APD/GBA (Belgium) - 46/2024: Difference between revisions

From GDPRhub
(Good summary! Don't hesitate to give a few more details so that readers can get as much helpful information as they can for their own similar situations!)
 
Line 79: Line 79:
First, the DPA analysed the data subject's interest in lodging a complaint. The GBA pointed out that the GDPR does not prevent a national law from allowing persons other than data subjects to lodge a complaint with DPAs. In accordance with this, Belgian national law allows any person to file a complaint, provided they have a sufficient interest in doing so.   
First, the DPA analysed the data subject's interest in lodging a complaint. The GBA pointed out that the GDPR does not prevent a national law from allowing persons other than data subjects to lodge a complaint with DPAs. In accordance with this, Belgian national law allows any person to file a complaint, provided they have a sufficient interest in doing so.   


In the present case, the GBA hled that the subject of the complaint was the use of the data subject's personal data by the controller to build and train the models which the personalised discounts service was based on. Following the data subject's exercise of his right to object to the processing, the models were modified. Therefore, the current models were no longer based on the data subject's personal data.   
In the present case, the GBA held that the subject of the complaint was the use of the data subject's personal data by the controller to build and train the models which the personalised discounts service was based on. Following the data subject's exercise of his right to object to the processing, the models were modified. Therefore, the current models were no longer based on the data subject's personal data.   


However, the GBA considered that this was completely irrelevant: the mere fact that the data subject's personal data was no longer included in the dataset on which the models were based and trained did not mean that the data subject had no interest in filing the complaint. The GBA pointed out that it could not be denied that the data subject's personal data was indeed processed. Thus, the data subject had an interest in challenging the legal basis for such data processing.  
However, the GBA considered that this was completely irrelevant: the mere fact that the data subject's personal data was no longer included in the dataset on which the models were based and trained did not mean that the data subject had no interest in filing the complaint. The GBA pointed out that it could not be denied that the data subject's personal data was indeed processed. Thus, the data subject had an interest in challenging the legal basis for such data processing.  


Second, regarding the legal basis, the GBA confirmed that the processing of personal data for building data models constitutes processing for a new purpose than that of targeting data subjects with personalised discounts. The GBA also pointed out that this purpose was not disclosed to customers, including the data subject, at the time of entering into the customer relationship. With regard to what was claimed by the controller in its privacy policy, the DPA considered that this processing constituted a new purpose distinct form the initial purpose of executing and recording payments.   
Second, regarding the purpose, the GBA confirmed that the processing of personal data for building data models constitutes processing for a new purpose than that of targeting data subjects with personalised discounts. The GBA also pointed out that this purpose was not disclosed to customers, including the data subject, at the time of entering into the customer relationship. With regard to what was claimed by the controller in its privacy policy, the DPA considered that this processing constituted a new purpose distinct form the initial purpose of executing and recording payments.   


Concerning the further processing, the GBA assessed whether or not this new purpose could be considered compatible with the initial purpose. [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] establishes that processing of personal data for purposes other than those for which they were initially collected may be authorised if the processing is compatible with the purposes for which they were initially collected. In the present case, the GBA considered that when the data subject entrusted his personal and transaction data to the controller, he had no reasonable expectation that the controller would use the same data to build models that offer personalised discounts. Moreover, the DPA held that the purpose pursued by the controller was not  motivated by scientific, historical or statistical considerations. The end goal was purely commercial. As such, the GBA concluded that the controller could not benefit from this exception and that there was no compatible further processing.   
Concerning the further processing, the GBA assessed whether or not this new purpose could be considered compatible with the initial purpose. [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] establishes that processing of personal data for purposes other than those for which they were initially collected may be authorised if the processing is compatible with the purposes for which they were initially collected. In the present case, the GBA considered that when the data subject entrusted his personal and transaction data to the controller, he had no reasonable expectation that the controller would use the same data to build models that offer personalised discounts. Moreover, the DPA held that the purpose pursued by the controller was not  motivated by scientific, historical or statistical considerations. The end goal was purely commercial. As such, the GBA concluded that the controller could not benefit from this exception and that there was no compatible further processing.   
Line 89: Line 89:
Concerning the legal basis, the DPA examined the possibility of invoking legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis. This article establishes that the processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller, unless the interests or fundamental rights and freedoms of the data subject prevail. Recital 47 GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. In [[CJEU - C-13/16 - Rīgas satiksme|CJEU, 4 May 2017, Rigas, C-13/16,]] the Court of Justice held that [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] lays down three cumulative conditions: (i) the pursuit of a legitimate interest by the controller, (ii) the necessity of the processing in order to achieve the legitimate interest pursued and (iii) the fundamental rights and freedoms of the data subject must not prevail.  
Concerning the legal basis, the DPA examined the possibility of invoking legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis. This article establishes that the processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller, unless the interests or fundamental rights and freedoms of the data subject prevail. Recital 47 GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. In [[CJEU - C-13/16 - Rīgas satiksme|CJEU, 4 May 2017, Rigas, C-13/16,]] the Court of Justice held that [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] lays down three cumulative conditions: (i) the pursuit of a legitimate interest by the controller, (ii) the necessity of the processing in order to achieve the legitimate interest pursued and (iii) the fundamental rights and freedoms of the data subject must not prevail.  


