APD/GBA (Belgium) - 15/2023: Difference between revisions

Revision as of 09:01, 8 March 2023

APD/GBA - 15/2023

Authority:	APD/GBA (Belgium)
Jurisdiction:	Belgium
Relevant Law:	Article 4(11) GDPR Article 5(1) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 6(1)(a) GDPR Article 7(1) GDPR Article 7(3) GDPR Article 12(1) GDPR Article 12(6) GDPR Article 13(1) GDPR Article 13(2) GDPR Article 14(1) GDPR Article 14(2) GDPR Article 24(1) GDPR Article 24(2) GDPR Article 25(1) GDPR Article 30(1)(a) GDPR Article 38(3) GDPR Article 186 §1 Decreet Lokaal Bestuur Article 78 Bijzondere wet tot hervorming der instellingen
Type:	Complaint
Outcome:	Partly Upheld
Started:	31.03.2021
Decided:	21.02.2023
Published:
Fine:	n/a
Parties:	n/a
National Case Number/Name:	15/2023
European Case Law Identifier:	n/a
Appeal:	Not appealed
Original Language(s):	Dutch
Original Source:	Gegevensbeschermingsautoriteit (in NL)
Initial Contributor:	Enzo Marquet

The Belgian DPA reprimanded a government body for not updating the legal basis for GPS tracking of a company car after the entry into force of the GDPR. The DPA stated that a government entity can rely on Article 6(1)(e) GDPR for GPS tracking since there were no less invasive alternatives and it was necessary efficient usage of their scarce resources.

English Summary

Facts

The controller was a public authority and the data subject was its employee. The data subject used a company car which the controller was tracking with a GPS. The GPS tracking was active since 2009, before the GDPR came into existence but was put on hold once the complaint was submitted.

At some point, the data subject received a fraud report where his registered work time schedule was compared to the tracking of his car. This report included certain addresses, such as his mother’s, a bar and some random streets.

On 31 March 2021, the data subject submitted a complaint explaining that he was not informed about the GPS tracking before receiving the report, nor was it included in the privacy policy. Following the complaint, the DPA investigated and the Investigation Service issued a report in 5 parts : the GPS tracking system, cookiebanner and cookie policy, the controller’s information obligation, the register of processing activities and role of the data protection officer.

The Investigation Service concluded that the controller breached the GDPR in several ways. The controller did not refute this and in the meantime, it implemented a new privacy policy, cookiebanner, cookie notice and GPS tracking information process, as well as an updated register of processing activities and new procedures to involve the DPO.

The controller did not refute this and explained that these practices were prior to the GDPR and that it recently updated the internal processes as well as the privacy and cookie policy in line with the GDPR, following an internal audit and the recommendations of the Investigation Service.

Holding

The holding is divided according to the structure of the Investigation report.

GPS tracking

The DPA clarified that for the original GPS tracking, Directive 95/46/EC (predecessor of the GDPR) must be considered. The DPA concluded that the controller, in 2009, assured that the processing was aligned with the principles of purpose limitation, proportionality and transparency to protect the rights of the data subjects as much as possible. The access was also limited to specific people.

However, since the introduction of the GDPR on the 25th of May 2018, the controller had to ensure that all processing activities were compliant with, among others, Article 5(1) GDPR, Article 6(1) GDPR. The DPA held that the controller was thus obligated to take a proactive approach and to inform its data subjects about the legal ground of the processing, regardless of any complaint submitted. The DPA held that by not reworking its privacy policy and by not informing its employees, the controller breached those Articles.

Regarding the legal basis for the processing, the DPA stipulated that the controller relied on legitimate interest under Article 6(1)(f) GDPR, which cannot be relied upon by a public authority in the performance of their tasks according to Article 6(1).

The DPA therefore assessed if the processing was necessary for the performance of a legal obligation under Article 6(1)(c) GDPR. The DPA held that under national law, public authorities only possess competences formally assigned to them by law. This implies that a public authority may only process personal data if this is necessary for a task it is legally obliged to fulfill. Article 6(1)(c) could therefore not be considered as a legal basis.

The DPA then assessed how the controllers could rely on Article 6(1)(e) GDPR: the GPS tracking had to be necessary and directly related to the performance of a task in the public interest. The DPA stated that this should be interpreted in a broad way. It held that the efficient use of scarce government resources by checking the time tables of employees and the use of the company car falled under a task carried out in the public interest. However, the controller must also have a clear, precise and predictable legal basis to rely on Article 6(1)(e) GDPR. The DPA referred to its decision 149/2022 (summary of this decision is available here) and concluded that controllers must assess themselves if they can rely on Article 6(1)(e) GDPR.

For the necessity condition, the DPA analysed whether the GPS tracking in this case was necessary for the task in the public interest and if there were less invasive alternatives. The DPA determined that the processing happened under specific parameters (professional activities, with the company car, limited to the strictly necessary personal data, transparently explained to the data subject). Other tracking could also be more invasive and there was no other possible way for the controller to monitor the movements of the company car. Lastly, the amount of people who could access the data was strictly limited. The DPA concluded that there was no breach of Article 6(1)(e) GDPR since the controller only processed personal data related to movement of a company car and that the intrusion on the personal life of the data subject was limited to what was strictly necessary for the purpose of fulfilling a public task.

The DPA then assessed if the controller fulfilled its transparency obligations under Article 5(1) GDPR. Even though the controller did not deny relying on a faulty legal basis in the past, it has since then mended its legal basis including in the privacy policy.

The controller must be able to demonstrate its compliance with the processing principles at all times, implementing appropriate technical and organizational measures, as stipulated in Article 5(2) GDPR juncto Article 24(1) GDPR and Article 25(1) GDPR. The controller breached the accountability principle under Article 5(2) GDPR by not actualising its GPS tracking policy, nor informing its employees and by not requiring an acknowledgement of receipt by its employees. As the controller could not prove it had taken adequate technical and organizational measures, the DPA also concluded a breach of Article 24(1) GDPR and Article 25(1) GDPR.

Cookiebanner and cookie policy

The DPA also assessed the usage of non-strictly necessary cookies and recommended to implement a reject all button on all layers of the cookie banner. It held that the old cookie policy breached Article 4(11) GDPR, Article 5(1)(a) GDPR and Article 6(1) GDPR while the new one partially remedies these breaches.

Information obligation

Then, the DPA assessed the requirements of transparency and information of data subjects in the privacy policy under Article 12 GDPR, Article 13 GDPR and Article 14 GDPR. The DPA stated that the new privacy policy did not clearly state the retention period of the personal data as stipulated in Article 13(2)(a) GDPR. As such, the DPA concluded to a breach of Article 13(1)(c) GDPR and Article 14(2)(c) GDPR.

On top of that, the DPA held that the applicable legal basis was not included in a sufficiently precise way, resulting in a breach of the accountability principle of Article 5(2) GDPR and Article 24 GDPR.

Register of processing activities

The DPA concluded a historical breach of Article 30(1)(a) GDPR by not including the contact details of the data protection officer in the register of processing activities. The new register of processing activities did include these contact details either.

Role of the DPO

Regarding the role of the DPO, the DPA concluded no breach of Article 38(1) GDPR, Article 38(3) GDPR and Article 39(1) GDPR but a historical breach of Article 38(3) GDPR which has been remedied.

Conclusion

Put together, the DPA concluded a (historical) breach of the GDPR for following reasons:

Article 5(1a) GDPR, Article 6(1) GDPR, Article 24(1) GDPR and Article 24(2) GDPR for the GPS tracking system.

Article 4(11) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR,Article 6(1)(a) GDPR, Article 7(1) GDPRand Article 7(3) GDPR for the usage of non-strictly necessary cookies.

Article 12(1) GDPR, Article 12(6) GDPR, Article 13(1) GDPR, Article 13(2) GDPR, Article 14(1) GDPR, Article 14(2) GDPR, Article 5(2) GDPR, Article 24(1) GDPR and Article 25(1) GDPR for the information obligation.

Article 30(1)(a) GDPR for not including the contact details of the data protection officer in the register of processing activities.

Article 39(1) GDPR for the direct reporting to the highest management level. The DPA held that it cannot impose an administrative fine on a government body.

As such, the DPA reprimanded the controller but also held that most of the infractions have been remedied.

Comment

The Belgian DPA reversed the burden of proof in paragraph 117. as it stated that there were no concrete examples that allowed the DPA to conclude the DPO was not involved in a timely manner. It should come to the controller to prove the DPO was involved in a timely manner.

Further Resources

Share blogs or news Articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/35

Litigation room

Decision on the merits 15/2023 of 21 February 2023

File number : DOS-2021-03522

Subject : Complaint about the use of a geolocation system

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereafter WOG;

Having regard to the rules of internal order, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on

January 15, 2019;

Having regard to the documents in the file;

Made the following decision regarding:

The complainant: X, hereinafter “the complainant”;

The defendant: Y, hereinafter “the defendant”. Decision on the substance 15/2023/2023 - 2/35

I. Factual Procedure

1. On 31 March 2021, the complainant shall submit a complaint to the Data Protection Authority against

defendant.

The complainant was an employee of the defendant and in that capacity chief manager of one

service car. In this context, he received a personal note containing registered injection times

were compared with the vehicle's trip reports. The note stated that he has both his

private address, if that of his mother, visited a certain café and some random streets
which would constitute fraud. The complainant claims that he was not informed

of the geolocation system (GPS tracking) in the service vehicles, until he received the bill. This

according to the complainant, the geolocation system is also not mentioned in the work regulations

the complainant subsequently submitted a request for the dismissal of this personal note to the

mayor, but this was rejected. Consequently, the complainant has lodged this complaint.

2. On September 30, 2021, the complaint will be declared admissible by the First Line Service on

pursuant to Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG

submitted to the Disputes Chamber.

3. On 27 October 2021, in accordance with Article 96, § 1 WOG, the request of the

Disputes Chamber to carry out an investigation submitted to the Inspectorate,

together with the complaint and the inventory of the documents.

4. On 10 January 2022, the inspection will be completed by the Inspection Service, the report will be

appended to the file and the file is transferred by the Inspector General to

the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).

The report contains findings with regard to the subject of the complaint and states the

following violations:

a. violation of Article 5(1)(a) and (2) and Article 6(1) of the GDPR; and

b. violation of Article 5, Article 24(1) and Article 25(1) and (2) of the GDPR.

The report also contains findings that go beyond the subject of the complaint.

In general terms, the Inspectorate establishes the following infringements:

a. infringement of Article 4, 11), Article 5, paragraph 1, a) and paragraph 2, Article 6, paragraph 1, a) and Article 7, paragraph 1, and paragraph
3 of the AVG for the use of cookies that are not strictly necessary;

b. infringement of article 12, paragraph 1 and paragraph 6, article 13, paragraph 1 and paragraph 2 and article 14, paragraph 1 and paragraph, article

5 (2), Article 24 (1) and Article 25 (1) of the GDPR;

c. infringement of Article 30(1),(3) and (4) of the GDPR; and

d. violation of Article 38(1) and (3) and Article 39 of the GDPR. Decision on the substance 15/2023/2023 - 3/35

5. On February 4, 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98

WOG that the file is ready for treatment on the merits.

6. On 4 February 2022, the parties concerned will be notified by registered mail

of the provisions as stated in Article 95, § 2, as well as of those in Article 98 WOG.

They are also informed of the terms for their

to file defenses.

As regards the findings relating to the subject matter of the complaint, the

deadline for receipt of the statement of reply from the defendant

on 18 March 2022, those for the complainant's reply on 8 April 2022 and at

finally this one for the defendant's statement of defense on 29 April 2022.

As regards the findings that go beyond the subject of the complaint, the

deadline for receipt of the statement of reply from the defendant

on March 18, 2022.

7. On February 4, 2022, the complainant electronically accepts all communication regarding the case.

8. On February 7, 2022, the defendant electronically accepts all communications regarding the

case.

