabilities of the defendant.
- With regard to the large and very old systems for which the defendant on 6 November 2019 states that a lead time of 18 months is expected for their adaptation, the Inspectorate notes that the defendant did not issue a list describing and specifically naming those systems until 2 November 2020.
- By examining the 'change management' and the plan of approach for proceeding with the implementation of the technical proposals, the Inspectorate attempts to gain insight into the process development and the way in which implementations are carried out at the defendant. The Inspectorate notes that on 16 September 2020 the defendant stated that the changes that need to be made in view of the introduction of accented letters will be made according to the AGILE principle, which means that the defendant will resolve the restriction on accented letters in small, manageable steps. On 12 October 2020, the defendant reports that it has taken initiatives to include diacritical marks in the central customer system, that a 4-phase approach is being followed and that at that time phases 1 and 2 are being processed: 1) analysis of all systems and applications potentially affected; 2) adaptation of these systems in the test environment and testing them separately for the processing of diacritical marks; 3) performing chain tests to ensure consistency of the applications; 4) actually implementing the changes. On 2 November 2020, the defendant documents how AGILE was translated into its organisation and provides information about the feasibility study in the form of two diagrams of the testing approach. The Inspectorate concludes that it is strange that little structured and overarching information is available to follow up on this change as a whole. Apart from general information about the AGILE approach and the pre-study phase, the defendant is unable to provide any information that demonstrates any progress or concrete results that could have a positive impact on the data subject and the exercise of his rights.
- Following the examination of the technical design, the inspection report contains the technical figures with regard to the architectural design whereby the defendant indicates whether, and if so to what extent, changes can have an impact on each of the components, both for the central customer system and the supporting and underlying technologies - middleware, the mainframe Z applications, the non-mainframe Z applications - as well as for the channels and front-end applications.

Articles 5.1(d), 12 and 16 AVG

22. The defendant submits that Articles 5.1(d), 12 and 16 AVG are complied with and argues as follows:
- The exercise of the data subject's rights is facilitated in accordance with Article 12 AVG by allowing customers to modify their data themselves via the internet banking applications, or to have them changed by employees in the front office. The Privacy Statement also provides the necessary contact details for exercising the right to rectification. In addition, there is also an internal guide and documentation of the procedures for exercising the rights of data subjects. Furthermore, the necessary processes have been implemented to adequately handle requests to exercise rights.
- The right to rectification (Article 16 AVG) is respected for all requests for adjustment or rectification. The impossibility for the defendant to comply with a request for rectification is limited to the processing of diacritical marks in a name.
- The implementation of a complex IT project involving adjustments to many systems, which requires a great deal of time and investment in order to be able to satisfy an absolute minority of requests for rectification, cannot, in the opinion of the defendant, be regarded as a reasonable measure within the meaning of Article 5.1(d) AVG.
- The defendant cites that the judgment of the Markets Court dated 9 October 2019 is still pending before the Court of Cassation and that, pending that judgment, it cannot simply be claimed that Articles 5.1(d), 12 and 16 AVG are not complied with because of the lack of display of diacritical marks.

23. The defendant's conclusion states that it was initially foreseen to implement diacritical marks in its ICT systems as part of the UNITE ICT project already underway in 2019 within the Y Group, which aimed to upgrade the systems and applications of the Y entities in Belgium and those of the Y entities in the Netherlands, but that the UNITE project proved to be too ambitious, with the result that in 2020 the defendant had to carry out the necessary technical system changes under separate management, i.e. without Y Netherlands. On the basis of this statement, the Litigation Chamber finds that there was an intention to implement diacritical marks in the defendant's applications, but that this did not take place within the UNITE project. The defendant now concludes that the inclusion of diacritical marks in the applications exceeds the bounds of reasonableness, whereas Article 5.1(d) AVG merely requires the defendant to take every reasonable step to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

24. Based on the inspection report, the Litigation Chamber notes that the central customer system, which is at the core of the bank in that customer data are stored centrally and retrieved from there by adjoining systems, is a mainframe system that was brought into use in 1995. Although diacritical marks were added to the EBCDIC table, no changes were made by the defendant to the central customer system supporting EBCDIC. This means that the defendant did not make use of this opportunity to adapt its system.

25. Although the reasonableness of the implementation of this measure is disputed by the defendant, the Litigation Chamber is of the opinion that it is part of the normal expectations of a customer whose personal data are processed in the context of his financial relationship with the bank that his name is correctly displayed, precisely in view of the importance of the correctness of data in the provision of financial services and the supply of financial products. The Litigation Chamber also refers in this regard to the judgment of the Markets Court of 9 October 2019, which states that a correctly operating banking institution may be expected to have a computer programme that meets current standards, to which the above-mentioned right to the correct spelling of the name may be added. The Court adds that the right to rectification is a fundamental right[2]. It therefore appears reasonable for the bank to use the measures at its disposal to process the names of customers with diacritical marks and thus to adapt the mainframe system in use since 1995 to current possibilities. With regard to the defendant's argument that such adaptation, not only of its central customer system but also of the underlying or adjacent systems, would require significant time and investment, which cannot be considered reasonable, the Litigation Chamber observes that this is generally inherent in any fundamental change of systems, which is all the more true in the case of old systems such as the one at issue here. The need to devote time to and invest in appropriately adapted IT systems in order to be able to process diacritical marks is not - contrary to what the defendant maintains - limited to an absolute minority of requests for rectification, but is necessary in the interests of every customer whose name contains diacritical marks. Indeed, the starting point should be that the defendant, like any data controller, makes every effort to process correct data and does not adopt a 'wait and see' approach, i.e. take action only following a customer's request for the amendment of his name.

[2] The judgment of the Markets Court is drafted in the following terms: "[...] The fact that it would require a technical 'effort' to use a computer program that does place accents on capital letters is neither serious nor relevant. To state now (in the year 2019!) that adapting a computer program would require several months of work and/or additional financial costs for the banking institution does not allow NV Y BELGIUM to disregard the rights of the person concerned. The rights granted to the person concerned are equivalent to obligations to produce a result on the part of the processor of the personal data. A correctly functioning banking institution may be expected - if it uses a computer program - to have a computer program that meets current standards, including the above-mentioned right to the correct spelling of the name. The right of rectification is a fundamental right. [...]"