Regarding the pursuit of a legitimate interest, the GBA considered that building models in order to offer personalised discounts to the controller's customers should be considered as carried out with a legitimate interest in mind. The DPA noted that building a data model aimed at offering personalised discounts was part of the controller positioning itself in the market. The controller's starting point was to gain insight into its customers' services while repsonding to societal evolutions and trends such as digitisation and personalisation of services and diversification of service. The GBA considered that this may be a legitimate interest.   
Regarding the pursuit of a legitimate interest, the GBA considered that building models in order to offer personalised discounts to the controller's customers should be considered as carried out with a legitimate interest in mind. The DPA noted that building a data model aimed at offering personalised discounts was part of the controller positioning itself in the market. The controller's starting point was to gain insight into its customers' services while responding to societal evolutions and trends such as digitisation and personalisation of services and diversification of service. The GBA considered that this may be a legitimate interest.   


Regarding the necessity of the processing in order to achieve the legitimate interest, the GBA pointed out that the analysis of transaction data to train models is necessary to provide personalised discounts to the controller's customers. Indeed, without the creation of data models, the discounts could not be offered in a personalised manner through a digital application. Therefore, the GBA considered that this processing was necessary to achieve the legitimate interest.  
Regarding the necessity of the processing in order to achieve the legitimate interest, the GBA pointed out that the analysis of transaction data to train models is necessary to provide personalised discounts to the controller's customers. Indeed, without the creation of data models, the discounts could not be offered in a personalised manner through a digital application. Therefore, the GBA considered that this processing was necessary to achieve the legitimate interest.  

Latest revision as of 14:08, 28 May 2024

APD/GBA - DOS-2019-05837
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 6(4) GDPR
Type: Complaint
Outcome: Rejected
Started: 20.01.2020
Decided: 15.03.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: DOS-2019-05837
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: ADP (in NL)
Initial Contributor: n/a

The DPA rejected a complaint concerning the processing of personal data for the purpose of building and training a model which offered personalised discounts, noting that this practice could be understood as a legitimate interest of the controller.

English Summary

Facts

A bank ('controller') used the data subject's personal data, including the content of payment transactions, to build models for their 'personalised discounts' service. The data subject objected to the use of his data to build models which offered the personalised discounts. The controller responded that his request was registered and that his data would no longer be used for model building. The data subject filed a complaint with the Belgian DPA ('GBA') on 10 January 2020.

First, the controller argued that it relied on consent for the activation of the personalised discounts service. However, to build the models on which the service is based, the controller invoked legitimate interest. It also explained that building these models constitutes further processing. Therefore, the controller distinguished between 'tailored information' which was based on the data subject's consent which he could withdraw and the 'model building', which was based on legitimate interest with the data subject's right to object.

Second, the controller argued that the data subject did not have an interest in the case as he never activated the personalised discounts service. The controller also explained that the data subject's right to objection was granted before the complaint was filed and thus, his personal data was no longer processed for the model building. The controller considered that this rendered the complaint inadmissible.

The data subject argued that the processing of personal data in data models was done for a completely different purpose than that for which the personal data was initially collected, namely the handling of transactions in the performance of the agreement between the controller and the data subject. The data subject also explained that the controller's privacy policy of 2 February 2017 stated that the controller used its customers' transaction data to better know and serve its customers for all marketing and commercial purposes as listed in the privacy policy. The controller updated its privacy policy on 1 February 2019 and it indicated that the transaction data was used to build analytical data models for commercial purposes.

Holding

First, the DPA analysed the data subject's interest in lodging a complaint. The GBA pointed out that the GDPR does not prevent a national law from allowing persons other than data subjects to lodge a complaint with DPAs. In accordance with this, Belgian national law allows any person to file a complaint, provided they have a sufficient interest in doing so.

In the present case, the GBA held that the subject of the complaint was the use of the data subject's personal data by the controller to build and train the models which the personalised discounts service was based on. Following the data subject's exercise of his right to object to the processing, the models were modified. Therefore, the current models were no longer based on the data subject's personal data.

However, the GBA considered that this was completely irrelevant: the mere fact that the data subject's personal data was no longer included in the dataset on which the models were based and trained did not mean that the data subject had no interest in filing the complaint. The GBA pointed out that it could not be denied that the data subject's personal data was indeed processed. Thus, the data subject had an interest in challenging the legal basis for such data processing.

Second, regarding the purpose, the GBA confirmed that the processing of personal data for building data models constitutes processing for a new purpose than that of targeting data subjects with personalised discounts. The GBA also pointed out that this purpose was not disclosed to customers, including the data subject, at the time of entering into the customer relationship. With regard to what was claimed by the controller in its privacy policy, the DPA considered that this processing constituted a new purpose distinct form the initial purpose of executing and recording payments.

Concerning the further processing, the GBA assessed whether or not this new purpose could be considered compatible with the initial purpose. Article 5(1)(b) GDPR establishes that processing of personal data for purposes other than those for which they were initially collected may be authorised if the processing is compatible with the purposes for which they were initially collected. In the present case, the GBA considered that when the data subject entrusted his personal and transaction data to the controller, he had no reasonable expectation that the controller would use the same data to build models that offer personalised discounts. Moreover, the DPA held that the purpose pursued by the controller was not motivated by scientific, historical or statistical considerations. The end goal was purely commercial. As such, the GBA concluded that the controller could not benefit from this exception and that there was no compatible further processing.