9. On March 18, 2022, the Disputes Chamber will receive the statement of defense from the

defendant with regard to the findings with regard to the object of the

complaint. This statement also contains the response of the defendant regarding the

findings made by the Inspectorate outside the scope of the complaint. In
his conclusions, the defendant disputes the findings regarding the unlawfulness of

the geolocation system does not. The defendant argues that since then she has a new

geolocation policy has been drawn up and approved. This will be communicated

to all employees involved. With regard to the third and fourth findings, the

defendant to have worked out a new privacy statement and cookie policy. This

new proposals are with the ICT and Communication services of the defendant for review
with the target date set for March 18, 2022. With regard to the fifth

determination, the defendant agrees that there is ambiguity about the

contact details of the DPO. This is clarified in the conclusions. Finally, the

the defendant that it is the intention that the annual report will be made available for information

on the agenda of the Board of Mayor and Aldermen and the Permanent Bureau after the

has been presented to the Joint Management Team. Furthermore, the officer presents
data protection issues formal advice to the City Council and the Council if necessary

for Social Welfare and/or to the Board of Mayor and Aldermen / the

Fixed desk. Decision on the substance 15/2023/2023 - 4/35

10. The Disputes Chamber does not receive a statement of reply from the complainant with regard to

the findings regarding the subject of the complaint. Then the

Litigation Chamber also no conclusions of the defendant's rejoinder with regard to the

findings regarding the subject of the complaint.

11. On September 28, 2022, the parties will be notified that the hearing will

take place on November 18, 2022.

12. On November 18, 2022, the party appearing will be heard by the Litigation Chamber. During the day

the hearing explains to the defendant what steps he has already taken in terms of

data protection since the submission of the complaint and the Inspectorate investigation.

13. On November 21, 2022, the minutes of the hearing will be sent to the party appearing

transferred.

14. The Disputes Chamber has no comments on behalf of the defendant

receive the report.

II. Motivation

15. The Disputes Chamber then assesses each of the findings included in the report

of the Inspectorate in light of the arguments put forward by the defendant in this regard

resources.

II.1. Article 5 (1) (a) and (2) of the GDPR and Article 6 (1) of the GDPR

II.1.1. Article 5 (1) a) and Article 6 (1) GDPR with regard to legality

16. The Litigation Chamber recalls that pursuant to Article 5(1)(a) GDPR personal data

must be processed lawfully, fairly and transparently. This means that the

processing must be based on the grounds for processing as set out in Article 6,

paragraph 1 GDPR. When personal data is processed lawfully, the

processing it properly. Finally, it must be clear for which
purposes personal data are processed and how this is done.

17. In further elaboration of this basic principle, Article 6 (1) GDPR states that personal data

may only be processed on the basis of one of the following legal grounds:

“a) the data subject has given consent to the processing of his

personal data for one or more specific purposes;

b) the processing is necessary for the performance of an agreement in which

the data subject is a party, or at the request of the data subject before the conclusion of

an agreement to take measures; Decision on the substance 15/2023/2023 - 5/35

c) the processing is necessary for compliance with a legal obligation

rests on the controller;

d) the processing is necessary to protect the vital interests of the data subject or of

to protect another natural person;

e) the processing is necessary for the performance of a general task

interest or of a task in the exercise of public authority
has been assigned to the controller;

f) the processing is necessary for the protection of the justified person

interests of the controller or of a third party, except when
the interests or fundamental rights and freedoms of the data subject

that require the protection of personal data outweigh those

interests, in particular when the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing by public authorities
in the exercise of their duties.”

Findings from the Inspection Report

18. The Inspectorate argues that the defendant has fulfilled the obligations imposed by Article 5(1)(a)

and paragraph 2 of the GDPR and by Article 6 of the GDPR. To this end, the

Inspectorate the following considerations apply:

a. “The program processes the number plate of the vehicle and

tracked, as well as the route followed. In principle, no names are given

directors, but a head of department knows in most cases

who is on the road with a vehicle.” It is clear from the complaint that the defendant

concretely processed personal data of the complainant for the preparation and

delivery of a note dated October 14, 2020.

b. The defendant does not clarify in its answer on what legal basis

the personal data of the directors are processed, despite the

express request in this regard from the Inspectorate.

Defendant's position

19. In its submissions, the defendant disputes these findings of unlawfulness

processing of personal data in the context of the geolocation system is not. He poses
take the necessary steps to avoid this in the future and until then the geolocation system

no longer usable.

20. During the hearing dd. November 18, 2022, the defendant explains the steps taken

since the submission of the above claims. Meanwhile, on September 21
Approved a revised and up-to-date geolocation policy in 2021, in which the legal basis and Substantive decision 15/2023/2023 - 6/35

purposes for the data processing at issue were included. As for the

legal basis of the geolocation system, the defendant relies on it

legitimate interest (Article 6(1)(f) GDPR) in being able to trace its service vehicles.
The defendant states that he has made an extensive weighing of interests between

on the one hand its interest in operationalizing and optimizing its services, and on the other hand

the interest of employees not to be subjected to excessive

processing of their personal data.

Review by the Litigation Chamber

21. The Litigation Chamber points out that the complaint relates to the control of the works

testing times in August and September 2020, but that the geolocation policy has been in place since
2009 until it was put on hold pursuant to the present proceedings.

22. The Disputes Chamber determines from the documents submitted by the defendant

that the processing of personal data collected through geolocation, by the defendant
started in 2009. On August 20, 2009, this geolocation system was discussed

during the meeting of the Special Negotiating Committee. In this context, it was

drafted an information document on the geolocation system on 19 August 2009.

A note on the modalities of the geolocation system and a step-by-step plan of the

its implementation was also drafted on August 19, 2009. After a collegiate
decision of the Board of Mayor and Aldermen was made on September 28, 2009

internal service note transferred to the staff, after which the geolocation system is switched on

came into effect.

23. It is important to note that the information document predates the
entry into force of the GDPR. Thus, no account could be taken of its creation

be taken into account with the obligations under the GDPR, but with the obligations

arising from Directive 95/46/EC, the legal predecessor of the GDPR. In the

information document therefore describes the installation and use of it

geolocation system tested against the principles of purpose limitation, proportionality and
transparency. The Disputes Chamber concludes from this that the defendant has made a decision

has made to protect the right to privacy of the data subjects as much as possible

to protect. Also on September 28, 2009, an internal service note was distributed

within the Implementation service in which the geolocation system is explained. In this note

the various purposes are described, including combating unauthorized
use of service vehicles as well as mapping the movements so that the

proper and correct execution of the agreed work can be checked. The

note explains which data can be obtained by the geolocation system

(location of the car in real time, route traveled per day and per vehicle, etc.). In the note

it is also stated that only the heads of service have access to the Substantive Decision 15/2023/2023 - 7/35

geolocation data via a license and login code. All the above information,

including examples of reports and a step-by-step implementation plan

transferred to the staff.

24. The GDPR has been applicable since 25 May 2018. The processing of personal data via

the geolocation system should therefore be based on a foundation as specified in

Article 6, paragraph 1 GDPR and the processing had to be done in accordance with the

principles from Article 5 (1) GDPR. It belongs to the controller

to indicate a lawful basis for its processing. This requirement also makes

part of the principles of legality and transparency that he must apply

(Article 5(1)(a) of the GDPR - as explained in Recital 39 of the GDPR).

Since different effects follow from one or the other legal basis, with

in particular with regard to the rights of the data subjects, it should be clear to the data subjects

on which legal basis the disputed processing is based. Serving those involved

therefore be informed of the legal basis of the processing in accordance with the

Articles 13 (1) (c) and 14 (1) (c) of the GDPR. As determined by the Inspectorate

the aforementioned 2009 information document does not state on what legal basis the

personal data of the directors are processed after they have been sent via the

geolocation system are collected, despite the express requests of the

inspection service in this regard. The defendant does not dispute this finding in its submissions.

25. In view of the above, namely the lack of identification of the appropriate

lawful basis for collecting and processing geolocation data

of the complainant, the Litigation Chamber concludes that the defendant has committed an infringement

to Articles 5(1)(a) and 6 GDPR as regards the period from 25 May 2018

to cessation of the processing operations in question following the findings of the

Inspection Service. In the present case, the Disputes Chamber finds that the defendant has already

was aware of the need to adjust the geolocation policy even before the

complaint was filed in this case, as a result of which the defendant acted negligently.

The Litigation Chamber considers it to be part of the normal expectation pattern of

a citizen whose data is processed by the government, who at the same time also their

employer is that the obligations under the AVG and other legal provisions -

proactive - be complied with. After all, the starting point should be that the defendant, just

like any other controller, makes every effort to

process personal data in a correct manner in accordance with the

applicable regulations and does not adopt a wait-and-see attitude and therefore does not merely follow

1
See decision grounds 38/2021 of 23 March 2022, para 43, available via the web page
https://www.dataprotectionauthority.be/professioneel/publicaties/besluiten.
2See decision on the merits 47/2022 of 4 April 2022, para 113 and decision 48/2022 of 4 April 2022, para 125 and 219,
available via the webpage https://www.dataprotectionauthority.be/professioneel/publicaties/besluiten. Decision on the substance 15/2023/2023 - 8/35

intervention of the Data Protection Authority takes action for that adjustment
3
to accomplish. However, the Disputes Chamber also takes into account the fact that the

defendant, already took into account when drawing up its geolocation policy in 2009

taking into account the principles of finality, proportionality and rights of those involved.

In addition, the 2009 geolocation policy transparently informs the

those involved in the installed geolocation system.

26. During the hearing, the defendant points out that the geolocation policy was adopted in 2021

altered. This new policy explicitly explains that the geolocation system

is based on the legal basis of the legitimate interest as understood in Article 6, paragraph

1, f) GDPR. Consequently, the Litigation Chamber must verify whether the legitimate interest ex

Article 6 (1) f) GDPR can serve as the legal basis for such processing by the

defendant.

27. The last sentence of Article 6 (1) f) GDPR stipulates that this legal basis of the

legitimate interest does not apply to the processing of personal data by

government authorities in the exercise of their duties. The question therefore arises whether

the defendant can rely on this legal basis for the geolocation system.

28. Since the defendant is a government agency, the above must be assessed

in light of the principle of conferral of administrative powers, it

principle of the specialty of legal persons and the principle of legality, which the

determines the conditions under which the administration can interfere with the right to
protection of privacy, of which the right to protection

personal data is part. 4 According to the principle of the allocation of

administrative powers, which is enshrined in Article 105 of the Constitution and Article

78 of the Special Institutional Reform Act of August 8, 1980, the

administrative authorities have no powers other than those formally vested in them

granted by the Constitution and the laws and decrees that are thereunder

issued. Furthermore, the specialty principle of legal entities states that each

legal entity may only act to achieve the purpose or purposes

achieve for which it was established, provided that only a legislature

standard can entrust a legal entity with a public service mission. The Council of

State, in its opinion on the draft law "on the protection of

natural persons with regard to the processing of personal data".

that "the passing of data from one government agency to another is a form of

interference with the right to the protection of privacy of the

3 See also decision 141/2021 of 16 December 2021, available on the web page
https://www.dataprotectionauthority.be/professioneel/publicaties/besluiten.

4The CPP has already pointed this out in its advice on the preliminary draft law that has become the WVG. See CPP, Advice
No. 33/2018, p. 44 Decision on the substance 15/2023/2023 - 9/35

data subjects. Under Article 8 of the European Convention on Human Rights and

Article 22 of the Constitution, as interpreted in the settled case-law of the

Constitutional Court, such interference must in particular have a legal basis

are proportionate to the objective pursued and are sufficient

organized in a clear way so that it is foreseeable for the citizen".

29. In short, a government agency may only process personal data if this is the case
processing is necessary for compliance with an obligation imposed by or pursuant to a

legal provision has been imposed on one of the controllers (Article 6 para

1, c) GDPR) or if this communication is necessary for the performance of a task of

public interest assigned to one of the controllers by or

pursuant to a law (Article 6(1)(e) GDPR). The Disputes Chamber will determine as much as necessary

points out that it cannot be ruled out that in limited cases a public authority may appeal

do on Article 6(1)(f) but that this for the geolocation system as described by

the defendant is not possible. The legal basis from Article 6(1)(f) GDPR (legitimate

interest) cannot apply to the processing at issue.