26. The Litigation Chamber is therefore of the opinion that the defendant's inability, to date, to correct the name of customers requesting the display of diacritical marks in their name constitutes an infringement of Article 5.1(d) AVG. It also constitutes an infringement of Article 16 AVG, since the defendant is not in a position to fully respect the right to rectification. The defendant submits that all requests for rectification or correction are implemented, except for the request to adapt diacritical marks. This leads the Litigation Chamber to conclude that the defendant has not complied with every exercise of the right to rectification. However, the right to rectification must be respected in all its facets.

27. However, in determining the sanction for these breaches, the Litigation Chamber takes into account the defendant's undertaking to implement all the necessary changes by 15 November 2021 in order to be able to reproduce the diacritical marks in the names and first names in its applications. In this obligation of result, two caveats are made by the defendant, of which the Litigation Chamber takes note:
1° In accordance with the globally applicable industry standard, bank cards do not show diacritical marks. If the defendant were to do so, this could lead to problems in the use of the bank card, both online and offline. Also with regard to electronic payment transactions (SEPA), all Belgian banks have jointly decided to limit themselves to the standard character set without diacritical marks.
2° The display of diacritical marks on printed credit card statements will only be available at a later date.
During the hearing of 22 November 2021, the defendant demonstrated by means of a presentation that the necessary steps had been taken to incorporate diacritical marks in the customers' names, allowing the Litigation Chamber to conclude that there is progress in this respect. Specifically with regard to the complainant in Decision 01/2019 of 15 May 2019, the defendant also demonstrates that the diacritical mark is processed in his name.

28. With respect to Article 12 AVG, the Litigation Chamber finds that the defendant adequately demonstrates that there is transparent communication with customers in order to inform them about the exercise of their rights, as well as that the necessary means are made available for the exercise of those rights, thereby facilitating the exercise of those rights. In addition, it is not apparent from the inspection report that the defendant does not provide transparent communication (Article 12.1 AVG). The inspection report only shows that it is not technically possible for the defendant to comply with a request for rectification concerning diacritical marks. The defendant does facilitate the exercise of the rights of its customers (Article 12.2 AVG) via the online banking applications or with the assistance of the front office staff, but the defendant is not in a position to respond appropriately and to proceed without delay to rectification in so far as the request concerns diacritical marks (Article 16 AVG). It follows that no infringement of Article 12 AVG can be established.

29. Concerning the defendant's assertion that the Litigation Chamber cannot proceed to finding an infringement of Articles 5.1(d), 12 and 16 AVG on account of the lack of display of diacritical marks, because of the pending proceedings before the Court of Cassation brought by the defendant against the judgment of the Markets Court rendered pursuant to Decision 01/2019[3] of the Litigation Chamber, the Litigation Chamber points out that an appeal in cassation is an extraordinary legal remedy that does not have a suspensive effect. This means that the judgment of the Court of Appeal has full effect pending the judgment of the Court of Cassation, and that the Inspectorate was able to seize the Litigation Chamber through the inspection report of 23 March 2021, so that the Litigation Chamber can now proceed to take the present decision on the merits.

[3] Decision 01/2019 of 15 May 2019 regarding a complaint for failure to comply with a request to correct the spelling of a name.

Article 25 AVG

30. The defendant submits that the Inspectorate establishes an alleged breach of Article 25 AVG but does not explain what this breach would consist of.

31. The Litigation Chamber considers that the inspection report clearly demonstrates that the defendant continues to use for its central customer system a mainframe which was put into service in 1995 and that, notwithstanding the technical possibility of incorporating and processing diacritical marks, it has chosen not to adapt its system accordingly. In accordance with Article 25 AVG, the state of the art which allows diacritical marks to be processed requires the defendant to take appropriate technical and organisational measures so that the principles of data protection, including the principle of accuracy, are implemented in an effective manner and the necessary safeguards are incorporated into the processing in order to ensure compliance with the requirements of the AVG and to protect the rights of data subjects.

32. The defendant cites that Article 25 AVG also refers to the costs of implementation as a criterion for determining the appropriate measures, as well as to the risks to the rights and freedoms of natural persons associated with the processing, in terms of probability and seriousness. In that regard, the defendant claims that there is no risk whatsoever as regards the identification of the person on the basis of the use of a given name without displaying the specific diacritical mark. Moreover, the implementation of a very complex IT project involving adjustments to numerous systems takes a great deal of time and investment in order to respond to an absolute minority of requests for rectification, which, in the defendant's view, means that the risk is extremely limited in terms of seriousness and probability with regard to the rights and freedoms of natural persons.

33. The defendant's assertion that there would be no risk of identification of the data subject in the absence of the processing of diacritical marks, as well as the extremely limited risk alleged by the defendant given the small number of requests for correction of diacritical marks, cannot, in the opinion of the Litigation Chamber, result in the defendant omitting entirely, as in the present case, to implement any measure to comply with possible requests for correction.

34. Furthermore, the defendant refers to the Guidelines 4/2019 on Article 25 Data Protection by Design and by Default[4], which, in relation to the accuracy of data, state that the requirements set forth in Article 5.1(d) AVG must be considered in relation to the risks and consequences of the concrete use of the data. From that, the defendant takes the view that the measure consisting in the inclusion of diacritical marks in its systems is not proportionate to the risks for the data subject. However, the defendant disregards the fact that the Guidelines, with regard to the design and default elements on accuracy, and specifically as regards erasure/rectification, provide that the controller must delete or rectify incorrect data without delay. The Guidelines thus confirm what is stipulated in Article 5.1(d) AVG, namely that every controller has the obligation to erase or rectify incorrect data without delay, and thus not to allow the processing of incorrect data to continue; it is therefore not up to the controller to decide whether or not to accede to a request to erase or rectify inaccurate data on the basis of financial considerations or risk analysis.