Concerning the legal basis, the DPA examined the possibility of invoking legitimate interest under Article 6(1)(f) GDPR as a legal basis. This article establishes that the processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller, unless the interests or fundamental rights and freedoms of the data subject prevail. Recital 47 GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. In CJEU, 4 May 2017, Rigas, C-13/16, the Court of Justice held that Article 6(1)(f) GDPR lays down three cumulative conditions: (i) the pursuit of a legitimate interest by the controller, (ii) the necessity of the processing in order to achieve the legitimate interest pursued and (iii) the fundamental rights and freedoms of the data subject must not prevail.

Regarding the pursuit of a legitimate interest, the GBA considered that building models in order to offer personalised discounts to the controller's customers should be considered as carried out with a legitimate interest in mind. The DPA noted that building a data model aimed at offering personalised discounts was part of the controller positioning itself in the market. The controller's starting point was to gain insight into its customers' services while responding to societal evolutions and trends such as digitisation and personalisation of services and diversification of service. The GBA considered that this may be a legitimate interest.

Regarding the necessity of the processing in order to achieve the legitimate interest, the GBA pointed out that the analysis of transaction data to train models is necessary to provide personalised discounts to the controller's customers. Indeed, without the creation of data models, the discounts could not be offered in a personalised manner through a digital application. Therefore, the GBA considered that this processing was necessary to achieve the legitimate interest.

Regrading balancing between the interests of the controller and the freedoms and rights of the data subject, the GBA held that the reasonable expectations of the data subject should be taken into account. This is also emphasised by CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, in which the CJEU found that "the data subject’s reasonable expectations that his or her personal data will not be processed when, in the circumstance of the case, that person cannot reasonably expect further processing of those data, are also relevant for the purposes of the balancing exercise." The GBA considered that it was essential to distinguish between the phase of building and training the models themselves, and the phase of offering personalised discounts through the use of the models built in the previous phase.

The GBA found that it was within the data subject's normal expectation that the controller used its transaction data to train models, without further operationally using them to offer personalised discounts for which consent was sought. The controller removed identifiers and did not apply the model to identify individuals, nor to re-identify them. The GBA also held that the models were merely algorithms that no longer contained personal data. The DPA also took into account the fact that the customers' personal data was not passed on to third parties and no special categories of data were processed by the models. Therefore, the GBA concluded that the impact on the data subject was extremely small and the processing of his personal data was kept to a minimum as it did not give rise to the offering of personalised discounts without the data subject's consent. The GBA also pointed out that the data subject could always exercise his right to object to the use of his data to build models within the meaning of Article 21 GDPR.

Therefore, the GBA concluded that there was a legitimate interest of the controller related to the processing, - namely building data models, aimed at offering personalised services – being an element of positioning itself in the market – a commercial interest of the controller.

Additionally, the GBA pointed out that the controller complied with the transparency obligation by not only updating its privacy policy, but by also informing its customers directly. The data subject was also made aware of the possibility of exercising his right to object, which he did, and the controller responded appropriately.

Therefore, the GBA concluded that the controller complied with its obligations under and did not commit any breach of the GDPR as regards to the construction of the data models.

Comment

Initial contributor's comment: Decision may possess significant importance for usage of training data. While the model in question appears to not have possess the ability to learn, the same reasoning as presented by DPA could be applied to artificial intelligence solutions.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Warning - Page 15 cannot be translated