30. In order for a controller to be able to rely on Article 6(1)(e) of the GDPR,

professions to process personal data, this processing must be necessary for

the fulfillment of a task of general interest or of a task within the framework of the

exercise of public authority vested in the controller

assigned.

31. The Disputes Chamber notes that the AVG offers no starting point for the

answering the question to what extent understanding "processing necessary for the

performance of a task in the public interest" would also include human resources management.

32. However, a clear starting point for a broad interpretation of this concept is possible

found in Regulation (EU) No. 2018/1725 of the European Parliament and the
Council of 23 October 2018 on the protection of natural persons

with the processing of personal data by the institutions, bodies and authorities of the

Union and the free movement of such data, and repealing Regulation (EC) No.

45/2001 and Decision no. 1247/2002/EC, recital 22 of which reads: "[...]. The processing of

personal data for the performance of the tasks assigned by the institutions or bodies of

the Union in the public interest includes the processing of the

management and operation of those institutions and bodies [...]".

33. From this consideration, the Litigation Chamber deduces that Article 6(e) GDPR is not alone

relates to processing operations that are necessary for the fulfillment of

5 Advice of the Council of State no. 63.192/2 of 19 April 2018, in Parl. St., K., Regular Session, 2017-2018, no. 54-3126/001, p.
421-422 Decision on the substance 15/2023/2023 - 10/35

the task of public interest in the strict sense, but also to processing that is necessary

for the performance of duties directly related to that duty of general

interest, including those necessary for the management and operation of the

bodies entrusted with that task of general interest.

34. The Knowledge Center of the GBA has already confirmed that the processing of

personal data by a government in the context of the management of its personnel

means can take place on the basis of 6 (1) e) GDPR provided that the taken

measures are actually necessary. 6

35. In view of the above, the Litigation Chamber concludes that the concept of "processing that

necessary for the performance of a task carried out in the public interest".

to be interpreted. Consequently, the notion of “processing is necessary for the

performance of a task of public interest” refers to processing that is necessary

are for the fulfillment of the task of general interest in the strict sense, but also on

processing that is necessary for the performance of tasks that are directly related

with that task of public interest, including those necessary for

the management and functioning of the bodies entrusted with that task of general interest.

Since the defendant without personnel and associated management of human resources

could not perform its tasks in the public interest, processing of

personal data in the context of personnel management should also be based on

Article 6 (1) e) GDPR.

36. In order to legitimately rely on the legal basis of Article 6(1)(e) GDPR

personal data may therefore only be processed if this is necessary for the

performance of a task in the public interest or if it is necessary for the exercise

of the public authority entrusted to the controller. The processing must

in these cases always have a basis in the law of the European Union or that of the

Member State concerned, which must also state the purpose of the processing. Consequently, there must be

whether these conditions are met in this case.

37. Pursuant to Article 6(3) and Recital 45 of the GDPR, processing based on

Article 6(1)(e) GDPR meet the following conditions:

a. The controller must be responsible for fulfilling a

assignment of public interest or an assignment that forms part of the

exercise of public authority on any legal basis, regardless

6See o.a.GBA, recommendation02/2020 of 31 January 2020 on the scope of the obligation to establish a protocol
to formalize the communications of personal data by the federal public sector
https://www.dataprotectionauthority.be/publications/aanbeveling-nr.-02-2020.pdf.
7
GBA, recommendation02/2020 of 31 January 2020 on the scope of the obligation to conclude a protocol
to formalize the communications of personal data by the federal public sector
https://www.dataprotectionauthority.be/publications/aanbeveling-nr.-02-2020.pdf. Decision on the substance 15/2023/2023 - 11/35

whether it is in the law of the European Union or in the law of the Member States

contained;

b. The purposes of the processing are determined in the legal basis or must be

are necessary for the performance of the public interest assignment or the

exercise of public authority.

38. The Litigation Chamber will determine the conditions of public interest, legal basis and

assess necessity below.

Public interest task

39. In this case, the defendant adopted the geolocation policy in order, on the one hand, to

professional use of the service vehicles and the proper execution of it

to check assigned work within the planned work schedule and, on the other hand, to check the

monitor staff in the performance of their duties. The Disputes Chamber is therefore of

believes that the public interest lies in scarce government resources, in this case the

deploy fleet and personnel efficiently and to prevent fraud and misuse of services

so that these resources can be used for the performance of the tasks
8
assigned to the municipality.

A clear, precise and predictable legal basis

40. According to recital 41 of the GDPR, this legal basis or legislative measure

be clear and precise and its application must be for the litigants

be foreseeable, in accordance with the jurisprudence of the Court of Justice of the

European Union (hereinafter: Court of Justice) and the ECHR. The European Court of the Rights of

de Mens (hereinafter: ECHR) used the concept of predictability in the Rotaru judgment

legal basis specified. Since that case involved surveillance systems

of a state's security apparatus, the context of the present case differs. In

in other cases, the ECtHR has indicated that it adheres to these principles

can be guided, but it considers that these criteria, which in the specific context of

that specific case have been established and followed thus not as such on all cases of

be applicable.

11
41. Pursuant to article 186, §1 of the Local Government Decree, the municipal council of each

municipality determines the legal status of municipal employees. The city council and

the council for social welfare establish a joint deontological code

for the staff. This concretises the provisions included in the Local Decree

8See by analogy recital 47 of the GDPR.

9 ECtHR, 4 May 2000, Rotaru v. Romania.
10 ECtHR, 2 September 2010, Uzun v. Germany, § 66.

1 Decree on Local Government of 22 December 2017, BS 15 February 2018. Substantive decision 15/2023/2023 - 12/35

Board and can assume additional deontological rights and obligations,

in accordance with the organizational management system, as stipulated in articles 217 and
12
220 of the Local Government Decree The organizational system to be

adopted by each municipality is described as the set of measures and

procedures designed to provide reasonable assurance that one:

1°knowingandcontrollingthedefinedobjectivesachievedtheriskstoachievethese;

2° comply with legislation and procedures;

3° has reliable financial and management reporting;

4° works in an effective and efficient manner and the available resources are economical

stake;

5° protects the assets and prevents fraud. 13

42. In view of the above, the defendant is under a statutory obligation to take measures

and procedures in relation to its organization to ensure that they are on

works efficiently with an economic use of resources and prevents fraud,

without explicitly specifying how this should be done concretely.

43. The Litigation Chamber has already pointed this out in decision 149/2022 dd. 18

October 2022 14 that tasks of public interest or public authority with which

controllers are in charge, often not based on accuracy

defined obligations or legislative standards, which define the essential features of the

capture data processing. Rather, processing takes place on the basis of a

more general authorization to act, such as for the fulfillment of the task that

is necessary, as is also the case in this case. This leads to the relevant legal

basis in practice often does not contain any concretely defined provisions regarding the

necessary data processing. Controllers who are based on

want to invoke such a legal basis on Article 6 (1 e) GDPR, you must do so yourself

verify whether the processing is necessary for the task of public interest and interests

of those involved.

Necessity

44. Pursuant to Article 6(1)(e) GDPR, processing is lawful only if and for

insofar as the processing is necessary for the performance of a task of public interest or

of a task in the context of the exercise of public authority vested in the

controller is instructed. Contains as explained above

1Article 193, §1, second paragraph Decree on Local Administration.
13
Article 217 Decree on Local Government.
14See also decision 124/2021 dd. 10 November 2021. Decision on the substance 15/2023/2023 - 13/35

legislation often lacks concretely defined provisions regarding the necessary

data processing.

15
45. The Court of Justice ruled on this condition of

necessity:

“Having regard to the aim of providing equivalent protection in all Member States, the concept

necessity as it emerges from Article 7(e) of Directive 95/46, which a

want to provide precise delineation for one of the cases in which the processing of

personal data is permitted, i.e. does not have a content that differs from Member State to Member State

member state. It is therefore an autonomous concept of Community law, which must be

be interpreted in a way that fully fulfills the purpose of the directive such as
16
defined in Article 1(1).’

46. The Advocate General also stated in his Opinions that “[t]t

concept of necessity [has] a long history in Community law and a

an integral part of the proportionality criterion. It means that the authority that

adopts a measure to achieve a legitimate aim that

Community law affects guaranteed rights, must demonstrate that this measure is the

least restrictive to achieving this goal. In addition, when the processing of

personal data can lead to an infringement of the fundamental right to respect for the
privacy, Article 8 of the

European Convention for the Protection of Human and Fundamental Rights

freedoms (ECHR), which guarantees the right to respect for private and family life.

As the Court has stated in its judgment in ÖsterreichischerRundfunke.a., a national

regulation that is not in accordance with Article 8 ECHR, also does not comply with the provisions of Article 7, sub e, of

requirement laid down in Directive 95/46. Article 8(2) of the ECHR provides that interference with the

private life is permitted to the extent that it serves one of the purposes listed herein

is pursuedand this is “necessary in a democratic society”.According to the

European Court of Human Rights holds the adjective “necessary”

in that a "compelling social need" for a particular action by the

government exists and that the measure is proportionate to the legitimate aim pursued.

47. This case law formulated in relation to Article 7(e) of Directive 95/46/EC

remains relevant to this day. Article 6(1) of the GDPR takes over the wording from

Article 7 of Directive 95/46/EC.

15 CJEU, Heinz Huber t. Bundesrepublik Deutschland, December 16, 2008, C-524/06.
16 CJEU, Heinz Huber t. Bundesrepublik Deutschland, December 16, 2008, C-524/06, para. 52. Decision on the substance 15/2023/2023 - 14/35

48. The Court of Justice has also clarified that if there are realistic and less
17
are radical alternatives, the treatment is not "necessary".

49. The Litigation Chamber must therefore assess whether installing the

geolocation system was necessary for the aforementioned public interest and whether there

other less invasive options were to pursue the aforementioned public interest

aim.The necessity of a geolocation system is apparent from the fact that the report

of the meeting of the special negotiating committee of the defendant in which the

geolocation system was explained and discussed, mentions that the organization of the

fleet of the A should be better monitored as there were quite a few in the past

have been incidents that could not pass the bracket. Since these incidents

relate to movements outside the premises or domains of the defendant,

states that it is impossible for him to verify in any other way whether the

fleet is used optimally and to detect and prevent possible fraud.

The geolocation system aims to put an end to these practices.

18
50. Recently, the ECtHR has ruled in Florindo de Almeida Vasconcelos Gramaxot. Portugal
spoke out about the use of geolocation systems for professional

track movements. The ECtHR states that, by using only the geolocation data that

relate to the professional displacements, to handle, the interference on it

right to protection of private life was limited to what was necessary for the

defense of the public interest of the defendant. The Disputes Chamber states that it

processing of personal data via a geolocation system is therefore only possible

in the specific circumstances set out in this judgment. In the present case, the

findings of the ECtHR apply by analogy. The processed

personal data also only relates to professional travel, with a

service car, which is necessary for the promotion of the public interest, te

know how to prevent fraud and the proper management of public funds.

51. In view of the above, the geolocation system does indeed constitute an interference

the right to protection of the private life of those concerned, but this one is earlier

limited.The Litigation Chamber notes that, if the processing of geolocation data
20
happens under the conditions set, namely with regard to professional

movements within working hours with a service car and limited to the data that

1CJUE,Volker&MarkusScheckeGbRenHartmutEifertt.LandHessen,9November2010,joint casesC‑92/09

and C‑93/09
18 ECtHR, 13 December 2022, Florindo de Almeida Vasconcelos Gramaxo v. Portugal, para 120-122.
19In the judgment in Florindo de Almeida Vasconcelos Gramaxo v. Portugal, it concerned a company car that could be used

for private and professional trips, but only the geolocation data of the professional
transfers could be processed by the employer.
20In the judgment in Florindo de Almeida Vasconcelos Gramaxo v. Portugal, it concerned a company car that could be used
for private and professional trips, but only the geolocation data of the professional
transfers could be processed by the employer. Decision on the substance 15/2023/2023 - 15/35

are necessary, with the necessary guarantees that the processing of the data collected

is done in accordance with the basic principles of Article 5 (1) GDPR, which in addition

explained transparently, this system constitutes a less invasive interference than

other methods of surveillance. Moreover, for the defendant there is no other
feasible method to monitor the cars and the service movements in the context of

the goals mentioned above. In addition, only consultation will be possible due to a limited

number of persons described in the geolocation policy and if there is a specific

there is reason to.