35. The failure of the defendant to adapt its IT systems in order to facilitate the processing of diacritical marks in the name of clients, if requested, constitutes an infringement of Article 25 AVG. The fact that the defendant shows that in the meantime, namely since Decision 01/2019 of 15 May 2019, it has already made numerous efforts to make its systems AVG-compliant with regard to the processing of diacritical marks is also an important element in determining the penalty for this infringement. However, this cannot retroactively undo the infringement.

36.
In view of the efforts which the defendant has meanwhile made and the limited gravity and risk to the fundamental rights of the affected persons, in the light of recital 75 of the AVG, the Dispute AVG, the Dispute Resolution Chamber decides that despite having found infringements of articles 5.1.d), 16 and 25 AVG, not to impose a penalty for those infringements. It therefore orders a discontinuation of proceedings pursuant to Article 100, §1, 2° WOG. Article 5.2 and 31 AVG 37. The report of the Inspectorate shows several times that the defendant needed several letters to formulate concrete answers. The report of the Inspectorate shows several times that the defendant needed several letters to formulate concrete answers to the questions asked, from which the Inspectorate concludes that the Inspectorate concludes that the Respondent did not comply with its duty of accountability and cooperation. with his duty of accountability and cooperation. The Inspectorate also finds it strange that there is little structured and information to follow up on the adjustments from an overarching view. follow-up. Apart from general information about the AGILE approach and the preliminary study phase, the According to the Inspectorate, the defendant cannot provide any information that would enable any progress to be made in the 4 https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_nl.pdf Decision on the merits 141/2021 - 12/26 dossier or concrete results that could have a positive impact on the person concerned and the exercise of his or her rights and freedoms. 38. However, on the basis of the documents provided by the Respondent, the Dispute Resolution Chamber must establish that the Respondent is able, by means of the necessary documentation, to demonstrate the extent to which the AVG is complied with. 
Not only does the Respondent have an internal guide and documentation of the procedures for exercising the rights of the data subjects but also specifically documentation relating to the IT project to implement the diacritical marks and the processes demonstrating the progress of the project. In this way, the documented the steps already taken and to be taken. The Respondent's explanation for the length of time it took to respond in several phases to the The explanation given by the Respondent for the time taken to answer the questions asked by the Inspectorate in several phases is that further analysis was required to determine which applications were required in order to determine which applications could be affected by the addition of diacritical marks and addition of diacritical marks and that this was not immediately possible. The defendant submits that time was needed to carry out analyses and tests in order to then implement the The Respondent submits that time was needed to carry out analyses and tests in order to then implement the changes in a controlled manner without endangering the stability of its systems. In this regard, the Dispute Resolution Chamber finds, based on the documents before it, that the Respondent has documentation that unmistakably demonstrates the progress of the dossier and concrete results, so that there is no concrete results, so that no breach of Article 5.2 of the AVG can be identified. 39. The Dispute Resolution Chamber also assessed the findings of the Inspectorate in the light of the Respondent's The Dispute Resolution Chamber also assessed the Inspectorate's findings in the light of the Respondent's duty of cooperation and found that the Inspectorate has insufficiently demonstrated that the Respondent has not, by means of reply letters, attempted to attempted, by means of reply letters, to answer the questions posed in a comprehensive and circumspect manner. 
In addition the Respondent stated on several occasions that it was prepared to enter into consultation in addition as a result of which it cannot be established that he did not fulfil the obligation to cooperation with the supervisory authority. 40. The Dispute Resolution Chamber therefore finds that no violation of Article 31 AVG can be established. This opinion is based on factual findings, so that it is not necessary in this This opinion is based on factual findings, so that it is not necessary in this case to give an opinion in principle on the scope of the duty to cooperate. b) Principle of minimal data processing (Article 5.1(c) of the AVG), integrity and confidentiality (Article 5.1(f) of the AVG), accountability (Article 5.2 of the AVG), the responsibility of the controller (Article 24 of the AVG) controller (Article 24 AVG), data protection by design and by default (Article 25 AVG), data default settings (section 25 AVG) and security of processing (section 32 AVG). 41. The Inspectorate notes that the Respondent uses the surname of the Complainant5 in 5 The Inspectorate refers to the complainant in decision No. 01/2019 of 15 May 2019 Decision on the merits 141/2021 - 13/26 - internal notes for and presentations by the Data Council - email traffic and ICT testing which relates to the ICT programme in connection with the use of diacritical marks. 42. The Inspectorate concludes that this processing activity by the Respondent is a violation of Articles 5.1 c) and f), 5.2, 24, 25 and 32 of the AVG, which is based on the consideration that the use of the plaintiff's surname is not necessary for the purpose for which it is processed and purpose for which it is processed and can therefore be avoided. The name for the project or the case could bear another name and the surname of the complainant has no added value. 
There According to the Inspectorate, there are various words in other languages with diacritical marks that can be used for this purpose, the use of the complainant's surname could be stigmatising and and by spreading it throughout its organisation the Respondent has no control over it. The inspection report concludes that using the family name as a "test person" or as a "case" is not proportionate to - the application of the basic principles of "minimum data processing" and "integrity and confidentiality"; - the appropriate technical or organisational measures to be taken; - ensuring the confidentiality, integrity, availability and resilience of its processing systems and services; - the contractual (banking) duty of discretion or the discrete processing of the personal data as a Bank towards the Customer. 43. The Dispute Resolution Chamber states that the complainant's surname in Decision No. 01/2019 of 15 May 2019 does constitute personal data within the meaning of Article 4.1) of the AVG, as the complainant is identifiable on the basis of the name of the person who is the subject of the decision. is identifiable on the basis of the decision No. 01/2019 taken by the Dispute Resolution Chamber, and the judgment of the Market Court dated 9 October 2019, in which the defendant was a party in each case and the identity of the complainant was thus known to him. identity of the complainant was thus known to him. This implies that the complainant can be identified on the basis of This implies that the complainant can be directly identified within the organisation of the defendant on the basis of his surname alone, since they are both parties. Respondent's organisation, since they were both parties to the dispute. According to the Dispute Resolution Chamber, the use the use of the surname as a project name should be regarded as a processing based on the legitimate interest of the legitimate interest of the Respondent (Article 6.1(f) of the AVG). 44. 