1/16
Dispute Chamber
Decision on the merits 46/2024 of March 15, 2024
File number: DOS-2019-05837
Subject: Use of transaction data for personalized discounts
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, chairman, and Messrs. Frank De Smet and Romain Robert, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The complainant: Mr.
The defendant: Y BANK, represented by master Heidi Waem,
hereinafter “the defendant”
Decision on the merits 46/2024 - 2/16
I. Facts and procedure
1. On January 10, 2020, the complainant submits a complaint to the Data Protection Authority
against defendant.
2. The subject of the complaint concerns the defendant's use of personal data,
including the content of payment transactions, for building models for the
service "Personalized Discounts". The complainant states that the activation of the
personalized discounts service takes place after the data subject has done so
has granted permission, but that for building the models on which these
service is based and for which the defendant has personal, financial data
processes customers, the defendant relies on his legitimate interest, while
according to the complainant, permission is required for this. The complainant states that he has resisted
against “Customized Information” from the defendant. However, there is no bill
taken into account his opposition to the processing of personal data when building
models for “Personalized discounts”. Furthermore, the complainant notes that
resistance to building models for “Personalized Discounts” with his
data is only implemented one month later for technical-organizational reasons. According to the complainant, this leads to the processes that the
The defendant's approach is to make resistance de facto impossible.
3. On January 14, 2020, the complaint will be declared admissible by the First Line Service on
on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
transferred to the Disputes Chamber.
4. On February 7, 2020, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98
WOG that the file is ready for substantive treatment and will be involved
parties are notified by registered mail of the provisions as stated in
Article 95, § 2, as well as that in Article 98 WOG. They are also subject to Article 99
WOG informed of the deadlines for submitting their defenses.
The deadline for receipt of the defendant's statement of defense was
recorded on March 11, 2020, this for the conclusion of the complainant's reply on 26
March 2020 and this for the defendant's response on April 10, 2020.
5. On February 12, 2020, the complainant electronically accepts all communications regarding the case,
in accordance with article 98 WOG.
6. On February 17, 2020, the defendant requests a copy of the file (Article 95, § 2, 3°
WOG), which was transferred to him on February 25, 2020. The
defendant electronically receives all communications regarding the case and indicates its use
wish to take advantage of the opportunity to be heard, in accordance with Article 98 of the WOG.
Decision on the merits 46/2024 - 3/16
7. On March 11, 2020, the Disputes Chamber will receive the response statement
defendant in which he relies on the legitimate interest in building
data models for the “personalized discounts” service, as well as arguing that it
building these models constitutes compatible further processing. The defendant
makes a distinction between “customized information” and “building models” on it
in terms of legal grounds and the rights of the data subject, where “tailor-made information”
is based on consent with the right of the data subject to obtain this consent
to withdraw, and “model building” will be based on legitimate interest
with the right of the data subject to object. In addition, the
defendant that the withdrawal of consent in the context of “customized information”
does not extend to the processing of personal data for model building
for “Personalized discounts” based on legitimate interest. According to the
defendant, the complaint is unfounded.
8. On March 26, 2020, the Disputes Chamber will receive the complainant's response. The
the complainant argues that the processing of personal data takes place in data models
for a completely different purpose than that for which the data was initially collected
collected, in particular for the execution of the agreement that the defendant has
with its customers for the settlement of transactions. Therefore, he argues that the
processing for this new purpose constitutes incompatible processing and the defendant
cannot rely on the legitimate interest in drawing up data models
for direct marketing for third parties. According to the complainant, there is also no clear distinction
between the services “customized information”, “personalized discounts” and construction
of models for these services, ensuring transparency and fairness of the
processing is undermined. He argues that it is resistance to building models
for “personalized discounts” is misunderstood by giving the illusion to the
user that this right was exercised, while this subsequently appears not to be the case. Also
According to the complainant, the period of time between the privacy statement dated September 1, 2019 and the
in practice give effect to the objection which could only be exercised after
notification of the “personalized discounts” service by letter dated September 21
2019, followed by the period of one month that the defendant needs to
to delete the complainant's data is problematic. The complainant states that during that period
the defendant can use the transaction data to build valuable models and then
to offer direct marketing so that the resistance is implemented when it
the purpose of the processing has already been achieved and it is therefore de facto impossible
for the customer to object to the processing of his data for this purpose.
9. On April 10, 2020, the Disputes Chamber will receive the defendant's response.
The defendant further elaborates on the elements as set out in the conclusion of
answer. An additional element that is raised is that alleged by the defendant
Decision on the merits 46/2024 - 4/16
lack of interest on the part of the complainant resulting in the complaint being filed according to the defendant
is inadmissible and therefore not only unfounded. Furthermore, the defendant defines the object
of the procedure by pointing out that the complainant never “personalized” the service
discounts” and only objected to the use of his
data for building models for offering the personalized
discounts, which ensures the legality of the processing in the context of offering
personalized discounts are not an issue.
10. On March 22, 2023, the parties will be notified that the hearing will
take place on April 26, 2023.
11. On April 3, 2023, the parties will be notified that the hearing will take place
unforeseen circumstances had to be moved to May 9, 2023.
12. On May 9, 2023, the parties will be heard by the Disputes Chamber.
13. The minutes of the hearing will be submitted to the parties on June 5, 2023.
14. On June 12, 2023, the Disputes Chamber will receive some comments from the defendant
with regard to the official report, which it decides to include in its deliberations.
II. Justification
a) Interest of the complainant
15. First of all, the defendant emphasizes the absence of any personal and current interest
on behalf of the complainant. The defendant believes this can be deduced from the fact that the law
objection filed by the complainant was granted before the complaint was filed
and the complainant's personal data will therefore no longer be processed for the purpose of building
models. Also, according to the defendant, the complainant would not have committed a violation of his own