II.1.2. Article 5(1)(a) GDPR with regard to transparency

52. When the controller bases processing on the public interest,

then he must be transparent about this because of, among other things, the public interest pursued

name, make clear for what purposes the personal data are processed,

which personal data is processed, whether the data is shared with others

parties and how long the personal data is kept.

53. As already mentioned, the defendant has drawn up a new geolocation policy. During the day

the hearing provides the defendant with a draft of this amended

geolocation policy. In this, the defendant explains and explains the legal basis and purposes

he explains how the geolocation system works and how the people involved
prior to moving with a vehicle equipped with such a system

to verify its presence. In addition, the policy determines which data is there

and not processed and for what purposes this data is processed and for

which purposes it is not (such as checking speed limit compliance, a

monitor employee permanently, etc.). Next, the geolocation policy clarified

who has access to the personal data, how access can be obtained
by these persons (such as via a login code) and the retention period of the data. The

Defendant notes that the new geolocation policy has yet to be approved

– early 2023 – after which the geolocation system can be started. In this context

the defendant will develop a process to explain this new policy to all

persons involved, for which a signature will be required for acknowledgment.

54. The Disputes Chamber is of the opinion that the mere fact that the defendant is not the correct one

lawful basis has applied in the past the processing in the future

not necessarily invalid. The Litigation Chamber notes that it is as above

described collection and processing of geolocation data may be lawful,

if the appropriate legal basis is correctly determined and the above
transparency obligations in this regard are complied with by the defendant

of its staff. The Disputes Chamber refers to the design of the new

geolocation policy approved by the city council on September 21, 2021. Substantive decision 15/2023/2023 - 16/35

Since only the data related to the movements carried out in the context of
the performance of (certain aspects of) the job, is the degree of interference with the law

on data protection limited to what is necessary to protect the public interest

pursuit, namely the proper organization and management of public funds of the

defendant on the other. The Disputes Chamber therefore states that the processing of

personal data collected through a geolocation system can be done by the

defendant provided that the conditions of Article 6(1)(e) are met.

II.2. Article 5 of the GDPR, Article 24(1) of the GDPR and Article 25(1) and (2) of the
AVG

II.2.1. Article 5 (2) GDPR, Article 24 (1) and Article 25 (1).

55. The Litigation Chamber recalls that each controller has the

basic principles on the protection of personal data as understood in Article 5,

must comply with paragraph 1 GDPR and must be able to demonstrate this. That follows from the

accountability in Article 5(2) GDPR in conjunction with Article 24(1) GDPR as
21
confirmed by the Litigation Chamber.

56. Based on Articles 24 and 25 of the GDPR, the defendant must take appropriate technical and

take organizational measures to ensure and be able to demonstrate that the

processing takes place in accordance with the GDPR. The defendant must do so

effectively implement data protection principles, the rights of data subjects

as well as only process personal data that is necessary for each

specific purpose of the processing.

57. As part of its investigation, the Inspectorate assessed to what extent the

the defendant has taken the necessary technical and organizational measures to

comply with these principles from Article 5 (1) GDPR and in particular the principle of

legality and transparency (see II.1). In this regard, the Inspectorate decides that the

the defendant has not sufficiently demonstrated that he has taken the necessary measures

so that the incontestable processing takes place in accordance with article 5, paragraph 1a) and article

6 (1) GDPR, since the Inspection Service has concluded that the processing

were inconsistent with these principles.

58. During the hearing, the defendant explained that a new

geolocation policy has been drawn up and approved. This is the next step in the process

to communicate to all employees involved, according to the defendant. In this way

the defendant wanted to comply with the guidelines on making the way of transparent

work towards employees.

21 Decision on the merits 34/2020 of 23 June 2020 available via the web page
https://www.dataprotectionauthority.be/professioneel/publicaties/besluiten. Decision on the substance 15/2023/2023 - 17/35

59. The Litigation Chamber ruled in part II.1 that there was indeed an infringement

to Article 5(1)(a) GDPR with regard to legality for the period between 25 May

2018 and when the defendant ceased the processing at issue. For

with regard to the transparency principle, the Litigation Chamber notes that in the
geolocation policy from 2009 and the accompanying internal memorandum show that the

employees have been informed, but the defendant does not show that they

in this respect complies with accountability since the entry into force of the GDPR,

for example by updating the geolocation policy

and request confirmation of receipt from the employees concerned. As

already explained above, the defendant had to check on its own initiative whether
he complies with the obligations under the GDPR from 25 May 2018. The Disputes Chamber also states

established that the defendant could not demonstrate that he had the necessary technical and organizational

has taken measures to comply with the principle of legality and the

principle of transparency as understood in Article 5(1)(a) GDPR since 25 May 2018. Therefore

the Disputes Chamber rules that there is a violation of Article 5(2) in this context

Article 24 (1) and Article 25 (1) GDPR.

II.2.2. Article 5 (1) GDPR

60. Although Article 5(1) and (2) GDPR are closely linked, any one means

violation of the accountability obligation of Article 5 (2) GDPR is not automatically also a

Violation of Art. 5 (1) GDPR. After all, accountability is the formal one
externalization through documents to ensure compliance with the material

basic principles of the GDPR.

61. As regards compliance with Article 5(1)(a), the Litigation Chamber refers to section II.1

of this decision. As regards the basic principles contained in Article 5(1),
b)t.e.m.f)does the Dispute Chamber not have sufficient elements to make an assessment

to go over.

II.3. Article 4, 11) of the GDPR, Article 5, paragraph 1, a) and paragraph 2 of the GDPR, Article 6, paragraph 1, a) of the
GDPR and article 7, paragraph 1 and paragraph 3 of the GDPR for the use of non-strictly necessary
cookies

62. Based on Article 4, 11), Article 5(1)(a) and (2), Article 6(1)(a) and Article 7(1) and (3)

GDPR, it is necessary that the controller who invokes the consent

as a legal basis for the processing, can demonstrate that the data subject has effective consent

has given. Article 7, paragraph 3 GDPR sets strict conditions for withdrawing a

valid permission.

II.3.1. Findings from the Inspection Report Substantive decision 15/2023/2023 - 18/35

63. The Inspectorate first established that there could be no question of a valid

consent to the placement of cookies that are not strictly necessary, given on the one hand the

interface design of the cookie banner and, on the other hand, the flawed information in it

cookie policy. Secondly, the Inspectorate finds that the defendant did not comply with
the conditions regarding the withdrawal of a valid consent.

64. With regard to the consent process and more specifically the interface of the

cookie banner, the Inspection Service determines that a data subject on the cookie banner two

options for the use of cookies that are not strictly necessary, namely
on the one hand 'continue' and on the other hand 'more info'. These were not on an equal footing

way. In addition, the choice was missing in the cookie banner that came with the

opening the website allows data subjects to use not strictly necessary

cookies in the first information layer by refusing one click.

65. With regard to the transparency obligations in the context of an informed

permission, the Inspectorate has determined that the defendant's data subjects

did not receive transparent information about the consequences for their personal data

the use of cookies. After all, the defendant was informed by the parties involved in the

cookie window is not given an explanation of the consequences of their choice. The privacy statement

of the defendant provided only vague information about the consequences for them
personal data through the use of cookies by the defendant, such as which are not strict

necessary cookies exactly the defendant uses on its website and what the purposes

of the processing of the personal data of the data subjects for each of them

cookies; how long the personal data of the data subjects that were processed via not

Strictly necessary cookies are stored on the defendant's website or which ones

the criteria are for determining that period; what concrete steps should be taken by those involved
if they wanted to change the cookie settings via their internet browser.

66. Finally, no explanation was given to data subjects in the cookie window about how a

given consent can be withdrawn.

67. In view of the above, the Inspectorate has determined that there are no legally valid

consent within the meaning of Article 5, Article 6 (1) a) and Article 4.11) in conjunction with Article 7 GDPR

asked the website visitors for the use of not strictly necessary

cookies, which means that it cannot be demonstrated either.

II.3.2. Defendant's position

68. First, the defendant emphasizes that the process of updating its cookie and

cookie policy had already started, even before he was informed of the findings

of the Inspection Service and shortly afterwards the new cookie and cookie policy
implemented on the website and the consent policy regarding the use of Decision Substance 15/2023/2023 - 19/35

cookies on the website. The cookie banner has been adjusted so that the data subject

is no longer steered in a certain direction with regard to the placement of

analytical and other not strictly necessary cookies. The person concerned can also contact any

visit the website in a simple way to adjust his preferences again via a link
'cookie settings' at the bottom of the website. By way of illustration, the defendant makes several

screenshots about.

69. With regard to these findings, the defendant argues that a new cookie policy

was worked out. At the time of drafting the conclusion, the proposal was with its services
ICT and Communication for review and implementation was scheduled for March 18, 2022.

During the hearing, the defendant admits that the new cookie policy is now transparent

explains which cookies are used, for what purposes this happens, what

what happens to the collected data, how the data subject can manage its use,

when the defendant passes the cookies on to third parties and under which

conditions this would happen. The defendant also points out that in the new cookie policy
it is indicated how the data subject can determine via the browser settings how the

web browser handles cookies. Furthermore, the new cookie policy informs the

data subject about his rights and about the possibility of contacting the

defendant as controller, or with the officer for

data protection, and how the visitor can manage its use, when the

cookies are passed on to third parties and, if applicable, under what conditions.
Finally, the new cookie policy also informs users about their rights and the

possibility to contact the defendant as data controller,

or with the data protection officer.

II.3.3. Review by the Litigation Chamber.

70. With regard to legal consent within the meaning of the aforementioned articles,

the Litigation Chamber determines that the interface of the cookie banner and the cookie policy

were indeed adjusted since the Inspection Report, as indicated by the

defendant at the hearing. Although the adjustments were only made after the

intervention of the Inspectorate, which does not detract from the earlier

findings of the Inspectorate, the Litigation Chamber will only discuss the new ones below
cookie banner and review the new cookie policy. by the Inspectorate

the established infringements were after all clear and were not contested by the defendant.

71. The Litigation Chamber will first assess the consent process, in particular the interface

of the cookie banner and the information obligations regarding the cookies in the cookie policy.
Subsequently, the Litigation Chamber will check whether the conditions regarding the withdrawal of the

valid permission was respected. Decision on the substance 15/2023/2023 - 20/35

1. Consent lawfully given

72. Before examining whether there is valid consent in the present case,

reminds the Litigation Chamber of the conditions that must be met in order for a

legally valid consent. Article 5.3 of the ePrivacy Directive , 22

as transposed in article 10/2 of the law of 30 July 2018 on the protection of

natural persons with regard to the processing of personal data (hereinafter:

Data Protection Act). 23 stipulates that the consent of the data subjects is required

for placing the cookies, except when it concerns strictly necessary cookies.

73. Recital 17 of the ePrivacy Directive clarifies that for the application of the concept

“consent” should have the same meaning as “consent of the data subject” such as

defined and specified in the Data Protection Directive 95/46/EC (which is now

replaced by the GDPR). This was also clarified in guidelines on consent

by the Data Protection Group. 24

74. Article 4, 11) GDPR defines “consent” of the data subject as “any free, specific,

informed and unambiguous expression of will by the data subject by means of a

statement or an unequivocal active act concerning him processing of

accepts personal data”.

75. Article 7 GDPR stipulates the conditions applicable to the consent:

1. When processing is based on consent, the controller must

be able to demonstrate that the data subject has given consent to the processing of

his personal data.