In accordance with Article 6.1(f) AVG and the case-law of the Court of Justice of the European Union (hereinafter 'the Court'), three cumulative conditions must be met in order for a controller, being the defendant, to be able to exercise the right to data protection. for a controller, i.e. the defendant, to be able to validly rely on this ground of law, 'namely lawfulness, 'namely, first, the legitimate interest of the controller or of the defendant in the processing of personal data. of the controller or of the third party or parties to whom the data are disclosed Decision on the substance 141/2021 - 14/26 and, second, the necessity of processing the personal data for the purposes of the legitimate interests of the data controller or of third parties to whom the data are disclosed. for the purposes of the legitimate interests pursued, and, third, the condition that the fundamental rights and freedoms of the persons concerned must be protected. third, that the fundamental rights and freedoms of the data subject are not prejudiced' (Rigas v. Guardian, 2010, p. 12). prevail" (Rigas judgment6 ). ). 45. In order to be able to rely on the legal ground of the "legitimate interest" under Article 6.1(f) of the AVG, the data controller must be able to prove that the person concerned has a legitimate interest. "legitimate interest" under Article 6.1(f) AVG, the controller must demonstrate that demonstrate that: - the interests it pursues with the processing can be recognised as legitimate (the "purpose test"); - the intended processing is necessary for the purposes of achieving those interests (the "necessity test"); and "necessity test"); and - the balance of these interests in relation to the interests, fundamental freedoms and rights of data subjects weighs in favour of the interests, fundamental freedoms and rights of data subjects. freedoms and fundamental rights of data subjects in favour of the controller (the "balancing test"). 46. 
As regards the first condition (the "purpose test"), the Litigation Chamber is of the opinion that that the purpose of implementing both the above-mentioned decision of the Dispute As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber is of the opinion that the purpose of implementing the aforementioned decision of the Dispute Resolution Chamber and the judgment of the Market Court7 can be regarded as pursuing a legitimate interest. a legitimate interest. The interest pursued by the defendant as data controller may be can in itself be considered justified pursuant to recital 47 of the AVG. in accordance with recital 47 of the AVG. Consequently, the first condition laid down in Article 6(1)(f) of the AVG is fulfilled. 47. In order to comply with the second condition, it must be demonstrated that the processing is In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular whether the same result could be achieved by other means without processing personal data or without a result without processing personal data or without processing that is unnecessarily burdensome for the data subject. for the data subject. 48. Given that the defendant was a party to each of the proceedings before the Dispute Chamber and the As the defendant was always a party to the proceedings before the Dispute Chamber and the Market Court, the identity of the complainant was thus already known to a limited circle of persons within the defendant's organisation. persons within the Respondent's organisation. 49. Moreover, the Respondent states that the surname was used in purely internal and confidential documents confidential documents within the Data Council consisting of only 7 members, and in some emails limited to the strictly necessary persons involved in the project. 
From none of the documents 6 CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA "Rīgas satiksme', recital 28. See also CJEU, 11 December 2019, C-708/18, TK v. Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 40. 7 See in the same sense Decision on the merits 35/2020 of 30 June 2020, para. 28. Decision on the merits 141/2021 - 15/26 show that the processing of the complainant's surname would have been unnecessarily intrusive for the person concerned. Thus, the Dispute Resolution Chamber finds that the Respondent did not process the surname of the did not process the surname of the person concerned in disregard of the principle of minimum data processing, so that the data processing, so that the second condition is satisfied. 50. In order to verify whether the third condition of Article 6.1(f) of the AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the following must be taken into account In accordance with recital 47 AVG, the reasonable expectations of the data subject should be taken into account. reasonable expectations of the data subject. In particular, it must be evaluated whether the "data subject at the time and in the context of the collection of the personal data, the data subject may reasonably expect that the reasonably expect that processing can be carried out for that purpose "8 . . 51. This is also emphasised by the Court in its judgment "TK v. Asociaţia de Proprietari bloc M5AScaraA" of 11 December 20199 , in which it states , where it states: "Also relevant to this balancing exercise are the reasonable expectations of the data subject that his or her personal data will not be processed if, in the given circumstances of the case, the data subject cannot reasonably expect further processing of the data". 52. 
From both the decision No. 01/2019 taken by the Dispute Resolution Chamber on 15 May 2019, and the judgment of the Markets Court dated 9 October 2019, it follows that the Respondent had to adapt its applications, at least as regards the adapt its applications, at least as regards the processing of diacritical marks in the surname of the data subject. This necessarily implies that the data subject could reasonably could reasonably expect10 that his family name would be used within the organisation of the Respondent's organisation in order to meet the requirements laid down in the aforementioned decision of the Dispute Resolution Chamber, as well as in this one by the Market Court. 8 Recital 47 AVG. 9 CJEU, 11 December 2019, C-708/18, TK v. Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 58. 10 Recital 47 AVG. The legitimate interests of a controller, including those of a controller to whom the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the interests of the controller or of a third party are safeguarded. provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overridden, taking into account the data subject's reasonable expectations based on his/her relationship with the controller. controller. Such a legitimate interest may be present, for example, when there is a relevant and appropriate relationship between the data subject and the controller, in situations where the data subject is a customer or employee of the controller. customer or is employed by the data controller. In each case, a careful assessment is required to determine whether legitimate interest, as well as to determine whether a data subject may reasonably expect, at the time and in the context of the collection of the personal data, may reasonably expect that processing can take place for that purpose. 