rights, but rather denouncing the defendant's practices in name
of the general interest of the defendant's other customers and are not aimed at it
to safeguard its own rights, but the rights of other customers.
16. In this regard, the Disputes Chamber points out that it is only concerned with those elements of
the complaint for which the complainant has an interest. The
Dispute Chamber on the following:
17. Article 58 of the WOG states: “Anyone can submit a complaint or complaint in writing, dated and signed
submit a request to the Data Protection Authority”. In accordance with article
60, paragraph 2 WOG “a complaint is admissible if it:
- is drawn up in one of the national languages;
- contains a statement of the facts as well as the necessary indications for the identification of
the processing to which it relates;
Decision on the merits 46/2024 - 5/16
- it falls within the jurisdiction of the Data Protection Authority”.
18. The preparatory activities of the WOG determine: “The
Data Protection Authority may receive complaints or requests from anyone;
natural persons but also legal entities, associations or institutions that have a
wish to sue alleged infringement of the Regulation. Submit a complaint or request
the Data Protection Authority must be in writing, dated and by the appropriate authority
authorized person must be signed. A request must be in the broadest sense of the word
be interpreted (request for information or explanation, a request to mediate,
...)”1
.
19. The WOG therefore does not rule out the possibility that a person other than the data subject or the person who
is authorized by the data subject, as referred to in Article 220 of the Act of 30 July 2018
on the protection of natural persons with regard to the processing of
personal data, can file a complaint with the Authority.
20. While the GDPR approaches the 'complaint' from the data subject's point of view, through the
supervisory authorities to impose obligations when a person makes a complaint
(see Articles 57, 1., f) and 77 of the GDPR), the GDPR does not prevent national law from
gives persons other than those involved the opportunity to file a complaint with
the national supervisory authority. The possibility of such a referral is appalling
otherwise corresponds to the instructions given to the supervisors by the GDPR
promised. In that respect and generally speaking, each regulator ensures: the
monitoring and enforcement of the application of the GDPR (Article 57, 1., a) GDPR), and the
performance of all other tasks related to the protection of
personal data (Article 57, 1., v) GDPR).2
21. In that respect, the Disputes Chamber rules that Article 58 of the WOG applies to every person
opportunity to file a complaint, provided that he has sufficient interest in it
in accordance with the aforementioned provisions of the GDPR.
22. The condition is that the complainant demonstrates a sufficient interest. In that regard
the Disputes Chamber points out that, based on the documents in the file, it is unmistakable
it has been established that the complainant's personal data was used by the defendant
for building and training the data models on which the 'Personalized
discounts' is based, which is precisely the subject of the complaint. The
determination by the defendant that as a result of the exercise of the right of
objection by the complainant the data models were adjusted in such a way that the current one
1 Parl. doc., Chamber of Representatives, 2016-2017, DOC 54 2648/001, p.40 (comment on article 58 of the
original bill).
2
In its decision of June 8, 2020, the Disputes Chamber has already allowed, under very strict conditions, that a
submits a complaint other than the person concerned (Decision on the merits 30/2020, published on the GBA website).
Decision on the merits 46/2024 - 6/16
models are no longer based on the complainant's data is absolute
irrelevant. The mere fact that the complainant's personal data is no more
included in the set of personal data on which the models will be created
based and trained and the complainant's right to object was granted before the
complaint was filed does not in any way mean that the defendant can claim that the
the complainant would have no interest in submitting the complaint and his complaint solely on it
is aimed at safeguarding the general interest of other customers. Not only were the
the complainant's personal data will only be removed from the dataset on which the models are used
trained after he had taken the initiative and had his right to object
exercised, but in addition it cannot be denied by the defendant that the
the complainant's personal data were indeed processed and the complainant has an interest in this
has to contest the legal basis for this data processing. The mere
determination that in the current situation the defendant does not have the personal data of the complainant
more processed for building the data models on the basis of which the
personalized discounts are offered, does not change this and therefore implies
in no way that the complainant no longer has an interest at present.
b) Rights of defense and principles of good administration
23. The defendant states that the notification by the Disputes Chamber that the relevant
complaint was filed without mentioning the articles of law that may be involved
would have been violated, has the consequence that the principles of good administration and the
rights of defense vis-à-vis the defendant have been violated.
24. From the claims submitted by the defendant, which are accurately addressed
However, on each of the points raised by the complainant, it appears that the complaint and the possible
infringements charged to him by the complainant were clear from the outset
for the defendant.
25. Furthermore, the Disputes Chamber points out that the procedural guarantees must be maintained in full
are complied with and if there may already have been a disadvantage to the
defendant by the manner in which he was informed of the complaint and the defendant
charged infringements, this disadvantage has been completely removed in the follow-up process3, as a result
there can be no question of any violation of the principles of good conduct
management. The procedural elements raised by the defendant have no effect
that the rights of defense have been violated, as the defendant has the opportunity
given the opportunity to fully present his argument through the conclusion
3 See in this context: Decision on the merits 18/2020 of April 28, 2020; Decision on the merits 71/2020 of October 30, 2020;
Decision on the merits 133/2021 of December 2, 2021.
Decision on the merits 46/2024 - 7/16
of answer. In addition, the defendant has fully exercised his right to appeal
exercise during the hearing of the Disputes Chamber. The defendant thus has no
only suffered a disadvantage and the rights of defense are therefore valid
respected.
c) Legal basis
26. According to the complainant, the use of the transaction data of the customers of the
defendant for building and training models used for the
offering personalized discounts for third party services and products
to be considered as processing for a purpose other than the original one
purpose consisting of the handling of transactions, namely the execution and
registering payments. This leads the complainant to the conclusion that the defendant is responsible for the
uses transaction data obtained for the purpose of achieving the initial purpose
other, incompatible purpose.
27. The Disputes Chamber examines to what extent the defendant has access to customer transaction data
can use to build data models based on which
personalized discounts are offered.