2. If the data subject gives consent in the context of a written statement that

also relates to other matters, the request for consent shall be submitted in

an intelligible and easily accessible form and in clear and plain language

presented in such a way that a clear distinction can be made from the others

matters. When any part of such statement constitutes an infringement

to this regulation, this section is not binding.

3. The data subject has the right to withdraw his consent at any time. Withdrawing

of the consent leaves the lawfulness of the processing based on the

consent before its withdrawal. Before being the data subject

consents, he will be notified thereof. Withdrawal of consent

is as simple as giving it.

22Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of
personal data and the protection of privacy in the electronic communications sector (Directive
on privacy and electronic communications), OJ L 201, 31.7.2002
23Law of 30 July 2018 on the protection of natural persons with regard to the processing of

personal data, B.S., September 5, 2018.
24EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, 4 May 2020, i.a. para.7. Decision on the substance 15/2023/2023 - 21/35

4. When assessing whether consent can be freely given, the

take into account, among other things, the question whether for the implementation of a

agreement, including a service agreement, requires consent

a processing of personal data that is not necessary for the implementation of that

agreement.

1.1 Consent lawfully given: cookie banner

76. With the new cookie banner, the visitor to the website is given the choice of, on the one hand, the

manage or otherwise agree to cookie preferences (i.e. all not strictly

accept necessary cookies = global opt-in button). When you click on the

option 'Manage cookie preferences', more information appears about the cookies that are used

are divided into the following three categories: “necessary”, “analytical cookies” and

"cookies with your preferences" where information is always given in understandable language about

the purpose of these cookies. The data subject can therefore, as far as the not strict

necessary cookies, give the consent per above category. So there is none

button present at the same level as the global opt-in button where the

can refuse permission for all non-strictly necessary cookies. Referring to it

Report of the Task Force Cookie Banner of the European Data Protection Board (EDPB) , 25

the Disputes Chamber notes that these adjustments to the new cookie banner are already a step

are in the right direction with regard to the findings of the Inspectorate with

regarding the old cookie banner.

77. For the sake of completeness, the Disputes Chamber notes the following matters. First

the aforementioned Task Force Cookie Banner report clarifies the rules regarding a

legally given consent. There should be a button for rejecting all non-strict

necessary cookies to be available at the same level of information as the global opt-

on the first layer of information, for example by buttons titled “accept all”

and “reject everything”. At the moment, the new cookie banner only provides an opt-in button

but no global button to deny permission. In view of the publication of this report

after closing the debates, the Litigation Chamber formulates the above as

recommendation.

78. Secondly, the Disputes Chamber also notes that in the new cookie banner the button “my

manage choice” is white, like the background of the cookie banner, while the button “all

accept cookies” has a turquoise background, which contrasts with the white one

background, and thus directs the data subject to accept all cookies. For as much as

25 EDPB, Report of the work undertaken by the Cookie Banner Taskforce, January 17, 2023,
https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf.
26
EDPB, Report of the work undertaken by the Cookie Banner Taskforce, January 17, 2023,
https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf Decision on the substance 15/2023/2023 - 22/35

necessary, the Litigation Chamber points out that the aforementioned report of the Cookie Banner Task

ForceoftheEDPBstatesthatthismayconsideraninvalidconsent,butthatthiscase

must be assessed on a case-by-case basis. In view of the publication of this report after the close of

the debates, the Litigation Chamber formulates the above as a recommendation.

1.2 Consent lawfully given: cookie policy

79. The Litigation Chamber notes that the cookie policy has been amended in accordance with the

most of the Inspectorate's comments. The Disputes Chamber takes this

deed and will now only discuss the new cookie policy. Although the new cookie policy

even if steps are taken in the right direction compared to the old cookie policy that was examined

by the Inspectorate, it is recommended that the following elements

also to provide for the new cookie policy. First, the Disputes Chamber determines

that the cookies present are divided into the following three categories: necessary,

analytical and cookies with preferences. The Litigation Chamber finds that in the category

'cookies with your preferences' contains cookies with different purposes. So would the

cookies with the purpose of collecting user feedback to improve our website

improve, better placed in the category of analytical cookies, while the cookies

for the purpose of “capturing your interests in order to provide tailored content and

to be able to offer offers' have marketing as their purpose. Considering the principle of

granularity, the Litigation Chamber formulates the recommendation to classify the cookies

'cookies with your preferences' can also be classified per objective. This allows the person concerned

to make a more nuanced choice. Secondly, the Litigation Chamber notes that

it is not clear from the cookie policy to whom the data collected via the cookies

is being sent. The Litigation Chamber also recommends that these recipients also be registered

include in the cookie policy. Finally, the Disputes Chamber points out that with the

browser settings no valid consent can be collected regarding the

AVG.On the one hand, because the users cannot (yet) give permission according to

the purposes pursued by the different types of cookies. The permission given through the

browser settings is therefore not sufficiently specific with regard to the
28
requirements of the GDPR. On the other hand, because the browser settings can default

provide for the acceptance of the cookies, without the data subject being aware of this

is, as a result of which the consent does not constitute an explicit active act and is therefore not

is legally valid within the meaning of the GDPR.

27 EDPB, Report of the work undertaken by the Cookie Banner Taskforce, January 17, 2023,
https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf, p. 6 and 7.
28
See also theme Cookies on the website of the GBA, which can be consulted via
https://www.dataprotectionauthority.be/professioneel/thema-s/cookies. Decision on the substance 15/2023/2023 - 23/35

80. In view of the above, the Disputes Chamber rules that there was an infringement

to Article 4, 11), Article 5, paragraph 1, a) and Article 6, paragraph 1 GDPR, and that these have been partially remedied

became.

2. Withdrawal of a given consent

81. With regard to the transparent information about the withdrawal of a data

consent to the use of cookies that are not strictly necessary, remembers the

Litigation Chamber that the data subject has the right under Article 7(3) GDPR

has to withdraw his consent at any time, and that the withdrawal of the

consent should be as simple as giving it. The person concerned must do so

shall be notified of this right under the same provision, before he is

gives permission.

82. In this context, the Litigation Chamber notes that at the bottom of the website a link 'cookie

settings' is available, whereby the data subject returns to the above

selection menu from the cookie banner regarding the consent of the categories of cookies.

According to the aforementioned Cookie Banner Task force report, the website

provide readily available options to withdraw consent, at any time

moment, such as by placing a link in a visible and obvious place. 29 The link

"cookie settings" is located at the bottom of the defendant's website, where common

the links to the privacy policy and cookie policy are there, and the link is at any time

accessible. The Disputes Chamber therefore concludes that the defendant is transparent

provides information and functionality about withdrawing a given consent

the use of cookies that are not strictly necessary in accordance with Article 7 (3) of the GDPR.

83. In view of the above, concludes that there is no longer any infringement of
Article 7, paragraph 3 GDPR. This does not alter the fact that there was a historic breach that became in the meantime

remedied.

II.4. Article 12, paragraph 1 and paragraph 6 of the GDPR, Article 13, paragraph 1 and paragraph 2 of the GDPR and Article 14, paragraph

1 and paragraph 2 GDPR, Article 5 paragraph 2 GDPR, Article 24 paragraph 1 GDPR and Article
25 (1) GDPR

84. Based on Article 12(1) GDPR, Article 13(1) and (2) GDPR and Article 14(1)

and paragraph 2 of the GDPR, it is necessary for the defendant to be the controller

provides the data subjects with concise, transparent and comprehensible information about the

personal data that are processed. The aforementioned transparency obligations form

a concretization of the general transparency obligation of Article 5(1)(a) of the

AVG. As already explained, the defendant must have the appropriate technical and

29 EDPB, Report of the work undertaken by the Cookie Banner Taskforce, January 17, 2023,
https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf, p. 8. Decision on the substance 15/2023/2023 - 24/35

take organizational measures to ensure and be able to demonstrate that the

processing takes place in accordance with the GDPR. The defendant must do so

effectively implement data protection principles, the rights of data subjects
as well as only process personal data that is necessary for each

specific purpose of the processing.

II.4.1. Findings in the Inspection Report

85. Based on its investigation, the Inspectorate concludes that the

the defendant's privacy statement was not transparent and understandable to the defendant

data subjects as imposed by Article 12 (1) GDPR and from the point of view of

data protection contained irrelevant and incorrect information. Different elements

in the privacy statement were superfluous because it does not have the protection of

personal data went. Second, created the defendant's privacy statement
wrongly the perception to the data subject that the defendant fully complies with the GDPR

complied with, quod non, according to the Inspectorate. Thirdly, the privacy statement stated

wrong that the data subject always had to prove his identity before exercising

the rights of data subjects in the GDPR. This was incorrect because the defendant complied

article 12, paragraph 6 GDPR, only additional information may be requested from the data subject when he
has reasons to doubt the identity of the natural person making the request

submits as referred to in Articles 15 up to and including 21 GDPR. Fourth, the

privacy statement of the defendant is wrongly not the possibility for the data subjects

to submit a complaint to the Data Protection Authority. Finally, the

the defendant's privacy statement is not clear and therefore not transparent to the

stakeholders with regard to the interchangeable use of the terms
“personal data” and “data”, the purposes and legal bases of the processing, the

transfer of personal data and the adjustments that have been made.

86. In addition, the defendant's privacy statement was, according to the findings of the
Inspection service, incomplete because not all mandatory according to Articles 13 and 14 of the GDPR

information to be stated was effectively stated. After all, no information was included

about the contact details of the data protection officer, the

processing purposes and the legal basis for the processing, the recipients or the

categories of recipients of the personal data, the storage period or the criteria for
determination of that period, the right of the data subject to limitation of the him

regarding processing as well as the right to data portability,

the right to withdraw a given consent and the right to lodge a complaint

to the Data Protection Authority. Decision on the substance 15/2023/2023 - 25/35

II.4.2. Defendant's position

87. . With regard to these findings, the defendant argues that a new privacy policy

was worked out. At the time of drawing up the conclusion, the proposal was with the services

ICT and Communication for review. The implementation took place on March 18, 2022.
With regard to the privacy statement, the defendant argues that it has been updated

to comply with the findings of the Inspectorate. So became irrelevant

passages are omitted, so that the statement only contains the relevant provisions

contains in accordance with the GDPR (principles of processing, purposes, legal basis,

data transfer, rights of data subjects and contact and complaint options

The involved). The defendant no longer automatically demands proof of identity
prior to the exercise of the rights of the person concerned.This will only be requested

when the identity of the data subject cannot be ascertained in any other way

insured. The privacy statement was also supplemented with the various options that

the data subject has to file a complaint in the event of a possible violation of the

protection of his personal data. The privacy statement now also uses

consistent wording and to clarify the grounds for processing
specific examples are included, according to the defendant. In addition, the

privacy statement under the title “History of changes” next to the date of revision

also the subjects that have been effectively adapted. Finally, the defendant points out that

following information has been added to the privacy statement: contact details of the

data protection officer, purposes for processing, legal basis for

the processing, mention that only the defendant acts as controller and the

receives data, stating that the defendant no longer has the data in principle
than necessary for the purpose for which it was collected, the rights of the

data subjects and the possibilities for complaint of the data subjects. Thedefendantistherefore

believes that the information it provides to data subjects meets the requirements of

Articles 12, 13 and 14 of the GDPR

II.4.3. Review by the Litigation Chamber

88. The Litigation Chamber points out that the GDPR determines which information must be mandatory

included in the privacy statement, and more specifically in articles 13 and 14 GDPR. This

Transparency requirements are further explained in the Transparency Guidelines

in accordance with Regulation (EU) 2016/679 of the Data Protection Working Party.

89. Since the defendant carries out a large number of data processing operations, resulting in a

large amount of information must be provided to the data subjects, the decision on the substance is 15/2023/2023 - 26/35

Litigation Chamber is of the opinion that a controller such as the defendant has a

multi-layered approach: 30

- On the one hand, the data subject must have clear and

accessible information about the fact that there are information about the processing of

personal data exists (privacy policy) and where he will be able to do it in full

find.