The interests and fundamental rights of the data subject may in particular outweigh the interests of the controller where personal data are processed in circumstances where the data subjects would not reasonably expect any further processing. Since it is for the legislator to create the legal basis for personal data processing by public authorities that legal basis should not apply to processing by public authorities in the course of their duties. The processing of personal data that is strictly necessary for the purposes of fraud prevention is also a legitimate interest of the controller in question. The processing of personal data for the purpose of direct marketing may be considered to be considered to be carried out with a view to a legitimate interest. (own emphasis added) Decision on the merits 141/2021 - 16/26 53. The totality of the aforementioned elements leads the Dispute Chamber to the conclusion that the Respondent has lawfully processed the surname of the person concerned within its organisation on the basis of processed within its organisation on the basis of Article 6.1(f) of the AVG and that there are no elements showing that the Respondent acted contrary to the requirements of the AVG, so that there is no violation on the part of the Respondent. no infringement of Articles 5.1(c) and (f), 5.2, 24, 25 and 32 of the AVG was committed by the defendant. committed. c) Position of the Data Protection Officer (Articles 38.3 and 38.6 AVG) 54. The Inspectorate's report notes with regard to the position of the Data Protection Officer that The report of the Inspectorate establishes that there is a conflict of interest on his/her part and that he/she does not report directly to the highest management level. The report of the Inspectorate establishes with regard to the position of the DPO that there is a conflict of interest on his part and that he does not report directly to the highest management body. 55. 
The defence raises the question of the requirement to report directly to the highest management level 55. The defence emphasises, regarding the requirement to report directly to the highest management level (Article 38.3 AVG), that the DPO reports to the Executive Committee and that he does not report directly to the highest management level. reports to the Executive Committee, also referred to as the Management Committee, and This is done through the Chief Risk Officer (CRO) who himself sits on the Executive Committee, being the highest body. The defendant emphasises that the reporting line does indeed go directly from the Data Protection Officer to the Executive Committee. Reporting to a body can only be done through a natural person, in this case the CRO who serves as the point of access to that body. that body. The Respondent justifies this choice of the CRO by the fact that he is the member of the Executive Committee which is the privileged interlocutor of the Risk Committee which takes cognisance of all the important privacy-related takes cognisance of all important privacy-related issues. 56. The DPO is himself a permanent member of the Data council, which is a delegated subcommittee and extension of the Executive Committee, whereby the decisions of the Data Data Council's decisions are binding on the Executive Committee. The Respondent underlines that the Data Protection Officer's seat on the Data Council constitutes a form of reporting to the highest level. 57. The Respondent also adds that the Executive Committee is a collegiate body, whereby the CEO has one vote in the decision-making process, as do all other members of it. The Respondent emphasises during the hearing that the DPO does not have to report to the highest individual namely the CEO, within the highest body, but that reporting to the highest body is sufficient. Moreover, all other members of the Executive Committee, including the CEO, are responsible for departments that process data. 
It follows, according to the Respondent that it cannot be argued that any particular member of the Executive would be more neutral than the other members. 58. On the basis of the documents substantiating the explanation provided by the Respondent, the Dispute Resolution Chamber that no violation of Article 38.3 AVG can be established. Decision on the merits 141/2021 - 17/26 59. As regards the Inspectorate's finding of a conflict of interest (Article 38.3 AVG) on the part of the Data Protection Officer As regards the Inspectorate's finding that there is a conflict of interests (Article 38.6 of the AVG) on the part of the Data Protection Officer because he is also the head of the Operational Risk Management (ORM), Information Risk Management (IRM) and the Special Investigation Unit (SIU), the defendant argues that the head of these services does not have the power to take decisions. those departments does not have decision-making powers at the level of the purposes and means of operational processing of personal of operational processing of personal data, but a purely advisory and supervisory power. 60. During the hearing, the Dispute Resolution Chamber examined the impact that the Data Protection Officer Data Protection Officer has on decision-making by virtue of his other functions. 61. The Dispute Resolution Chamber notes that the Respondent, in its conclusion, does not consider the purely advisory and supervisory competence of each of the three services, namely Operational Risk Management Information Risk Management and Special Investigation Unit, stresses. The defendant believes This allows the defendant to argue that the DPO has no duties (including through his functions in each of the relevant services) that would enable him to take decisions about the purpose and means of any processing. the purposes and means of any processing of personal data. 62. 
The Dispute Resolution Chamber considers that this does not demonstrate that the Data Protection Officer who is also the who is also the head of each of those departments and therefore has a position of responsibility within them is in a position of responsibility, would not carry out tasks incompatible with his position as Data Protection Officer. as the Data Protection Officer. 63. In this regard, the Litigation Chamber notes that the advisory and supervisory role of the departments as such does not mean that they do not determine the purposes and means of data processing. data processing. 64. The Dispute Resolution Chamber should assess how and to what extent the independence of the 64. The Dispute Resolution Chamber should assess how and to what extent the independence of the Data Protection Officer in relation to each of these three departments - of which he is the Head of Service - is ensured. of which he is head of department - is ensured. 65. The Respondent thus appoints the same physical person as the head of each of the three departments and as the Data Protection Officer. The defendant itself thus appoints the same physical person as being responsible for each of the three departments and as being the Data Protection Officer. This responsibility for each of those three departments undeniably means that, in that capacity determines the purposes and means of the processing of personal data within these three departments and is thus responsible for departments and is thus responsible for the data processing processes that fall under the domain of Operational Risk Management, Information Risk Management and Special Investigation Unit as established in the inspection report. Decision on the merits 141/2021 - 18/26 66. The Group 29 Guidelines for Data Protection Officers11 explain that the Data Protection Officer cannot hold any position within the organisation where he or she he or she must determine the purposes and means of the processing of personal data. 
determine. This is thus a substantial conflict of interest. The role of controller of a service is thus incompatible with the function of the data protection officer, who must be able to perform his or her tasks be able to perform his tasks independently. By combining in the same physical person the functions of the controller for each of the services, the data protection officer is able to carry out his tasks independently. the function of controller for each of the three services concerned separately on the one hand, and the function of Data Protection Officer on the other hand, each of those three services lacks any possible independent supervision. of those three services any possible independent supervision by the Data Protection Officer. data protection officer. In addition, the combination of these functions may lead to a lack of secrecy and confidentiality vis-à-vis staff members in accordance with Article 38(5) of the AVG cannot be sufficiently guaranteed. can not be sufficiently guaranteed. 67. The Respondent seeks to rebut the existence of a conflict of interest in relation to the Data Protection Officer by arguing that the The Respondent seeks to rebut the existence of a conflict of interest in respect of the DPO by arguing that the services IRM, ORM and SIU are part of the second-line function. are part of the second level function which only include supervisory and control functions. The head of these services, who is also the Data Protection Officer, has, according to the defendant no decision-making power at the level of the purposes and means of operational processing of personal processing of personal data, but only in an advisory and supervisory capacity. power. The defendant considers that this reasoning is supported by decision 56/2021 of 26 April 2021. 68. 