28. The Disputes Chamber states that the processing of customer transaction data
for building data models constitutes processing for a new purpose,
since no document present in the file shows that this was already the case at the time of collection
the transaction data, i.e. information at the time of entering into the customer relationship
was provided for this purpose. Article 13.1. c) GDPR requires that before
started the processing activities the data subject is informed about the
processing purposes for which the personal data are intended, including the
legal basis. Building data models for commercial purposes is one
purpose that was not brought to the attention of the customers, including the complainant, on the
moment of entering into the customer relationship. The complaint shows that the complainant did not comply with the
was informed of this purpose when entering into the customer relationship with the
defendant, which is also not denied by the defendant. The defendant claims
However, the use of the transaction data in the data models must be processed
be regarded as not incompatible with the original purposes of the sentence
of article 5.1. b) GDPR.
29. The defendant's privacy statement dating from February 2, 2017 states that
the defendant also uses the transaction data of its customers to better serve its customers
to get to know and be able to operate for all marketing and commercial purposes
purposes, as listed in the privacy statement. Explicit reference is made to
Decision on the merits 46/2024 - 8/16
the purpose that the defendant pursues in order to function as a company, as well as
to the purpose of doing direct marketing for their own banks
insurance activities of the defendant and also for these activities of partners of
the defendant who offer products or services in the banking and insurance sector. On
Based on this, the Disputes Chamber can determine that the reuse of the
transaction data at that time is limited to the commercial activities that
directly related to the range of products and services within the banking and insurance sector4
.
30. The privacy statement of February 1, 2019 states that the transaction data
used for building analytical data models for commercial purposes5
, also
this time limited to banking and insurance activities².
31. The Disputes Chamber notes that in any case from the moment of the privacy statement
from September 1, 2019 building data models for commercial purposes the context
of banking and insurance products and services, since from that moment on
it is mentioned that data models are created to provide personalized discounts for
to offer third party products and services to the defendant's customers.
This constitutes a new purpose that is distinguishable from the initial purpose,
namely making and registering payments. The Disputes Chamber will check whether this is the case
new purpose may or may not be considered compatible with the initial one
purpose as stated when entering into the customer relationship with the
complainant.
32. In accordance with Article 5.1. b) GDPR may allow the processing of personal data for others
purposes other than those for which the personal data was initially collected
be permitted if the processing is compatible with the purposes for which the
personal data was initially collected. Taking the criteria into account
included in article 6.4. GDPR and recital 50 GDPR6 it must therefore be determined whether
the further processing, in this case building data models for offering
personalized discounts for third party services and products, whether or not
is compatible with the initial processing consisting of the execution and registration of
payments on behalf of the complainant. The Disputes Chamber concludes that the complainant
4
[…]
5
[…]
6 Recital 50 GDPR: […] In order to determine whether a purpose of further processing is compatible with the purpose for which the
personal data have initially been collected, the controller must, after having complied with all regulations relating thereto
legality of the original processing has been met, taking into account, among other things: a possible link
between those purposes and the purposes of the intended further processing; the framework in which the data is
collected; in particular the reasonable expectations of those involved based on their relationship with the
controller regarding its further use; the nature of the personal data; the consequences of the
intended further processing for the data subjects; and appropriate safeguards for both the original and the
intended further processing.
Decision on the merits 46/2024 - 9/16
has entrusted his personal data and transaction data to the defendant
within the framework of his contractual relationship with the bank (being the defendant) to which he
when a customer calls for the settlement of his banking affairs and there is no way
could reasonably expect that the bank would use the same data, without
that the complainant can oppose this, to train data models that the banking and
exceed the defendant's insurance activities and are purely aimed at it
products or services from third parties that are not at all related to the activities
of the defendant.
33. Moreover, the defendant's additional argument that it can be analyzed internally
of data and building data models in this case can be equated with one
processing for research purposes or statistical purposes within the meaning of Article 5.1 b)
GDPR, which means that the respective further processing is not considered incompatible with the
original purposes can be considered, not convincing and therefore not leading to one
lead to another decision. Article 5.1 b) GDPR specifies further processing for the purpose of
scientific or historical research or statistical purposes7
, where this
purposes in themselves. The purpose pursued by the defendant is not
motivated by scientific, historical or statistical considerations. The building
of the data models is not aimed at any scientific, historical or statistical purpose
as an end goal (e.g. publication of the results in scientific journals), but
on the other hand, are built solely for a commercial purpose, namely the
have models that offer personalized third-party discounts
can facilitate.
34. This leads to the conclusion that there is no compatible further processing,
so that a separate legal basis is required to allow building data models with
the purpose of offering products or services from third parties as could be lawful
are labeled.
35. Processing of personal data, including incompatible processing
After all, processing as in the present case is only lawful if there is a right to do so
legal basis exists. For incompatible further processing
7 Article 5.1 b) GDPR:
Personal data must:
a) […]
b) collected for specific, explicit and legitimate purposes and subsequently not allowed
further processed in a manner incompatible with those purposes; further processing for the purpose of archiving
public interest, scientific or historical research or statistical purposes in accordance with Article 89,
paragraph 1, not considered incompatible with the original purposes ('purpose limitation');
[…]
Recital 50 GDPR. […] The further processing for the purpose of archiving in the public interest, scientific or
historical research or statistical purposes, must be regarded as a legitimate legitimate purpose compatible with the initial purposes
processing are considered. […]
Decision on the merits 46/2024 - 10/16
reverted to Article 6.1. GDPR and recital 50 GDPR. In recital 50 GDPR8
is
states that a separate legal basis is required for the processing of
personal data for other purposes that are incompatible with the purposes
for which the personal data was initially collected. That separate one