- On the other hand, without prejudice to the accessibility of the

privacy policy in its entirety, from the first communication of the

controller with him be informed of the

details of the purpose of the processing in question, the identity of the

controller and the rights available to him.

90. The importance of providing this multi-layered information ensures accessible and

comprehensible information for the data subjects, an obligation arising in particular from

Recital 39 of the GDPR. All additional information within the meaning of Articles 13 and 14 GDPR that

necessary to enable the data subject on the basis of the information provided at this first level

information to understand what the consequences of the processing in question will be for him,

must be added.

91. The Litigation Chamber consulted the current privacy statement of the defendant and stated
thereby, indeed, that the latter was updated in such a way that the account becomes

took into account most of the comments of the Inspectorate and the

privacy statement was therefore almost completely aligned with the

relevant provisions of the GDPR. The Disputes Chamber takes note of this.

92. It is noted, however, that the new privacy statement does not yet address this

arrived at all the findings of the Inspectorate.

93. First of all, the Disputes Chamber notes that the privacy statement does not state clearly

makes of the retention periods of the personal data concerned or the criteria for

provision thereof, as required by Article 13 (2) a) GDPR. The privacy statement states

the following in this regard: “In principle, [we] do not store your data longer than

is necessary for the purpose for which it was collected. Being a government agency

however, we are often required by law to keep your personal data longer, under
more on the basis of archive legislation. It is also possible that your personal data

further processed for scientific and historical research or statistical purposes

purposes". However, the Guidelines of the Data Protection Group show that

30 In the same sentence: decision no. 81/2020 of the Litigation Chamber (points 53 and following) and decision 76/2021 (points 58
et seq.), available via the web page
https://www.dataprotectionauthority.be/professioneel/publicaties/besluiten. Decision on the substance 15/2023/2023 - 27/35

such formulation is not sufficient. The Data Protection Group points out in this regard

note that the (mention of the) retention period is related to the principle of minimum

data processing covered by Article 5 (1) c) GDPR as well as the requirement of storage limitation

of Article 5 (1) e) GDPR. It specifies that “the storage period (or the criteria for

determine) may be dictated by factors such as legal requirements or sectoral

guidelines, but should always be formulated in such a way that the data subject, on the basis

of his or her own situation, can assess the retention period for specific
31
data/purposes”. The Litigation Chamber is of the opinion that this is a violation

means of Article 13 (1) c) and 14 (2) c) GDPR.

94. Secondly, the Disputes Chamber notes in this context that the privacy statement is not op

mentions in sufficient detail the exact legal basis(s) and

purposes of the processing and which personal data are used for this

personal data concerned, as required by Articles 13 and 14 GDPR. The Dispute Room

notes that the privacy statement does mention these elements, but that the way in which

is not understandable and transparent to the data subjects, as it is not clear to the

data subject which data are processed for which purpose and on what basis
legal basis this happens. Ideally, the controller provides a list

of the different purposes for which he processes personal data, with each time the

indication of which (categories of) personal data are processed for this purpose, via which

source they were obtained, for how long they are kept and with what (categories of)

recipients they (may) be shared.

95. The Disputes Chamber notes that the other findings of the Inspectorate
meanwhile was met by the amendments made by the defendant

to the privacy statement, but notes, however, that these findings at the time of the

performance of the inspection investigation are indisputable. The Disputes Chamber points it out

note that the defendant has made efforts to obtain the compensation under the

Articles 12, 13 and 14 GDPR to adjust the information to be provided, albeit after receipt

of the Inspectorate's comments.

96. The Litigation Chamber deduces from the above-listed findings of infringements that the

defendant's transparency obligations under Article 12 GDPR and its information obligation

from Articles 13 and 14 GDPR has not been complied with. In doing so, the defendant has acted negligently
acted contrary to his accountability as stipulated in Article 5, paragraph 2 and 24 of

the GDPR.

31Guidelines on transparency under Regulation (EU) 2016/679, WP260rev1 adopted on 29
November 2017, p 25. Substantive decision 15/2023/2023 - 28/35

II.5. Article 30, paragraph 1, paragraph 3 and paragraph 4 of the GDPR

97. In order to effectively apply the obligations contained in the GDPR, it is of

It is essential that the controller (and the processors) have an overview

of the processing of personal data that they carry out. So this registry is
primarily a tool to assist the controller in the

compliance with the GDPR for the various data processing operations it carries out because it

register makes its main features visible. The obligations regarding this

register of processing activities are defined in Article 30 GDPR.

98. Pursuant to Article 30 GDPR, each controller must keep records

of the processing activities carried out under its responsibility.

Article 30(1)(a) to (g) GDPR stipulates that, with regard to the

of processing operations carried out by the controller, the following information

must be available:

a) the name and contact details of the controller and any

joint controllers and, where applicable, of the

representative of the controller and of the officer for

data protection;

b) the processing purposes;

c) a description of the categories of data subjects and of the categories of
personal data;

d) the categories of recipients to whom the personal data have been or will be

provided, including recipients in third countries or international organisations;

e) where applicable, transfers of personal data to a third country or a

international organisation, including the reference to that third country or countries

international organization and, in the case of the organizations referred to in Article 49(1) second subparagraph GDPR,

such transfers, the documents concerning the appropriate safeguards;

f) if possible, the envisaged time limits within which the different categories of

data must be erased;

g) if possible, a general description of the technical and organizational

security measures as referred to in Article 32 (1) GDPR.

99. The processing register must be in written form, including in electronic form,
be drawn up (Article 30(3) GDPR). In accordance with Article 30 (4) GDPR, the

controller shall make the register of processing available to the

supervisory authority at its request. Decision on the substance 15/2023/2023 - 29/35

100. With regard to the register of processing activities, the Inspection Service notes that

the defendant does not have the obligations imposed by Article 30 (1), (3) and (4) GDPR

complied. After all, the Inspectorate only has a part of the register
receive processing activities, namely the building maintenance part.

The part that was transferred meets the requirements of the Inspectorate

does not meet the minimum requirements from Article 30 paragraph 1 GDPR as the following are mandatory

entries are missing:

a. The contact details of the defendant (Article 30(1)(a) GDPR).

b. A description of the categories of data subjects and of the categories of

personal data (Article 30(1)(c) GDPR). There is a short general summary
provided, but that is not a description, according to the Inspectorate.

101. The Litigation Chamber must rule on whether Article 30(1)(c) GDPR requires

that a description is given of the categories of personal data and the
categories of data subjects in the register of processing activities, or whether a

summary will suffice.

102. Concerning the lack of protection of the categories of data subjects
personal data, the defendant asks for clarification in its conclusions. There are

indeed general examples are included in this regard, but the defendant states that

they do give an idea of the type of data that is meant. In the GDPR, the

Defendant cannot find a definition of what a description should be.

103. The Litigation Chamber notes that Article 30(1)(c) GDPR requires that a description of the

categories of data subjects and of the categories of personal data

included in the register of processing activities. Those involved are the

identified or identifiable natural persons whose data are collected

processed (Article 4 (1) of the GDPR). Regarding the categories data, of course it has to
concern personal data as defined in Article 4 (1) of the GDPR.

104. The Disputes Chamber finds that the defendant in its register of

processing activities enumerates:

- the categories of data subjects (Article 30(1)(c) GDPR), i.e. “staff members”.

- the categories of personal data (Article 30(1)(c) GDPR), namely the “Data

Geolocation system [...]: number plate, route traveled, vehicle description”.

105. The Litigation Chamber recalls the purpose of the register of
processing activities. To effectively fulfill the obligations contained in the GDPR

apply, it is essential that the controller (and the

processors) have an overview of the processing of personal data that they

to carry out. This register is therefore primarily an instrument for

assist the controller in GDPR compliance for the various

data processing it carries outbecause the register retains its main features

makes visible. The Disputes Chamber is of the opinion that this processing register is a

essential tool in the context of the accountability obligation already mentioned (Article 5,

paragraph 2, and Article 24 GDPR) and that this register forms the basis of all obligations that the
GDPR imposes on the controller.

106. Regarding the mandatory information pursuant to Article 30(1)(c) GDPR regarding the

description of the categories of data subjects and of the categories of

personal data, the Disputes Chamber notes that neither the text of the GDPR nor the

objectives of the GDPR prevent an enumeration of the categories of

personal data and categories of data subjects are included in the register of

processing activities or whether a more detailed description would be required.

107. With regard to the categories of recipients, the Litigation Chamber refers to a
32 33
recommendation of the CPP and the doctrine setting out that while it is not
it is necessary to state the individual recipients of the data, but that they are

can be grouped by recipient category. Mutatis mutandis can do this

statement can also be applied to the categories of personal data and data subjects.

The Disputes Chamber hereby emphasizes that the information about the categories of

personal data and data subjects must be such that in the event of an exercise

of the right of access by a data subject, the controller specific

must be able to provide information to this data subject about the exact data processed

data and the specific recipients of its personal data. 34

108. However, the Disputes Chamber points out that the completion of the register of

processing activities must always be evaluated on a case-by-case basis to determine whether the

description or enumeration contained herein is sufficiently clear and concrete. In this

case, the Litigation Chamber states that the description “personnel” is clear, since this

file shows that it concerns the employees of the Maintenance Buildings service. Also the

enumeration of the data generated by the software of the geolocation system

processed are clear. Consequently, the Dispute Chamber determines that in the case mentioned above

enumerations comply with the requirements of Article 30 (1) (c) GDPR.

109. As regards the missing entries from Article 30(1)(a) GDPR, the

Litigation Chamber determines that the contact details of the officer for

32Available at: https://www.dataprotectionauthority.be/publications/aanbeveling-nr.-06-2017.pdf
33
W. Kotschy, "Article 30: records of processing activities", in Ch. KUNER The EU General Data Protection Regulation
(GDPR), a commentary, 2020, pg. 621.
34ECJ, 12 January 2023, Österreichische Post AG, C-154/21, ECLI:EU:C:2023:3, para 36. Decision on the substance 15/2023/2023 - 31/35

data protection are included in the modified version of the register

processing activities.This does not alter the fact that there was a historical breach of Article 30,

paragraph 1, a) GDPR and that it has been remedied in the meantime.

110. As regards the transmission of the register of processing activities, the

defendant does not that it was not submitted to the Inspectorate in its entirety. This

after all, the register of processing activities consists of several excel files, te

know one document per government department and it was reasoned by the defendant that
only the processing register of the service concerned had to be submitted. The

In its conclusions, the defendant declares that it is willing to submit the complete register of

processing activities, and has done so prior to the

hearing. The Disputes Chamber cannot deduce from further correspondence that the

Inspectorate would have requested these additional sheets.

111. The Disputes Chamber is of the opinion that the defendant has timely filed the processing register in the

particularly with regard to the geolocation system at issue

electronic form by e-mail at the first request of the Inspectorate. The additional
sheets were not further requested by the Inspectorate. Consequently, the

Litigation Chamber that there is no violation of article 30, paragraph 3 and 4 AVG. However, there was one

historical infringement with regard to article 30, paragraph 1, a) of which the Litigation Chamber determines

that it was remedied by remedial measures.

II.6. Article 38(1) and (3) GDPR and Article 39(1) GDPR

112. The GDPR recognizes that the data protection officer is a key figure for what

concerns the protection of personal data, whose designation, position and tasks are regulated

to be subjected. These rules help the controller to comply with

its obligations under the GDPR, but also help the officer

data protection to properly perform its tasks.

113. Article 38(1) GDPR requires the controller to take care of it

that the data protection officer is involved in a timely and appropriate manner

all matters related to the protection of personal data.

114. In addition, Article 38(3) in fine GDPR stipulates that the officer for

data protection reports directly to the top management

within the organization involved. In addition, the data protection officer
to report annually on the activities carried out by him and this ter

available to top management.