As also provided for in the Working Party 29 Guidelines for Data Protection Officers12 , the As also provided for in the Working Party 29 Guidelines for Data Protection Officers12 , the Litigation Chamber considers that the assessment of any 11 Under Article 38(6), data protection officers may "perform other tasks and duties". To this end, the However, the organisation must ensure that "these tasks or duties do not lead to a conflict of interest". The absence of a conflict of interest is closely linked to the requirement to act autonomously. Although data protection officers may other functions, they can only be entrusted with other tasks and duties if these do not give rise to any conflict of interest. give rise to any conflict of interest. This implies in particular that the DPO within the organisation a position in which he or she determines the purposes and means of the processing of personal data. Given the specific organisational structure of each organisation, this should be assessed on a case-by-case basis. As a rule of thumb, the following are considered to be positions with a conflict of interest within the organisation: senior management positions (e.g. Chief Executive, Chief Operating, Chief Financial, Chief Medical Officer, head of the marketing department, head of Human Resources or head of the IT department). Resources or head of the IT department), but also lower positions within the organisational structure if these persons have to define the objectives of and means of data processing. In addition, a conflict of interest may also arise, for example, when arise when an external data protection officer is asked to represent the controller or processor in the legal proceedings. or the processor in court in cases involving data protection issues. 
Depending on the activities, size and structure of the organisation, it may be good practice for controllers or processors to identify the positions that may be incompatible with the data protection officer function provide internal rules to this effect in order to avoid conflicts of interest;-include a more general explanation of conflicts of interest declare that their data protection officer has no conflict of interest in his or her role as data protection officer, as a way of avoiding conflicts of interest. officer, as a way of sensitising others to this requirement;-include safeguards in the organisation's internal rules and ensure that Include safeguards in the organisation's internal rules and regulations and ensure that the vacancy for the position of DPO or the service agreement is service agreement is sufficiently precise and detailed to avoid conflicts of interest. In this context, we should take into account that conflicts of interest can take different forms depending on whether the data protection officer is recruited internally or externally. officer is recruited internally or externally. WP243Rev01, para 3.5, underlining by Dispute Chamber. These guidelines have been endorsed by the European Data Data Protection Board (EDPB). 12 See above, footnote 11. Decision on the merits 141/2021 - 19/26 conflict of interest should be done on a case-by-case basis, taking into account the specific organisational structure of each organisation. each organisation. Thus, the Dispute Resolution Chamber assesses in concreto. 69. 
Although the Respondent maintains that the three services in question belong to the second-line function, so that these services do not introduce processing themselves but only supervise, set frameworks and carry out checks, the Litigation Chamber enquired during the hearing into the relationship between the second-line and first-line functions in order to find out whether the second-line function can fulfil its advisory and supervisory role without determining the purpose and means of any processing carried out by itself and by the first-line function. Specifically, the Litigation Chamber found at the hearing that if the second-line function is to exercise its supervisory and monitoring powers, it also needs information from the first-line function to do so. This is also apparent from the register of processing activities, which lists a large number of categories of personal data processed by the second-line function. According to the Litigation Chamber, this clearly shows that personal data are processed by the second-line function for which it determines the purpose and the means.
70. The Respondent's response to this is that taking note of, i.e. reading, personal data is not sufficient to qualify as processing of personal data. The Respondent here draws the comparison with an employee who consults personal data in the course of his/her work but does not himself/herself act as a separate controller. To follow a different interpretation would, according to the Respondent, lead to each employee being regarded as a separate controller.
71. As regards the categories of personal data processed by the second-line function indicated in the register of processing activities, the Respondent argues that these have been listed 'out of prudence', because the second-line function may become aware of those personal data in the performance of its tasks. Again, the Respondent adds that the second-line function is not responsible for the processing of personal data, but may become aware of certain categories of personal data only through the exercise of its supervisory powers, and that the second-line function will never be able to determine how personal data will be filled in and processed within the bank.
72. The Litigation Chamber notes that consulting personal data does constitute processing within the meaning of Article 4(2) AVG. It should be noted here that the processing of personal data does not result in the person carrying out the processing, such as an employee, being regarded as a separate controller. The controller is the one who determines the purposes and means of the processing within the meaning of Article 4(7) AVG. The second-line function, as an entity within the controller, determines the purposes and means of the processing of the personal data that the first-line function is required to supply to it, and thus contributes to determining the purpose and means of the processing carried out by the first-line function, so that the second-line function can fulfil its own supervisory and advisory role. This is indisputably apparent from the register of processing activities. It follows that the Data Protection Officer, who also holds the position of Head of Department of the ORM/IRM/SIU, determines the purposes and means of the data processing operations carried out by the first-line function to the extent that this information is necessary for the tasks entrusted to the second-line function, and then also determines the purposes and means of the data processing by the second-line function.
73. This leads the Litigation Chamber to conclude that the combination of the capacity of Data Protection Officer with the function of Head of Service of the three departments ORM/IRM/SIU is not sustainable without a conflict of interest on the part of the Data Protection Officer. Consequently, the Litigation Chamber finds that the breach of Article 38.6 AVG has been proven.
74. It is important that the Data Protection Officer is able to perform his or her duties and tasks with respect for the position assigned to him or her by Article 38 AVG, in particular that he or she can act without any conflict of interest.
The Litigation Chamber therefore instructs the Respondent to bring the processing into line with Article 38.6 AVG in this respect and thus ensure that these tasks or duties do not give rise to a conflict of interest.