legal grounds for processing, including incompatible ones
further processing, which can be considered lawful, is determined in Article 6.1.
GDPR.
36. To this end, the Disputes Chamber examines the extent to which the legal grounds as provided in Article
6.1. GDPR can be invoked by the defendant in order to further processing
of the personal data relating to the complainant.
37. The defendant himself relies on the legitimate interest, the legal basis such as
included in article 6.1 f) GDPR, which would allow him to proceed with the
data processing that is the subject of the complaint, being the construction of
data models for the “personalized discounts” service.
38. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the
European Union (hereinafter “the Court”), three cumulative conditions must be met
so that a controller can legally rely on this
legal basis, “namely, in the first place, the promotion of a
legitimate interest of the controller or of the third party(ies).
to whom the data is provided, secondly, the necessity of the processing
the personal data for the pursuit of the legitimate interest, and, thirdly
place, the condition that the fundamental rights and freedoms of the
data protection of the person concerned does not prevail” (judgment “Rigas”9
).
39. In order to be able to rely on the legality ground in accordance with Article 6.1 f) GDPR
of the “legitimate interest”, the controller must cooperate with other
words to show that:
1) the interests it pursues with the processing can be justified
recognized (the “target test”);
2) the intended processing is necessary for the realization of these interests (de
“necessity test”); and
8 Recital 50 GDPR: The processing of personal data for purposes other than those for which the personal data are intended
initially collected should only be permitted if the processing is compatible with the purposes for which it is intended
the personal data was initially collected. In that case, no separate legal basis other than that at
basis on which the collection of personal data was permitted. […]
9 CJEU, May 4, 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA
“Rīgas satiksme”, recital 28. See also CJEU, 11 December 2019, C-708/18, TK v/Asociaţia de Proprietari bloc M5A-ScaraA,
recital 40.
Decision on the merits 46/2024 - 11/16
3) the weighing of these interests against the interests and fundamental freedoms
and fundamental rights of those involved weighs in favor of the
controller (the “balancing test”).
40. With regard to the first condition (the so-called “target test”), the Disputes Chamber is of
judgment that building data models in order to benefit the defendant's customers
offer personalized discounts on third-party products and services
are considered to be carried out for a legitimate interest. It leaves the
defendant to make a similar service available to its customers, just like
other banks that also grant discounts in the form of cashbacks. The building of
the data model for which the defendant has the transaction data of the customers, including
so also the one used by the complainant is aimed at offering personalized discounts
offer, which is part of positioning oneself on the market. The premise of
the defendant is thus gaining insight into the services provided to its customers
which responds to social evolutions and trends such as digitalization
and personalization of services and diversification of service offerings, which
is motivated by a commercial interest. Such commercial interest can be a
legitimate interest in accordance with Recital 47 GDPR10 and is also
supported in Opinion 06/2014 of the Article 2911 Data Protection Working Party
. Becomes
the first condition contained in Article 6.1, f) GDPR is therefore met.
41. In order to meet the second condition, it must be shown that the
processing is necessary for the achievement of the purposes pursued. This
specifically means that the question must be asked or by other means
the same result can be achieved without processing personal data or without
unnecessarily intrusive processing for those involved.
42. It should be taken into consideration that data analysis of the transaction data
for training models is a necessary tool to achieve the ultimate goal
10 Recital 47 states that the processing of personal data may be for direct marketing purposes
considered to be carried out for the purposes of a legitimate interest. Direct marketing is thus an example of one
commercial interest that is considered a legitimate interest.
See also: the judgment of the European Court of Justice of 29 July 2019 (case -40/17 Fashion ID)
11 Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article
7 of Directive 95/46/EC:
“The fact that the controller has such a legitimate interest in the processing of
certain data, does not mean that he can rely on Article 7(f) as a legal basis for the processing. The
fairness of the interests of the controller is only a starting point, one of the elements
to be analyzed in accordance with Article 7(f). Whether Article 7(f) can be used depends
the outcome of the subsequent assessment.
By way of illustration: a data controller may have a legitimate interest in the preferences of his
customers so he can better personalize offers and, ultimately, deliver products and services
that better meet the needs and wishes of its customers. In view of this, Article 7(f) may be an appropriate legal basis
are for some types of marketing activities, both online and offline, provided that appropriate safeguards are in place (including
a useful mechanism through which such an objection can be lodged in accordance with Article 14(b).
processing, as will be demonstrated in section III.3.6 The right to object and further).”[own underlining]
Decision on the merits 46/2024 - 12/16
intended purpose, namely offering digital applications for offering
personalized discounts to the defendant's customers. The
data models form a necessary intermediate step between the
transaction data as such and, on the other hand, the offer of personalized discounts
via digital means. After all, discounts cannot be made without drawing up data models
are offered in a personalized manner via a digital application. This leads to it
decides that the second condition of Article 6.1 f) GDPR has also been met.
43. In order to determine whether the third condition of Article 6.1, f) GDPR - the so-called
“balancing test” between the interests of the controller, on the one hand, and
the fundamental freedoms and fundamental rights of the data subject, on the other hand
is met, the
reasonable expectations of the data subject. More specifically, it needs to be evaluated
or “data subject at the time and in the context of the collection of the personal data
can reasonably expect that processing can take place for that purpose”
12
.
44. This is also emphasized by the Court in its judgment “TK v/ Asociaţia de Proprietari bloc
M5A-ScaraA” of December 11, 201913, in which it states:
“Also relevant to this assessment are the reasonable expectations of the person concerned
or her personal data will not be processed when, in the given
circumstances of the case, the data subject cannot reasonably do any further processing
can expect the data”.
45. The Disputes Chamber examines whether the interest of the defendant is proportionate
impact it has on the fundamental rights and freedoms of those involved,
including the complainant. In this context it is essential to distinguish between
on the one hand, the phase of building or training data models themselves, and on the other hand, the phase of
operationally offering personalized discounts via digital applications
use the models built in the previous phase.