115. The Inspectorate finds that the defendant has fulfilled the obligations imposed by Article 38,
has not complied with paragraphs 1 and 3 GDPR. According to the Inspectorate, the defendant does not show Substantive decision 15/2023/2023 - 32/35

that its data protection officer has been properly and timely involved

in the context of the complaint. In addition, the defendant does not demonstrate that his

data protection officer reports effectively to the highest

managerial level of the defendant.

116. The Respondent does not dispute that it is of crucial importance that the official for

data protection is involved as early as possible in all matters related to

data protection related. Efforts have been made to this end

awareness of it, among other things, at the heads of department meeting of 3 December 2021. Brings further
the data protection officer will formally advise the data protection officer if necessary

Municipal Council/Social Welfare Council and/or the Municipal Executive

and Aldermen, this concerns 5 formal recommendations in 2021. The defendant also prepares documents

on demonstrating that the data protection officer is proactive,

such as 44 informal opinions in 2021. Finally, the defendant indicates that the annual report ter

notification is placed on the agenda of the Board of Mayor and Aldermen and the
Fixed desk.

117. In view of the above, the Disputes Chamber finds that the officer for

data protection is involved on a regular basis in matters with

regarding the protection of personal data. Specifically regarding the context of
the complaint, the Litigation Chamber notes that the official was involved in the run-up to

the present complaint. The complaint was filed on March 31, 2021 after being filed on November 16

2020 and on 23 February 2021, there was consultation between the defendant and the officer

for data protection about the geolocation policy. From the whole of all the pieces that

were submitted, are no concrete elements that allow the Disputes Chamber to

conclude that the data protection officer would not be involved in a timely manner
have been. However, the Litigation Chamber points out that documenting the timely

involvement can be useful for the controller itself, but also for the

Inspectorate in the event of a complaint, as well as during the (casuistic) assessment by the

Litigation room.

118. The Inspectorate also found an infringement of Article 38(3) regarding the

reporting to the highest management level. The defendant had during the

investigation clarifies to the Inspectorate that the official for

data protection chairperson of the Information Security Cell, which reports

to the General Manager via the annual report. The Inspectorate refers in this regard

to an earlier decision of the Litigation Chamber in which it was clarified that in a
municipality the college of mayor and aldermen the highest daily

managerial level. The Disputes Chamber notes that in the course of October to

December 2020 an audit of the defendant carried out by Audit Vlaanderen has Substantive decision 15/2023/2023 - 33/35

occurred. This included a recommendation that the defendant has

its own organizational management framework, which includes reporting to the College

The Mayor and Aldermen foresees that this is lacking in practice. The
The Disputes Chamber notes that the defendant has set to work with this recommendation

since in 2021 5 formal and 44 informal recommendations will be made directly to the Executive Board

Mayor and Aldermen were addressed, in addition to the annual report that the officer for

data protection issues annually.

119. Based on the above, the Disputes Chamber concludes that there is no infringement of

Article 38 (1) and (3) and Article 39 (1) GDPR. This does not alter the fact that it is historical

has been an infringement with regard to Article 38 (3) GDPR and that this has been done by remedial

measures were remedied.

III. Sanctions

120. On the basis of the documents in the file, the Disputes Chamber establishes that there is

following (historical) infringements:

- Article 5 (1) a) and (2) and Article 6 (1) GDPR, and Article 24 (1) and Article 24 (1) and (2) of

the GDPR with regard to the geolocation system;

- Article 4, 11), Article 5(1)(a) and (2), Article 6(1)(a) and Article 7(1) and (3) for what
concerns the use of cookies that are not strictly necessary;

- Article 12(1) and (6), Article 13(1) and (2), Article 14(1) and (2), Article 5(2), Article 24(1)

and Article 25 (1) GDPR with regard to the information obligations;

- Article 30 (1) (a) GDPR with regard to the contact details of the officer in the

register of processing activities; and

- Article 38, paragraph 3 GDPR with regard to direct reporting to the highest

managerial level.

121. Although the defendant has taken remedial measures to remedy these infringements, whether

not already completely remedied, it is certain that there are infringements of the right to

data protection have taken place. As already explained are the principles

of legality and transparency fundamental principles of the GDPR. Also the

data protection officer plays a vital role in data protection

controller.TheDispute ChamberremindsthattheAVGreeds
entered into force in 2016 and became applicable on 25 May 2018. In the meantime, almost

5 years have passed since the GDPR became applicable, a period specified by the defendant

has been insufficiently used to make its operation GDPR-compliant.

122. When determining the sanction, the Disputes Chamber takes into account the fact that the

the defendant has already (partially) rectified these infringements and evidence of this Decision on the merits 15/2023/2023 - 34/35

transfers. Needless to say, the Disputes Chamber points out that it is not authorized to

impose an administrative fine on public authorities, in accordance with Article 221,

§ 2 of the Data Protection Act. 35In view of the above, the Disputes Chamber

is of the opinion that a reprimand based on Article 100, § 1, 5 WOG is appropriate in this case

is.

123. The Disputes Chamber proceeds to dismiss the other grievances and findings of the
Inspectorate because, based on the facts and the documents in the file, they do not belong to the

conclude that there has been a breach of the GDPR. These grievances and

findings of the Inspectorate are therefore regarded as manifestly unfounded

within the meaning of Art. 57(4) GDPR.

IV. Publication of the decision

124. Given the importance of transparency with regard to decision-making by the

Litigation Chamber, this decision will be published on the website of the

Data Protection Authority. However, it is not necessary for the

identification data of the parties are disclosed directly.

FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

- on the basis of Article 100, §1, 5° WOG to formulate a reprimand with regard to the

defendant for the infringement of Article 5(1)(a) and (2) and Article 6(1);

Article 24(1) and Article 24(1) and (2); Article 4, 11), Article 5(1)(a) and (2), Article 6(1)(a)
and Article 7(1) and (3); Article 12(1) and (6), Article 13(1) and (2), Article 14(1) and (2),

Article 5 (2), Article 24 (1) and Article 25 (1) GDPR; Article 30 (1) GDPR and Article 38 (3)

GDPR;

- pursuant to article 100, §1, 1° WOG with regard to all other determinations in

dismiss.

Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notification against this decision may be appealed to the Marktenhof (court of

Brussels appeal), with the Data Protection Authority as defendant.

35Law of 30 July 2018 on the protection of natural persons with regard to the processing of
personal data, B.S., September 5, 2018.
36 See point 3.A.2 of the Dispute Chamber's Dispute Policy, dd. June 18, 2021, available at
https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf Decision on the merits 15/2023/2023 - 35/35

Such an appeal may be made by means of an inter partes petition

the entries listed in article 1034ter of the Judicial Code must contain .The 37

a contradictory petition must be submitted to the Registry of the Market Court

38
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).

(get.) Hielke H IJMANS

Chairman of the Litigation Chamber

37
The petition states under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
enterprise number;
3° the surname, first name, place of residence and, if applicable, the capacity of the person to be

summoned;
4° the object and brief summary of the means of the claim;
5° the court before which the action is brought;
6° the signature of the applicant or his lawyer.

38 The petition with its annex is sent, in as many copies as there are parties involved, by registered letter
sent to the clerk of the court or deposited at the clerk's office.