75. Taking into account that the AVG has assigned a key role to the Data Protection Officer (DPO) by giving him or her an informing and advising role vis-à-vis the controller on all matters relating to the protection of personal data, including the notification of data breaches, the Litigation Chamber also imposes an administrative fine.
76. In addition to the corrective measure to bring the processing into line with Article 38.6 AVG, the Litigation Chamber also decides to impose an administrative fine, which does not aim to put an end to a violation committed, but aims to ensure vigorous enforcement of the rules of the AVG. As is clear from Recital 148, the AVG requires that, for serious breaches, penalties, including administrative fines, be imposed in addition to, or instead of, appropriate measures.[13] The Litigation Chamber does so in application of Article 58.2(i) AVG. The instrument of the administrative fine therefore does not aim in any way to terminate infringements. To that end, the AVG and the WOG provide for a number of corrective measures, including the orders mentioned in Article 100, §1, 8° and 9° WOG.
[13] Recital 148 states: "In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative pecuniary sanctions, should be imposed for any breach of the Regulation, in addition to or as an alternative to any appropriate measure taken by the supervisory authorities under the Regulation. If the infringement is minor or where the likely fine would impose a disproportionate burden on a natural person, a reprimand may be chosen instead of a fine. However, account should be taken of the nature, seriousness and duration of the infringement, the intentionality of the infringement, any damage limitation measures taken, the degree of responsibility or previous relevant infringements, how the breach came to the attention of the supervisory authority, compliance with the measures taken against the controller or processor, affiliation to a code of conduct and any other aggravating or mitigating factors. The imposition of sanctions, including administrative pecuniary sanctions, should be subject to appropriate procedural safeguards in accordance with general principles of Union law and the Charter, including effective remedy and fair trial."
77. First of all, the nature and seriousness of the infringement is taken into account by the Litigation Chamber in order to justify the imposition of this sanction and its amount.
78. In this regard, the Litigation Chamber finds that, although there is no evidence of an intentional breach, there is evidence of gross negligence on the part of the Respondent. Although the Data Protection Officer is a function that was first made mandatory at the European level by the AVG, the concept of a data protection officer is not new and has existed for a long time in many Member States and in many organisations.[14]
[14] See, inter alia, WP243Rev01, para 1.
79. Moreover, already on 13 December 2016, the Working Party 29 adopted guidelines for these officers. After a wide public consultation, these guidelines were revised on 5 April 2017. As shown below, these guidelines are clear on the extent to which the data protection officer can also fulfil other functions within the company, taking into account the organisational structure specific to each organisation, which should be assessed on a case-by-case basis.
80. In short, in the opinion of the Litigation Chamber, there is no doubt that combining the position of Data Protection Officer with a position as head of a department (where personal data are also processed) which the Data Protection Officer must supervise cannot be done in an independent manner.
81. An organisation such as the Respondent may be expected to have carefully prepared for the introduction of the AVG, already from the time of its entry into force pursuant to Article 99 AVG in May 2016. After all, the processing of personal data is a core activity of the Respondent, which moreover processes personal data on a very large scale.
82. The duration of the breach is also taken into consideration. The function of Data Protection Officer was created in the AVG, applicable since 25 May 2018, so that the breach of Article 38.6 AVG is established from that date. In any event, the breach lasted until the date on which the full-time appointed Data Protection Officer took up his duties, i.e. 1 July 2021.
83. Finally, the Respondent processes personal data of a huge number of people. Ineffective safeguards for the protection of personal data, in particular through the appointment of a data protection officer who does not comply with the requirement of independence and is therefore not free from any conflict of interest, thus have a potential impact on a huge number of stakeholders.
84. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction within the meaning of Article 83 AVG, taking into account the assessment criteria laid down therein, in the amount of EUR 75,000. The Litigation Chamber points out that the other criteria of Article 83.2 AVG are not of such a nature in this case that they lead to an administrative fine other than that determined by the Litigation Chamber for the purposes of this decision.
85.
The mitigating circumstances referred to by the Respondent in its response to the Litigation Chamber's intention to impose an administrative fine, namely the absence of harm to the data subjects (Article 83.2(a) AVG); the measures taken to detect and prevent potential conflicts of interest in a timely manner, notably by implementing appropriate policies and mechanisms as described in its submissions (Article 83.2(c) AVG); the absence of previous relevant infringements (Article 83.2(e) AVG); as well as the cooperation in good faith with the GBA (Article 83.2(f) AVG), are taken into account by the Litigation Chamber when determining the amount of the administrative fine.
86. To answer the Respondent's objection concretely, the Litigation Chamber states that it has indeed not been established that the data subjects suffered any harm, nor have any previous infringements been established. This finding leads the Chamber to reduce the initially proposed amount of the administrative fine from EUR 100,000 to EUR 75,000.
87. As regards the implementation of policies and mechanisms to avoid conflicts of interest, the Litigation Chamber notes that these were adopted late, i.e. well after the entry into force[15] as well as the applicability[16] of the AVG. The Conflicts of Interest Policy dates from 20 January 2020 and the specific DPO policy was implemented on 12 October 2020, following decision on the merits no. 18/2020 of 28 April 2020; as mentioned in the submissions, a full-time DPO was not appointed until 1 July 2021. This means that, although the Respondent cooperated with the GBA to remedy the breach and mitigate its potential negative effects, this took place well after the entry into force and application of the AVG, which has an impact on the duration of the breach (see above).
[15] Pursuant to Article 99.1 AVG, the AVG entered into force on 25 May 2016.
[16] Article 99.2 AVG provides that the AVG applies from 25 May 2018.
88. As to the amount of the fine, the Respondent argues that the fine is higher than the one imposed for an identical infringement in decision on the merits no. 18/2020 of 28 April 2020, whereas the Respondent claims that its consolidated turnover is lower, that it has already taken measures to address the GBA's concerns and that it has a smaller market position.
89. The Litigation Chamber states that the maximum amount of the administrative fine for a violation of Article 38 AVG is determined by Article 83.4 AVG.[17] The amount of the fine imposed in this decision is significantly lower than the maximum amount stipulated in Article 83.4 AVG, in view of the elements the Litigation Chamber has taken into account. Moreover, the Litigation Chamber evaluates the concrete elements of each case individually in order to impose an appropriate penalty.[18] The reference by the Respondent to decision on the merits no. 18/2020 of 28 April 2020 concerns the same infringement, namely the existence of a conflict of interest on the part of the Data Protection Officer (Article 38.6 AVG), but otherwise the Litigation Chamber must take into account all factual elements that are specific to each case, whereby in this case the duration of the breach is an important element which justifies the imposition of a fine of EUR 75,000, for which the Litigation Chamber based itself on the Respondent's consolidated annual accounts.