46. Based on the documents present in the file, the Disputes Chamber determines that the
method of the defendant in the context of building the models conceptually and
largely constitutes an application of Phase 1 in Figure 1 as shown below
recommendation 18 of the Big Data Report14
. Regarding this aspect in particular, the
Disputes Chamber is of the opinion that it is within the normal expectations of the
complainant finds that the defendant uses his transaction data - unless the complainant objects
complainant - to train data models (without further using them operationally for the
12 Recital 47 GDPR.
13 CJEU, December 11, 2019, C-708/18, TK v/ Asociaţia de Proprietari bloc M5A-ScaraA, recital 58.
14 https://www.gegevensbeschermingsautoriteit.be/publications/big-data-rapport.pdf
Decision on the merits 46/2024 - 13/16
offering personalized discounts, for which permission is requested). The
The defendant may only process data using as many identifiers as possible
of those involved have been removed to train a model, an algorithm, without this
model in this phase is applied to identified in an operational context
persons. Furthermore, no attempts should ever be made to – if anything
would be possible after removing as many data subject identifiers as possible –
re-identify the people in the training set. Also, according to the defendant, the
resulting models are only algorithms that no longer contain personal data
contain, and the Dispute Chamber has no evidence to the contrary. This should also be submitted
to be taken into account that no personal data of customers at any time
are passed on to third parties. Moreover, no document shows that there is anything special
categories of personal data within the meaning of Article 9 GDPR are included in the data models
incorporated. The Disputes Chamber is therefore of the opinion that the impact on the complainant is:
is extremely small and the processing of his personal data is limited to a minimum
in the sense that its data is indeed reused, but at the construction stage
of the models do not give rise to the offering of personalized discounts
if the complainant does not actively give permission for this. Moreover, the complainant can also
always exercise his right to object to the use of his data for the
building the models for offering personalized third-party discounts
within the meaning of art. 21 GDPR.
47. With regard to the offer of personalized discounts for products and services
from third parties to identified customers in an operational context (see Phase 2 in Figure 1
as included under recommendation 18 of the Big Data Report) the defendant appeals
after all, expressly relies on Article 6.1 a) GDPR as a separate legal basis, so that in the absence of
to consent, the complainant will not experience any further consequences from the use of his
transaction data in the data model that serves purely as an intermediate step
considered for the ultimate intended purpose, the offer of personalized
discounts. This ensures that only the defendant's customers will
have agreed in advance and have expressly opted to use the service
If you want to take advantage of “personalized discounts”, you will enjoy a certain advantage
which is made possible by the defendant through the reuse of the
transaction data from its customers in the development of data models.
48. The combination of the above elements leads the Dispute Chamber to conclude that this is also the case
the third condition is met and the defendant is therefore rightly relying on the
legal basis of Article 6.1 f) GDPR for the construction of data models for the purpose of
offering personalized discounts for third-party products and services, which
this incompatible further processing must be considered lawful.
Decision on the merits 46/2024 - 14/16
49. In addition, the defendant has complied with the obligation of transparency (Article 5.1 a) GDPR
in conjunction with Article 12.1 GDPR) because not only the privacy statement was updated on September 1, 2019
adapted, but also by addressing itself directly to its customers and also to the complainant.
These were allowed to receive a letter on September 21, 2019 stating these
informed about the various aspects included in article 13.1 GDPR through
reference to the amended privacy statement, following the preparation
of and therefore prior to the launch of the personalized discount offer
from third parties. The complainant is also informed of the possibility of exercising this right
of the right to object, which he also exercised on September 22, 2019
and to which the defendant is notified in a timely and appropriate manner in accordance with Article 12 GDPR in conjunction
has complied with Article 21 GDPR by confirming on September 30, 2019 that its
objection was registered and that his data will no longer be used for
building models.
50. The fact that the defendant indicates in the same letter of September 30, 2019 that at
technical-organizational reasons, this method can only be applied after expiry
of one month does not affect this. As the defendant states in the conclusions and
As the Big Data Report15 also shows, training data models is complex
process that takes some time. The Disputes Chamber considers the period of one month as
reasonable to implement the complainant's objection.
51. A final point that the complainant raises is that he has already stated that
the defendant that he does not wish to receive “tailor-made information”, but that the facts
give rise to the complaint demonstrate that the defendant is nevertheless
personal data used to build models for offering
personalized discounts from third parties. The defendant shows in the conclusion and accompanying
documents show that there is a clear distinction between the construction of data models on the one hand
and on the other hand, “tailor-made information”, consisting of tailor-made advertising relating to the
services within the banking and insurance sector. This concerns the classical
personalized direct marketing for which the defendant has the foregoing
consent (Article 6.1 a) GDPR) and this on the basis of a transparent explanation
of what exactly “tailor-made information” means. From the defense and the accompanying
privacy statement of February 2, 2017, as well as that of February 1, 2019, shows that the
defendant has acted in accordance with Article 5.1 a) GDPR in conjunction with Article 12.1
GDPR. With regard to the “Customized Information”, the complainant has granted his initial consent
permission withdrawn. The Disputes Chamber determines that the complainant has withdrawn this
permission with regard to “Customized information” cannot be extended to “construction
of data models for personalized third-party discounts” which, as above
15 https://www.gegevensbeschermingsautoriteit.be/publications/big-data-rapport.pdf

Decision on the merits 46/2024 - 16/16
Such an appeal can be lodged by means of an inter partes petition
must contain information listed in Article 1034ter of the Judicial Code16. It
an objection petition must be submitted to the registry of the Market Court
in accordance with Article 1034quinquies of the Ger.W.17, or via the e-Deposit
IT system of Justice (Article 32ter of the Judicial Code).
(get). Hielke HIJMANS
Chairman of the Disputes Chamber
16 The petition states, under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
summoned;
4° the subject matter and brief summary of the grounds of the claim;
5° the judge before whom the claim is brought;
6° the signature of the applicant or his lawyer.
17 The petition with its appendix will be sent by registered letter in as many copies as there are parties involved.
deposited with the clerk of the court or at the registry.