@@ Line 104: / Line 104: @@
 === Facts ===
-The controller was a public authority and the data subject was its employee. The data subject used a company car which was tracked by a GPS by the controller. The GPS tracking was active since 2009, before the GDPR came into existence but was put on hold once the complaint was submitted.
+The controller was a public authority and the data subject was its employee. The data subject used a company car which the controller was tracking with a GPS. The GPS tracking was active since 2009, before the GDPR came into existence but was put on hold once the complaint was submitted.
-At some point, the data subject received a fraud report where his registered work time schedule were compared to the tracking of his car. This report included certain addresses, such as his mother’s, a bar and some random streets.
+At some point, the data subject received a fraud report where his registered work time schedule was compared to the tracking of his car. This report included certain addresses, such as his mother’s, a bar and some random streets.
 On 31 March 2021, the data subject submitted a complaint explaining that he was not informed about the GPS tracking before receiving the report, nor was it included in the privacy policy. Following the complaint, the DPA investigated and the Investigation Service issued a report in 5 parts : the GPS tracking system, cookiebanner and cookie policy, the controller’s information obligation, the register of processing activities and role of the data protection officer.
-The Investigation Service concluded that the controller breached the GDPR in several ways. The controller did not refute this, but claimed this was the old system. They implemented a new privacy policy, cookiebanner, cookie notice and GPS tracking information process, as well as an updated register of processing activities and new procedures to involve the DPO.
+The Investigation Service concluded that the controller breached the GDPR in several ways. The controller did not refute this and in the meantime, it implemented a new privacy policy, cookiebanner, cookie notice and GPS tracking information process, as well as an updated register of processing activities and new procedures to involve the DPO.
 The controller did not refute this and explained that these practices were prior to the GDPR and that it recently updated the internal processes as well as the privacy and cookie policy in line with the GDPR, following an internal audit and the recommendations of the Investigation Service.
@@ Line 118: / Line 118: @@
 ==== GPS tracking ====
-The DPA clarified that for the original GPS tracking, Directive 95/46/EC (predecessor of the GDPR) must be considered. The DPA concluded that the controller, in 2009, assured that the processing was aligned with the principles of purpose limitation, proportionality and transparency to protect the rights of the data subjects as much as possible. The access was also limited to specific people. However, since the introduction of the GDPR on the 25th of May 2018, the controller had to ensure that all processing activities were compliant with, among others, [[article 5 GDPR#1|Article 5(1) GDPR]], [[article 6 GDPR#1|Article 6(1) GDPR]]. The DPA held that the controller was thus obligated to take a proactive approach and to inform its data subjects about the legal ground of the processing, regardless of any complaint submitted. The DPA held that by not reworking its privacy policy and by not informing its employees, the controller breached those Articles.
+The DPA clarified that for the original GPS tracking, Directive 95/46/EC (predecessor of the GDPR) must be considered. The DPA concluded that the controller, in 2009, assured that the processing was aligned with the principles of purpose limitation, proportionality and transparency to protect the rights of the data subjects as much as possible. The access was also limited to specific people.
-The DPA stipulated that the controller relied on legitimate interest under [[article 6 GDPR#1f|Article 6(1)(f) GDPR]], which cannot be relied upon by a public authority in the performance of their tasks according to [[article 6 GDPR#1f|Article 6(1)]].
+However, since the introduction of the GDPR on the 25th of May 2018, the controller had to ensure that all processing activities were compliant with, among others, [[article 5 GDPR#1|Article 5(1) GDPR]], [[article 6 GDPR#1|Article 6(1) GDPR]]. The DPA held that the controller was thus obligated to take a proactive approach and to inform its data subjects about the legal ground of the processing, regardless of any complaint submitted. The DPA held that by not reworking its privacy policy and by not informing its employees, the controller breached those Articles.
-The DPA therefore assessed if the processing was necessary for the performance of a legal obligation under [[article 6 GDPR#1e|Article 6(1)(c) GDPR]]. The DPA held that under national law, public authorities do not possess other competences besides those formally assigned to them by law and tracking. This implies that a public authority may only process personal data if this is necessary for a task it is legally obliged to fulfill. [[article 6 GDPR#1e|Article 6(1)(c)]] could therefore not be considered as a legal basis.
+Regarding the legal basis for the processing, the DPA stipulated that the controller relied on legitimate interest under [[article 6 GDPR#1f|Article 6(1)(f) GDPR]], which cannot be relied upon by a public authority in the performance of their tasks according to [[article 6 GDPR#1f|Article 6(1)]].
-The DPA then assessed how the controllers could rely on [[article 6 GDPR#1e|Article 6(1)(e) GDPR]]: the GPS tracking had to be necessary and directly related to the performance of a task in the public interest. The DPA stated that this should be interpreted in a broad way. It held that the efficient utilisation of scarce government resources by checking the time tables of employees and the use of the company car falled under a task carried out in the public interest. However, the controller must also have a clear, precise and predictable legal basis to rely on [[article 6 GDPR#1e|Article 6(1)(e) GDPR]]. The DPA referred to its decision 149/2022 (summary of this decision is available [[APD/GBA (Belgium) - 149/2022|here]] and concluded that controllers must assess themselves if they can rely on [[article 6 GDPR#1e|Article 6(1)(e) GDPR]].
+The DPA therefore assessed if the processing was necessary for the performance of a legal obligation under [[article 6 GDPR#1e|Article 6(1)(c) GDPR]]. The DPA held that under national law, public authorities only possess competences formally assigned to them by law. This implies that a public authority may only process personal data if this is necessary for a task it is legally obliged to fulfill. [[article 6 GDPR#1e|Article 6(1)(c)]] could therefore not be considered as a legal basis.
-For the necessity condition, the DPA analysed whether the GPS tracking in this case was necessary for the task in the public interest and if there were less invasive alternatives. The DPA determined that the processing happens under specific parameters (professional activities, with the company car, limited to the strictly necessary personal data, transparently explained to the data subject). Other tracking could also be more invasive and there is no other possible way for the controller to monitor the movements of the company car. Lastly, the amount of people who can access the logs is strictly limited. The DPA concluded that there was no breach of [[article 6 GDPR#1e|Article 6(1)(e) GDPR]] since the controller only processed personal data related to movement of a company car and that the intrusion on the personal life of the data subject was limited to what was strictly necessary for the purpose of fulfilling a public task.
+The DPA then assessed how the controllers could rely on [[article 6 GDPR#1e|Article 6(1)(e) GDPR]]: the GPS tracking had to be necessary and directly related to the performance of a task in the public interest. The DPA stated that this should be interpreted in a broad way. It held that the efficient use of scarce government resources by checking the time tables of employees and the use of the company car falled under a task carried out in the public interest. However, the controller must also have a clear, precise and predictable legal basis to rely on [[article 6 GDPR#1e|Article 6(1)(e) GDPR]]. The DPA referred to its decision 149/2022 (summary of this decision is available [[APD/GBA (Belgium) - 149/2022|here]]) and concluded that controllers must assess themselves if they can rely on [[article 6 GDPR#1e|Article 6(1)(e) GDPR]].
+For the necessity condition, the DPA analysed whether the GPS tracking in this case was necessary for the task in the public interest and if there were less invasive alternatives. The DPA determined that the processing happened under specific parameters (professional activities, with the company car, limited to the strictly necessary personal data, transparently explained to the data subject). Other tracking could also be more invasive and there was no other possible way for the controller to monitor the movements of the company car. Lastly, the amount of people who could access the data was strictly limited. The DPA concluded that there was no breach of [[article 6 GDPR#1e|Article 6(1)(e) GDPR]] since the controller only processed personal data related to movement of a company car and that the intrusion on the personal life of the data subject was limited to what was strictly necessary for the purpose of fulfilling a public task.
 The DPA then assessed if the controller fulfilled its transparency obligations under [[article 5 GDPR#1|Article 5(1) GDPR]]. Even though the controller did not deny relying on a faulty legal basis in the past, it has since then mended its legal basis including in the privacy policy.
@@ Line 133: / Line 135: @@
 ==== Cookiebanner and cookie policy ====
-The DPA assessed the usage of non-strictly necessary cookies. The controller does not contest that the earlier version of their cookiebanner and cookie policy was non-compliant but stated that their current (and new) version is compliant. As such, the DPA only reviewed the new versions.
+The DPA also assessed the usage of non-strictly necessary cookies and recommended to implement a reject all button on all layers of the cookie banner. It held that the old cookie policy breached [[article 4 GDPR#11|Article 4(11) GDPR]], [[article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[article 6 GDPR#1|Article 6(1) GDPR]] while the new one partially remedies these breaches.
-First, the DPA assessed the validity of the consent asked in the cookiebanner in line with Article 5(3) ePrivacy Directive juncto [[article 4 GDPR#11|Article 4(11) GDPR]], [[article 6 GDPR#1|Article 6(1) GDPR]], [[article 7 GDPR#1|Article 7(1) GDPR]] and the requirements to revoke consent under [[article 7 GDPR#3|Article 7(3) GDPR]]. The DPA noticed that while there is a global opt-in for cookies in the first layer, there is no similar button to reject all non-strictly necessary cookies. In line with the Task Force Cookie Banner by the EDPB (which was published after the hearings), the DPA recommended to implement a reject all button as well. On top of that, the option ‘change settings’ is much less noticeable in comparison to the ‘accept all’ button. While the EDPB stated that this can be a breach of valid consent, the DPA again recommended to bring this in line. Secondly, the DPA assessed the validity of the consent in the new cookie policy. The DPA recommended to also group the cookies per purpose to increase clarity. This allows the data subject to make a more nuanced choice. Additionally, the DPA noted that the cookie policy did not declare to which parties the collected personal data is sent. Lastly, the DPA stated that a valid consent cannot be given by means of browser settings as it is not sufficiently specific and not an active action necessary to grant consent.
-Since the website allows for easily retraction the consent, in a visible and easy to find place (i.e. the bottom of the page, next to the cookie policy), it is as easy to give as to withdrawn consent in line with [[article 7 GDPR#3|Article 7(3) GDPR]].
-Based on the above, the DPA held that the old cookie policy breached [[article 4 GDPR#11|Article 4(11) GDPR]], [[article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[article 6 GDPR#1|Article 6(1) GDPR]] while the new one partially remedies these breaches.
 ==== Information obligation ====
-Then, the DPA assessed the requirements of transparency and information of data subjects in the privacy policy under [[article 12 GDPR|Article 12 GDPR]], [[article 13 GDPR|Article 13 GDPR]] and [[article 14 GDPR|Article 14 GDPR]]. The DPA stated that a controller which processes large quantities of personal data (such as the controller) should use a layered approach to inform the data subjects. On the one hand, a controller should group all information in a clear and accessible way e.g. in the privacy policy. On the other hand, a data subject should be informed about the processing from the first communication with or processing by the controller.
+Then, the DPA assessed the requirements of transparency and information of data subjects in the privacy policy under [[article 12 GDPR|Article 12 GDPR]], [[article 13 GDPR|Article 13 GDPR]] and [[article 14 GDPR|Article 14 GDPR]]. The DPA stated that the new privacy policy did not clearly state the retention period of the personal data as stipulated in [[article 13 GDPR#2a|Article 13(2)(a) GDPR]]. As such, the DPA concluded to a breach of [[article 13 GDPR#1c|Article 13(1)(c) GDPR]] and [[article 14 GDPR#2c|Article 14(2)(c) GDPR]].
-However, the new privacy policy does not clearly state the retention period of the personal data as stipulated in [[article 13 GDPR#2a|Article 13(2)(a) GDPR]]. A data subject should be able to determine the retention period of their personal data at all times, based on the circumstances. As such, the DPA found a breach of [[article 13 GDPR#1c|Article 13(1)(c) GDPR]] and [[article 14 GDPR#2c|Article 14(2)(c) GDPR]].
 On top of that, the DPA held that the applicable legal basis was not included in a sufficiently precise way, resulting in a breach of the accountability principle of [[article 5 GDPR#2|Article 5(2) GDPR]] and [[article 24 GDPR|Article 24 GDPR]].
 ==== Register of processing activities ====
-The DPA concluded a historical breach of [[article 30 GDPR#1a|Article 30(1)(a) GDPR]] by not including the contact details of the data protection officer in the register of processing activities. The new register of processing activities did include these contact details.
+The DPA concluded a historical breach of [[article 30 GDPR#1a|Article 30(1)(a) GDPR]] by not including the contact details of the data protection officer in the register of processing activities. The new register of processing activities did include these contact details either.
 ==== Role of the DPO ====
-The DPA reinstated that the DPO is the key figure for data protection for controllers. The Inspection Service held that the DPO was not properly and in a timely manner involved in all issues related to the protection of personal data pursuant to [[article 38 GDPR#1|Article 38(1) GDPR]]. However, the DPA stated that there is no proof which shows that the DPO was not timely involved. The DPA did state that it could be useful to document the involvement of the DPO. The DPA also held that, based on an audit report, the DPO did not directly report to the highest management level. The controller stated that this has changed since they implemented recommendations of the audit report. As such, the DPA concluded no breach of [[article 38 GDPR#1|Article 38(1) GDPR]], [[article 38 GDPR#3|Article 38(3) GDPR]] and [[article 39 GDPR#1|Article 39(1) GDPR]] but a historical breach of [[article 38 GDPR#3|Article 38(3) GDPR]] which has been remedied.
+Regarding the role of the DPO, the DPA concluded no breach of [[article 38 GDPR#1|Article 38(1) GDPR]], [[article 38 GDPR#3|Article 38(3) GDPR]] and [[article 39 GDPR#1|Article 39(1) GDPR]] but a historical breach of [[article 38 GDPR#3|Article 38(3) GDPR]] which has been remedied.
 ==== Conclusion ====
 Put together, the DPA concluded a (historical) breach of the GDPR for following reasons:
--	[[article 5 GDPR#1a|Article 5(1a) GDPR]], [[article 6 GDPR#1|Article 6(1) GDPR]], [[article 24 GDPR#1|Article 24(1) GDPR]] and [[article 24 GDPR#2|Article 24(2) GDPR]] for the GPS tracking system.
+[[article 5 GDPR#1a|Article 5(1a) GDPR]], [[article 6 GDPR#1|Article 6(1) GDPR]], [[article 24 GDPR#1|Article 24(1) GDPR]] and [[article 24 GDPR#2|Article 24(2) GDPR]] for the GPS tracking system.
--	[[article 4 GDPR#11|Article 4(11) GDPR]], [[article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[article 5 GDPR#2|Article 5(2) GDPR]],[[article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[article 7 GDPR#1|Article 7(1) GDPR]]and [[article 7 GDPR#3|Article 7(3) GDPR]] for the usage of non-strictly necessary cookies.
+[[article 4 GDPR#11|Article 4(11) GDPR]], [[article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[article 5 GDPR#2|Article 5(2) GDPR]],[[article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[article 7 GDPR#1|Article 7(1) GDPR]]and [[article 7 GDPR#3|Article 7(3) GDPR]] for the usage of non-strictly necessary cookies.
--	[[article 12 GDPR#1|Article 12(1) GDPR]], [[article 12 GDPR#6|Article 12(6) GDPR]], [[article 13 GDPR#1|Article 13(1) GDPR]], [[article 13 GDPR#2|Article 13(2) GDPR]], [[article 14 GDPR#1|Article 14(1) GDPR]], [[article 14 GDPR#2|Article 14(2) GDPR]], [[article 5 GDPR#2|Article 5(2) GDPR]], [[article 24 GDPR#1|Article 24(1) GDPR]] and [[article 25 GDPR#1|Article 25(1) GDPR]] for the information obligation.
+[[article 12 GDPR#1|Article 12(1) GDPR]], [[article 12 GDPR#6|Article 12(6) GDPR]], [[article 13 GDPR#1|Article 13(1) GDPR]], [[article 13 GDPR#2|Article 13(2) GDPR]], [[article 14 GDPR#1|Article 14(1) GDPR]], [[article 14 GDPR#2|Article 14(2) GDPR]], [[article 5 GDPR#2|Article 5(2) GDPR]], [[article 24 GDPR#1|Article 24(1) GDPR]] and [[article 25 GDPR#1|Article 25(1) GDPR]] for the information obligation.
--	[[article 30 GDPR#1a|Article 30(1)(a) GDPR]] for not including the contact details of the data protection officer in the register of processing activities.
+[[article 30 GDPR#1a|Article 30(1)(a) GDPR]] for not including the contact details of the data protection officer in the register of processing activities.
--	[[article 39 GDPR#1|Article 39(1) GDPR]] for the direct reporting to the highest management level.
+[[article 39 GDPR#1|Article 39(1) GDPR]] for the direct reporting to the highest management level.
 The DPA held that it cannot impose an administrative fine on a government body.
 As such, the DPA reprimanded the controller but also held that most of the infractions have been remedied.