[17] Article 83.4 AVG: Breaches of the following provisions are subject to administrative fines in accordance with paragraph 2 up to EUR 10 000 000 or, for an undertaking, up to 2 % of its total annual worldwide turnover in the preceding business year, whichever figure is higher: (a) the obligations of the controller and processor under Articles 8, 11, 25 to 39, and 42 and 43; [...]
[18] See in this respect the judgment of the Market Court of 7 July 2021, roll number 2021/AR/320, NV Nationale Dienst voor Promotie van Kinderartikelen (N.D.P.K. N.V.) v. GBA, p. 42.
d) Register of processing activities (Article 30 AVG)
90. With regard to the register of processing activities, the Inspectorate makes the following findings, as summarised below:
- The register of processing activities of the ORM/IRM/SIU[19] services is incomplete;
- the register of processing activities contains only three processing operations, namely one processing activity for each of the services. The Inspectorate finds this strange, since in each of the three services there are different processing activities within the second-line function, so that it is rather abnormal to combine these processing activities into a single processing activity;
- the Respondent failed to provide a complete list of all purposes of the processing of personal data in accordance with Article 30.1(b) AVG;
- the following information is not visible in the register of processing activities: the name and contact details of the data protection officer in accordance with Article 30.1(a) AVG; a description of the time limits envisaged for the erasure of the different categories of data pursuant to Article 30.1(f) AVG; a description of the technical and organisational security measures in accordance with Article 30.1(g) AVG;
- the register of processing activities should be complete and clear in itself, but the following terms are not explained: "12. TIN" and "S9. Criminal data". Also, the description of the purposes of the processing is vague: "E7_To support the activities to safeguard and ensure the security and integrity of Y and/or the financial sector" and "C6_Compliance with legal obligations", and does not accurately reflect the processing activity and processing purpose of these services of the Respondent;
- specifically with regard to the SIU service, the register of processing activities states that personal data relating to criminal convictions and offences are processed, with the following statement: "S9. Criminal data". The Inspectorate finds it strange that this is not specifically explained.
[19] Operational Risk Management (ORM)/Information Risk Management (IRM)/Special Investigation Unit (SIU)
91.
With regard to these findings by the Inspectorate, the Respondent submits the following:
- Except for the enumeration of the elements that must be included in the register and the obligation to communicate the register to the supervisory authority upon request, the AVG does not impose any other legal obligation concerning the register. According to the Respondent, by its findings in the inspection report, the Inspectorate seems to want to set the threshold higher than the legal requirements in this respect. The Respondent adds and demonstrates that it has additionally taken into account Recommendation no. 06/2017 of 14 June 2017 of the Commission for the Protection of Privacy;
- With regard to the vague terms and vague description of the purposes of the processing, the Respondent argues that the register is an internal tool and resource for the controller. The Respondent acknowledges that the register also serves as a source of information for the GBA and in that sense should also be understandable for the GBA itself. However, it is not excluded that the controller may still provide the GBA with an explanation of certain internal terminology used in the register. Article 30.1 AVG requires that the register of processing activities contain a description of the categories of personal data as well as the processing purposes, but does not contain any concrete obligations regarding the level of detail of these categories of personal data and processing purposes. The aforementioned Recommendation no. 06/2017 does, however, provide examples of categories of personal data and purposes which are of a similarly 'general' nature. As regards the concepts and purposes identified by the Inspectorate as vague, the Respondent states that these were defined in another internal document. The definitions from that document, both with regard to the categories of personal data and the purposes, were taken up again in the register and were already available in the register by clicking on the relevant terms;
- The Respondent emphasises that the Inspectorate has only used the register for the processing activities of the ORM/IRM/SIU services and not the full register. The document supplied by the Respondent was a limited extract from the register and only contained details of the processing activities of the departments concerned;
- The processing activities of the ORM, IRM and SIU services are further explained by the Respondent. It states that the IRM and ORM services are primarily of an advisory nature, without actually having any executive function in the area of processing information and/or personal data. It concerns very limited processing operations that are grouped in the register under one processing activity for each of the two services. A number of processing activities that the Inspectorate ascribes to the IRM and ORM services respectively relate to activities that are described elsewhere in the register under the responsible departments. As far as the SIU service is concerned, the activities are also described and here, too, they were grouped in the extract from the register as one processing activity. The Respondent emphasises again that the AVG does not prescribe a specific required level of detail;
- With regard to the information missing from the register of processing activities according to the inspection report, the Respondent argues that the name and contact details of the Data Protection Officer are contained in a large number of internal documents and are thus well known within the Respondent's organisation, but that the data concerning the Data Protection Officer did not appear in the extract from the register of processing activities for technical reasons. As regards retention periods and technical and organisational measures, Article 30 AVG requires the register to contain this information where possible, but does not as such make it mandatory to mention them in the register itself. The Respondent submits that, for pragmatic reasons and for the sake of greater clarity, it opted to describe this information in a separate document.
92. Based on the defence and the supporting documents, the Litigation Chamber decides that there has been no infringement by the Respondent of Article 30 AVG.
III. Publication of the decision
93. In view of the importance of transparency with regard to the decision-making of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this purpose that the identification details of the parties be published directly.
FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority, after deliberation, decides to:
- Pursuant to Article 100, §1, 2° WOG, order a dismissal for the violation of Articles 5.1(d), 16 and 25 AVG;
- On the basis of Article 100, §1, 13° and Article 101 WOG, impose an administrative fine of € 75,000 for the violation of Article 38.6 AVG.
This decision may be appealed pursuant to Article 108, §1 WOG within a period of thirty days from the notification, before the Market Court, with the Data Protection Authority as defendant.
(signed) Hielke Hijmans, President of the Litigation Chamber